Sending just ssh traffic via wg
Toke Høiland-Jørgensen
toke at toke.dk
Fri Oct 5 12:03:04 CEST 2018
"Jason A. Donenfeld" <Jason at zx2c4.com> writes:
> Hey Konstantin,
>
> When you're doing policy routing with packets that are being forwarded
> by the system -- a router, for example -- then the prerouting table is
> sufficient. But for locally generated packets, you have to use the
> OUTPUT table and also probably MASQUERADE. I just reproduced
> everything here and confirm this works:
>
> ip route add default dev wg0 table 2468
> ip rule add fwmark 1234 table 2468
> wg set wg0 peer [...] allowed-ips 0.0.0.0/0
> sysctl net.ipv4.conf.wg0.rp_filter=0
> iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype
> --src-type LOCAL -j MASQUERADE
> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234
Any reason why you can't just do
ip rule add dport 22 lookup 2468
?
-Toke
More information about the WireGuard
mailing list