How to add a routing rule that only match "dport"?

Leon

3/15/23, 7:01 AM

In my OpenWrt box, I want to route only a specific protocol(tcp:1888) to a tun interface only for one PC(192.168.28.2), so I do as following:

ip rule add from 192.168.28.2 dport 1888 lookup 123

ip route add default via 10.8.0.2 dev tun0 table 123

But it does NOT work!

When I check the rule list with ip rule, I get:

0: from all lookup local

32765: from 192.168.28.2 lookup 123

32766: from all lookup main

32767: from all lookup default

I guest that the dport SELECTOR doesn't take effect.

How should I do?

Thanks!!!

Solution: With Nikita Kipriyanov's help, I got it, but the FORWARD chain of mangle table doesn't work, I used the PREROUTING instaed.

Would pls anyone explain why should I use PREROUTING instead of FORWARD of mangle?

0 + 0

iptables

ip-routing

openwrt

rules

iproute2

Score:2

Server

Nikita Kipriyanov

3/15/23, 7:28 AM

Add a netfilter mark rule in the FORWARD chain of the mangle table. Then add a routing rule using that mark:

iptables -t mangle -A PREROUTING -s 192.168.28.2 -p tcp --dport 1888 -j MARK --set-mark 0x1/0x1
ip rule add fwmark 0x1/0x1 lookup 123

0 + 0

Leon

3/15/23, 4:54 PM

Thanks for your help. I have successed, but by using PREROUTING chain of the mangle. the FORWARD chain doesn't work. would you pls explain me why?

Nikita Kipriyanov

3/15/23, 6:15 PM

I was too lazy to evaluate which routing decision we must target. There are two in the packet path: the one after PREROUTING which decides FORWARD or INPUT, and the one after FORWARD or OUTPUT before POSTROUTING, which decides which output interface to egress. I targeted for second routing decision, while it happened we needed to correctly use first one. I updated the answer to reflect your comment.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to add a routing rule that only match "dport"?

TH: จะเพิ่มกฎการกำหนดเส้นทางที่ตรงกับ "dport" ได้อย่างไร

RO: Cum să adăugați o regulă de rutare care se potrivește doar cu „dport”?

RU: Как добавить правило маршрутизации, которое соответствует только «dport»?

VI: Làm cách nào để thêm quy tắc định tuyến chỉ khớp với "dport"?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.