Hi Tom, Jerry and all,

Here's my shorewall dump (attached file) like you asked.

Here's a reminder of what my problem is all about:

-THE PROBLEM-

My problem is very clear.
The rules in the /etc/shorewall/tcrules file DO NOT APPLY to traffic originating from the firewall ($FW).

Tcrules apply perfectly to traffic originating from other interfaces (ex. eth0).
But I've tried everything I thought of, and traffic originating from the firewall just ain't following the tcrules.

I did a lot of tests already (in the past week).
BTW one thing I did that kinda blows my mind away is this:

In the TCRULES, I specified only one thing (as a test):

    1 0.0.0.0/0 0.0.0.0/0 all

Even then, the FW originating traffic still wasn't steered to my ISP1 (ISPABCDEF). Eth0 traffic was though.

And right now, the rules in tcrules are these:

    1   $FW  0.0.0.0/0 all
    2:P eth0 0.0.0.0/0 all

If I do a "shorewall show mangle" I can see packets were marked with 1:

    Chain tcout (1 references)
     pkts bytes target prot opt in  out source    destination
     364K 119M  MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK set 0x1

But they ain't going out ISPABCDEF (ppp0).

Another thing I'm pretty sure I've noticed (I'll have to re-verify this though) is that FW originating traffic seemed to be responding to the /etc/shorewall/providers option BALANCE and was balancing from ISP1 to ISP2, but it was not as obvious as the balancing of traffic originating from eth0, which was very clearly balancing. (To see the balancing take place, I do a "tail -f /var/log/messages" and there is a log:INFO rule so I can see which interface the traffic is directed to.)

Thx a lot for your help. I'll keep searching on my side... but I'm pretty much out of options.

(All my altered files from /etc/shorewall are in the attached file (SiO Problem.tar.gz). Other files are untouched so I did not attach them.)

Thanks for having a look. When you're done, send me a list of TESTs and displays you want me to do.

Good luck helping me!

Later
SiO
On Sunday 01 January 2006 13:36, Child from KoRn wrote:
> (Should this have been posted to the entire LIST instead of you personally?
> If so pls tell me, I'll do so next time.)
>
> Hi!
>
> I've been trying to solve a problem for the past week.
> Jerry Vonau is also trying to help me on his side.
>
> I've seen a few posts from you on the same problem I have, but never found
> the final solution.
> Now I'm really stuck. I've been using Shorewall for 3 years now, and I've
> never been that desperate to make it work :)
>
> -THE PROBLEM-
>
> My problem is very clear.
> The rules in the /etc/shorewall/tcrules file DO NOT APPLY to traffic
> originating from the firewall ($FW).
>
> Tcrules apply perfectly to traffic originating from other interfaces
> (ex. eth0).
> But I've tried everything I thought of, and traffic originating from the
> firewall just ain't following the tcrules.

Given the following entry in /etc/shorewall/masq, Shorewall WON'T EVEN START (I see that you have hacked up shorewall.conf to include FW=fw even though you are running Shorewall 3.0 -- silly).

    #INTERFACE SUBNET  ADDRESS PROTO PORT(S) IPSEC
    ppp0       $FW                                  #All from FW goto ppp0(ISPABCDEF)

What you want there is

    #INTERFACE SUBNET               ADDRESS PROTO PORT(S) IPSEC
    ppp0       <ip address of eth2>                              #All from FW goto ppp0(ISPABCDEF)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sunday 01 January 2006 14:27, Child from KoRn wrote:
> Hi Tom, Jerry and all,
>
> Here's my shorewall dump (attached file) like you asked.
>
> Here's a reminder of what my problem is all about:
>
> -THE PROBLEM-
>
> My problem is very clear.
> The rules in the /etc/shorewall/tcrules file DO NOT APPLY to traffic
> originating from the firewall ($FW).
>
> Tcrules apply perfectly to traffic originating from other interfaces
> (ex. eth0).
> But I've tried everything I thought of, and traffic originating from the
> firewall just ain't following the tcrules.
>
> I did a lot of tests already (in the past week).
> BTW one thing I did that kinda blows my mind away is this:
>
> In the TCRULES, I specified only one thing (as a test):
>
>     1 0.0.0.0/0 0.0.0.0/0 all
>
> Even then, the FW originating traffic still wasn't steered to my ISP1
> (ISPABCDEF).

IT WOULDN'T!!!!!!!!!!!!

> Eth0 traffic was though.
>
> And right now, the rules in tcrules are these:
>
>     1   $FW  0.0.0.0/0 all
>     2:P eth0 0.0.0.0/0 all
>
> If I do a "shorewall show mangle" I can see packets were marked with 1:
>
>     Chain tcout (1 references)
>      pkts bytes target prot opt in  out source    destination
>      364K 119M  MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK set 0x1
>
> But they ain't going out ISPABCDEF (ppp0).

Looks to me like some are going out ppp0 with a source IP of 24.200.89.15. There are several conntrack entries like this:

    tcp 6 47 SYN_SENT src=24.200.89.15 dst=67.68.89.173 sport=34854 dport=80 packets=1 bytes=60 [UNREPLIED] src=67.68.89.173 dst=24.200.89.15 sport=80 dport=34854 packets=0 bytes=0 mark=0 use=1

That's why both of us have told you to add this entry to /etc/shorewall/masq:

    ppp0 24.200.89.15

How are you testing this? When you run tcpdump, what command are you using?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
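As an added illustration (not code from the thread, from Tom, or from Shorewall), the Python model below walks a firewall-generated packet through the steps Tom's answer relies on: source-address selection by the main (balanced) route, the tcrules MARK, the fwmark route lookup, and the POSTROUTING masq rewrite, which is why a MARK alone leaves packets exiting ppp0 with the other link's address. It assumes the ppp0/eth2 addresses SiO lists later in the thread; the function names and the address-mismatch check are this example's own, and masq_entries_for_fw_traffic() generalizes Tom's single entry to every provider pair.

```python
import ipaddress

# Provider layout as SiO describes it: packet mark -> egress interface,
# and each link's (DHCP) address. Values quoted from the thread.
PROVIDERS = {1: "ppp0", 2: "eth2"}
IFACE_ADDR = {"ppp0": "67.71.73.188", "eth2": "24.200.89.10"}


def addr_in(addr, subnet):
    """masq SUBNET column: a single host or a CIDR block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet, strict=False)


def route_fw_packet(dst, mark, main_iface, masq):
    """Return (egress_iface, source_ip) for a packet the firewall generates.

    Step order mirrors netfilter: the source address is chosen from the main
    routing table when the socket sends, BEFORE the OUTPUT mangle chain runs,
    so a tcrules MARK changes the egress interface but not the source already
    picked. Only POSTROUTING masq rows, (INTERFACE, SUBNET), can rewrite it.
    """
    src = IFACE_ADDR[main_iface]               # 1. main table (balanced default route)
    egress = PROVIDERS.get(mark, main_iface)   # 2./3. MARK, then fwmark -> provider table
    for iface, subnet in masq:                 # 4. POSTROUTING: MASQUERADE on matching rows
        if iface == egress and addr_in(src, subnet):
            src = IFACE_ADDR[egress]
    return egress, src


def leaves_with_foreign_source(egress, src):
    """True when the packet exits one link carrying the other link's address:
    the conntrack symptom Tom points at (ISP2 source, flow heading out ppp0).
    Such packets are usually dropped by the ISP or replied to over the other link."""
    return IFACE_ADDR[egress] != src


def masq_entries_for_fw_traffic():
    """Generalizes Tom's single entry: for every provider interface, one masq
    row rewriting each *other* provider's address, so FW traffic marked to any
    link always leaves with that link's own address."""
    return sorted((out, IFACE_ADDR[other])
                  for out in IFACE_ADDR for other in IFACE_ADDR if out != other)


if __name__ == "__main__":
    dst = "67.68.89.173"  # destination taken from the conntrack line in the thread
    # Main table chose eth2 for source selection, tcrules marked 1 -> out ppp0.
    print(route_fw_packet(dst, 1, "eth2", []))                          # ('ppp0', '24.200.89.10')
    print(route_fw_packet(dst, 1, "eth2", [("ppp0", "24.200.89.10")]))  # ('ppp0', '67.71.73.188')
    print(masq_entries_for_fw_traffic())
```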
Hi Tom,

Thx for the replies.

Ok, first point:

> (I see that you have hacked up shorewall.conf to include FW=fw even though
> you are running Shorewall 3.0 -- silly).

This was just a test. Had nothing to lose at this point. All my previous tests were made using FW in the ZONE file.

Ok, second point:

> That's why both of us have told you to add this entry to
> /etc/shorewall/masq:
>
> ppp0 24.200.89.15

I can't put this IP 'cause 24.200.89.15 is my DHCP ISP2 IP. It could change any time. I could put the interface (eth2) though... but read on pls.

    ppp0 = ISP1 (ISPABCDEF) = Mark 1 = 67.71.73.188  = DHCP
    eth2 = ISP2 (ISPUVWXYZ) = Mark 2 = 24.200.89.10  = DHCP
    eth0 = LAN1                      = 10.10.10.0/24 = STATIC

So what you're telling me is to MASQUERADE my DHCP ISP2 IP (24.200.89.10) to go through my ISP1 interface (ppp0), right?

You know my goal is to:
- Make all FW traffic go out ppp0 (ISP1)
- Make all eth0 (LAN1) traffic go out eth2 (ISP2)
- Later on I might criss-cross a few TCP and UDP ports.

So can you tell me why I would want to MASQ my ISP2 IP as my ISP1 IP? Is this because my firewall uses this interface (this IP) as its source IP for all traffic it generates? But as I said, sometimes traffic originating from the firewall IS balanced, so then the source IP is either 67.71.73.188 (when balanced through ISP1, MARK 1) or sometimes it's balanced to 24.200.89.10 (when balanced through ISP2, MARK 2).

Maybe there's something I'm not getting right here. I don't understand why you want me to MASQ my FW originating traffic. All the servers and applications it runs were bound to the ppp0 interface. No masquerading, just like a plain computer alone with its ADSL on ppp0, using the ppp0 WAN IP as its own.

Maybe my mistake is here: Do you NEED masq when you want to balance FW originating traffic? Until now I didn't think so 'cause I never needed to before.

Alright. So from here, you want me to MASQ my ISP2 IP to my ISP1 IP like this:

    ppp0 24.200.89.15

I'll try it even if it's a DHCP address. I guess I could put the interface instead, right? (eth2)? I'll go and try it. I'll see if it works and figure it out afterwards if this works.

BTW I'm currently on IRC (nickname: SiO). Send me a message, I'll tell you live what is going on. It might be easier to explain it LIVE too.

Thx a lot for your help! Really appreciate it. (Sorry for my bad English.)
Shorewall is the best, nice work. (I'll join the development mailing list! Like I said, I'm a network analyst, not a programmer, but maybe I could help.)

Later.
SiO

> From: Tom Eastep <teastep@shorewall.net>
> Reply-To: shorewall-users@lists.sourceforge.net
> To: shorewall-users@lists.sourceforge.net
> CC: "Child from KoRn" <child_from_korn@hotmail.com>
> Subject: Re: [Shorewall-users] Tcrules is ignored by firewall
> Date: Sun, 1 Jan 2006 16:18:47 -0800
>
> On Sunday 01 January 2006 14:27, Child from KoRn wrote:
> > Hi Tom, Jerry and all,
> >
> > Here's my shorewall dump (attached file) like you asked.
> >
> > Here's a reminder of what my problem is all about:
> >
> > -THE PROBLEM-
> >
> > My problem is very clear.
> > The rules in the /etc/shorewall/tcrules file DO NOT APPLY to traffic
> > originating from the firewall ($FW).
> >
> > Tcrules apply perfectly to traffic originating from other interfaces
> > (ex. eth0).
> > But I've tried everything I thought of, and traffic originating from the
> > firewall just ain't following the tcrules.
> >
> > I did a lot of tests already (in the past week).
> > BTW one thing I did that kinda blows my mind away is this:
> >
> > In the TCRULES, I specified only one thing (as a test):
> >
> >     1 0.0.0.0/0 0.0.0.0/0 all
> >
> > Even then, the FW originating traffic still wasn't steered to my ISP1
> > (ISPABCDEF).
>
> IT WOULDN'T!!!!!!!!!!!!
>
> > Eth0 traffic was though.
> >
> > And right now, the rules in tcrules are these:
> >
> >     1   $FW  0.0.0.0/0 all
> >     2:P eth0 0.0.0.0/0 all
> >
> > If I do a "shorewall show mangle" I can see packets were marked with 1:
> >
> >     Chain tcout (1 references)
> >      pkts bytes target prot opt in  out source    destination
> >      364K 119M  MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK set 0x1
> >
> > But they ain't going out ISPABCDEF (ppp0).
>
> Looks to me like some are going out ppp0 with a source IP of 24.200.89.15.
> There are several conntrack entries like this:
>
>     tcp 6 47 SYN_SENT src=24.200.89.15 dst=67.68.89.173 sport=34854 dport=80 packets=1 bytes=60 [UNREPLIED] src=67.68.89.173 dst=24.200.89.15 sport=80 dport=34854 packets=0 bytes=0 mark=0 use=1
>
> That's why both of us have told you to add this entry to
> /etc/shorewall/masq:
>
>     ppp0 24.200.89.15
>
> How are you testing this? When you run tcpdump, what command are you using?
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key