My question is basically the same as Only allow certain outbound traffic on certain interfaces.
I have two interfaces, eth1 (10.0.0.2) and wlan0 (192.168.0.2). My default route is for eth1. Let's say I want all HTTPS traffic to go through wlan0.
Now if I use the solution suggested in the other question, HTTPS traffic will go through wlan0, but will still have the source address of eth1 (10.0.0.2). Since this address is not routable for the wlan0 gateway, answers won't ever come back. The easy way would be to just set the bind address properly in the application, but in this case it is not applicable.
I figure I need to rewrite the src-addr:
# first mark it so that iproute can route it through wlan0
iptables -A OUTPUT -t mangle -o eth1 -p tcp --dport 443 -j MARK --set-mark 1
# now rewrite the src-addr
iptables -A POSTROUTING -t nat -o wlan0 -p tcp --dport 443 -j SNAT --to 192.168.0.2
Now tcpdump sees the outgoing packets just fine and incoming packets arrive for 192.168.0.2; however, they probably never end up in the application, because all I ever get to see is that the application is resending the SYN packet, although the SYN-ACK was already received.
So I thought, maybe I need to rewrite the incoming address too:
iptables -A PREROUTING -t nat -i wlan0 -p tcp --sport 443 -j DNAT --to 10.0.0.2
but that didn't work either. So I’m kind of stuck here. Any suggestions?
Best Answer
You're close.
The actual reason that the application isn't seeing the return traffic is because of the kernel's built-in IP spoofing protection. I.e., the return traffic doesn't match the routing table and is therefore dropped. You can fix this by turning off spoofing protection like this:
But I wouldn't recommend it. The more proper way is to create an alternate routing instance.
Make sure you have the iproute package installed. If you have the ip command then you're set (which it looks like you do, but if not get that first).
Edit /etc/iproute2/rt_tables and add a new table by appending the following line:
You then need to configure your new routing table named wlan-route with a default gateway and create rules to conditionally send traffic to that table. I'll assume your default gateway is 192.168.0.1. Naturally this needs to match your actual network, and not just my assumptions.
Your final annotated script would look like this:
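The procedure the answer describes (a named table in rt_tables, a default route in that table, rules that steer marked traffic into it, plus the mark and SNAT rules from the question), written out as an added example; this is not the answer's own script and not the original poster's. Addresses, interface names, the 192.168.0.1 gateway and the wlan-route table name come from the thread; the table id 100 and fwmark value 1 are my assumptions. Rather than switching spoofing protection off, it sets wlan0 to loose reverse-path mode (rp_filter=2), which is what the de-NATed replies need: by the time the kernel checks them their destination is already 10.0.0.2 again, so a strict check against the main table would still point at eth1 and drop them.

```shell
#!/bin/sh
# Added example, not the answer's or the question's own script: route HTTPS
# out of wlan0 with a source address its gateway can reach, using a second
# routing table instead of disabling spoofing protection outright.
# From the thread: eth1 10.0.0.2 (default route), wlan0 192.168.0.2,
# wlan0 gateway 192.168.0.1, table name wlan-route.
# My own assumptions: table id 100 and fwmark 1.
WAN_IF=${WAN_IF:-wlan0}
WAN_ADDR=${WAN_ADDR:-192.168.0.2}
WAN_GW=${WAN_GW:-192.168.0.1}
TABLE_NAME=${TABLE_NAME:-wlan-route}
TABLE_ID=${TABLE_ID:-100}
MARK=${MARK:-1}

# plan_policy_route prints the commands one per line, so the plan can be
# reviewed (or diffed against a previous run) before it is executed as root.
plan_policy_route() {
    cat <<EOF
grep -qs '^$TABLE_ID $TABLE_NAME\$' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables
ip route replace default via $WAN_GW dev $WAN_IF table $TABLE_NAME
ip rule add fwmark $MARK lookup $TABLE_NAME
ip rule add from $WAN_ADDR lookup $TABLE_NAME
ip route flush cache
iptables -t mangle -C OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARK
iptables -t nat -C POSTROUTING -o $WAN_IF -p tcp --dport 443 -j SNAT --to-source $WAN_ADDR 2>/dev/null || iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp --dport 443 -j SNAT --to-source $WAN_ADDR
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=2
EOF
}
# Line by line:
#  1. register the table name once (grep keeps re-runs from appending twice)
#  2. the alternate table only needs a default route via the wlan0 gateway
#  3. packets carrying the fwmark are looked up in that table (the kernel
#     re-routes locally generated packets after mangle/OUTPUT changes the mark)
#  4. anything already sourced from 192.168.0.2 also leaves via wlan0
#  5. drop cached routing decisions so the new rules take effect at once
#  6. mark outgoing HTTPS in mangle/OUTPUT (-C checks first, so it is idempotent)
#  7. rewrite the source to the wlan0 address once the packet is bound to wlan0
#  8. loose reverse-path check on wlan0: the reply is de-NATed to 10.0.0.2
#     before routing, so strict mode would match eth1 and drop it

# count_plan_steps returns the number of commands the plan would run.
count_plan_steps() {
    plan_policy_route | grep -c .
}

if [ "${APPLY:-0}" = 1 ]; then
    plan_policy_route | sh -e    # execute for real (needs root)
else
    plan_policy_route            # dry run: just show the steps
fi
```

Run it without arguments to print the plan, and with APPLY=1 as root to apply it. To confirm the steering before sending real traffic, `ip route get 203.0.113.1 mark 1` (a constructed destination) should report wlan0 as the device, while the same query without `mark 1` should still show eth1; `ip rule show` and `ip route show table wlan-route` display the rules and the table.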