Route certain traffic via a tinc node that is not directly connected.

Hans de Groot hansg at dandy.nl
Tue Apr 10 15:36:08 CEST 2018


Hello List,

I have this setup:

hosta  <--> hostb  <-->  hostc

Hosta and hostc are not directly connected via tinc. But both are 
connected via hostb (I called my network tincnet). This works fine: I can 
ssh from hosta to hostc and vice versa without any problems.

hostc is in a whitelisted iprange at some service provider.

I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.

I added the iptables mangle rule to mark all traffic to ipaddressx at 
port 700.

     -A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK --set-mark 0x1

I added:
     ip route add default via iphostc dev tincnet table hostc
     ip rule add from 0.0.0.0/0 fwmark 1 table hostc

Now when I try this:

traceroute -T -n ipaddressx -p 700

The route goes via the ip of hostb and not via the ip of hostc as I 
would have expected.
If I remove the iptables rule the route goes directly via the ip of 
hosta. So the mangle rule and ip rule lines are okay I think.
Of course I also checked this via telnet ipaddressx 700 and watched via 
tcpdump what happened on hostb and hostc.

A weird thing is when I try to add the route with any ip in the tincnet 
subnet the route gets added even if that ip is not in use and all 
traffic still goes via the ip of hostb.
i.e.: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet 
table hostc

Does any one know what is happening here?

Is it tincd at hostb that intercepts the traffic actually meant for 
hostc and thinks it's meant for hostb and rewrites stuff automatically?
Or am I missing something in the ip route / ip rules part?

I am using tinc a lot but so far it was between tinc nodes that are also 
directly connected, and I never had this problem before.

If I just use iptables on hosta and hostc with nat and prerouting it 
works fine. I just tell iptables on hosta that all traffic to ipaddressx 
has to be dnatted to hostc and at hostc I just dnat this to the 
destination ip.

But I really would like to understand how to do this via the mangle/fwmark 
and ip route / ip rule way.

hosta is centos 7 tinc 1.0.31
hostb is centos 5 tinc 1.0.25
hostc is centos 5 tinc 1.0.13

I hope someone can help me on my way.

Thx

Hans de Groot
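The same three steps from the post, wrapped so they can be re-run safely, plus the kernel-side check a practitioner would run first: asking the kernel which route a packet carrying the mark takes. This is an added example, not code from Hans's mail; ipaddressx, iphostc and the table name hostc are placeholders (the table must already exist in /etc/iproute2/rt_tables, as it does in the post).

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder values; override
# them in the environment: IPX is "ipaddressx", GW is the tincnet address
# of hostc ("iphostc"), TABLE is the named routing table from the post.
IPX="${IPX:-192.0.2.10}"
GW="${GW:-10.0.0.3}"
DEV="${DEV:-tincnet}"
TABLE="${TABLE:-hostc}"
MARK=1

# Mark TCP/700 to ipaddressx, send marked packets to the hostc table, and
# put a default route via hostc in that table. Each step checks first so
# running the function twice does not duplicate rules.
setup_policy_route() {
    iptables -t mangle -C OUTPUT -p tcp -d "$IPX" --dport 700 \
        -j MARK --set-mark "$MARK" 2>/dev/null \
    || iptables -t mangle -A OUTPUT -p tcp -d "$IPX" --dport 700 \
        -j MARK --set-mark "$MARK"
    ip rule show | grep -q "fwmark 0x$MARK lookup $TABLE" \
    || ip rule add fwmark "$MARK" table "$TABLE"
    ip route replace default via "$GW" dev "$DEV" table "$TABLE"
}

# Pull the outgoing device out of one "ip route get" line, e.g.
# "192.0.2.10 via 10.0.0.3 dev tincnet src 10.0.0.1 mark 1 uid 0" -> tincnet
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Ask the kernel where a packet with this mark would be routed. The mangle
# rule is not involved here, so this isolates the ip rule / ip route half
# of the setup from whatever tinc does with the packet afterwards.
check_marked_route() {
    route_dev "$(ip route get "$IPX" mark "$MARK" | head -n 1)"
}

# Usage as root on hosta:  . ./policyroute.sh; setup_policy_route;
# check_marked_route      (prints "tincnet" when the policy route is in effect)
```

If the check already prints tincnet, the policy-routing part is doing its job and the next hop is chosen inside tinc itself, which in router mode forwards a packet to whichever node's Subnet entry covers the destination address, not to the gateway the kernel route names.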
