If you have multiple interfaces on a router and want to send (for example) your web traffic (HTTP/80 and HTTPS/443) out a different interface than your default route, here is some information on how to do it.
Disappointingly, I thought this was a fairly simple ask, and in the end it has turned out to be a relatively small set of instructions, but it took a long time to find much information about it at all.
My scenario is that I have a router connected to the internet, and I also have a VPN to a USA-hosted VPN service. Given all this stupidity here in Australia with the “Great Australian Firewall” that the fool Senator Conroy is trying to implement, I wanted to practice redirecting web traffic out to the world via the VPN.
I use a SnapGear router, but the instructions are pretty much the same for any iptables-based router.
ip route flush table 200
ip rule del fwmark 0x50
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 80
ip route add table 200 default via 192.168.52.1
ip rule add fwmark 0x50 table 200
The first line flushes (empties) routing table 200, which is where we keep our special routing table. You can use any table number that is not already in use: 1 to 252 are free for local use, while 253 to 255 are reserved for the kernel's default, main and local tables.
The second line deletes any existing policy rule that sends packets marked 0x50 to a special table, so that re-running these commands does not leave a stale rule behind. It fails harmlessly if no such rule exists yet.
The next two iptables lines establish the rules for what gets to go out the auxiliary / secondary interface (in my case a VPN). Without explaining how iptables works in full: in the mangle table's PREROUTING chain I match any TCP packet whose destination port is 80 or 443, that is HTTP and HTTPS respectively, and set its firewall mark to 80, which is 0x50 in hex (the hex is important in a moment). The mark exists only inside this router's kernel; it is not written into the packet on the wire. Note also that PREROUTING only sees packets arriving from other hosts, so traffic the router itself generates is not marked; to route that the same way, add the same two rules to the mangle OUTPUT chain.
Next we add the default route to our special routing table (table 200). For the moment it holds only a default route, whose gateway is the IP address of the VPN endpoint. Because the table contains nothing but that default route, every marked packet is sent to the VPN gateway, even one destined for another local subnet. If that is not what you want, either exclude your local destination networks in the iptables match, or add throw routes for those prefixes to table 200 so the lookup falls through to the main table.
Finally we instruct the router to use the special routing table (table 200) for any packet marked 0x50 (which is 80 decimal). The rule is consulted before the main table, so marked packets take the VPN default route while everything else keeps using the normal one. Two practical notes: if the VPN service does not know your LAN addresses (it usually does not), add a MASQUERADE rule on the VPN interface so the traffic leaves with the VPN-assigned address; and on kernels that still keep a routing cache, finish with ip route flush cache so the new rule applies to flows that were already cached.
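As an added example that is not part of the original post (and not SnapGear's or any VPN vendor's code), here is the same policy routing written as a script that can be re-run without stacking duplicate iptables rules, and that also covers the cases the six commands above leave out: traffic the router itself originates (mangle OUTPUT), local destinations that must never be marked, and source NAT on the VPN interface. The mark 80/0x50, table 200 and gateway 192.168.52.1 are the post's values; the interface name tun0 and the LAN prefix 192.168.0.0/16 are assumptions. Without an argument it only prints the commands it would run; with apply it executes them.

```shell
#!/bin/sh
# Added example (not the original post's commands): idempotent HTTP/HTTPS
# policy routing through a VPN gateway on an iptables/iproute2 router.
# Values taken from the post: mark 80 (0x50), table 200, gateway 192.168.52.1.
MARK=80
TABLE=200
VPN_GW=192.168.52.1
VPN_IF=tun0            # ASSUMPTION: interface behind which the VPN gateway sits
LAN_NET=192.168.0.0/16 # ASSUMPTION: local prefixes that must never be marked
CHAIN=PBR_VPN          # private mangle chain; flushed on every run, so no duplicates
PORTS="80 443"         # HTTP and HTTPS

# iptables accepts the mark in decimal or hex; ip rule shows it in hex.
mark_hex() { printf '0x%x' "$1"; }

# Emit the command list (one per line) instead of executing it, so the plan
# can be reviewed or diffed before touching a live router.
pbr_cmds() {
  hex=$(mark_hex "$MARK")
  # 1. start clean: empty the table and drop a stale rule (harmless if absent)
  echo "ip route flush table $TABLE"
  echo "ip rule del fwmark $hex table $TABLE 2>/dev/null || true"
  # 2. one private chain, hooked from PREROUTING (forwarded traffic) and
  #    OUTPUT (traffic the router itself originates); hooked exactly once
  echo "iptables -t mangle -N $CHAIN 2>/dev/null || true"
  echo "iptables -t mangle -F $CHAIN"
  for hook in PREROUTING OUTPUT; do
    echo "iptables -t mangle -D $hook -j $CHAIN 2>/dev/null || true"
    echo "iptables -t mangle -A $hook -j $CHAIN"
  done
  # 3. mark HTTP/HTTPS, but never traffic for local networks: the special
  #    table holds only a default route, so a marked LAN packet would go to the VPN
  for p in $PORTS; do
    echo "iptables -t mangle -A $CHAIN -p tcp --dport $p ! -d $LAN_NET -j MARK --set-mark $hex"
  done
  # 4. source NAT on the VPN interface, since the VPN peer does not know the LAN
  echo "iptables -t nat -D POSTROUTING -o $VPN_IF -j MASQUERADE 2>/dev/null || true"
  echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
  # 5. the special table and the rule that selects it for marked packets
  echo "ip route add table $TABLE default via $VPN_GW dev $VPN_IF"
  echo "ip rule add fwmark $hex table $TABLE"
  echo "ip route flush cache"   # only matters on kernels that still have a route cache
}

# Execute the plan; sh -e stops at the first command that really fails.
apply_pbr() { pbr_cmds | sh -e; }

case "${1:-}" in
  apply) apply_pbr ;;
  *)     pbr_cmds ;;    # default: dry run, print what would be executed
esac
```

The private chain is what makes the script safe to run repeatedly on an old iptables that lacks the -C check option: the chain is flushed and refilled, and the single jump into it is deleted before being re-added. If the VPN sits on a plain Ethernet interface rather than a tun device, the dev keyword on the route is optional; and on iptables releases older than 1.4 the inverted destination match is written as -d ! network rather than ! -d network.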
UPDATE
For those looking for some information about applying these sorts of rules in an OpenVPN environment, have a look at Taiter Tech Blog.

Now I am able to access pandora.com easily, and even watch full-length episodes on CBS’s website (among other more legitimate uses).
Hi Troy,
Excellent how-to for this. I hope you don’t mind, but I took some of your information and ported it to a project I have been working on. I wanted to make OpenVPN send through an external interface, and basing it off of this worked!
So, thank you! This got my project out of a 5-day slump of trying to figure out what was going on with my server.
I put a link to this entry in my blog right where I used an adaptation of your code. You are welcome to check it out here: http://www.taiter.com/blog/2009/04/openvpn-firewall-and-routing-f.html
All the best, and thanks again.
-Tait