Networking :: Route Eth2 TCP Packets To Tun0 With IPTABLES And IP RULE/ROUTE?

May 8, 2011

I have 3 network interfaces on my Linux router:

Interface - Gateway - Type


br0 - - Internet
eth2 - - LAN
tun0 - - VPN (via br0)

What I'd like to do is to route all TCP packets coming from eth2 to tun0, where a VPN client is running. If I delete all default routes and add a new route to tun0 like:


route del default
route add default gw

Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any protocol other than TCP. And I also want to allow VPN access only to eth2, not to any other LAN nor the router itself. So I want to use iptables to filter all TCP packets and mark them, so they can be sent to tun0, while all other packets can reach the Internet via br0 (I found on the Internet that we can mark packets before they get routed), using the following commands:


iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via dev tun0
ip rule add fwmark 0x55 table 300

First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine: all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all following the "route -n" rules... and not the "table 300" rule I have created.

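A complete version of the fwmark setup the post describes, written here as an added example (these are not the poster's commands): it marks TCP forwarded from the LAN interface, gives the extra table its own default route, relaxes reverse-path filtering, adds the source NAT the tunnel needs, and then asks the kernel which route a marked packet would take. The interface names, table 300 and mark 0x55 come from the post; the LAN subnet 192.168.2.0/24, the LAN test host 192.168.2.10 and the TEST-NET-3 destination are assumptions, since the addresses are not on the page. With DRY_RUN=1 it prints the commands instead of running them, so the plan can be reviewed before running it as root.

```shell
#!/bin/sh
# Added example, not from the original post: send TCP forwarded from the LAN
# interface out through the VPN tunnel with fwmark policy routing, and verify
# the routing decision. Assumed values: LAN interface eth2, tunnel tun0,
# table 300, mark 0x55 (decimal 85), LAN subnet 192.168.2.0/24. Set DRY_RUN=1
# to print the commands instead of executing them.

LAN_IF=${LAN_IF:-eth2}
VPN_IF=${VPN_IF:-tun0}
TABLE=${TABLE:-300}
MARK=${MARK:-0x55}
LAN_NET=${LAN_NET:-192.168.2.0/24}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Mark TCP arriving on the LAN interface. mangle PREROUTING runs before the
# routing decision, so the mark is visible to 'ip rule'. UDP and ICMP stay
# unmarked and leave via br0, which is what the post asks for; note that this
# also means the LAN's DNS queries bypass the VPN.
mark_lan_tcp() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -j MARK --set-mark "$MARK"
}

# A fwmark rule only selects WHICH table is consulted; that table must hold a
# default route of its own or the lookup falls through to the main table,
# which shows up as "packets still follow route -n". On older kernels the
# route cache must be flushed after rules or tables change.
policy_route_via_vpn() {
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
    run ip route flush cache
}

# Forwarded LAN traffic leaving on tun0 needs its source rewritten to the
# tunnel address unless the VPN side routes the LAN subnet back to this box.
nat_via_vpn() {
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Strict reverse-path filtering (rp_filter=1) drops packets whose reply path
# differs from the main-table route, which policy routing does by design.
# Loose mode (2) keeps an anti-spoofing check but tolerates this.
relax_rp_filter() {
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    mark_lan_tcp
    policy_route_via_vpn
    nat_via_vpn
    relax_rp_filter
}

# Diagnostics: 'ip route get' accepts iif and mark, so the kernel can be asked
# which route a marked versus an unmarked LAN packet would take without
# sending any traffic. 203.0.113.1 is a TEST-NET-3 placeholder destination.
show_decisions() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get 203.0.113.1 from 192.168.2.10 iif "$LAN_IF" mark "$MARK"
    run ip route get 203.0.113.1 from 192.168.2.10 iif "$LAN_IF"
    run iptables -t mangle -L PREROUTING -v -n
}

case "${1:-}" in
    apply) apply_all && show_decisions ;;
esac
```

Run it as `sh fwmark-vpn.sh apply`: the first `ip route get` should answer with `dev tun0` and the second with the br0 path. Once the bare `-p tcp` match is seen counting packets in the `-L -v` output, a `--dport 80` match can be added back to the same rule to narrow it.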


Networking :: Route Internet Traffic Over Tun0?

Mar 28, 2010

I have eth0 and tun0. tun0 is a VPN tunnel going over eth0. Everything on the other end is set up and working fine. When I type traceroute, I see the ping is going over (eth0). When I then type route add -net netmask dev tun0 and traceroute, I see the ping is going over (tun0) instead of eth0, so that is working.

What does not work, however, is when I do route add -net netmask dev tun0 and traceroute: I get no ping! I believe the problem is that all traffic is routing over tun0, which means even the VPN (tun0) needs to go through eth0, and it can no longer do this. Is there a way around this where I can route everything except for (which is my VPN gateway for tun0)?

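The standard way out of the problem in this post, as an added example (not the poster's commands): pin the VPN endpoint to the physical path with a host route, then cover the whole address space with two /1 routes through the tunnel instead of replacing the default. This is what OpenVPN's "redirect-gateway def1" option does. The addresses are assumptions because the post's are not on the page: 203.0.113.10 (TEST-NET-3) stands for the VPN server, 192.0.2.1 for the original gateway in the test, eth0 and tun0 come from the post. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: send all traffic through the VPN
# tunnel while keeping the tunnel endpoint itself reachable over the physical
# link. Assumed values: VPN server 203.0.113.10 (TEST-NET-3 placeholder),
# physical interface eth0, tunnel interface tun0. The pre-VPN default gateway
# is read from the main table unless OLD_GW is set. DRY_RUN=1 prints the
# commands instead of executing them.

VPN_SERVER=${VPN_SERVER:-203.0.113.10}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
OLD_GW=${OLD_GW:-}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Current default gateway, from a line such as "default via 192.0.2.1 dev eth0".
detect_gateway() {
    ip -4 route show default 2>/dev/null | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# 1. A /32 host route pins the VPN endpoint to the physical path. Longest
#    prefix wins, so it is unaffected by whatever default routes follow.
# 2. Two /1 routes together cover every IPv4 address and are more specific
#    than the existing /0 default, so the old default can stay in place and
#    the change is undone by deleting the /1s.
# Replacing the /0 default itself (what the post tried) removes the path the
# encapsulated tunnel packets need, so the tunnel starves and nothing flows.
route_all_via_vpn() {
    gw=${OLD_GW:-$(detect_gateway)}
    if [ -z "$gw" ]; then
        echo "no default gateway found; set OLD_GW" >&2
        return 1
    fi
    run ip route replace "$VPN_SERVER/32" via "$gw" dev "$WAN_IF"
    run ip route replace 0.0.0.0/1 dev "$VPN_IF"
    run ip route replace 128.0.0.0/1 dev "$VPN_IF"
}

undo_route_all_via_vpn() {
    run ip route del 0.0.0.0/1 dev "$VPN_IF"
    run ip route del 128.0.0.0/1 dev "$VPN_IF"
    run ip route del "$VPN_SERVER/32"
}

# Check: the endpoint must resolve to the physical interface and an arbitrary
# destination (198.51.100.7, TEST-NET-2 placeholder) to the tunnel.
verify() {
    run ip route get "$VPN_SERVER"
    run ip route get 198.51.100.7
}

case "${1:-}" in
    up)   route_all_via_vpn && verify ;;
    down) undo_route_all_via_vpn ;;
esac
```

The host route must be added before the /1 routes; in the other order the tunnel loses its underlay for the instant between the two commands, which is enough to drop an active VPN session.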

Networking :: Set A Route For Eth1 - DHCP Clients - To Reach Tun0 - Openvpn Server - CentOS

Sep 21, 2010

I have openvpn tunnel setup between two CentOS servers. One of the CentOS servers also acts as a DHCP server for some client computers.

Server A= OpenVPN server
Server B= OpenVPN client (connects to Server A with OpenVPN)

The two CentOS servers can ping each other via tun0.

However, a client computer connected to Server B (the DHCP server) can't reach (which is the OpenVPN server).

I think I am missing some routing in my "ip route show". Following is the full picture:

What command can I issue to get this fixed? something along ip route add?

There is no firewall service on either end (service iptables stop)! I can't bridge eth1 and tun0, as the DHCP server might mess up the other side. I can't push "redirect-gateway def1" because then the clients lose their IP, as they send DHCP requests to Server A.

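The piece missing from the picture in this post is usually the return path: Server A receives the echo request that Server B forwards over tun0, but A has no route back to B's LAN, so the reply leaves through A's default gateway. Below is an added example (not the poster's configuration) of supplying that route on Server A, both as a kernel route and as OpenVPN configuration that survives restarts. All addresses are assumptions, because the post's are not on the page: Server B's tunnel address 10.8.0.2, B's eth1 LAN 192.168.50.0/24, /etc/openvpn/ccd as the client-config directory and "serverB" as the common name of B's certificate. It carries a small CIDR-to-netmask converter because OpenVPN's route and iroute directives take dotted masks.

```shell
#!/bin/sh
# Added example, not from the original post: give the OpenVPN server (Server A)
# a return route to the LAN behind the OpenVPN client (Server B). Assumed
# values: Server B's tunnel address 10.8.0.2, B's eth1 LAN 192.168.50.0/24,
# OpenVPN client-config directory /etc/openvpn/ccd, B's certificate CN
# "serverB". DRY_RUN=1 prints instead of applying.

B_TUN_ADDR=${B_TUN_ADDR:-10.8.0.2}
B_LAN=${B_LAN:-192.168.50.0/24}
CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}
CLIENT_CN=${CLIENT_CN:-serverB}
SERVER_CONF=${SERVER_CONF:-/etc/openvpn/server.conf}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# OpenVPN's route/iroute directives take "network netmask", not CIDR.
# Pure-shell conversion: build the 32-bit mask arithmetically, print dotted.
# 192.168.50.0/24 -> 255.255.255.0, 10.0.0.0/27 -> 255.255.255.224.
cidr_to_mask() {
    case $1 in */*) ;; *) echo "expected a.b.c.d/len" >&2; return 1 ;; esac
    bits=${1#*/}
    mask=$(( 0xffffffff ^ ((1 << (32 - bits)) - 1) ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

net_of() { echo "${1%/*}"; }

# Step 1, the kernel route: without it A's replies to 192.168.50.x follow A's
# default route and never reach the tunnel. This alone is enough for a
# static-key point-to-point tunnel.
kernel_route_on_a() {
    run ip route replace "$B_LAN" via "$B_TUN_ADDR" dev tun0
}

# Step 2, for a tunnel built with the "server" directive: the daemon keeps its
# own map of which client owns which network and discards packets for unknown
# destinations even after the kernel has handed them to tun0. "route" in
# server.conf installs the kernel route at startup; "iroute" in the client's
# ccd file tells the daemon that this client owns the LAN.
server_conf_lines() {
    printf 'route %s %s\nclient-config-dir %s\n' \
        "$(net_of "$B_LAN")" "$(cidr_to_mask "$B_LAN")" "$CCD_DIR"
}

ccd_lines() {
    printf 'iroute %s %s\n' "$(net_of "$B_LAN")" "$(cidr_to_mask "$B_LAN")"
}

install_openvpn_config() {
    run mkdir -p "$CCD_DIR"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "# append to $SERVER_CONF:"; server_conf_lines
        echo "# write to $CCD_DIR/$CLIENT_CN:"; ccd_lines
    else
        server_conf_lines >> "$SERVER_CONF"
        ccd_lines > "$CCD_DIR/$CLIENT_CN"
    fi
}

# Server B itself still needs net.ipv4.ip_forward=1 and must be the default
# gateway its DHCP clients receive; neither requires redirect-gateway.

case "${1:-}" in
    apply) kernel_route_on_a && install_openvpn_config ;;
esac
```

After restarting OpenVPN on Server A, `ip route get 192.168.50.5` on A should answer `via 10.8.0.2 dev tun0`, and the OpenVPN log should show the iroute being learned when serverB connects.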

Networking :: Route Packets Across NICS's?

Mar 11, 2010

I have two NIC interfaces on my Linux machine (eth1 and eth2). Each has a different IP address. These two interfaces are connected together through a hub. Here is my question:

1) If I 'ping', it should go out through network interface eth2, through the hub, and enter on eth1, and the response should also travel in a similar way.

2) If I 'ping', it should go out through network interface eth1, through the hub, and enter on eth2.

How can I set up the routing table for this? I have tried setting up routing and iptables, etc., but nothing helped.

If anyone is a good router/networking guy, you should know this one. I am doing a project, and I want to handle it this way.


Networking :: Sending Packets To The Local Interface Through A Route?

Oct 13, 2010

I want to build a topology of this kind:

|eth0 (a.a.a.a) |
Linux PC |<----------------> | ROUTER
|eth1 (b.b.b.b) |

The Linux machine has two interfaces, eth0 (a.a.a.a) and eth1 (b.b.b.b), connected to two interfaces of a router. Now, if I send any packet destined to b.b.b.b from the a.a.a.a interface on the Linux machine, it should take the following path: eth0 -> router -> eth1, and the same vice versa.


Networking :: Route (forward) Packets In Promiscuous Mode?

Sep 16, 2010

I need to route packets coming from a standalone switch port which is a mirror ("tap") of another port ("source"). I can't seem to forward packets whose MAC address is for a different device (the actual "target" of "source"). My device is in promisc mode; I can see the incoming packets in tcpdump and Wireshark. The only packets which get forwarded are those which have my MAC as the destination address (I changed the wiring to come straight from source and not the mirror port, to get "my" MAC address in the packet). My routing table is configured to forward and I have ip_forwarding enabled, obviously (otherwise packets sent to my MAC wouldn't route). By the way, the incoming packets are all VLAN tagged and I have matching subinterfaces.

Q1 - is this inherent, that packets won't get "passed up" to the IP layer unless the MAC addresses match?

Q2 - Would ebtables be a good solution, i.e. rewrite the dest MAC address to my own MAC addr and send to the INPUT target?


Networking :: Route-eth - Adding A Static Route?

Apr 29, 2009

I would like to add a static route; however, I do not understand what is meant by the Address setting below.


Does this mean any addresses beginning with are routed over the gateway, an address range?


Networking :: Route Type Unreachable Overriding Local Packet Generation For Marking Packets

Jun 16, 2010

My issue is with Linux routing tables using iproute2, coupled with the iptables MARK target. When I create a rule to look up a table with iproute2, and the routing table routes an address as type unreachable (or blackhole, or prohibit), and a higher-priority rule does a lookup in another table that routes the address as type unicast, but that higher-priority rule also matches on a fwmark, then the packet to that address is never generated locally to even go through iptables packet filtering/mangling in order to mark it, because the lower-priority rule that doesn't match on a fwmark says it's unreachable. For example, I have 2 rules installed with ip:


10: from all fwmark 0x1000 lookup routeit
20: from all lookup unreach
ip route list table routeit


Now, in the packet filter, I have an iptables rule to mark packets to destination with 0x1000 in the mangle table and OUTPUT chain. When I generate a packet locally to, all programs get ENETUNREACH (tested with strace). However, if I take out the route entry that is unreachable, it all works fine and the routes in the routeit table get applied to marked packets (I know because my default gateway would not be, but Wireshark shows packets being sent to the MAC address of).

The best I can surmise is that when generating a packet locally, the kernel tests the routing tables in priority order but without any mark to see if it is unreachable/blackhole/prohibit, and doesn't even bother generating the packet and traversing iptables rules to see if it would eventually be marked and thus routed somewhere. Then I assume after that step, it traverses iptables rules, then traverses the routing tables again to find a route. So is there any way around this behavior besides adding fake routes to the routing table (e.g. routing to dev lo in the unreach table in this example)?


Networking :: Setup Multi-Path Route Iptables ?

Jun 14, 2010

Here's my scenario:

I want it so any inbound traffic from the DSL goes back out the DSL, and the same for Rogers. I've been searching and playing with many docs with no luck.

Anyone know how I do this? The multiple routes are on the same device br0. (which I think is causing all my havoc)


Networking :: Using Iptables To Route/forward To Identical LANs?

Jul 18, 2011

The goal is to make connection calls (ssh, ping, ...) possible from one LAN (LAN-1) to a number of (at the moment two) separate smaller LANs. These smaller LANs (LAN-2a, LAN-2b, ...) have the exact same specifications (same IP range, same number of nodes, ...)! The idea is to use a Fedora box (release 14) and implement appropriate iptables routing/forwarding. The Fedora box has three network interfaces:

- eth0 (aaa.bbb.ccc.m) on LAN-1 (aaa.bbb.ccc.0/24)
- eth1 (ddd.eee.fff.n) on LAN-2a (ddd.eee.fff.0/27)
- eth2 (ddd.eee.fff.p) on LAN-2b (ddd.eee.fff.0/27)


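One way to reach two LANs that share the same prefix, as an added example (not the poster's configuration): LAN-1 is given a distinct alias prefix for each LAN-2 segment, NETMAP rewrites the alias to the real prefix 1:1 (host bits preserved), and a fwmark set on the alias destination before NAT selects the outgoing interface, because the kernel's main table cannot hold the same connected prefix twice without ambiguity. Every address is an assumption, since the post only shows placeholders: the real LAN-2 prefix is taken as 192.168.0.0/27 with the Fedora box at .30 on eth1 and .29 on eth2, the alias prefixes as 10.20.1.0/27 and 10.20.2.0/27, and LAN-1 on eth0. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: reach two overlapping LANs from
# LAN-1 by giving each a distinct alias prefix, translating 1:1 with NETMAP,
# and picking the interface with fwmark policy routing. Assumed values: LAN-1
# on eth0; real LAN-2 prefix 192.168.0.0/27 on both eth1 (LAN-2a, box address
# .30) and eth2 (LAN-2b, box address .29); aliases 10.20.1.0/27 (LAN-2a) and
# 10.20.2.0/27 (LAN-2b). DRY_RUN=1 prints the commands instead of running them.

LAN1_IF=${LAN1_IF:-eth0}
REAL_NET=${REAL_NET:-192.168.0.0/27}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# One call per LAN-2 segment: alias prefix, real interface, mark (also used as
# table id and rule priority), box address on that segment.
#  1. mangle PREROUTING runs before nat PREROUTING, so the mark is keyed on the
#     alias (pre-NAT) destination, which is the only thing that tells the
#     segments apart.
#  2. NETMAP rewrites the network part only: 10.20.1.5 -> 192.168.0.5.
#  3. The fwmark selects a per-interface table holding the real prefix on the
#     right interface; the main table has it twice and cannot decide.
#  4. SNAT to the box's own address on that segment, so LAN-2 hosts reply to a
#     directly connected address even without a default gateway. Conntrack
#     reverses both translations on the way back.
#  5. FORWARD stays closed except for LAN-1-initiated flows and their replies.
publish_segment() {
    alias_net=$1; real_if=$2; mark=$3; box_addr=$4
    run iptables -t mangle -A PREROUTING -i "$LAN1_IF" -d "$alias_net" -j MARK --set-mark "$mark"
    run iptables -t nat -A PREROUTING -i "$LAN1_IF" -d "$alias_net" -j NETMAP --to "$REAL_NET"
    run iptables -t nat -A POSTROUTING -o "$real_if" -d "$REAL_NET" -j SNAT --to-source "$box_addr"
    run ip route replace "$REAL_NET" dev "$real_if" src "$box_addr" table "$mark"
    run ip rule add fwmark "$mark" lookup "$mark" priority "$mark"
    run iptables -A FORWARD -i "$LAN1_IF" -o "$real_if" -d "$REAL_NET" -j ACCEPT
    run iptables -A FORWARD -i "$real_if" -o "$LAN1_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

setup_all() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    publish_segment 10.20.1.0/27 eth1 101 192.168.0.30
    publish_segment 10.20.2.0/27 eth2 102 192.168.0.29
}

# Check: a marked lookup for a real LAN-2 address must land on the interface
# that mark belongs to (eth1 for 101, eth2 for 102).
verify() {
    run ip route get 192.168.0.5 mark 101
    run ip route get 192.168.0.5 mark 102
}

case "${1:-}" in
    apply) setup_all && verify ;;
esac
```

From LAN-1, `ssh 10.20.1.5` then reaches host .5 on LAN-2a and `ssh 10.20.2.5` host .5 on LAN-2b; the two segments never see each other's addresses, and nothing on either LAN-2 can open a connection into LAN-1 unless a further FORWARD rule allows it.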

Networking :: Definition: "a Process That Replaces A Series Of Related, Specific Routes In A Route Table With A More Generic Route"

Oct 21, 2010

I got this definition: "a process that replaces a series of related, specific routes in a route table with a more generic route." Honestly, I found it not so clear. I want to know if this definition is correct, and also more details about this subject.


Ubuntu Networking :: Error - "route: Netmask Does Not Match Route Address"

Jan 25, 2011

Having trouble getting my Netgear WNA1000 working through my wireless router. Have tried lots of suggestions from other threads to no avail. Someone suggested that the routing table isn't set correctly, so I have been trying to use the following to make the proper entry in the routing table: sudo route add -net netmask dev wlan0

Result: error message starting with:
"route: netmask does not match route address"

followed by "Usage" instructions which tell me to do what I just did. Any ideas on how I can populate my routing table with the correct entry for my wireless card? Not to complicate matters, but I temporarily turned off encryption on my router to eliminate that as a possibility until I get connected. So maybe it's still trying to connect via encrypted mode; do I need to turn off encryption on my (client) end?


Networking :: IPtables: Route Outgoing Traffic From Internal Host To Only Go A Internet Interface?

Nov 21, 2010

My Ubuntu box has 3 interfaces: eth0 (Internal), (External ISP DHCP), eth2 (External ISP Static IP). I need the outgoing traffic to the Internet for 1 of the internal PCs ( to only go through eth2.


Ubuntu Security :: Drop Igmp Port 0 Packets With Iptables Rule?

Jan 3, 2011

How can I drop IGMP port 0 packets with an iptables rule? My log file is full of this router advertisement.


Ubuntu Networking :: Ufw Blocking RST Packets When Rule Show Allow It?

Aug 30, 2010

I've set up ufw rules on my system but noticed that the rule I created to allow traffic from my local network is still dropping some RSTs. Part of the output of dmesg:

[43627.361500] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2210 PROTO=TCP SPT=59521 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0



Networking :: How To Add A Route And Keep It

Jan 19, 2009

I have a server in the office and when I need to connect via cable I have to start up a root terminal and type in:

route add -net gw dev eth0

Is there a way to have this saved so I don't have to re-type it every time ? I already tried adding the command in /etc/rc.local and also in /etc/network/interfaces but it doesn't.


Networking :: How To Route Traffic To The Vpn

May 11, 2010

I've successfully connected to my VPN with kvpnc, but none of my traffic is going through the VPN! I don't know how to route traffic to the VPN. For instance, when I go to, it still has my previous IP.


Networking :: No Route To Host

Aug 21, 2009

I use linux.

I have below error, no route to host.


Networking :: Route Add -net Netmask Gw

May 31, 2010

route add -net netmask gw: the -net, is it for the IP address of the client/host? man route says "target is a network". What does it mean?


Networking :: Route Two Pc's - Communicate To Each Others

Dec 3, 2010

I'm using Fedora 9 and have finished setting up DHCP for my eth2 and a static address on eth0. I would like to add a route so that the 192.168.22.x network on eth0 and the 192.168.26.x network on eth2 can communicate with each other.


Networking :: What Does Route Command Do

Mar 16, 2011

What does it do? Any examples on how I use it?


Ubuntu Security :: Set A Rule In Iptables, Does That Rule Also Apply To Ipv6, Or Just Ipv4?

Jul 16, 2010

Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?

2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?

3. Do ip6tables rules have the same syntax and behavior (more or less) as iptables rules, i.e. can I just copy my iptables rules and change "iptables" to "ip6tables"?

4. Any gotchas or issues that I should be aware of?

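iptables rules govern IPv4 only, so a host with an IPv6 address and only iptables configured is unfiltered on IPv6. The script below is an added example (not from the post) of applying one inbound policy with both tools: the rules whose syntax is identical are written once and fed to either tool, and the family-specific part shows the gotcha a literal copy misses, which is that IPv6 does not function if ICMPv6 is dropped wholesale. The policy itself is an assumption for the example: accept loopback, established/related and SSH from an admin network, drop the rest; 192.0.2.0/24 and 2001:db8::/32 are documentation placeholders for that network. DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: apply one host-firewall policy
# with both iptables (IPv4) and ip6tables (IPv6). Assumed policy: accept
# loopback, established/related, SSH (22) from an admin network
# (192.0.2.0/24 and 2001:db8::/32 are placeholders), drop other inbound.
# DRY_RUN=1 prints the commands instead of applying them.

ADMIN_V4=${ADMIN_V4:-192.0.2.0/24}
ADMIN_V6=${ADMIN_V6:-2001:db8::/32}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Rules with identical syntax in both families: $1 is the tool, $2 the admin
# network in that family. The INVALID drop also handles the stray RST case:
# a RST for a connection conntrack no longer knows is INVALID, not NEW.
common_input_rules() {
    tool=$1; admin_net=$2
    run "$tool" -A INPUT -i lo -j ACCEPT
    run "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$tool" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run "$tool" -A INPUT -p tcp --dport 22 -s "$admin_net" -j ACCEPT
}

# Default policy is set last, so an existing SSH session is already covered
# by the ESTABLISHED rule when the default becomes DROP.
lock_down() {
    run "$1" -P INPUT DROP
}

# IPv4: answering echo requests is a choice; rate-limited here.
ipv4_specific_rules() {
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
}

# IPv6 cannot work without ICMPv6: neighbour discovery replaces ARP, router
# advertisements assign addresses, Packet Too Big carries path MTU. ND
# messages are always sent with hop limit 255 (RFC 4861), so ND that arrives
# with any other hop limit was forwarded from off-link and is rejected by the
# hl match. These go before the INVALID drop so conntrack's view of ND never
# matters.
ipv6_specific_rules() {
    for t in neighbour-solicitation neighbour-advertisement router-advertisement; do
        run ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    for t in packet-too-big time-exceeded parameter-problem destination-unreachable; do
        run ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    run ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
}

apply_both() {
    ipv4_specific_rules
    common_input_rules iptables "$ADMIN_V4"
    lock_down iptables
    ipv6_specific_rules
    common_input_rules ip6tables "$ADMIN_V6"
    lock_down ip6tables
}

case "${1:-}" in
    apply) apply_both ;;
esac
```

Verify both families afterwards with `iptables -L INPUT -v -n` and `ip6tables -L INPUT -v -n`; the ND counters should climb within seconds on any IPv6-enabled segment, which is a quick way to confirm the ICMPv6 rules are matching.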

Ubuntu Networking :: How To Add Route Mask

Mar 11, 2010

How can I add this to Ubuntu so that I can effectively use both networks connected to my machine. All I do in WinXP is run this from the command prompt: route -p add mask


Ubuntu Networking :: Re-route Audio Over Lan?

Apr 12, 2010

How would I go about re-routing the audio of a Jaunty PC, to another on the same LAN?


Networking :: Can Ssh From A Computer But Not Into It - No Route To Host

Apr 11, 2010

I have 3 computers on a local home network. Computer 1 is not receiving incoming anything from other computers on the network, and I don't know why. The regular internet works fine.

Computer 1 can ping and ssh into either 2 or 3. 2 can ping and ssh into 3 and vice versa. But nothing can ping OR ssh into 1. Trying to do so says "no route to host".

All computers are running Ubuntu Karmic.


Networking :: Route 2 Subnets Between 2 Routes?

Oct 28, 2010

I have a Cisco/Linux-related problem with 2 Class C subnets: -> PC5 -> PC6

Here's a picture of my situation: [URL]

HQ has to have 2 STATIC routes in order for those 2 "PCs" mentioned above to have end-to-end connectivity with NETWORK A and NETWORK B. Now I try with

route0 -> network:, mask:, nexthop: Serial 0/0/0
route1 -> network:, mask:, nexthop: Serial 0/0/1

And it seems to work, but I don't think it's proper! I feel it's kinda wrong... but all my other attempts to set another pair of static routes end in "Request timed out" and thus connection lost.


Networking :: Ip Route Mtu Doesn't Work?

Feb 26, 2010

I'm trying to troubleshoot some networking issues I'm having between my Linux servers connecting to a server at another location after a Cisco ASA firewall was installed at my location. I can make the connection work if I lower the MTU on the NIC (ifconfig eth0 mtu 1000); however, that supposedly can break the local network if I don't set everything else's MTU to match. Supposedly I can use the iproute package (Debian etch) to lower the MTU on a per-route basis, but it doesn't seem to work for me.

ip route delete default
ip route add default via X.X.X.X mtu 1000


Networking :: No Route To Host - Put Can Ping?

May 9, 2011

I have a server that I can ping, and I can connect remotely with ssh to it. But when I try to connect to Apache (port 80) I get "no route to host". But I can connect to localhost. It's not just my client system that is having this problem but also systems that are on the same subnet. There is no firewall running on the server. route on the server:



Networking :: Route Add With Specific Interface?

Apr 18, 2009

I have an Asterisk-server with 2 interfaces, a WAN-interface (eth1) and a LAN-interface (eth0).

SETUP : IAX-provider(internet) --> firewall --> Asterisk-server --> switch --> clients_on_LAN

So everything coming from the IAX-provider on port 4569 is forwarded to the Asterisk-server's WAN-interface (eth1). This then needs to be routed to an internal SIP-phone (an IVR-system will define which one) via eth0. When a call is initiated from an internal SIP-phone (they register to the IP-address assigned to eth0), it needs to be routed via eth1 to the gateway ( Asterisk will set up an IAX-channel on the WAN-interface (eth1) to the IAX-provider (via the gateway). So... will this work:


route add -net ip_IAXprovider netmask gw dev eth1


route add -net netmask dev eth0 (no gateway needed for the LAN-interface, communications to the gateway need to go via the WAN-interface !)


Networking :: Sendmail - No Route To Host ?

Feb 22, 2011

We have a Red Hat Linux server that sends email out daily. It points to an Exchange server for SMTP. It works fine; however, at least once a day an email will fail, and in the maillog I see "No route to host". After a few minutes, everything is working fine again. The Linux server and Exchange are on the same VLAN and IP subnet.


Copyrights 2005-15, All rights reserved