Output traffic on different interfaces based on destination port
You're close.
The actual reason that the application isn't seeing the return traffic is because of the kernel's built in IP spoofing protection. I.e., the return traffic doesn't match the routing table and is therefore dropped. You can fix this by turning off spoofing protection like this:
sudo sysctl net.ipv4.conf.wlan0.rp_filter=0
But I wouldn't recommend it. The more proper way is to create an alternate routing instance.
- The mark is necessary. Keep it.
- Source NAT is also necessary.
- The final DNAT is unnecessary, so you can remove it.
Make sure you have the iproute package installed. If you have the ip command then you're set (which it looks like you do, but if not get that first).
Edit /etc/iproute2/rt_tables and add a new table by appending the following line:
200 wlan-route
You then need to configure your new routing table named wlan-route with a default gateway and create rules to conditionally send traffic to that table. I'll assume your default gateway is 192.168.0.1. Naturally this needs to match your actual network, and not just my assumptions.
ip route add default via 192.168.0.1 dev wlan0 table wlan-route
ip rule add fwmark 0x1 table wlan-route
Your final annotated script would look like this:
# Populate secondary routing table
ip route add default via 192.168.0.1 dev wlan0 table wlan-route
# Anything with this fwmark will use the secondary routing table
ip rule add fwmark 0x1 table wlan-route
# Mark these packets so that iproute can route it through wlan-route
iptables -A OUTPUT -t mangle -o eth1 -p tcp --dport 443 -j MARK --set-mark 1
# now rewrite the src-addr
iptables -A POSTROUTING -t nat -o wlan0 -p tcp --dport 443 -j SNAT --to 192.168.0.2
bahamat's solution is correct; however, please note that the only way for me to make this work was to disable the rp_filter for every interface in the system, not only the two (eth1 and wlan0 in this case) involved in the NATing.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/route/flush
(see the IMPORTANT note at the end of this page: Advanced Routing Howto -- the link posted there doesn't exist anymore, but I found it through the wayback machine)