Challenge: You have a linux based firewall, which should forward all internal and external traffic of its connected clients through a VPN tunnel, and at the same time the traffic from the firewall itself should not go through the tunnel (e.g. the tunnel connection packets).
Solution: There are lots of howtos for this probably. Here is my very simple and quick (3 lines) solution.
Mark all packets that should go through the tunnel:
> iptables -t mangle -A PREROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -i eth1 -j MARK –set-mark 3
Setup a second routing table:
> ip route add table 3 default dev tun0
Add a rule to use routing-table 3 for packets marked with 3:
> ip rule add fwmark 3 table 3
192.168.2.0/24: client IPs
tun0: device of the vpn tunnel