6.8.3 PREROUTING chain no longer modifiable


raun


I finally upgraded from 6.7.2 to 6.8.3


I run openvpn-as and openvpn client.  My default route is through the openvpn client (interface tun5).  I accept openvpn-as connections through interface br0.


I solved the somewhat common problem with this configuration that openvpn-as attempts replies to client connection requests over tun5 instead of the interface used to start the connection request (br0) using a PREROUTING rule:


iptables -t mangle -A PREROUTING -s 172.17.0.7 -p tcp --sport 9443 -j MARK --set-mark 4321
ip route add default via 192.168.2.1 dev br0 table 3412
ip rule add fwmark 4321 table 3412


I'm far from a networking expert, but this allowed me to run a service in a docker using NAT on the docker and ensure the service replied using the same interface/gateway as the incoming request.  This allowed openvpn-as to accept connections over my ISP's public IP, but route all external traffic through the VPN (tun5).


After my upgrade to 6.8.3 any modifications to the PREROUTING table don't stick.  The table always contains only a single rule


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL


Is there a solution to get my old behaviour back in 6.8.3?


  • 1 month later...

I'm an idiot.  There's nothing wrong.


My script adds a prerouting mangle rule.  I wasn't displaying the mangle table when looking at iptables rules.


iptables -L -n -t mangle


My real problem was that my docker container's IP changed - not sure if that was caused by the 6.8.3 upgrade, or if it was me messing something up.


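The two posts together describe a setup script that marks replies from the container and policy-routes them out via br0, and a diagnosis where the rule was fine but the container's IP had moved and the wrong table was being inspected. Below is an added example, not the poster's own script, that folds those lessons into an idempotent version of the same setup: it looks up the container's current bridge IP at run time instead of hard-coding 172.17.0.7, appends the mangle rule only when it is missing, and shows the mangle table afterwards. The container name "openvpn-as" is an assumption; gateway, interface, port, mark and routing table are the values from the first post.

```shell
#!/bin/sh
# Added example (not the poster's script): idempotent policy-routing setup
# for a container whose replies must leave via the LAN gateway on br0 while
# the host's default route points at the VPN tunnel.
# Assumptions (not from the post): the container is named "openvpn-as" and
# docker/iptables/ip are on PATH. Other values are taken from the thread.

CONTAINER="${CONTAINER:-openvpn-as}"   # assumed container name
LAN_GW="${LAN_GW:-192.168.2.1}"        # LAN gateway reached through br0
LAN_IF="${LAN_IF:-br0}"
SPORT="${SPORT:-9443}"                 # port the service answers from
MARK="${MARK:-4321}"
RT_TABLE="${RT_TABLE:-3412}"

# Current bridge-network IP of the container (e.g. 172.17.0.7). Docker can
# hand out a different address after restarts or upgrades, which is exactly
# what broke the hard-coded rule in the thread.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Append the PREROUTING mark rule in the mangle table unless an identical
# rule already exists. "iptables -C" exits 0 when the rule is present, so a
# script re-run on every boot does not stack duplicates.
# Prints "added" or "present" so the caller can log what happened.
ensure_mark_rule() {
    src="$1"
    if iptables -t mangle -C PREROUTING -s "$src" -p tcp --sport "$SPORT" \
            -j MARK --set-mark "$MARK" 2>/dev/null; then
        echo present
    else
        iptables -t mangle -A PREROUTING -s "$src" -p tcp --sport "$SPORT" \
            -j MARK --set-mark "$MARK"
        echo added
    fi
}

# Marked packets are looked up in RT_TABLE, whose default route goes out via
# the LAN gateway rather than the VPN. "route replace" is idempotent; the
# fwmark rule is removed before being re-added so repeated runs converge
# on a single entry.
ensure_policy_route() {
    ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$RT_TABLE"
    ip rule del fwmark "$MARK" table "$RT_TABLE" 2>/dev/null || true
    ip rule add fwmark "$MARK" table "$RT_TABLE"
}

# Inspect the table the rule actually lives in: a plain "iptables -L" only
# lists the filter table, which is why only the DOCKER entry was visible.
show_mangle_prerouting() {
    iptables -t mangle -L PREROUTING -n -v
}

apply_all() {
    ip_now="$(container_ip "$CONTAINER")"
    [ -n "$ip_now" ] || { echo "no IP found for container $CONTAINER" >&2; return 1; }
    echo "container $CONTAINER is at $ip_now"
    echo "mark rule: $(ensure_mark_rule "$ip_now")"
    ensure_policy_route
    show_mangle_prerouting
}

# Only touch the live system when invoked explicitly:  sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run it as `sh setup.sh apply` (as root) from the same place the original three commands were run, for instance a boot-time script; because every step is idempotent, it can also be re-run after the container is recreated, and it will pick up the new address rather than silently marking traffic from an IP nobody uses anymore.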
