Access OpenWrt Router From WAN (SSH)

And a small question. Adding a policy with the 'OUTPUT' chain, all packets with src_port 22 are routed via WAN. So replies to packets coming from LAN are also routed via WAN, so login from LAN doesn't work. We've tried to change 'OUTPUT' to 'INPUT', but without success (I hoped it would mark incoming packets, and responses would be marked as well due to connection tracking). So the only solution is to use multiple dropbear instances on different ports. Is it possible to configure PBR differently in this case, to use a single dropbear port?

A range can be excluded from the rule either explicitly in the rule (not sure if the README has a good example, but it's mentioned in the README) or in the Append Local/Remote IP Tables rules (under the Advanced tab in the WebUI).

Sorry, I can't find the specified range of IPs in the output of iptables -S -t mangle. I've tried both src and dest:

        option append_src_rules '! -d 192.168.1.0/24'
        option append_dest_rules '! -d 192.168.1.0/24'

I remind you that our case is about the SSH server and the OUTPUT chain. Or should we use 'Ignored Interfaces' instead?

Both at the same time as pasted above definitely wouldn't work. Also, src rules should have the -d parameter, and dest rules should have the -s parameter, as multiple parameters of the same type (as in multiple -d) are not allowed by iptables, if memory serves me correctly. There should be a warning on service reload on the CLI and maybe even in the WebUI in case of collisions.

I haven't tried exposing the SSH port to WAN, but I'm guessing just option append_src_rules '! -d 192.168.1.0/24' should work.

OK, but where should it be in the output of iptables etc.?

It's appended to the iptables rules where the source is explicitly specified. Maybe it's just for the VPR_PREROUTING chain; I'll need to double-check the code.

We've tried to append the following rule:

    iptables -t mangle -A VPR_OUTPUT -p tcp -m multiport --sports 22 ! -d 192.168.1.0/24 -m comment --comment Ssh-Wan2Lan -j MARK --set-xmark 0x10000/0xff0000

But it doesn't work (no change in behavior: access from LAN, no access from WAN), and the counter is not zero:

   27  1188 MARK       tcp  --  *      *       0.0.0.0/0           !192.168.1.0/24       multiport sports 22 /* Ssh-Wan2Lan */ MARK xset 0x10000/0xff0000

Removing '! -d 192.168.1.0/24' results in the 'previous' behavior with the PBR policy: access from WAN, no access from LAN.
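Both the earlier question (where the excluded range shows up in iptables -S -t mangle) and the rule above come down to the same check: does the chain's MARK rule for source port 22 carry the "! -d LAN" exclusion or not? The script below is an added example, not code from the thread or from the PBR package; it reads iptables -S style output and reports that for a given chain. The two rulesets are constructed samples (one with the exclusion, one the "previous" rule without it), not captures from the router discussed here; the chain and mark values are taken from the rule pasted above.

```sh
#!/bin/sh
# Added example: check, from `iptables -S -t mangle` output, whether a chain's
# MARK rule for source port 22 excludes the LAN. Both rulesets below are
# constructed samples, not captures from the thread's router.

RULES_WITH_EXCLUSION='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N VPR_OUTPUT
-N VPR_PREROUTING
-A PREROUTING -j VPR_PREROUTING
-A OUTPUT -j VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 22 ! -d 192.168.1.0/24 -m comment --comment Ssh-Wan2Lan -j MARK --set-xmark 0x10000/0xff0000'

# The "previous" rule from the thread: same mark, no destination exclusion.
RULES_WITHOUT_EXCLUSION='-N VPR_OUTPUT
-A OUTPUT -j VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 22 -m comment --comment Ssh-Wan2Lan -j MARK --set-xmark 0x10000/0xff0000'

# find_mark_rules RULES CHAIN PORT
# Prints the rules in CHAIN that jump to MARK and match source port PORT,
# either as "--sport PORT" or inside a multiport "--sports" list.
find_mark_rules() {
    rules="$1"; chain="$2"; port="$3"
    printf '%s\n' "$rules" \
        | grep -e "^-A $chain " \
        | grep -e "-j MARK" \
        | grep -E -e "--sports? ([0-9]+,)*$port(,|$| )"
}

# lan_excluded RULES CHAIN PORT NET
# Exit 0 if every such rule carries "! -d NET", 1 if at least one lacks it,
# 2 if the chain has no MARK rule for PORT at all.
lan_excluded() {
    rules="$1"; chain="$2"; port="$3"; net="$4"
    found=$(find_mark_rules "$rules" "$chain" "$port" || true)
    [ -n "$found" ] || return 2
    # -v selects rules WITHOUT the exclusion; any hit means LAN replies get marked too
    printf '%s\n' "$found" | grep -q -v -F -e "! -d $net" && return 1
    return 0
}

# report RULES CHAIN PORT NET : one-line summary of the check above.
report() {
    rc=0
    lan_excluded "$@" || rc=$?
    case $rc in
        0) echo "$2: port $3 is marked, $4 excluded" ;;
        1) echo "$2: port $3 is marked, but $4 is NOT excluded (LAN replies are marked too)" ;;
        2) echo "$2: no MARK rule for source port $3" ;;
    esac
}

report "$RULES_WITH_EXCLUSION" VPR_OUTPUT 22 192.168.1.0/24
report "$RULES_WITHOUT_EXCLUSION" VPR_OUTPUT 22 192.168.1.0/24
report "$RULES_WITH_EXCLUSION" VPR_PREROUTING 22 192.168.1.0/24
```

On a live router the same functions can be fed the real ruleset with `report "$(iptables -S -t mangle)" VPR_OUTPUT 22 192.168.1.0/24`; exit code 2 means the append_src_rules text never reached the chain you expected, which is the first thing to look for before reasoning about counters.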

I'm not sure if I have a solution for this then. I'm sure a proper iptables rule can be created (and then used with the help of the user-script); I just can't think of one now.