
On Wed, Oct 2, 2013 at 5:43 PM, James Harper <james.harper@bendigoit.com.au> wrote:
>>> http://techedu.cu.cc/linux/OReilly%20Linux%20iptables,%20Pocket%20Reference%20(2004).pdf
>>
>> Slowly coming to the same conclusion myself, but I was hoping this was out of date:
>> http://www.faqs.org/docs/iptables/traversingoftables.html
>> Table 3-2. Source local host (our own machine), at Step 2 the routing decision is taken before the OUTPUT chain of the mangle table. Grr.
>> Does anyone have any other ideas how I might achieve this?
>
> Did you actually try putting it in the OUTPUT chain? I have rules for that on my router and it is definitely working (just checked with tcpdump).
>
> I have 2 DSL connections and a 3G connection. One DSL is for web browsing etc, the other is for SSH, RDP, and other low volume latency sensitive traffic, and the 3G is for failover.
>
> I have another rule that sets the connection mark for incoming connections and then reflects that in the outgoing connections so a connection stays with the right DSL, so I can come in on either DSL if one is playing up.
I just tried this now.

Chain OUTPUT (policy ACCEPT 4504 packets, 857K bytes)
 pkts bytes target     prot opt in     out     source               destination
  170 27734 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:openvpn MARK set 0x4aa

So this time the packets are actually getting marked, but they still go out over the wrong interface. It looks like because the routing decision has already been made, it doesn't bother to look up the routing tables.

Marcus.

--
Marcus Furlong
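An added example, not code from anyone in this thread: the MARK rule in mangle OUTPUT is only one of three pieces fwmark-based policy routing of locally generated traffic needs (the others are an ip rule mapping the mark to a table with its own default route, and source NAT on the chosen link, because the socket picked its source address from the main table before the mark existed), and `ip route get ... mark` shows which interface a marked packet would leave on without sending anything. Interface ppp1, gateway 192.0.2.1, table 100 and the sample output lines are assumptions; the mark 0x4aa and the OpenVPN port come from the counter listing above.

```shell
# Added example: complete fwmark policy routing for locally generated packets,
# with an offline check of the routing decision. Applying it needs root.
MARK=0x4aa
TABLE=100
DEV=${DEV:-ppp1}        # assumed: the DSL link the VPN traffic should use
GW=${GW:-192.0.2.1}     # assumed: that link's gateway (documentation range)

# All three pieces must be present for the mark to change the egress link.
apply_fwmark_routing() {
    # 1. mark locally generated OpenVPN packets (same rule as in the thread)
    iptables -t mangle -A OUTPUT -p tcp --dport 1194 -j MARK --set-mark "$MARK"
    # 2. route marked packets through a table whose default route is $DEV
    ip rule add fwmark "$MARK" lookup "$TABLE" pref 100
    ip route add default via "$GW" dev "$DEV" table "$TABLE"
    # 3. the source address was chosen from the main table at connect() time,
    #    so rewrite it to $DEV's address or the upstream may drop it as spoofed
    iptables -t nat -A POSTROUTING -o "$DEV" -j MASQUERADE
}

# Print the token following "dev" in one line of `ip route get` output;
# prints nothing for error lines such as "RTNETLINK answers: ...".
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Ask the kernel which interface a packet carrying $MARK to $1 would use.
# `ip route get` honours the mark argument, so this checks the ip rule and
# the table without generating traffic.
check_mark_route() {
    route_dev "$(ip route get "$1" mark "$MARK" 2>/dev/null | head -n 1)"
}

# Succeeds only when the marked route really leaves on $DEV.
verify_mark_route() {
    [ "$(check_mark_route "$1")" = "$DEV" ]
}

# Constructed samples of what `ip route get` prints, for offline testing.
SAMPLE_ROUTE='198.51.100.7 via 192.0.2.1 dev ppp1 table 100 src 192.0.2.10 mark 0x4aa uid 0'
SAMPLE_UNREACHABLE='RTNETLINK answers: Network is unreachable'

# As root: apply_fwmark_routing && verify_mark_route 198.51.100.7 && echo ok
```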