On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:
> To test, keep it simple -- try with just one IP directly specified in
> the rule
>
> # iptables -t mangle -I OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 200
>
> (to work locally this has to be in the OUTPUT chain -- see below)
>
> # ip rule

On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:
> The manpage is probably referring to routing of received and forwarded
> packets, not outgoing packets.
>
> As far as I know, PREROUTING chain is traversed by packets coming in
> from the network, not by locally generated packets. So if

On Thu, Oct 15, 2015 at 8:20 AM, Hongyi Zhao wrote:
> 2- With the route in table openvpn:
>
> $ ip route show table openvpn
> default via 10.211.1.34 dev tun-gfwlist
>
> This time the following command will give nothing:
>
>
> $ traceroute 8.8.8.8
> traceroute to 8.8.8.8

On Wed, Oct 14, 2015 at 4:42 AM, Hongyi Zhao wrote:
> On Wed, 14 Oct 2015 02:05:38 -0400, Selva Nair wrote:
>
> > This should work for forwarded packets, but for locally generated
> > traffic you will need to mangle them in the OUTPUT chain.
>
> I've tried with the OUTPUT

On Tue, Oct 13, 2015 at 10:23 PM, Hongyi Zhao wrote:
>
> 2- Using iptables to set the mark value 200 for all of the traffic
> which is destined for google.com:
>
> $ sudo iptables -t mangle -A PREROUTING -m set --match-set openvpn-test dst -j MARK --set-mark 200
>

On Wed, 14 Oct 2015 02:05:38 -0400, Selva Nair wrote:
> This should work for forwarded packets, but for locally generated
> traffic you will need to mangle them in the OUTPUT chain.
I've tried with the OUTPUT chain, but still it failed for me to access
google.com via openvpn.
The traceroute to

Hi,
On Wed, Oct 14, 2015 at 08:42:08AM +, Hongyi Zhao wrote:
> I've tried with the OUTPUT chain, but still it failed for me to access
> google.com via openvpn.
I think your approach is a bit too complicated - why bother with marking
anyway? "ip rule" can apply directly to destination