Dario Lesca
2005-Dec-15 22:22 UTC
Multiple ISPs: How to force traffic generated from FW to a specific ISP
Hello, I have followed this message:

> From: Stanley Gambarin <stanley@apogee.com>
> Reply-To: shorewall-users@lists.sourceforge.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] multiple ISPs: using only one for email ?
> Date: Mon, 26 Sep 2005 16:23:14 -0700 (Tue, 01:23 CEST)
>
> Tom,
>
> Tom Eastep wrote:
> > The 'firewall' code in the current SHOREWALL-2_4 branch of CVS should
> > create the routing rules in the correct order and allow you to configure
> > proper email handling with just packet marking.
> >
> > Unfortunately, the anonymous CVS server at Sourceforge is completely
> > broken at the moment but if you would like me to send you the 'firewall'
> > file, you could just copy it over /usr/share/shorewall/firewall.
>
> sure, that would be great... and just so that I am clear on things...
>
> - once I replace the new 'shorewall' file, I should have the following in
> my config files:
>
> providers:
> MAIL   5 5 -    eth0 65.84.10.209
> DSLNET 1 1 main eth0 65.84.10.209  track,balance=2 eth2
> YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
>
> tcrules:
> 5 $FW 0.0.0.0/0 tcp 25
>
> start:
> # empty
>
> masq:
> eth0 eth2
> eth1 eth2
> eth0 69.227.235.45 65.84.10.210 # do I still need this ?

... to set up my firewall with 2 ISPs.

I want to force the SSH and mail traffic to a specific ISP, but when I test the connection using ssh (22) or telnet on port 25 from the firewall, the connection does not work.

I have analysed the traffic with tcpdump on the firewall and on the remote host, and I have seen that the traffic between the 2 hosts begins correctly but is then interrupted.

Please give me some suggestions or other solutions for forcing some traffic generated from the FW to a specific ISP. Many thanks!
These are my configuration files:

> #[/etc/shorewall/Config/PayOpen2rt/interfaces]-----------------------------------------------
> net $NET_IF detect $NET_OPT
> net $FWB_IF detect $FWB_OPT
> loc $LOC_IF detect $LOC_OPT,routeback
> dmz $DMZ_IF detect $DMZ_OPT
> vpn tun+ -
>
> #[/etc/shorewall/Config/PayOpen2rt/masq]-----------------------------------------------
> $NET_IF $LOC_IF 80.18.151.125
> $NET_IF $DMZ_IF 80.18.151.125
> $FWB_IF $LOC_IF 192.168.0.2
> $FWB_IF $DMZ_IF 192.168.0.2
>
> #[/etc/shorewall/Config/PayOpen2rt/params]-----------------------------------------------
> NET_OPT="routefilter,tcpflags,norfc1918"
> WWW_LEPAGHE_IT="80.18.151.121"
> ONLINE_LEPAGHE_IT="80.18.151.124"
> RT_LEPAGHE_LEPAGHE_IT="80.18.151.126"
> LOC_IF="eth0";
> LOC_OPT="tcpflags";
> LOC_FW_IP="192.168.1.254";
> LOC_BIG="192.168.1.20"
> DMZ_OPT=""
>
> #[/etc/shorewall/Config/PayOpen2rt/policy]-----------------------------------------------
> fw  all ACCEPT
> loc all ACCEPT
> vpn all ACCEPT
> net all DROP   info
> all all REJECT info
>
> #[/etc/shorewall/Config/PayOpen2rt/providers]-----------------------------------------------
> LocTel 5 5 -    eth1 80.18.151.126
> Telec  1 1 main eth1 80.18.151.126 track,balance    eth0,eth2
> Fweb   2 2 main eth3 192.168.0.1   track,balance=10 eth0,eth2
>
> #[/etc/shorewall/Config/PayOpen2rt/proxyarp]-----------------------------------------------
> 80.18.151.121 $DMZ_IF $NET_IF No
> 80.18.151.124 $DMZ_IF $NET_IF No
>
> #[/etc/shorewall/Config/PayOpen2rt/routestopped]-----------------------------------------------
> $LOC_IF -
>
> #[/etc/shorewall/Config/PayOpen2rt/rules]-----------------------------------------------
> SECTION NEW
> ...(cut)
> ACCEPT net fw  icmp 8
> ACCEPT loc dmz icmp 8
> ACCEPT dmz loc icmp 8
> ACCEPT dmz net icmp 8
>
> #[/etc/shorewall/Config/PayOpen2rt/shorewall.conf]-----------------------------------------------
> STARTUP_ENABLED=Yes
> LOGFILE=/var/log/messages
> LOGFORMAT="Shorewall:%s:%s:"
> LOGTAGONLY=No
> LOGRATE=
> LOGBURST=
> LOGALLNEW=
> BLACKLIST_LOGLEVEL=
> MACLIST_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=info
> RFC1918_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> LOG_MARTIANS=No
> IPTABLES=
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/sh
> SUBSYSLOCK=/var/lock/subsys/shorewall
> MODULESDIR=
> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> RESTOREFILE=
> IPSECFILE=zones
> FW=
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> RETAIN_ALIASES=No
> TC_ENABLED=Internal
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=No
> CLAMPMSS=No
> ROUTE_FILTER=No
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> DELAYBLACKLISTLOAD=No
> MODULE_SUFFIX=
> DISABLE_IPV6=Yes
> BRIDGING=No
> DYNAMIC_ZONES=No
> PKTTYPE=Yes
> RFC1918_STRICT=No
> MACLIST_TABLE=filter
> MACLIST_TTL=
> SAVE_IPSETS=No
> MAPOLDACTIONS=No
> FASTACCEPT=No
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
>
> #[/etc/shorewall/Config/PayOpen2rt/tcrules]-----------------------------------------------
> 5 $FW 0.0.0.0/0 tcp 22
> 5 $FW 0.0.0.0/0 tcp 25
>
> #[/etc/shorewall/Config/PayOpen2rt/zones]-----------------------------------------------
> fw  firewall
> net ipv4
> loc ipv4
> dmz ipv4
> vpn ipv4

--
Dario Lesca <d.lesca@solinos.it>
Tom Eastep
2005-Dec-15 22:49 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Thursday 15 December 2005 14:22, Dario Lesca wrote:

> I want to force the SSH and mail traffic to a specific ISP, but when I test
> the connection using ssh (22) or telnet on port 25 from the firewall the
> connection does not work.
>
> I have analysed the traffic with tcpdump on the firewall and on the remote host
> and I have seen that the traffic between the 2 hosts begins correctly but
> is then interrupted.

What do you mean "is interrupted"?

How many packets do you see before this "interruption"?

Are eth1 and eth3 connected to the same switch/hub?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Dec-15 22:55 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Thursday 15 December 2005 14:49, Tom Eastep wrote:
> On Thursday 15 December 2005 14:22, Dario Lesca wrote:
> > I want to force the SSH and mail traffic to a specific ISP, but when I test
> > the connection using ssh (22) or telnet on port 25 from the firewall the
> > connection does not work.
> >
> > I have analysed the traffic with tcpdump on the firewall and on the remote host
> > and I have seen that the traffic between the 2 hosts begins correctly but
> > is then interrupted.
>
> What do you mean "is interrupted"?
>
> How many packets do you see before this "interruption"?
>
> Are eth1 and eth3 connected to the same switch/hub?

And, it sure would be good to get the output of "shorewall status" (if you are running shorewall 2.x) or "shorewall dump" (if you are running 3.x) as a compressed attachment.

Thanks,
-Tom
Pieter Ennes
2005-Dec-16 08:53 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
Hello Dario,

Dario Lesca wrote:
> I have analysed the traffic with tcpdump on the firewall and on the remote host
> and I have seen that the traffic between the 2 hosts begins correctly but
> is then interrupted.
>
> Please give me some suggestions or other solutions for forcing some
> traffic generated from the FW to a specific ISP.

We have seen something similar. This is a bit premature, but could you try changing the subnet entries in your masq file from the interface name to 0.0.0.0/0?

$NET_IF 0.0.0.0/0 80.18.151.125
$NET_IF 0.0.0.0/0 80.18.151.125
$FWB_IF 0.0.0.0/0 192.168.0.2
$FWB_IF 0.0.0.0/0 192.168.0.2

This seemed to be the clue for shaping locally originating traffic at our site, but I'm far from sure about that, so it would be nice if you can confirm this.

Bye,
--
- Pieter
Jerry Vonau
2005-Dec-16 10:42 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
----- Original Message -----
<snip>
> > masq:
> > eth0 eth2
> > eth1 eth2
> > eth0 69.227.235.45 65.84.10.210 # do I still need this ?

The answer from that thread is yes.

> ... to set up my firewall with 2 ISPs.
>
> I want to force the SSH and mail traffic to a specific ISP, but when I test
> the connection using ssh (22) or telnet on port 25 from the firewall the
> connection does not work.
<snip>
> > #[/etc/shorewall/Config/PayOpen2rt/masq]-----------------------------------------------
> > $NET_IF $LOC_IF 80.18.151.125
> > $NET_IF $DMZ_IF 80.18.151.125
> > $FWB_IF $LOC_IF 192.168.0.2
> > $FWB_IF $DMZ_IF 192.168.0.2

You're missing:
$NET_IF 192.168.0.2 80.18.151.125

Jerry
Dario Lesca
2005-Dec-16 22:37 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Fri, 16/12/2005 at 04.42 -0600, Jerry Vonau wrote:
> You're missing:
> $NET_IF 192.168.0.2 80.18.151.125

I'm sorry, I omitted this line only in the message (cut & paste error). It is in the masq file.

--
Dario Lesca <d.lesca@solinos.it>
Dario Lesca
2005-Dec-16 22:40 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Fri, 16/12/2005 at 09.53 +0100, Pieter Ennes wrote:
> Hello Dario,
> We have seen something similar. This is a bit premature, but could you
> try changing the subnet entries in your masq file from the interface
> name to 0.0.0.0/0?
>
> This seemed to be the clue for shaping locally originating traffic at
> our site, but I'm far from sure about that, so it would be nice if you
> can confirm this.

I tried changing the subnet entries and nothing changed: the local ssh connection still does not work. Thanks anyway.

--
Dario Lesca <d.lesca@solinos.it>
Dario Lesca
2005-Dec-16 22:51 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Thu, 15/12/2005 at 14.49 -0800, Tom Eastep wrote:
> On Thursday 15 December 2005 14:22, Dario Lesca wrote:
>
> What do you mean "is interrupted"?

This is the ssh -vv:

> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 82.186.161.26 [82.186.161.26] port 22.

.... the connection is not established, and I press CTRL+C

> How many packets do you see before this "interruption"?

This is the output of tcpdump:

17:13:11.594999 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37592: S [tcp sum ok] 2026152488:2026152488(0) ack 993842405 win 5792 <mss 1460,sackOK,timestamp 748874008 2598568527,nop,wscale 2>
17:13:14.044552 IP (tos 0x0, ttl 64, id 42223, offset 0, flags [DF], proto 6, length: 60) 80.18.151.125.37593 > 82.186.161.26.ssh: S [tcp sum ok] 1037310735:1037310735(0) win 5840 <mss 1460,sackOK,timestamp 2598617056 0,nop,wscale 2>
17:13:14.140407 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748874645 2598617056,nop,wscale 2>
17:13:17.019806 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37589: S [tcp sum ok] 1983362704:1983362704(0) ack 956144386 win 5792 <mss 1460,sackOK,timestamp 748875358 2598525742,nop,wscale 2>
17:13:17.043901 IP (tos 0x0, ttl 64, id 42225, offset 0, flags [DF], proto 6, length: 60) 80.18.151.125.37593 > 82.186.161.26.ssh: S [tcp sum ok] 1037310735:1037310735(0) win 5840 <mss 1460,sackOK,timestamp 2598620056 0,nop,wscale 2>
17:13:17.139923 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748875395 2598617056,nop,wscale 2>
17:13:17.996375 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748875608 2598617056,nop,wscale 2>
17:13:23.043627 IP (tos 0x0, ttl 64, id 42227, offset 0, flags [DF], proto 6, length: 60) 80.18.151.125.37593 > 82.186.161.26.ssh: S [tcp sum ok] 1037310735:1037310735(0) win 5840 <mss 1460,sackOK,timestamp 2598626056 0,nop,wscale 2>
17:13:23.139068 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748876894 2598617056,nop,wscale 2>
17:13:23.995488 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748877109 2598617056,nop,wscale 2>
17:13:36.003755 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748880109 2598617056,nop,wscale 2>
17:13:40.996425 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37590: S [tcp sum ok] 2016997159:2016997159(0) ack 978651900 win 5792 <mss 1460,sackOK,timestamp 748881359 2598549666,nop,wscale 2>
17:13:59.818285 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37592: S [tcp sum ok] 2026152488:2026152488(0) ack 993842405 win 5792 <mss 1460,sackOK,timestamp 748886059 2598568527,nop,wscale 2>
17:14:00.200532 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460,sackOK,timestamp 748886159 2598617056,nop,wscale 2>

> Are eth1 and eth3 connected to the same switch/hub?

No, eth1 and eth3 are each connected to their respective router.

Thanks Tom!

--
Dario Lesca <d.lesca@solinos.it>
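The capture above shows the remote host answering every SYN with a SYN-ACK that is retransmitted over and over while the firewall never sends the final ACK, which is the pattern to look for when testing source routing from the firewall itself. The script below is an added example, not from the thread or from Shorewall: it parses tcpdump lines in this format and lists flows that received a SYN-ACK but never acknowledged it; the sample input is a constructed, shortened copy of the capture plus one healthy flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump lines quoted in the thread (TCP
# options shortened); the last three lines are an added healthy flow for contrast.
SAMPLE = """\
17:13:14.044552 IP (tos 0x0, ttl 64, id 42223, offset 0, flags [DF], proto 6, length: 60) 80.18.151.125.37593 > 82.186.161.26.ssh: S [tcp sum ok] 1037310735:1037310735(0) win 5840 <mss 1460>
17:13:14.140407 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460>
17:13:17.043901 IP (tos 0x0, ttl 64, id 42225, offset 0, flags [DF], proto 6, length: 60) 80.18.151.125.37593 > 82.186.161.26.ssh: S [tcp sum ok] 1037310735:1037310735(0) win 5840 <mss 1460>
17:13:17.139923 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460>
17:13:17.996375 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto 6, length: 60) 82.186.161.26.ssh > 80.18.151.125.37593: S [tcp sum ok] 2086507416:2086507416(0) ack 1037310736 win 5792 <mss 1460>
17:20:01.000000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto 6, length: 60) 192.168.1.254.40000 > 192.168.1.20.ssh: S [tcp sum ok] 1:1(0) win 5840 <mss 1460>
17:20:01.000500 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 60) 192.168.1.20.ssh > 192.168.1.254.40000: S [tcp sum ok] 2:2(0) ack 2 win 5792 <mss 1460>
17:20:01.000900 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto 6, length: 52) 192.168.1.254.40000 > 192.168.1.20.ssh: . [tcp sum ok] 1:1(0) ack 3 win 1460
"""

# <time> IP (<ip header fields>) <src>.<sport> > <dst>.<dport>: <flags> <rest>
LINE = re.compile(r"^(\S+) IP \(.*?\) (\S+) > (\S+): (\S+) (.*)$")

def parse_line(line):
    """Return (src_host, src_port, dst_host, dst_port, kind) or None; kind is syn/synack/ack."""
    m = LINE.match(line)
    if not m:
        return None
    _ts, src, dst, flags, rest = m.groups()
    shost, sport = src.rsplit(".", 1)   # host is a dotted quad, the port is the last field
    dhost, dport = dst.rsplit(".", 1)
    has_ack = " ack " in rest           # this tcpdump version prints "ack N" for ACK-bearing segments
    if flags == "S":
        kind = "synack" if has_ack else "syn"
    elif has_ack:
        kind = "ack"
    else:
        return None                     # RST/FIN without ACK play no part in handshake accounting
    return shost, sport, dhost, dport, kind

def handshake_summary(text):
    """Count SYN / SYN-ACK / ACK per (client_host, client_port, server_host, server_port)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        shost, sport, dhost, dport, kind = p
        key = (shost, sport, dhost, dport)
        # Key every packet by the client side so both directions land on one flow entry.
        if kind == "synack" or (kind == "ack" and (dhost, dport, shost, sport) in flows):
            key = (dhost, dport, shost, sport)
        flows[key][kind] += 1
    return dict(flows)

def half_open_flows(text):
    """Flows that received a SYN-ACK but never sent the final ACK: the symptom in the thread."""
    return {k: v for k, v in handshake_summary(text).items() if v["synack"] > 0 and v["ack"] == 0}
```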
Dario Lesca
2005-Dec-16 22:56 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
On Thu, 15/12/2005 at 14.55 -0800, Tom Eastep wrote:
> And, it sure would be good to get the output of "shorewall status" (if you are
> running shorewall 2.x) or "shorewall dump" (if you are running 3.x) as a
> compressed attachment.

All config files and debug files are in the attached tar file.

> Thanks,

Thank you Tom!

--
Dario Lesca <d.lesca@solinos.it>
Jerry Vonau
2005-Dec-17 17:26 UTC
Re: Multiple ISPs: How to force traffic generated from FW to a specific ISP
----- Original Message -----
> All config files and debug files are in the attached tar file.
>
> > Thanks,
> Thank you Tom!

From the dump that you posted:

Chain tcout (1 references)
 pkts bytes target prot opt in out source    destination
    1    60 MARK   tcp  --  *  *   0.0.0.0/0 !192.168.0.0/16 tcp dpt:22 MARK set 0x5
    7   420 MARK   tcp  --  *  *   0.0.0.0/0 !192.168.0.0/16 tcp dpt:25 MARK set 0x5

Chain eth1_masq (1 references)
 pkts bytes target prot opt in out source      destination
    7   420 SNAT   all  --  *  *   192.168.0.2 0.0.0.0/0 to:80.18.151.125
   10   677 SNAT   all  --  *  *   0.0.0.0/0   0.0.0.0/0 to:80.18.151.125
    0     0 SNAT   all  --  *  *   0.0.0.0/0   0.0.0.0/0 to:80.18.151.125

Note the 7 pkts, 420 bytes that are common to both chains; there should be 8 pkts, 480 bytes for the eth1_masq chain if the ssh client used 192.168.0.2 as a source address, and it leaves me wondering what source address the ssh client is actually using.

With tcrules the last match gets to mark the packet, so to help debug this could you try these tcrules:

5 $FW: !192.168.0.0/16 tcp 22
5 $FW:192.168.1.254 !192.168.0.0/16 tcp 22
5 $FW:172.16.1.1 !192.168.0.0/16 tcp 22
5 $FW:80.18.151.125 !192.168.0.0/16 tcp 22
5 $FW:192.168.0.2 !192.168.0.0/16 tcp 22
5 $FW: !192.168.0.0/16 tcp 25
5 $FW:192.168.1.254 !192.168.0.0/16 tcp 25
5 $FW:172.16.1.1 !192.168.0.0/16 tcp 25
5 $FW:80.18.151.125 !192.168.0.0/16 tcp 25
5 $FW:192.168.0.2 !192.168.0.0/16 tcp 25

The first rule should catch anything not below it, the second/third rules should catch anything that comes from the loc/dmz interfaces, and the fourth/fifth rules should catch anything from your isp's interfaces.

"shorewall restart", then "shorewall reset" and retest, then submit a "shorewall dump" again.

Jerry
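Jerry's counter comparison written out as a repeatable check, as an added example that is neither from the thread nor Shorewall's own code: it parses the two chains he quotes from the dump (iptables -nv style listings) and reports how many MARKed packets were not SNATed from the source address the provider should be using. The chain names and the expected source are parameters with the thread's values as defaults; the input is the quoted dump, embedded as a constant.

```python
import re

# Constructed input: the two chains Jerry quotes from the "shorewall dump" in the thread.
DUMP = """\
Chain tcout (1 references)
 pkts bytes target prot opt in out source destination
    1    60 MARK tcp -- * * 0.0.0.0/0 !192.168.0.0/16 tcp dpt:22 MARK set 0x5
    7   420 MARK tcp -- * * 0.0.0.0/0 !192.168.0.0/16 tcp dpt:25 MARK set 0x5
Chain eth1_masq (1 references)
 pkts bytes target prot opt in out source destination
    7   420 SNAT all -- * * 192.168.0.2 0.0.0.0/0 to:80.18.151.125
   10   677 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:80.18.151.125
    0     0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:80.18.151.125
"""

CHAIN = re.compile(r"^Chain (\S+)")
# pkts bytes target prot opt in out source destination [match/target options]
# Assumes exact (unsuffixed) counters, as in the dump quoted above.
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(text):
    """Parse 'iptables -nv' style listings into {chain_name: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE.match(line)          # the column header has no leading digits, so it is skipped
        if m and current is not None:
            pkts, byts, target, prot, opt, inif, outif, src, dst, extra = m.groups()
            chains[current].append({"pkts": int(pkts), "bytes": int(byts), "target": target,
                                    "prot": prot, "in": inif, "out": outif,
                                    "src": src, "dst": dst, "extra": extra})
    return chains

def mark_vs_snat(text, mark_chain="tcout", masq_chain="eth1_masq", expected_src="192.168.0.2"):
    """Compare packets MARKed in the firewall's tcrules chain with packets SNATed from
    expected_src in the provider's masq chain.  Returns (marked, snated, missing) as
    (pkts, bytes) tuples; a non-zero 'missing' means marked traffic left with some
    other source address, which is what Jerry infers from 8 vs 7 packets."""
    chains = parse_chains(text)
    marked = [r for r in chains.get(mark_chain, []) if r["target"] == "MARK"]
    snated = [r for r in chains.get(masq_chain, [])
              if r["target"] == "SNAT" and r["src"] == expected_src]
    m = (sum(r["pkts"] for r in marked), sum(r["bytes"] for r in marked))
    s = (sum(r["pkts"] for r in snated), sum(r["bytes"] for r in snated))
    return m, s, (m[0] - s[0], m[1] - s[1])
```

Keep in mind that nat-table rules such as SNAT only see the first packet of each connection while the mangle MARK rules count every packet, so the two counters line up only when the counters were reset and each test opened a fresh connection.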