Hi all and especially Mr. Tom....

(Please, do not be acid with me! I am only a newbie, trying to learn more about shorewall)

I got involved with a firewall project for a customer here in my city...

This customer has two Internet providers.

So, he asked me how to make certain connections follow one routing path (like RT_1) and other connection types follow the other routing path (like RT_2).

Let me try to do some ASCII art here:

( I know it is horrible! rsrs I am not an artist!)

So, all traffic passes through the SHOREWALL MACHINE. ok!

Some traffic has to go out via ISP 1 and other traffic will go out via ISP 2.

I am reading the Multiple ISP docs, but it is not clear to me.

So, I need some help with this.

Can I use packet marks? How?

In traditional iptables rules, I use --set-mark. But in a Shorewall environment, how can I take action with these iptables rules?

Thanks for all responses.

Sorry for my poor English...

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Gilberto Nunes wrote:
> [...]
> I am reading the Multiple ISP docs, but it is not clear to me.

Right after one of the "WARNING"s on:
http://www.shorewall.net/MultiISP.html

Entries in /etc/shorewall/masq have no effect on which ISP a particular
connection will be sent through. That is rather the purpose of entries
in /etc/shorewall/tcrules or /etc/shorewall/route_rules. <<<<<<

Now suppose that you want to route all outgoing SMTP traffic from your
local network through ISP 2. You would make this entry in
/etc/shorewall/tcrules (and if you are running a version of Shorewall
earlier than 3.0.0, you would set TC_ENABLED=Yes in
/etc/shorewall/shorewall.conf).

#MARK   SOURCE            DEST        PROTO   PORT(S)   CLIENT    USER   TEST
#                                                       PORT(S)
2:P     <local network>   0.0.0.0/0   tcp     25

> So, I need some help with this.
>
> Can I use packet marks? How?

Depending on what you need to do, use entries in /etc/shorewall/tcrules
or /etc/shorewall/route_rules.

> In traditional iptables rules, I use --set-mark.
> But in a Shorewall environment, how can I take action with these iptables
> rules?

More traffic marking info at:
http://www.shorewall.net/traffic_shaping.htm

> Thanks for all responses.
>
> Sorry for my poor English...

Hope this helps,

Jerry
Thanks Jerry

You put some light on my darkness...

But I have a doubt here:

Where do I declare ISP 1 or 2? /etc/shorewall/providers?

Another question:

In this case, I have to send outgoing traffic through a specific external IP.

Let me explain.

I have one LAN and two ISPs, right?

When some user behind Shorewall opens their web browser or a certain application and enters a specific URL or Internet address, this traffic may go out via ISP1, for example.

Other traffic goes out via ISP2....

Thanks

2008/10/24 Jerry Vonau <jvonau@shaw.ca>:
> [...]
> Depending on what you need to do, use entries in /etc/shorewall/tcrules
> or /etc/shorewall/route_rules.
> [...]
> More traffic marking info at:
> http://www.shorewall.net/traffic_shaping.htm
> [...]
> Hope this helps,
>
> Jerry
Hi,
I gave up on this issue. Here is my research...

(1) /etc/shorewall/route_rules
 * It works but only per IP address or the entire LAN.
 * It won't work per protocol or service based.
 * Failover capability won't work
Eg:-
#SOURCE          DEST    PROVIDER    PRIORITY
#192.168.2.10    -       DSL         11000
#192.168.2.11    -       T1          11001

Caution:
You have to make modifications to your load balancing/failover script (gwping..etc) ELSE if there is a failover on the DSL line (as shown above) my route for the above machine still stays in the old routing table. That is where the failover script should switch the route to the other.

(2) /etc/shorewall/tcrules
This is supposed to work per protocol but I could never make it work.
Sample:-
#2:130    eth0    eth4    tcp    -    873,21,22

Chakri

Gilberto Nunes wrote:
> Thanks Jerry
> [...]
> Where do I declare ISP 1 or 2? /etc/shorewall/providers?
> [...]
> In this case, I have to send outgoing traffic through a specific external IP.
> [...]
> When some user behind Shorewall opens their web browser or a certain
> application and enters a specific URL or Internet address, this traffic
> may go out via ISP1, for example.
>
> Other traffic goes out via ISP2....
> [...]
Oh my...

Thank you Chakravarthy...

Maybe I will use another solution and release Shorewall...

Thank you

2008/10/24 Chakravarthy Girda <girdac@cassens.com>:
> Hi,
> I gave up on this issue. Here is my research...
>
> (1) /etc/shorewall/route_rules
> * It works but only per IP address or the entire LAN.
> * It won't work per protocol or service based.
> * Failover capability won't work
> [...]
> (2) /etc/shorewall/tcrules
> This is supposed to work per protocol but I could never make it work.
> Sample:-
> #2:130    eth0    eth4    tcp    -    873,21,22
>
> Chakri
> [...]
Chakravarthy Girda wrote:
> Hi,
> I gave up on this issue. Here is my research...
>
> (1) /etc/shorewall/route_rules
> * It works but only per IP address or the entire LAN.
> * It won't work per protocol or service based.

It isn't designed to work per protocol or service.

> * Failover capability won't work

If you use a failover capability that doesn't deal with routing rules, that is probably true.

> (2) /etc/shorewall/tcrules
> This is supposed to work per protocol but I could never make it work.
> Sample:-
> #2:130    eth0    eth4    tcp    -    873,21,22

That tcrule could NEVER have any effect on routing. You are specifying an OUTPUT interface which cannot be determined until routing is completed!

-Tom
--
Tom Eastep             \ The ultimate result of shielding men from the
Shoreline,              \ effects of folly is to fill the world with fools.
Washington, USA          \ -Herbert Spencer
http://shorewall.net      \________________________________________________
Gilberto Nunes wrote:
> Thanks Jerry
>
> You put some light on my darkness...
>
> But I have a doubt here:
>
> Where do I declare ISP 1 or 2? /etc/shorewall/providers?

Yes, better re-read the Multi-ISP docs....

> Another question:
>
> In this case, I have to send outgoing traffic through a specific external IP.
>
> Let me explain.
>
> I have one LAN and two ISPs, right?
>
> When some user behind Shorewall opens their web browser or a certain
> application and enters a specific URL or Internet address, this traffic may
> go out via ISP1, for example.
>
> Other traffic goes out via ISP2....

You would need to mark based on the destination ip address/port in tcrules; dns names can be a problem here, think about issues with round-robin dns inquiries.

Jerry
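As an added example (not from the thread and not Shorewall's own code), the following Python script reads tcrules lines in the column layout Jerry quoted, reports which entries can actually choose a provider for a connection (applying Tom's point that an output interface in DEST is only known after routing, and the MultiISP requirement that a routing mark be set in PREROUTING), and renders a usable entry as the plain iptables MARK rule and ip rule it corresponds to, which is what Gilberto asked about. The provider names and marks, the LAN 192.168.2.0/24, the sample lines and the assumed MARK_IN_FORWARD_CHAIN=No default are constructed for the example.

```python
import re

# Assumptions, not from the thread: the MARK values the two providers would carry in
# /etc/shorewall/providers, and MARK_IN_FORWARD_CHAIN=No (unsuffixed marks go in PREROUTING).
PROVIDERS = {1: "ISP1", 2: "ISP2"}
CHAINS = {"P": "PREROUTING", "F": "FORWARD"}
IFACE = re.compile(r"^[a-z]+\d+(\.\d+)?$")       # eth0, eth4, eth1.100, ...

def parse_tcrule(line: str) -> dict:
    """Columns: MARK SOURCE DEST PROTO DPORT(S) CLIENT PORT(S); missing ones are '-'."""
    mark, source, dest, proto, dports, sports = (line.split() + ["-"] * 6)[:6]
    rule = {"source": source, "dest": dest, "proto": proto,
            "dports": dports, "sports": sports}
    chain = "PREROUTING"
    if ":" in mark:
        value, suffix = mark.split(":", 1)
        if suffix.upper() not in CHAINS:         # major:minor is a CLASSIFY class id
            rule["classify"] = mark
            return rule
        mark, chain = value, CHAINS[suffix.upper()]
    rule.update(mark=int(mark.split("/")[0], 0), chain=chain)   # drop any /mask part
    return rule

def routing_problem(rule: dict) -> "str | None":
    """Why this entry cannot choose the provider for a connection; None if it can."""
    if IFACE.match(rule["dest"]):
        return "DEST is an output interface, unknown until routing has completed"
    if "classify" in rule:
        return "major:minor is a CLASSIFY class id for shaping, not a routing fwmark"
    if rule["chain"] != "PREROUTING":
        return "mark is set in %s, after the routing decision" % rule["chain"]
    if rule["mark"] not in PROVIDERS:
        return "mark %d matches no MARK value in providers" % rule["mark"]
    return None

def to_iptables(rule: dict) -> list:
    """Plain iptables/ip equivalent of a usable entry (not Shorewall's generated rules)."""
    cmd = ["iptables", "-t", "mangle", "-A", rule["chain"]]
    if rule["source"] != "-":                    # an interface name means -i, else -s
        cmd += ["-i" if IFACE.match(rule["source"]) else "-s", rule["source"]]
    flags = {"dest": ["-d"], "proto": ["-p"], "dports": ["-m", "multiport", "--dports"],
             "sports": ["-m", "multiport", "--sports"]}
    for key, opt in flags.items():
        if rule[key] != "-":
            cmd += opt + [rule[key]]
    cmd += ["-j", "MARK", "--set-mark", str(rule["mark"])]
    return [" ".join(cmd),
            "ip rule add fwmark %d table %s" % (rule["mark"], PROVIDERS[rule["mark"]])]

def audit(lines: list) -> dict:
    """Map each tcrules line (comments skipped) to its problem or its iptables equivalent."""
    report = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_tcrule(line)
            report[line] = routing_problem(rule) or to_iptables(rule)
    return report

# Constructed samples: Jerry's SMTP-via-ISP2 entry with a made-up LAN, Chakri's
# interface-based entry, and an entry whose mark matches no provider.
SAMPLE = ["2:P 192.168.2.0/24 0.0.0.0/0 tcp 25",
          "2:130 eth0 eth4 tcp - 873,21,22",
          "3:P 192.168.2.0/24 0.0.0.0/0 tcp 80"]
```

Running `audit(SAMPLE)` flags Chakri's entry for the interface in DEST before anything else, which is exactly the objection Tom raises, while Jerry's entry comes back as a PREROUTING MARK rule plus an fwmark policy rule for the ISP2 table.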