
I'm routing specific devices through a separate gateway device that connects to a Tailscale VPN exit node.

I'm using this command so my device can act as a NAT router to Tailscale:

sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE

But this only works because I've enabled IP forwarding in sysctl:

sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv6.conf.all.forwarding=1

I'd like to be more specific with my NAT routing such that only traffic to certain domains goes through the tailscale0 interface and everything else passes through. I'm assuming this is the same issue you'd see with OpenVPN's tun0 and tap0 interfaces.

How can I accomplish L3 domain routing with iptables?

Sawtaytoes
  • How would you know whether a specific IP address "belongs" to a domain? Have you ever tried to think this through? – TomTom Feb 18 '23 at 12:59
  • As far as I understand, `iptables` allows mapping domains, so this is definitely possible. Another option is `route`, but I'm pretty sure this can be done with `iptables`. – Sawtaytoes Feb 18 '23 at 20:22
  • The iptables *command* will resolve a DNS name into an IP address and send the resulting IP address along the rule to the kernel. From now on, it's all about IP addresses. Same with routing. – A.B Feb 18 '23 at 22:08
  • Yeah. There also is the little problem that IP packets may belong to multiple domains - how would that work? No, iptables works only on IP addresses. – TomTom Feb 18 '23 at 22:11
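The resolution-time caveat A.B describes, carried into a working setup, as an added example that is not from the question or the comments: domains are resolved to addresses at refresh time, kept in an ipset, matched in the mangle table to set an fwmark, and that mark is policy-routed out tailscale0 while unmarked traffic keeps the main table. The ipset name, mark value and table number are assumptions; tailscale0 and the MASQUERADE rule are from the question.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. Assumed (hypothetical)
# names: ipset "vpn_dst", fwmark 0x1, routing table 100; tailscale0 is from the question.
# IPv4 only: an IPv6 counterpart needs "ipset ... family inet6", ip6tables and "ip -6".
set -eu
SET_NAME="vpn_dst"
MARK="0x1"
TABLE="100"
VPN_IF="tailscale0"

# Resolve a domain to its current IPv4 addresses, one per line, deduplicated.
# Netfilter only ever sees addresses: this snapshot goes stale when DNS answers
# change, so it has to be refreshed (cron/systemd timer), and any other site
# sharing those addresses (CDNs) is routed the same way.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# One-time setup: an ipset, a mark on forwarded traffic whose destination is in
# the set, a policy-routing rule for that mark, and NAT on the exit interface.
# Unmarked traffic never consults table 100 and keeps using the main table.
emit_setup() {
    cat <<EOF
ipset create $SET_NAME hash:ip -exist
iptables -t mangle -A PREROUTING -m set --match-set $SET_NAME dst -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route add default dev $VPN_IF table $TABLE
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
EOF
}

# Replace the set's contents with the given addresses. Building a temporary set
# and swapping it in avoids a window where the live set is empty.
emit_refresh() {
    printf 'ipset create %s_tmp hash:ip -exist\nipset flush %s_tmp\n' "$SET_NAME" "$SET_NAME"
    for ip in "$@"; do
        printf 'ipset add %s_tmp %s\n' "$SET_NAME" "$ip"
    done
    printf 'ipset swap %s_tmp %s\nipset destroy %s_tmp\n' "$SET_NAME" "$SET_NAME" "$SET_NAME"
}

# Usage: DRY_RUN=1 sh route-domains.sh example.com example.org   (prints the commands)
# Without DRY_RUN, run as root: the commands are piped into a shell and applied.
main() {
    addrs=""
    for d in "$@"; do addrs="$addrs $(resolve_v4 "$d")"; done
    { emit_setup; emit_refresh $addrs; } | if [ -n "${DRY_RUN:-}" ]; then cat; else sh -e; fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Rerunning the script only needs the refresh part once setup is in place; the `-A` rules in emit_setup would be duplicated if applied twice.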

0 Answers