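#!/bin/bash
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# mail-route: steer this host's outbound SMTP (25) and IMAPS (993) traffic
# through the VPN tunnel (tun0). Matching packets get a firewall mark, the
# mark selects routing table 1 (default route via the VPN gateway), and
# POSTROUTING SNATs them to the host's tun0 address.
#
# Usage: mail-route start|stop|show
#   start  add the mangle/nat rules, the policy-routing rule and the table-1
#          routes
#   stop   remove them; a failing delete is reported but does not abort,
#          since a rule may already be gone
#   show   print the current mangle/nat rules, ip rules and table 1
#
# Requires root; re-executes itself under sudo otherwise.

[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
source /a/bin/errhandle/errcatch-function
source /a/bin/errhandle/errallow-function
source /a/bin/errhandle/bash-trace-function
errcatch

# Network parameters. The SNAT source must be this host's address on the
# tunnel interface and the table-1 default route must point at the VPN
# gateway, otherwise marked traffic is dropped or leaks out the normal route.
readonly tun_if=tun0
readonly tun_src=10.8.0.4
readonly tun_gw=10.8.0.1
readonly lan_net=192.168.1.0/24
readonly lan_gw=192.168.1.1
readonly lan_if=br0
# One mark value shared by the MARK target, the nat match and the ip rule,
# so the three cannot drift apart (both iptables and ip accept 0x-prefixed
# values).
readonly mark=0x1
readonly table=1
# smtp and imap with ssl
readonly ports=(25 993)

#######################################
# Print usage and exit.
# Arguments: $1 - exit status
# Outputs:   usage text to stdout
#######################################
usage() {
  cat <<'EOF'
Usage: mail-route start|stop|show
EOF
  exit "$1"
}

if (( $# != 1 )); then
  usage 1
fi

# Each mode defines e(), the wrapper every rule-changing command goes through.
case $1 in
  start)
    iptables_op=-A
    ip_op=add
    e() { "$@"; }
    ;;
  stop)
    iptables_op=-D
    ip_op=del
    # A delete of an already-absent rule fails; report it (on stderr) and
    # keep going so the remaining rules are still removed.
    e() { "$@" || printf 'maybe ok failure: %s\n' "$*" >&2; }
    ;;
  show)
    # Echo each command before running it. The script name is passed as a
    # %s argument rather than spliced into the format string, so a '%' in
    # $0 cannot be interpreted by printf.
    e() { printf '%s: %s\n' "${0##*/}" "$*"; "$@"; }
    e iptables -t mangle -S
    e iptables -t nat -S
    e ip rule
    e ip route show table "$table"
    exit 0
    ;;
  *)
    usage 1
    ;;
esac

# note, something like this does not work for packets which
# exim is replying to. I don't know why.
#iptables -t mangle -A OUTPUT -m owner --uid-owner Debian-exim -j MARK --set-mark 0x1

# match source or dest port. when we send to 25, it picks a random high port as
# the source. Note this matches traffic from every local process on these
# ports, not just the mail daemon.
for port in "${ports[@]}"; do
  e iptables -t mangle "$iptables_op" OUTPUT -m tcp -p tcp -m multiport \
    --ports "$port" -j MARK --set-mark "$mark"
done
e iptables -t nat "$iptables_op" POSTROUTING -o "$tun_if" -m mark --mark "$mark" \
  -j SNAT --to-source "$tun_src"
e ip rule "$ip_op" fwmark "$mark" table "$table"
# note, this rule does not persist when the tun interface is deleted
e ip route "$ip_op" default via "$tun_gw" table "$table"
e ip route "$ip_op" "$lan_net" via "$lan_gw" dev "$lan_if" table "$table"
exit 0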