Swapnil Jain
2009-May-29 06:20 UTC
CONNMARK target and connmark match support in Ubuntu kernel
Hi,

As per the Shorewall MultiISP documentation ( http://www1.shorewall.net/MultiISP.html ), it says:

"Use of this feature requires that your kernel and iptables include CONNMARK target and connmark match support (Warning: Standard Debian™ and Ubuntu™ kernels are lacking that support!)."

It means MultiISP won't work properly if I am using Ubuntu server. If yes, what's the workaround?

--------------------------------
Swapnil Jain
Indore
-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM : sj1410
-----------------------------------------------
# DO everything over SSH #
# ======================#
# - SECURE pop3/imap ..... do NOT use pop3/imap
# - use ssh ............. do NOT use ftp/telnet

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Tom Eastep
2009-May-29 13:27 UTC
Re: CONNMARK target and connmark match support in Ubuntu kernel
Swapnil Jain wrote:
> as per the shorewall MultiISP documentation ( http://www1.shorewall.net/MultiISP.html ), it says
>
> "Use of this feature requires that your kernel and iptables include
> CONNMARK target and connmark match support (Warning: Standard Debian™
> and Ubuntu™ kernels are lacking that support!)."
>
> it means MultiISP wont work properly if i am using Ubuntu server. if
> yes whats the workaround.

Assuming that Shorewall is started on the system, as root do the following:

root@ursa:~# shorewall show capabilities | grep -i CONNMARK
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
root@ursa:~#

If the first and third lines of output are other than the above, then your kernel and/or iptables are missing the required support. Workarounds are:

- Upgrade your distribution. Jaunty has the required support.
- Don't use 'track'.
- Build and install a kernel with the proper support.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com
Brian J. Murrell
2009-May-29 13:35 UTC
Re: CONNMARK target and connmark match support in Ubuntu kernel
On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
>
> Assuming that Shorewall is started on the system, as root do the following:
>
> root@ursa:~# shorewall show capabilities | grep -i CONNMARK
> CONNMARK Target: Available
> Extended CONNMARK Target: Available
> Connmark Match: Available
> Extended Connmark Match: Available
> root@ursa:~#
>
> If the first and third links of output other than the above, then your
> kernel and/or iptables are missing the required support.

And may just need (a) module(s) to be loaded. I think they are nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.

b.
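The check Tom describes and the module point Brian adds, as an added example that is not code from the thread and not Shorewall's own: a POSIX sh script that verifies the four CONNMARK lines of "shorewall show capabilities" and reports which of the conntrack modules Brian names are absent from lsmod output. All inputs are constructed sample text so it runs offline; on a live system you would feed it the real output of the two commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: checks the
# four CONNMARK lines that "shorewall show capabilities | grep -i CONNMARK"
# should print, and reports which conntrack modules are absent from lsmod
# output. All input below is constructed sample text so the script runs
# offline; on a live box you would feed it the real command output.

# Constructed sample: full support, as in Tom's reply.
GOOD_CAPS='CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available'

# Constructed sample: only the extended forms are missing.
PARTIAL_CAPS='CONNMARK Target: Available
Extended CONNMARK Target: Not available
Connmark Match: Available
Extended Connmark Match: Not available'

# Constructed sample: a kernel/iptables pair without CONNMARK at all.
BAD_CAPS='CONNMARK Target: Not available
Extended CONNMARK Target: Not available
Connmark Match: Not available
Extended Connmark Match: Not available'

# connmark_missing CAPS_TEXT
# Prints one line per required capability whose line does not read
# "<name>: Available"; returns 0 when all four are present, 1 otherwise.
connmark_missing() {
    caps=$1
    rc=0
    for cap in "CONNMARK Target" "Extended CONNMARK Target" \
               "Connmark Match" "Extended Connmark Match"; do
        # -x: the whole line must match, so "Connmark Match" does not
        # accidentally accept "Extended Connmark Match".
        if ! printf '%s\n' "$caps" | grep -qx "$cap: Available"; then
            echo "$cap"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of lsmod output with no conntrack modules loaded.
LSMOD_NO_CT='Module                  Size  Used by
iptable_filter         16384  1
ip_tables              28672  1 iptable_filter
x_tables               40960  2 ip_tables,iptable_filter'

# Constructed sample with both modules Brian names loaded.
LSMOD_CT='Module                  Size  Used by
nf_conntrack_ipv4      16384  2
nf_conntrack          131072  1 nf_conntrack_ipv4
ip_tables              28672  1 iptable_filter
x_tables               40960  2 ip_tables,iptable_filter'

# modules_to_load LSMOD_TEXT
# Prints the names from Brian's reply (nf_conntrack, nf_conntrack_ipv4)
# that do not appear in the first column of the lsmod text.
modules_to_load() {
    lsmod_out=$1
    for m in nf_conntrack nf_conntrack_ipv4; do
        printf '%s\n' "$lsmod_out" |
            awk -v m="$m" '$1 == m { found = 1 } END { if (found) exit 0; exit 1 }' ||
            echo "$m"
    done
}

# Stand-alone demonstration on the constructed samples.
for sample in "$GOOD_CAPS" "$PARTIAL_CAPS" "$BAD_CAPS"; do
    if missing=$(connmark_missing "$sample"); then
        echo "all CONNMARK capabilities available"
    else
        echo "missing: $(echo "$missing" | tr '\n' ',')"
    fi
done
echo "modules to load: $(modules_to_load "$LSMOD_NO_CT" | tr '\n' ' ')"
```

On a real firewall, replace the sample variables with `$(shorewall show capabilities | grep -i CONNMARK)` and `$(lsmod)`; if a module is reported missing, load it and re-run the capability check before concluding that the kernel lacks the support.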
Laura Bartolomé
2009-Jun-01 10:56 UTC
Re: CONNMARK target and connmark match support in Ubuntu kernel
Hi there,

I have problems too with a MultiISP configuration + Ubuntu. Well, maybe CONNMARK is not compiled with the kernel but is loaded like a module, I checked that...

My output of "shorewall show capabilities | grep -i CONNMARK" is:

CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available

So, it's correct, but my problems are going on... I have problems only with openvpn traffic (udp) and I created a tcrules file with the following to try to redirect this traffic to one of my ISP's but it isn't working properly...

2 $FW 0.0.0.0/0 udp - 1194

Any idea? Should I recompile the kernel to solve it?

Thank you

Laura

-----Original Message-----
From: Brian J. Murrell [mailto:brian@interlinx.bc.ca]
Sent: Friday, 29 May 2009 15:35
To: Shorewall Users
Subject: Re: [Shorewall-users] CONNMARK target and connmark match support in Ubuntu kernel

On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
>
> Assuming that Shorewall is started on the system, as root do the following:
>
> root@ursa:~# shorewall show capabilities | grep -i CONNMARK
> CONNMARK Target: Available
> Extended CONNMARK Target: Available
> Connmark Match: Available
> Extended Connmark Match: Available
> root@ursa:~#
>
> If the first and third links of output other than the above, then your
> kernel and/or iptables are missing the required support.

And may just need (a) module(s) to be loaded. I think they are nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.

b.
CW Möller
2009-Jun-01 11:52 UTC
Re: CONNMARK target and connmark match support in Ubuntu kernel
Hi Laura,

I had the same problem a while ago. I had a UDP OpenVPN server on my firewall, and 3 routes to the server. No matter which incoming route you used, it only ever replied on the default route.

The only ways to fix this are either switching to TCP, or moving your OpenVPN to a host behind the firewall and DNAT'ing your OpenVPN traffic to that host.

ciao
Charl

(\_/)   This is Bunny. Copy and paste Bunny
(='.'=) into your signature to help him gain
(")_(") world domination.

2009/6/1 Laura Bartolomé <laurabsm@mayanssoft.com>
> Hi there
>
> I have problems too with a MultiISP configuration + Ubuntu. Well, maybe
> CONNMARK is not compiled with the kernel but is loaded like a module, I
> checked that...
>
> My output of "shorewall show capabilities | grep -i CONNMARK" is:
>
> CONNMARK Target: Available
> Extended CONNMARK Target: Available
> Connmark Match: Available
> Extended Connmark Match: Available
>
> So, it's correct, but my problems are going on... I have problems only with
> openvpn traffic (udp) and I created a tcrules file with the next to try to
> redirect this traffic to one of my ISP's but it isn't work properly...
>
> 2 $FW 0.0.0.0/0 udp - 1194
>
> Some idea? Should I recompile kernel to solve it?
>
> Thank you
>
> Laura
>
> -----Original Message-----
> From: Brian J. Murrell [mailto:brian@interlinx.bc.ca]
> Sent: Friday, 29 May 2009 15:35
> To: Shorewall Users
> Subject: Re: [Shorewall-users] CONNMARK target and connmark match support
> in Ubuntu kernel
>
> On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
> >
> > Assuming that Shorewall is started on the system, as root do the
> > following:
> >
> > root@ursa:~# shorewall show capabilities | grep -i CONNMARK
> > CONNMARK Target: Available
> > Extended CONNMARK Target: Available
> > Connmark Match: Available
> > Extended Connmark Match: Available
> > root@ursa:~#
> >
> > If the first and third links of output other than the above, then your
> > kernel and/or iptables are missing the required support.
>
> And may just need (a) module(s) to be loaded. I think they are
> nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.
>
> b.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2009-Jun-01 13:39 UTC
Re: CONNMARK target and connmark match support in Ubuntu kernel
CW Möller wrote:
> Hi Laura
>
> I had the same problem a while ago. I had an UDP OpenVPN server on my
> firewall, and 3 routes to the server. No matter which incoming route you
> used, it only ever replied on the default route.

It actually replies on the first interface to receive a connection. And you apparently didn't read http://www.shorewall.net/MultiISP.html#Local. If you only want your server to accept connections through one of your public interfaces, you simply specify the IP address of that interface as the server's 'local' address.

> The only ways to fix this are either switching to TCP, or moving your
> Open VPN to a host behind the firewall and DNAT'ing your OpenVPN traffic
> to that host.

Actually, there is a third way (and IMHO, a better way), assuming that you want your UDP clients to be able to connect through any of the interfaces. Simply run multiple instances of the UDP OpenVPN server on the firewall and tie each to a separate public interface using the 'local' specification. I do that here -- works fine. Just be sure that the local subnets (specified in the 'server' specification) for the instances are disjoint.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________