Firstly I don't think this is a shorewall problem, but I suspect shorewall
might be able to solve it for me.
I've posted this so far at
http://mandrakeusers.org/index.php?showtopic=18942
I've stumbled upon a problem that has me stumped.
I have a multipath router using 2.6.8.1 with patches from here
http://www.ssi.bg/~ja/#routes
basic setup:
               ___ ISP1
LAN---ROUTER---[
               |___ ISP2
I have also setup ipsec-tools, and loaded the correct modules for IPSEC to
work.
If I initiate a TCP port 80 connection from outside to my ISP1 public IP
address, multipath returns the request out the correct gateway.
example from 0.0.0.0 --> 202.x.x.x -->192.168.10.x(Web server) -->
192.168.10.x(router) --> 202.x.x.x --> 0.0.0.0
Perfect !!!
Likewise if I initiate a TCP port 80 connection from outside to my ISP2
public IP address, multipath returns the request out the correct gateway.
example from 0.0.0.0 --> 203.x.x.x -->192.168.10.x(Web server) -->
192.168.10.x(router) --> 203.x.x.x --> 0.0.0.0
PERFECT!
if I'm inside my lan, multipath randomly selects from the two gateways.
Example:
lan-->192.168.10.x(router)-->some randomness--> Either 202.x.x.x or
203.x.x.x
PERFECT!!!
now here comes ipsec ..
from outside 10.99.99.x ->202.x.x.x (ipsec does its thing, and passes the
packet to routing) --> Either 202.x.x.x or 203.x.x.x ... NOT COOL!
if I'm lucky and the packet is returned out the interface I initiated the
IPSEC connection from then it works perfect.
often I'm not lucky, and ipsec fails because the response is sent out the
"other" gateway interface.
For testing purposes I have set a static route to a public IP address
example:
ip route add 205.x.x.x via 202.x.x.x dev eth2 src 202.x.x.x
now I can ipsec perfectly from 205.x.x.x from the source IP address
10.99.99.x
But I want to use this as a "road warrior" so my IP address will be
0.0.0.0/0 which, on the router has two gateways 202.x.x.x and 203.x.x.x
Understand?
can anybody help?
is this perhaps an IPTABLES problem? if so can anybody suggest anything?
(I'm not very good at IPTABLES, but shorewall makes it easy for me)
is it perhaps a routing issue that I may have missed?
I've come to this conclusion.
/etc/shorewall/tcrules
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
1 0.0.0.0/0 202.37.230.93 udp 500
2 0.0.0.0/0 203.96.213.101 udp 501
1 fw 0.0.0.0/0 udp 500
2 fw 0.0.0.0/0 udp 501
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rama-kandra root # ip route list
202.37.230.64/26 dev eth2 proto kernel scope link src 202.37.230.93
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.1.1
203.96.216.0/24 via 203.96.212.1 dev eth3 proto static src 203.96.213.101
203.96.212.0/23 dev eth3 proto kernel scope link src 203.96.213.101
172.30.0.0/20 dev eth1 proto kernel scope link src 172.30.7.4
127.0.0.0/8 via 127.0.0.1 dev lo scope link
rama-kandra root #
rama-kandra root # ip rule list
0: from all lookup local
50: from all lookup main
201: from 202.37.230.64/26 lookup 201
202: from 203.96.212.0/23 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default
rama-kandra root #
rama-kandra root # ip route show table 201
default via 202.37.230.65 dev eth2 proto static src 202.37.230.93
prohibit default proto static metric 1
rama-kandra root #
rama-kandra root # ip route show table 202
default via 203.96.212.1 dev eth3 proto static src 203.96.213.101
prohibit default proto static metric 1
rama-kandra root #
rama-kandra root # ip route show table 222
default proto static
nexthop via 202.37.230.65 dev eth2 weight 1
nexthop via 203.96.212.1 dev eth3 weight 1
rama-kandra root #
I've now done this
# packets marked with a "1" go to table 206
ip rule add fwmark 1 table 206
ip rule add fwmark 2 table 207
# add a route which specifies the source and gateway to each of the tables
ip route add 0.0.0.0/0 src 202.37.230.93 via 202.37.230.65 table 206
ip route add 0.0.0.0/0 src 203.96.216.101 via 203.96.212.1 table 207
my hope is that outgoing packets from IPSEC will match table 206 or 207 and
get routed out the correct interface.
So far it's not working.
I'm guessing that I haven't set up tcrules properly to mark outgoing
packets, but I don't know where to start.
Any help would be appreciated.
FYI:
If a connection is initiated from the outside world to one of my public IP
addresses, shorewall (or IPTABLES) DNAT's the connection to my internal server,
and connection_tracking returns the response out the correct interface.
But with VPN (on the router) there is no "source" (I think) so I'm guessing
connection_tracking is failing because it's not DNAT'ed, it is ACCEPT'ed
locally.
Now when IPSEC returns the packet it gets passed to my equal cost routing
table.
What I'm hoping is I can mark the packet, then make a routing table based on
that mark.
Am I headed down the right track? Or way off?
Thanks
Paul.
Here is the output of shorewall status:
Shorewall-2.0.4 Status at rama-kandra - Wed Sep 22 12:54:47 NZST 2004
Counters reset Wed Sep 22 12:49:21 NZST 2004
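An added example, not code from the thread: a small Python model of the rule and table set posted above (rules 201/202 keyed on source address, the equal-cost table 222, and the fwmark tables 206/207 added afterwards) that shows which device a reply to the 10.99.99.x road warrior leaves by, and that the `prohibit` fallback stops a packet bound to one ISP's address from leaking out the other ISP when its own default route is gone. The priorities of the fwmark rules and the simplified lookup (longest prefix, then metric, no local table) are assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model (not the poster's code) of the router's policy routing,
# transcribed from his `ip rule list` and `ip route show table ...` output.

@dataclass
class Route:
    prefix: str                       # destination prefix
    metric: int = 0
    dev: Optional[str] = None         # single next hop: outgoing device
    src: Optional[str] = None         # preferred source hint, if any
    prohibit: bool = False            # `prohibit default` entry
    nexthops: List[str] = field(default_factory=list)  # ECMP devices

@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[str] = None         # `from <prefix>`; None means `from all`
    fwmark: Optional[int] = None      # `fwmark N`

def _rule_matches(rule, src, mark):
    if rule.fwmark is not None and rule.fwmark != mark:
        return False
    if rule.src is None:
        return True
    # A locally generated packet whose source is not fixed yet (src=None)
    # can only match `from all` rules, which is how it reaches table 222.
    return src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)

def lookup_table(table, dst):
    """Longest prefix match, then lowest metric, inside one table."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def route_packet(rules, tables, dst, src=None, mark=None, rng=random):
    """Walk rules by priority; the first table holding a match decides."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not _rule_matches(rule, src, mark):
            continue
        route = lookup_table(tables.get(rule.table, []), dst)
        if route is None:
            continue             # no match in this table: try the next rule
        if route.prohibit:
            return "prohibited"  # lookup ends; nothing leaks via another ISP
        if route.nexthops:
            return rng.choice(route.nexthops)  # equal-cost multipath
        return route.dev
    return "unreachable"

def poster_config():
    main = [Route("202.37.230.64/26", dev="eth2"), Route("192.168.10.0/24", dev="eth0"),
            Route("203.96.216.0/24", dev="eth3"), Route("203.96.212.0/23", dev="eth3"),
            Route("172.30.0.0/20", dev="eth1"), Route("127.0.0.0/8", dev="lo")]
    tables = {
        "main": main,
        "201": [Route("0.0.0.0/0", dev="eth2", src="202.37.230.93"),
                Route("0.0.0.0/0", metric=1, prohibit=True)],
        "202": [Route("0.0.0.0/0", dev="eth3", src="203.96.213.101"),
                Route("0.0.0.0/0", metric=1, prohibit=True)],
        "222": [Route("0.0.0.0/0", nexthops=["eth2", "eth3"])],
        # Fwmark tables added later. The thread's table 207 command names src
        # 203.96.216.101, which is not an interface address in `ip route list`;
        # the eth3 address 203.96.213.101 is used here instead.
        "206": [Route("0.0.0.0/0", dev="eth2", src="202.37.230.93")],
        "207": [Route("0.0.0.0/0", dev="eth3", src="203.96.213.101")],
    }
    rules = [Rule(50, "main"),
             # `ip rule add fwmark N table T` was run without `pref`; the
             # priorities 100/101 are assumed and only need to sit above 222.
             Rule(100, "206", fwmark=1), Rule(101, "207", fwmark=2),
             Rule(201, "201", src="202.37.230.64/26"),
             Rule(202, "202", src="203.96.212.0/23"),
             Rule(222, "222"), Rule(32766, "main")]
    return rules, tables

def decide(dst, src=None, mark=None, seed=0):
    rules, tables = poster_config()
    return route_packet(rules, tables, dst, src, mark, random.Random(seed))

def outcomes(dst, src=None, mark=None, trials=64):
    """Set of devices chosen over many seeds: one device means deterministic."""
    return {decide(dst, src, mark, seed) for seed in range(trials)}

def decide_with_eth2_down(dst, src):
    rules, tables = poster_config()
    tables["201"] = [r for r in tables["201"] if r.dev != "eth2"]
    return route_packet(rules, tables, dst, src)

if __name__ == "__main__":
    rw = "10.99.99.7"  # constructed road-warrior address in the thread's 10.99.99.x
    print("source fixed to ISP1 address:", outcomes(rw, src="202.37.230.93"))
    print("no fixed source, no mark:", outcomes(rw))
    print("fwmark 1:", outcomes(rw, mark=1))
    print("ISP1 default gone:", decide_with_eth2_down(rw, "202.37.230.93"))
```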
Robert K Coffman Jr - Info From Data Corporation
2004-Sep-22 12:40 UTC
RE: IPSEc versus Multipath routing
I don't know much about this, but I'm using IPSEC with Leaf Bering 1.2. There is a setting rightnexthop and leftnexthop that indicates the gateway address for the ipsec interface (at least for the version of IPSEC used with Bering). It seems that might be something to take a look at. - Bob Coffman
> rama-kandra root # ip route show table 201
> default via 202.37.230.65 dev eth2 proto static src 202.37.230.93
> prohibit default proto static metric 1
> rama-kandra root #

I set the tables up a bit different:

[root@sarg3 jerry]# /sbin/ip route show table T1
64.56.140.0/24 dev eth0 scope link src 64.56.140.zzz
127.0.0.0/8 dev lo scope link
default via 64.56.140.1 dev eth0

> rama-kandra root # ip route show table 222
> default proto static
> nexthop via 202.37.230.65 dev eth2 weight 1
> nexthop via 203.96.212.1 dev eth3 weight 1
> rama-kandra root #

My default doesn't appear in a table, just with the "ip route ls":

default
nexthop via 64.56.140.1 dev eth0 weight 1
nexthop via 205.200.28.28 dev ppp0 weight 1

The other difference that I can see from mine is where you are using networks for the ip rules, I'm using my external ips. Mine is more or less ripped from the howto.
Hope this helps in some way.
Jerry