Hello List,

I have this setup:

hosta  <--> hostb  <-->  hostc

Hosta and hostc are not directly connected via tinc. But both are connected via hostb (I called my network tincnet). This works fine: I can ssh from hosta to hostc and vice versa without any problems.

hostc is in a whitelisted iprange at some service provider.

I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.

I added the iptables mangle rule to mark all traffic to ipaddressx at port 700.

-A OUTPUT -p 6 -m tcp -d ipaddressx --dport 700 -j MARK --set-mark 0x1

I added:
    ip route add default via iphostc dev tincnet table hostc
    ip rule add fwmark 1 table hostc

Now when I try this:

traceroute -T -n ipaddressx -p 700

The route goes via the ip of hostb and not via the ip of hostc as I would have expected. If I remove the iptables rule the route goes directly via the ip of hosta. So the mangle rule and ip rule lines are okay I think. Of course I also checked this via telnet ipaddressx 700 and watched via tcpdump what happened on hostb and hostc.

A weird thing is when I try the add route with any ip in the tincnet subnet the route gets added even if that ip is not in use and all traffic still goes via the ip of hostb, i.e.: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table hostc

Does anyone know what is happening here?

Is it tincd at hostb that intercepts the traffic actually meant for hostc and thinks it's meant for hostb and rewrites stuff automatically? Or am I missing something in the ip route / ip rule part?

I am using tinc a lot, but so far it was between tinc nodes that are also directly connected, and I never had this problem before.

If I just use iptables on hosta and hostc with nat and prerouting it works fine. I just tell iptables on hosta that all traffic to ipaddressx has to be DNATed to hostc and at hostc I just DNAT this to the destination ip.

But I really would like to understand how to do this the mangle/fwmark and ip route / ip rule way.

hosta is centos 7 tinc 1.0.31
hostb is centos 5 tinc 1.0.25
hostc is centos 5 tinc 1.0.13

I hope someone can help me on my way.


Hans de Groot
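Added example, not part of the original mail: the mark -> rule -> table setup described above as a small script for hosta, together with the checks I would run before blaming tinc. The addresses are constructed placeholders for ipaddressx and hostc's tinc address, and the table name hostc is assumed to be defined in /etc/iproute2/rt_tables (e.g. a line "100 hostc"); without that entry "table hostc" is rejected by ip(8). One caveat that fits the observation that any ip in the tincnet subnet works as "via": on a tun device in tinc's router mode the next node is chosen from the packet's destination address against the Subnet declarations, not from the kernel's gateway address, so "ip route get ... mark 0x1" only tells you what the kernel decided, not which tinc node the packet reaches.

```shell
#!/bin/sh
# Added example (not from the original post): fwmark policy routing on hosta
# plus verification. Placeholders: ipaddressx, hostc's tinc address, tincnet.
# Assumes /etc/iproute2/rt_tables contains "100 hostc".
IPADDRESSX="${IPADDRESSX:-192.0.2.10}"   # constructed stand-in for ipaddressx
IPHOSTC="${IPHOSTC:-10.0.0.3}"           # constructed stand-in for hostc's tinc ip
TINCDEV="${TINCDEV:-tincnet}"
TABLE="${TABLE:-hostc}"
MARK=0x1

setup_policy_routing() {
    # 1. mark TCP packets to ipaddressx:700 as they leave this host
    iptables -t mangle -A OUTPUT -p tcp -d "$IPADDRESSX" --dport 700 \
        -j MARK --set-mark "$MARK"
    # 2. a separate table whose only route points into the tunnel
    ip route add default via "$IPHOSTC" dev "$TINCDEV" table "$TABLE"
    # 3. marked packets consult that table (keyword is "fwmark", not "from fwmark")
    ip rule add fwmark "$MARK" table "$TABLE"
}

# Text checks over `ip rule show` and `ip route show table $TABLE` output,
# so they also work on output captured from another host.
has_mark_rule() {      # stdin: output of `ip rule show`
    grep -q "fwmark $MARK lookup $TABLE"
}
has_table_default() {  # stdin: output of `ip route show table $TABLE`
    grep -q "^default via $IPHOSTC dev $TINCDEV"
}

verify_policy_routing() {
    ip rule show | has_mark_rule || { echo "no fwmark rule present"; return 1; }
    ip route show table "$TABLE" | has_table_default \
        || { echo "no default route in table $TABLE"; return 1; }
    # The kernel's routing decision for a marked packet (should show the
    # table's route) and for an unmarked one (should show the main table).
    ip route get "$IPADDRESSX" mark "$MARK"
    ip route get "$IPADDRESSX"
    # Packet counters show whether the mangle rule matches at all; run a
    # test connection to port 700 first and expect pkts > 0 on this line.
    iptables -t mangle -L OUTPUT -v -n
}

if [ "${APPLY:-0}" = 1 ]; then   # needs root: APPLY=1 sh policy-route.sh
    setup_policy_routing
    verify_policy_routing
fi
```

With APPLY unset the script only defines the functions, so the checks can be sourced and run against saved `ip rule show` / `ip route show table hostc` output from hosta. If the rule and route are present and `ip route get ipaddressx mark 0x1` already answers with the tincnet route, the kernel side on hosta is doing what was asked, and the remaining question is how tinc itself forwards the packet once it is on the tun device.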

tinc mailing list
