<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr">On Fri, Oct 5, 2018, 12:03 Toke Høiland-Jørgensen <<a href="mailto:toke@toke.dk">toke@toke.dk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">"Jason A. Donenfeld" <<a href="mailto:Jason@zx2c4.com" target="_blank" rel="noreferrer">Jason@zx2c4.com</a>> writes:<br>
<br>
> Hey Konstantin,<br>
><br>
> When you're doing policy routing with packets that are being forwarded<br>
> by the system -- a router, for example -- then the prerouting table is<br>
> sufficient. But for locally generated packets, you have to use the<br>
> OUTPUT table and also probably MASQUERADE. I just reproduced<br>
> everything here and confirm this works:<br>
><br>
> ip route add default dev wg0 table 2468<br>
> ip rule add fwmark 1234 table 2468<br>
> wg set wg0 peer [...] allowed-ips <a href="http://0.0.0.0/0" rel="noreferrer noreferrer" target="_blank">0.0.0.0/0</a><br>
> sysctl net.ipv4.conf.wg0.rp_filter=0<br>
> iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype<br>
> --src-type LOCAL -j MASQUERADE<br>
> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234<br>
<br>
Any reason why you can't just do<br>
<br>
ip rule add dport 22 lookup 2468<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">That's indeed the best by far as long as other netfilter fanciness isn't desired. Probably should set ipproto to tcp too in the rule.</div><div dir="auto"><br></div><div dir="auto">Jason</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
?<br>
<br>
-Toke<br>
</blockquote></div></div></div>