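# allow WAN to LAN access
#########################
# Policy-routing helper for a DD-WRT style router. Written for BusyBox /bin/sh
# (no bashisms): it builds routing table 100 as a copy of the main table but
# with the WAN gateway as its default route, and makes packets carrying
# fwmark 1 use that table so they bypass the VPN tunnel.
#
# Assumptions:
#   - the OpenVPN tunnel interface is named "tun1"
#   - "nvram get wan_gateway" returns the upstream (WAN) gateway address
#   - the fwmark itself is set elsewhere (mangle PREROUTING rules)

# Give the WAN and VPN interfaces time to come up before copying routes.
sleep 10

# Disable reverse-path filtering. Marked replies leave via the WAN while the
# main table would route them via the VPN, so strict rp_filter would drop
# them as spoofed. NOTE(review): this switches the anti-spoofing check off on
# every interface; where the kernel supports it, "2" (loose mode) is the less
# permissive value that still allows this asymmetric routing - confirm which
# your kernel offers before tightening it.
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$rpf"
done

# Look the gateway up before touching anything: "ip route add ... via" with an
# empty address fails, and we do not want to have flushed table 100 by then.
WAN_GW=$(nvram get wan_gateway)
if [ -z "$WAN_GW" ]; then
  echo "wan_gateway is not set; leaving table 100 untouched" >&2
  exit 1
fi

#
# Delete table 100 and its rule if they exist. On the first run there is
# nothing to delete, so the errors from these commands are deliberately hidden.
#
ip route flush table 100 2>/dev/null
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache

#
# Copy every route from the main table into table 100 except the default
# route and anything on the VPN interface, then point table 100's default at
# the WAN gateway and make fwmark 1 select table 100.
#
# The tun1 match is anchored on whitespace so that an interface such as
# "tun10", or an address that merely contains "tun1", is not excluded too.
#
ip route show table main \
  | grep -Ev '^default' \
  | grep -Ev '(^|[[:space:]])tun1([[:space:]]|$)' \
  | while IFS= read -r route ; do
      # $route is intentionally unquoted: each word of the route line has to
      # become a separate argument to "ip route add".
      # shellcheck disable=SC2086
      ip route add table 100 $route
    done
ip route add default table 100 via "$WAN_GW"
ip rule add fwmark 1 table 100
ip route flush cache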
And the firewall script:
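# Allow WAN to LAN access
#
# SSH Traffic: Bypass VPN
#
# Mark the LAN SSH server's reply packets so the policy-routing script sends
# them out the WAN instead of the VPN. Packets with mark 0 follow the main
# table (the VPN); packets with mark 1 are routed by table 100 (the WAN).
# Rules are evaluated in the order they are listed in the chain.
#
# Do NOT flush the whole mangle PREROUTING chain here: on this firmware the
# chain can already hold rules we did not add (for example a CONNMARK save
# rule), and a blind "-F" would wipe them on every run. Instead remove only
# our own rule, however many copies of it exist, and append it once. That
# keeps the script idempotent without touching anything else in the chain.
#
# NOTE(review): "-s 192.168.1.10 --sport 22" matches only the SSH *server's*
# replies; an SSH client on 192.168.1.10 (ephemeral source port) would not
# match. Confirm that inbound-to-the-server is the intended direction.
#
while iptables -t mangle -D PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22 -j MARK --set-mark 1 2>/dev/null; do
  :
done
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22 -j MARK --set-mark 1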
I'll confirm tomorrow with a real SSH client, after my daily migration from LAN to WAN (I never referred to going to work like that before).
For now I tested with the online SSH server check at http://www.infobyip.com/sshservertest.php while running `tcpdump -n host 45.79.3.202` on 192.168.1.10 (45.79.3.202 presumably being the test site's address) to see the request and reply packets arrive at the server.
Can't thank you enough for the help, much appreciated!
Hello.
I'm trying to do this now, but if I understand correctly, `iptables -t mangle -F PREROUTING` flushes every rule in the PREROUTING chain of the mangle table...
But my mangle table already contains this:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 0 -- anywhere 192.168.XX.XX MARK or 0x80000000
CONNMARK 0 -- anywhere anywhere CONNMARK save
where 192.168.XX.XX is, I guess, my ISP router.
I don't know why this MARK rule is necessary, nor the CONNMARK one...
I would rather understand what I'm doing ^^
So why do you think I need to flush the PREROUTING chain, given that it would remove those existing rules?