On Fri, Oct 5, 2018, 12:03 Toke Høiland-Jørgensen wrote:

> "Jason A. Donenfeld" writes:
>
> > Hey Konstantin,
> >
> > When you're doing policy routing with packets that are being forwarded
> > by the system -- a router, for example -- then the prerouting table is
> > sufficient. But for locally generated packets, you have to use the
> > OUTPUT table and also probably MASQUERADE. I just reproduced
> > everything here and confirm this works:
> >
> > ip route add default dev wg0 table 2468
> > ip rule add fwmark 1234 table 2468
> > wg set wg0 peer [...] allowed-ips 0.0.0.0/0
> > sysctl net.ipv4.conf.wg0.rp_filter=0
> > iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype
> > --src-type LOCAL -j MASQUERADE
> > iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234
>
> Any reason why you can't just do
>
> ip rule add dport 22 lookup 2468

That's indeed the best by far as long as other netfilter fanciness isn't
desired. Probably should set ipproto to tcp too in the rule.

Jason

> ?
>
> -Toke
>
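An added example (not from the thread or from WireGuard itself) that checks a host against the two approaches discussed above: it parses `ip rule show` and `ip route show table 2468` output, decides whether tcp/22 reaches table 2468 via the direct dport/ipproto rule or via the fwmark rule (which only steers local packets when the mangle OUTPUT MARK rule is also present), and confirms the table's default route points at wg0. The sample outputs are constructed for the example; run the two commands and pass their real output to check_policy_routing on a live system.

```python
import re

# Constructed sample `ip rule show` output for the thread's two approaches
# (fwmark 1234 == 0x4d2); not captured from a real system.
RULES_FWMARK = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x4d2 lookup 2468\n" \
               "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
RULES_DIRECT = RULES_FWMARK.replace("fwmark 0x4d2", "ipproto tcp dport 22")
TABLE_2468 = "default dev wg0 scope link\n"  # constructed `ip route show table 2468`
RULE_RE = re.compile(r"^\d+:\s+from (\S+)\s*(.*?)\s*lookup (\S+)$")

def selectors_for_table(rule_text, table):
    """Selector tokens (between 'from X' and 'lookup') of every rule using `table`."""
    out = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) == table:
            out.append(m.group(2).split())
    return out

def rule_mode(sel, port, mark):
    """'direct' for an (ipproto tcp) dport rule, 'fwmark' for a mark rule, else None."""
    if "dport" in sel and sel[sel.index("dport") + 1] == str(port):
        # Without ipproto the rule also catches UDP/22, hence the suggestion to add it.
        proto = sel[sel.index("ipproto") + 1] if "ipproto" in sel else "any"
        return "direct" if proto in ("tcp", "any") else None
    if "fwmark" in sel and int(sel[sel.index("fwmark") + 1], 16) == mark:
        return "fwmark"
    return None

def default_dev(table_text):
    """Interface of the default route in `ip route show table N` output, or None."""
    for line in table_text.splitlines():
        toks = line.split()
        if toks[:1] == ["default"] and "dev" in toks:
            return toks[toks.index("dev") + 1]
    return None

def check_policy_routing(rule_text, table_text, table="2468", port=22, mark=1234):
    """Report how (and whether) locally generated TCP/`port` traffic reaches `table`."""
    modes = {rule_mode(s, port, mark) for s in selectors_for_table(rule_text, table)} - {None}
    mode = "direct" if "direct" in modes else ("fwmark" if "fwmark" in modes else None)
    dev = default_dev(table_text)
    # The fwmark path only steers local packets if a mangle OUTPUT rule sets the mark.
    return {"mode": mode, "dev": dev, "needs_mangle_output": mode == "fwmark",
            "ok": mode is not None and dev == "wg0"}
```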