On Fri, Oct 5, 2018, 12:03 Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> "Jason A. Donenfeld" <Jason@zx2c4.com> writes:
>
>> Hey Konstantin,
>>
>> When you're doing policy routing with packets that are being forwarded
>> by the system -- a router, for example -- then the prerouting table is
>> sufficient. But for locally generated packets, you have to use the
>> OUTPUT table and also probably MASQUERADE. I just reproduced
>> everything here and confirm this works:
>>
>> ip route add default dev wg0 table 2468
>> ip rule add fwmark 1234 table 2468
>> wg set wg0 peer [...] allowed-ips 0.0.0.0/0
>> sysctl net.ipv4.conf.wg0.rp_filter=0
>> iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype
>> --src-type LOCAL -j MASQUERADE
>> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234
>
> Any reason why you can't just do
>
> ip rule add dport 22 lookup 2468

That's indeed the best by far as long as other netfilter fanciness isn't desired. Probably should set ipproto to tcp too in the rule.

Jason


> ?
>
> -Toke
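As an added example (not code from the thread), here is the ip-rule variant Toke proposed, with the ipproto qualifier Jason mentioned, wrapped in a small script that also asks the kernel which device the lookup actually picks. The script, its function names and its DRY_RUN switch are this example's own; it assumes iproute2 4.17 or newer for the port selectors and an existing wg0 whose peer already carries allowed-ips 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the ip-rule variant
# (Toke's dport selector plus Jason's ipproto qualifier) and verifies it.
# Assumes iproute2 >= 4.17 (rule/route port selectors) and an existing
# wg0 whose peer carries allowed-ips 0.0.0.0/0. The function and
# variable names below are this example's own.
WG_IF="${WG_IF:-wg0}"
TABLE="${TABLE:-2468}"
PORT="${PORT:-22}"

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy route: table $TABLE sends everything out $WG_IF, and the rule
# diverts TCP to $PORT into that table at the first route lookup, so the
# source address is chosen for $WG_IF and no MASQUERADE is required.
setup_port_via_wg() {
    run ip route replace default dev "$WG_IF" table "$TABLE"
    # 'ip rule add' is not idempotent: drop an identical rule first.
    run ip rule del ipproto tcp dport "$PORT" lookup "$TABLE" 2>/dev/null || true
    run ip rule add ipproto tcp dport "$PORT" lookup "$TABLE"
    # Keep rp_filter off on the tunnel, as in the original recipe, so
    # replies arriving on $WG_IF are not dropped by strict reverse-path checks.
    run sysctl -w "net.ipv4.conf.$WG_IF.rp_filter=0"
}

# Ask the kernel which device a TCP/$PORT packet to $1 would leave on;
# returns 0 when the answer is $WG_IF.
check_route() {
    ip route get "$1" ipproto tcp dport "$PORT" 2>/dev/null | grep -q " dev $WG_IF "
}

# Usage: DRY_RUN=1 sh route-port.sh 203.0.113.10   (preview the commands)
#        sudo sh route-port.sh 203.0.113.10        (apply, then verify)
if [ -n "${1:-}" ]; then
    setup_port_via_wg
    [ -n "${DRY_RUN:-}" ] && exit 0
    if check_route "$1"; then echo "TCP/$PORT to $1 leaves via $WG_IF"
    else echo "TCP/$PORT to $1 does not leave via $WG_IF" >&2; exit 1; fi
fi
```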