+#!/bin/bash
+# Copyright (C) 2016 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
+
+source /a/bin/errhandle/errcatch-function
+source /a/bin/errhandle/errallow-function
+source /a/bin/errhandle/bash-trace-function
+errcatch
+
+usage() {
+ cat <<'EOF'
+Usage: mail-route start|stop|show
+EOF
+ exit $1
+}
+
+if (( $# != 1 )); then
+ usage 1
+fi
+case $1 in
+ start)
+ iptables_op=-A
+ ip_op=add
+ e() { "$@"; }
+ ;;
+ stop)
+ iptables_op=-D
+ ip_op=del
+ e() { "$@" || printf "maybe ok failure: %s\n" "$*"; }
+ ;;
+ show)
+ e() { printf "${0##*/}: %s\n" "$*"; "$@"; }
+ e iptables -t mangle -S
+ e iptables -t nat -S
+ e ip rule
+ e ip route show table 1
+ exit 0
+ ;;
+ *)
+ usage 1
+ ;;
+esac
+
+
+# note, something like this does not work for packets which
+# exim is replying to. I don't know why.
+#iptables -t mangle -A OUTPUT -m owner --uid-owner Debian-exim -j MARK --set-mark 0x1
+
+
+e iptables -t mangle $iptables_op OUTPUT -m tcp -p tcp -m multiport --sports 25 -j MARK --set-mark 0x1
+e iptables -t nat $iptables_op POSTROUTING -o tun0 -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
+e ip rule $ip_op fwmark 1 table 1
+# note, this rule does not persist when the tun interface is deleted
+e ip route $ip_op default via 10.8.0.1 table 1
+e ip route $ip_op 192.168.1.0/24 via 192.168.1.1 dev br0 table 1
+
+exit 0
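Review bot: Running `start` twice is not idempotent: `iptables -A` on lines 63–64 and `ip rule add` on line 65 append duplicate entries on every run, while the second `ip route add default` fails with "File exists" under errcatch, so a repeated start aborts midway and leaves extra mangle/nat rules of which a single `stop` removes only one copy. Guarding each insert with a check makes re-running safe, e.g. `iptables -t mangle -C OUTPUT … 2>/dev/null || e iptables -t mangle -A OUTPUT …` in the `start` arm, and `ip route replace` in place of `add` for the two route lines (keeping `del` for stop). The comment on line 66 also points at a fail-open path: once tun0 disappears and table 1 loses its default route, the fwmark 1 rule lookup falls through to the main table and source-port-25 replies leave un-SNATed over the normal default route; if that traffic is meant to use only the tunnel, a fallback such as `e ip route $ip_op unreachable default metric 1000 table 1` after line 67 makes it fail closed instead. Minor: `printf "${0##*/}: %s\n" "$*"` on line 45 places the script name in the format string, so a `%` in the name would break it; `printf '%s: %s\n' "${0##*/}" "$*"` keeps it as data.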