
On Wed, Oct 2, 2013 at 2:30 PM, James Harper <james.harper@bendigoit.com.au> wrote:
1) Add a mark to the packet

# iptables -t mangle -A PREROUTING -p tcp --dport 1194 -j MARK --set-mark 0x4aa

2) Verify the PREROUTING table has the mark

# iptables -t mangle -L PREROUTING -v
Chain PREROUTING (policy ACCEPT 126K packets, 87M bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:openvpn MARK set 0x4aa
That "0 0" means no bytes have been satisfied by that rule. Can you check after you have tested a packet that should satisfy the rule to confirm that the counters are increasing?
The counters are not increasing.
So to my mind, any packet with a destination port of tcp 1194 should get the 0x4aa mark and then be routed using the routing table vlan156, which tells it to use the default gateway of 172.26.10.1. However this is not happening; all traffic is still being routed using the default gateway in the main routing table (ip route show).
Any suggestions as to why it's not working?
How are you determining that the packets aren't going the right way?
tcpdump, lsof -i, conntrack -L and checking the connected IP address on the openvpn server.
Is OpenVPN definitely using TCP? Default is UDP.
Yes, definitely using TCP.
Did you flush the route cache after - "ip route flush cache"?
No I hadn't, but I just tried this now, and it hasn't made any difference. I also tried conntrack -F to flush the conntrack caches.

Marcus.
-- 
Marcus Furlong
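The counter check James asks for above, scripted so that the "before / after a test packet" comparison is not done by eye, as an added example that is not part of the original thread. It parses `iptables -t mangle -L CHAIN -v -n -x` output (-x gives exact counters instead of "126K"), reports the packet count on the rule that sets a given mark, and confirms that `ip rule show` actually maps that mark to the named table. The mark (0x4aa), chain and table name (vlan156) are taken from the thread; the listings embedded in the script are constructed samples so it runs offline, and the commands in the comments are what to run as root to feed it live output. One caveat a practitioner would check next: PREROUTING only sees packets arriving on an interface, so if the OpenVPN client runs on the host itself its packets traverse OUTPUT instead, and the same function can be pointed at the OUTPUT listing.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes mark 0x4aa,
# chain PREROUTING and table vlan156 as in the thread; the sample listings
# below are constructed, not captured from a real host.

# Packet counter of the first rule in an
#   iptables -t mangle -L CHAIN -v -n -x
# listing whose target is MARK and whose mark value equals $2.
# Prints -1 when no such rule is present.
# $1: listing text   $2: mark as iptables prints it, e.g. 0x4aa
mark_rule_pkts() {
    printf '%s\n' "$1" | awk -v mark="$2" '
        $3 == "MARK" && $(NF-1) == "set" && $NF == mark { print $1; found = 1; exit }
        END { if (!found) print -1 }
    '
}

# Exit 0 when the counter rose between two listings, i.e. the rule
# matched the test traffic sent in between.
# $1: listing before the test   $2: listing after   $3: mark
mark_counter_increased() {
    before=$(mark_rule_pkts "$1" "$3")
    after=$(mark_rule_pkts "$2" "$3")
    [ "$before" -ge 0 ] && [ "$after" -gt "$before" ]
}

# Exit 0 when `ip rule show` output contains a rule sending mark $2 to
# table $3. ip may print the mark with a mask (0x4aa/0xffffffff), so one
# is allowed.
# $1: ip rule show text   $2: mark   $3: table name
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark $2(/0x[0-9a-f]+)? lookup $3\$"
}

# Verdict for the whole chain of evidence:
#   0 = mark rule fired and a policy rule consumes the mark
#   1 = counter never moved: the test packet did not hit this rule
#       (wrong chain, wrong protocol, or traffic never reached this host)
#   2 = rule fires but no `ip rule` maps the mark to the table
# $1: listing before   $2: listing after   $3: ip rule text
# $4: mark             $5: table name
diagnose_mark_routing() {
    mark_counter_increased "$1" "$2" "$4" || return 1
    has_fwmark_rule "$3" "$4" "$5" || return 2
    return 0
}

# Constructed sample listings, modelled on the one quoted in the thread.
BEFORE='Chain PREROUTING (policy ACCEPT 126000 packets, 87000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'
# What the thread reports: the counter stays at 0 after the test.
AFTER_FLAT=$BEFORE
# What a working rule looks like after three test packets.
AFTER_HIT='Chain PREROUTING (policy ACCEPT 126003 packets, 87000180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'
# Constructed `ip rule show` output with the fwmark rule in place.
RULES='0:      from all lookup local
32765:  from all fwmark 0x4aa lookup vlan156
32766:  from all lookup main
32767:  from all lookup default'

# Demonstration on the constructed samples.
if mark_counter_increased "$BEFORE" "$AFTER_FLAT" 0x4aa; then
    echo "rule matched the test traffic"
else
    echo "counter did not move: the test packet never hit this rule"
fi
if has_fwmark_rule "$RULES" 0x4aa vlan156; then
    echo "ip rule maps 0x4aa to vlan156"
fi
```

On a live host, capture the listing with `iptables -t mangle -L PREROUTING -v -n -x` (and `-L OUTPUT` for locally generated traffic) into a variable before and after sending one TCP SYN to port 1194, then hand both to `diagnose_mark_routing` together with the output of `ip rule show`.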