
On Wed, 2 Oct 2013, 14:17, Marcus Furlong wrote:
} Hi,
}
} I am trying to route any tcp openvpn connection from localhost via a
} particular network which is on eth1, and have all other traffic go via
} the default gateway on eth0.
}
} Just wondering if anyone knows if this is possible or why the below is
} not working for me? I've tried using the technique specified in [1].
} The diagram in [2] also seems to support that this should work. The
} technique is basically:
}
} 1) Add a mark to the packet
} # iptables -t mangle -A PREROUTING -p tcp --dport 1194 -j MARK --set-mark 0x4aa
}
} 2) Verify the PREROUTING table has the mark
} # iptables -t mangle -L PREROUTING -v
} Chain PREROUTING (policy ACCEPT 126K packets, 87M bytes)
}  pkts bytes target prot opt in  out source   destination
}     0     0 MARK   tcp  --  any any anywhere anywhere    tcp dpt:openvpn MARK set 0x4aa
}
} 3) Add a routing rule that tells a packet with that mark to use a
} specific routing table.
} # ip rule add from all fwmark 0x4aa lookup vlan156
}
} 4) Verify the rule has higher priority than the other rules
} # ip rule show
} 0:      from all lookup local
} 32764:  from all fwmark 0x4aa lookup vlan156
} 32765:  from 172.26.10.0/24 lookup vlan156
} 32766:  from all lookup main
} 32767:  from all lookup default
}
} 5) Add the above routing table (already added to /etc/iproute2/rt_tables)
} # ip route add default via 172.26.10.1 dev eth1 table vlan156
}
} 6) Verify the routing table exists
} # ip route show table vlan156
} default via 172.26.10.1 dev eth1
}
} So to my mind, any packet with destination port of tcp 1194, should
} get the 0x4aa mark and then be routed using the routing table vlan156
} which tells it to use the default gateway of 172.26.10.1. However this
} is not happening, all traffic is still being routed using the default
} gateway in the main routing table (ip route show).
}
} Any suggestions as to why it's not working?

Do you want udp 1194 instead of tcp?

T.

} Regards,
} Marcus.
}
} [1] http://lartc.org/howto/lartc.netfilter.html
} [2] http://inai.de/images/nf-packet-flow.png
}
} --
} Marcus Furlong
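An added checker for the setup in Marcus's steps 2 and 4, not part of the thread: it reads captured `iptables -t mangle -L <chain> -v -n` and `ip rule show` output (constructed samples below, mirroring the thread's numbers) and flags the two things that silence fwmark routing, a rule ranked after `main` and a MARK rule whose packet counter stays at zero. The zero counter is the thread's own symptom: locally generated traffic traverses the mangle OUTPUT chain, not PREROUTING, so a mark placed only in PREROUTING never fires for connections from localhost. The mark value, table name and the dumps are assumptions taken from the thread.

```shell
#!/bin/sh
# Offline sanity check for fwmark policy routing (added example, not from the thread).
MARK="0x4aa"
TABLE="vlan156"

# Constructed sample: `iptables -t mangle -L PREROUTING -v -n` as in the thread (0 hits).
PREROUTING_DUMP='Chain PREROUTING (policy ACCEPT 126K packets, 87M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'

# Constructed sample: the same rule placed in mangle OUTPUT, where local traffic hits it.
LIVE_DUMP='Chain OUTPUT (policy ACCEPT 9 packets, 612 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'

# Constructed sample: `ip rule show` as in the thread.
RULE_DUMP='0:	from all lookup local
32764:	from all fwmark 0x4aa lookup vlan156
32765:	from 172.26.10.0/24 lookup vlan156
32766:	from all lookup main
32767:	from all lookup default'

# Packet counter of the first MARK rule setting $MARK in a chain dump (empty if absent).
mark_hits() {
    printf '%s\n' "$1" | awk -v m="$MARK" '$3=="MARK" && $NF==m {print $1; exit}'
}

# Priority number of the first `ip rule` line containing pattern $2.
rule_prio() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) {sub(":", "", $1); print $1; exit}'
}

# Lower number wins: the fwmark rule must be consulted before the main table.
fwmark_precedes_main() {
    fw=$(rule_prio "$1" "fwmark $MARK lookup $TABLE")
    main=$(rule_prio "$1" "lookup main")
    [ -n "$fw" ] && [ "$fw" -lt "$main" ]
}

# $1 = mangle chain dump, $2 = ip rule dump. Exit 0 only when both checks pass.
# Assumes the counter is a plain integer (iptables prints K/M suffixes without -x).
diagnose() {
    hits=$(mark_hits "$1"); hits=${hits:-0}
    if ! fwmark_precedes_main "$2"; then
        echo "ip rule for fwmark $MARK -> $TABLE missing or ranked after main"; return 1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "MARK rule never matched: local traffic passes mangle OUTPUT, not PREROUTING"; return 1
    fi
    echo "mark fires ($hits pkts) and its rule precedes main"; return 0
}

diagnose "$PREROUTING_DUMP" "$RULE_DUMP" || :   # thread's case: counter stuck at 0
diagnose "$LIVE_DUMP" "$RULE_DUMP"              # mark applied in OUTPUT: passes
```

Because the kernel chooses the source address before mangle OUTPUT runs, re-routed local packets keep the eth0 address; a POSTROUTING SNAT to the eth1 address is usually needed alongside the mark.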