I have this setup:
hosta <--> hostb <--> hostc
Hosta and hostc are not directly connected via tinc. But both are
connected via hostb (I called my network tincnet). This works fine, I can
ssh from hosta to hostc and vice versa without any problems.
hostc is in a whitelisted iprange at some service provider.
I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.
I added the iptables mangle rule to mark all traffic to ipaddressx at
-A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK
ip route add default via iphostc dev tincnet table hostc
ip rule add from 0.0.0.0/0 fwmark 1 table hostc
Now when I try this:
traceroute -T -n ipaddressx -p 700
The route goes via the ip of hostb and not via the ip of hostc as I
would have expected.
If I remove the iptables rule the route goes directly via the ip of
hosta. So the mangle rule and ip rule lines are okay I think.
Of course I also checked this via telnet ipaddressx 700 and watched via
tcpdump what happened on hostb and hostc.
A weird thing is when I try to add the route with any ip in the tincnet
subnet the route gets added even if that ip is not in use and all
traffic still goes via the ip of hostb.
i.e.: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet
Does anyone know what is happening here?
Is it tincd at hostb that intercepts the traffic actually meant for
hostc and thinks it's meant for hostb and rewrites stuff automatically?
Or am I missing something in the ip route / ip rules part?
I am using tinc a lot but so far it was between tinc nodes that are also
directly connected, and I never had this problem before.
If I just use iptables on hosta and hostc with nat and prerouting it
works fine. I just tell iptables on hosta that all traffic to ipaddressx
has to be dnatted to hostc and at hostc I just dnat this to the
But I really would like to understand how to do this via mangle/fwmark
and ip route / ip rule way.
hosta is centos 7 tinc 1.0.31
hostb is centos 5 tinc 1.0.25
hostc is centos 5 tinc 1.0.13
I hope someone can help me on my way.
Hans de Groot
tinc mailing list
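As an added example (not part of the post above, not tinc's or the author's own code), this is the mangle/ip rule/ip route sequence from the question written out in full, together with the two checks that show which table the kernel really picks for a marked packet (`ip route get ... mark`) and whether the mangle rule sees any packets at all (its counters). The destination, hostc's tinc address, the interface, port, mark and table name are all placeholders; note that a `via` next hop only selects the interface here, what tinc does with the packet afterwards depends on its Subnet declarations, not on the kernel next hop.

```shell
#!/bin/sh
# Policy routing of one TCP destination/port over a tinc interface.
# All addresses and names below are placeholders, not real values.
# With DRY_RUN=1 (the default) the commands are printed, not executed,
# so the script can be read or piped before being run as root.
DRY_RUN=${DRY_RUN:-1}
TINC_DEV=${TINC_DEV:-tincnet}
IPADDRESSX=${IPADDRESSX:-198.51.100.10}   # placeholder (TEST-NET-2 range)
IPHOSTC=${IPHOSTC:-10.0.0.3}              # placeholder tinc address of hostc
DPORT=${DPORT:-700}
MARK=${MARK:-1}
TABLE=${TABLE:-hostc}   # name must be mapped to a number in /etc/iproute2/rt_tables

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark only the traffic we want to steer. The MARK target needs
# --set-mark; a bare "-j MARK" matches but sets nothing.
mark_rule() {
    run iptables -t mangle -A OUTPUT -p tcp -d "$IPADDRESSX/32" \
        --dport "$DPORT" -j MARK --set-mark "$MARK"
}

# Marked packets consult table $TABLE, whose only route points at
# hostc's tinc address on the tinc interface.
policy_route() {
    run ip route replace default via "$IPHOSTC" dev "$TINC_DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Checks: the route the kernel selects for a packet carrying the mark,
# the rule order, and the mangle counters (they must increase when you
# connect, otherwise the rule never matched in the first place).
verify() {
    run ip route get "$IPADDRESSX" mark "$MARK"
    run ip rule show
    run iptables -t mangle -L OUTPUT -v -n
}

setup_all() {
    mark_rule
    policy_route
    verify
}

setup_all
```

Run with `DRY_RUN=0` as root to apply; `ip route get ... mark 1` should then name table `hostc` and `dev tincnet`, and if it does not, the rule or table is the problem rather than tinc.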