I've managed to configure openvpn on my DD-WRT router such that the tunnel is up and working, but it doesn't mess with routes at all (the default configuration wants all traffic to go through it).

I would like to port forward port 51413 on tun1 to a specific host on my network (192.168.77.145).

I also need to masquerade ports 6881-6890 so that they are routed through tun1. I know this involves packet mangling/marking, and setting up routes manually as well, but it's been 12 years since I've even thought about iptables (I think I still had dialup at the time).

Is there some recipe out on the internet somewhere that I'm not stumbling over?

[edit]

I've been experimenting with tcpdump, and it appears that the client I use (Transmission on OSX) has a curious feature: it uses 51413 (user configurable) as the source port for all outgoing packets, and as the destination for all incoming packets. Even when I look for port 6881-6889 in tcpdump, those are always the source port for the remote end, and it's always being sent to the 51413.

So this is rather simpler than I imagined it would be. I just need to route/masquerade anything with that src port number through the tun1 interface.

I think that the iptables rules might be something like the following:

# mark bittorrent packets
iptables -t mangle -A OUTPUT -p udp --sport 51413  -j MARK --set-mark 7
iptables -t mangle -A OUTPUT -p tcp --sport 51413  -j MARK --set-mark 7

# allow responses
iptables -A INPUT -i tun1 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow bittorrent
iptables -A INPUT -i tun1 -p udp --dport 51413 -j ACCEPT
iptables -A INPUT -i tun1 -p tcp --dport 51413 -j ACCEPT

# block everything incoming on vpn
#iptables -A INPUT -i tun1 -j REJECT

# masquerading
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Do these look sane? Still no clue on the routing rules.

[edit 2]

I think -A is wrong, as this appends it to the end of the iptables rules. My router is adding god-knows-what first, and if those rules match, these are ignored. I'm pretty sure they should all be -I.

Even with that change though, I'm unable to get anything to work.

The packets show up on my private network on br0, the bridge interface. If I change nothing, DD-WRT's configuration will do NAT out over vlan2. And of course, OpenVPN's interface is tun1 (the interface I want to send bt traffic through).

[edit 3]

The initial two iptables statements are wrong. I was working off of examples where the author was using his desktop machine as a router (I think), and so this is different than a desktop machine that sends packets over a local network to a router with two external interfaces. The correct set of statements is something like this:

# routing table setup
ip route replace default via $VPNGW dev tun1 table 100
ip rule add fwmark 7 table 100

# mark bittorrent packets
iptables -t mangle -I PREROUTING -p udp --sport 51413 -j MARK --set-mark 7
iptables -t mangle -I PREROUTING -p tcp --sport 51413 -j MARK --set-mark 7

# allow responses
iptables -A INPUT -i tun1 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow bittorrent
iptables -A INPUT -i tun1 -p udp --dport 51413 -j ACCEPT
iptables -A INPUT -i tun1 -p tcp --dport 51413 -j ACCEPT

# block everything incoming on vpn
iptables -A INPUT -i tun1 -j REJECT

# masquerading
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE

This still isn't perfect. The bulk of bt traffic now goes over tun1, but I continue to see incoming packets for 51413 on vlan2. It's unclear to me why this is happening.

John O