Shorewall users - Apr 2007 - policy routing with two shorewalls

I have, for the time being, decided to split my dual ISP/single
shorewall connection into two shorewall connections/boxes, each handling
one ISP.

I am running OSPF in the network and so far things are working out
fairly well (from a client of the two gateways).

$ ip route ls
10.33.66.2 via 10.75.22.199 dev eth0  proto zebra  metric 20 
192.168.200.1 via 10.75.22.254 dev eth0  proto zebra  metric 20 
192.168.0.0/24  proto zebra  metric 20 
        nexthop via 10.75.22.137  dev eth0 weight 1
        nexthop via 10.75.22.137  dev eth0 weight 1
10.75.22.0/24 dev eth0  proto kernel  scope link  src 10.75.22.1 
10.75.23.0/24 via 10.75.22.199 dev eth0  proto zebra  metric 20 
72.38.184.0/23 via 10.75.22.199 dev eth0  proto zebra  metric 20 
169.254.0.0/16 via 10.75.22.254 dev eth0  proto zebra  metric 20 
default  proto zebra  metric 10 
        nexthop via 10.75.22.199  dev eth0 weight 1
        nexthop via 10.75.22.254  dev eth0 weight 1

I would like/need to implement some policy routing though, due to
brain-deadeness and bandwidth tradeoffs between the two ISPs (one has
great policies, no port blocking or traffic shaping, etc. but lower in
bandwidth and other is draconian but great bandwidth).

I''d rather not implement the policy on each client in the network
though.

It seems to me that I could implement the policy using "ip rule" and
"ip
route" on the two shorewall gateways and have them a) move the traffic
for the other''s ISP between them and b) send redirects to the clients
as
needed.

Certainly this is doable manually, but since shorewall does ip
r{oute,ule} manipulations, I wondered if there was any facility to do
this?

It seems it''s a bit of a perversion of providers, but would it be much
of perversion?  Would it be as simple as pointing to the other
gateway''s
internal address as the 2nd provider, as if it were the IP of the other
provider?

Thots?
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Brian J. Murrell wrote:
> 
> It seems it''s a bit of a perversion of providers, but would it be
much
> of perversion?  Would it be as simple as pointing to the other
gateway''s
> internal address as the 2nd provider, as if it were the IP of the other
> provider?
>
Yes. You would also need to set the ''routeback'' option on both
routers''
internal interface.

Regardless of whether you use Shorewall providers, you probably want to
monitor the conntrack table usage. That is because your routing will be
asymmetric; both routers will be trying to track connections redirected from
one to the other. Note that only the destination router will have complete
conntrack entries since the redirecting router will only handle traffic in
the outbound direction.

You will also want to set
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal and
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to avoid tcp packets
being dropped as invalid by Netfilter connection tracking.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

OK, as somewhat of a followup on this dual gateway shorewall situation
here is what I finally have:

  I1    I2
   |    |
  G1    G2
   |    |
------------
|  |  |  |
H1 H2 H3 H4

I* are consumer-grade Internet connections, DSL and Cable although the
transport doesn''t much matter.  What does is they are with two
different
providers and thus two different IP addresses.

G* are the shorewall gateways and H* are the hosts in the network.  The
important thing is that packets for an established session between an H
and the Internet are not free to flow over whichever connection they
wish to, they must use the same connection for the life of the session.
No surprise to anyone here.

The network runs OSPF and the path through the Cable connection is given
a lower cost so that the distributed default route is through the Cable
connection.  Should the cable connection go down (for various values of
"down"), the DSL connection becomes the default automatically. 
What''s
important to remember here is that by default all traffic is routed
through the Cable connection.

The Cable connection is a dynamic IP and the DSL connection a static IP,
so it''s much easier to have inbound NATted services (smtp, http, etc.)
come over the DSL connection (DDNS solutions aside) rather than the
cable connection, who''s IP could change at any time.

As you might be guessing at this point though, this creates a problem.
If say, H4 is an SMTP server and port 25 is NATted through both G1 and
G2 and the publicly advertised address for SMTP service is on the DSL
gateway, when the SMTP server, H4 tries to respond to an incoming SYN
packet with the SYN-ACK, that goes through the Cable connection.  No
good.

So what I have done is this on the Cable gateway:

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7378  891K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match 0x0/0xffff CONNMARK restore mask 0xff
18202 3054K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match !0x0/0xffff
 2788  531K MARK       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0   
MARK set 0xb
 2788  531K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match !0x0/0xffff CONNMARK save mask 0xff

Where vlan1 is the Internet interface on the Cable gateway.  This
ensures (or so I believe) that all packets that come in through the
Cable gateway are connmarked with 0xb.  So now I can know that when
traffic comes to the Cable gateway from the H*s whether it''s in
response
to an incoming or already established outgoing session.

That just leaves the traffic coming from H*s that is either originating
a new outgoing session or in response to a session originated on the DSL
gateway.  If the packet is an initial SYN, no ACK it should be routed
via the Cable gateway, which is what happens normally.  All good.  It
will wind up getting into a connection marked with 0xb.

So the only thing left is how to handle the return packet flow from a
session started on the DSL gateway.  The magic seems to be in matching
packets with an ACK bit set but no connection mark and these rules seems
to take care of it:

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
31462 4804K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match 0x0/0xffff CONNMARK restore mask 0xff
18046 3308K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK match !0x0/0xffff
  528 51207 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x10/0x10 MARK set 0xa

The first two rules I can setup in shorewall''s tcrules.  The last I
don''t think I can since it uses the --tcpflag match.  Or is there a way
I can do it that I''m not aware of?

Oh, on top of all of this I had to manually create the following policy
routing rules:

# ip rule ls
0:      from all lookup local 
1000:   from all fwmark 0xa lookup 1 
32766:  from all lookup main 
32767:  from all lookup default 

(I created 1000:)

# ip route ls table 1
default via 10.75.22.254 dev br0 

Where 10.75.22.254 is the DSL gateway.

I have not yet looked into whether "providers" is suitable for this or
not.  Thots?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV