Shorewall users - May 2009 - CONNMARK target and connmark match support in Ubuntu kernel

Hi,

as per the shorewall MultiISP documentation (
http://www1.shorewall.net/MultiISP.html
  ), it says


"Use of this feature requires that your kernel and iptables include  
CONNMARK target and connmark match support (Warning: Standard Debian™  
and Ubuntu™ kernels are lacking that support!)."


it means MultiISP wont work properly if i am using Ubuntu server. if  
yes whats the workaround.



--------------------------------
Swapnil Jain
Indore
-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM   : sj1410
-----------------------------------------------
# DO everything over SSH
# ======================#	- SECURE pop3/imap ..... do NOT use pop3/imap
#	- use ssh  ............. do NOT use ftp/telnet


-- 
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Swapnil Jain wrote:
> as per the shorewall MultiISP documentation (
http://www1.shorewall.net/MultiISP.html
>   ), it says
> 
> 
> "Use of this feature requires that your kernel and iptables include  
> CONNMARK target and connmark match support (Warning: Standard Debian™  
> and Ubuntu™ kernels are lacking that support!)."
> 
> 
> it means MultiISP wont work properly if i am using Ubuntu server. if  
> yes whats the workaround.
Assuming that Shorewall is started on the system, as root do the following:

root@ursa:~# shorewall show capabilities | grep -i CONNMARK
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
root@ursa:~#

If the first and third links of output other than the above, then your
kernel and/or iptables are missing the required support.

Workarounds are:

- Upgrade your distribution. Jaunty has the required support.
- Don''t use ''track''
- Build and install a kernel with the proper support.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals.
Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
> 
> Assuming that Shorewall is started on the system, as root do the following:
> 
> root@ursa:~# shorewall show capabilities | grep -i CONNMARK
>    CONNMARK Target: Available
>    Extended CONNMARK Target: Available
>    Connmark Match: Available
>    Extended Connmark Match: Available
> root@ursa:~#
> 
> If the first and third links of output other than the above, then your
> kernel and/or iptables are missing the required support.
And may just need (a) module(s) to be loaded.  I think they are
nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.

b.



------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals.
Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

Hi there

I have problems too with a MultiISP configuration + Ubuntu. Well, maybe
CONNMARK is not compiled with the kernel but is loaded like a module, I
checked that...

My output of "shorewall show capabilities | grep -i CONNMARK" is:

    CONNMARK Target: Available
    Extended CONNMARK Target: Available
    Connmark Match: Available
    Extended Connmark Match: Available

So, it''s correct, but my problems are going on... I have problems only
with
openvpn traffic (udp) and I created a tcrules file with the next to try to
redirect this traffic to one of my ISP''s but it isn''t work
properly...

2	$FW		0.0.0.0/0	udp	-	1194

Some idea? Should I recompile kernel to solve it?

Thank you

Laura


-----Mensaje original-----
De: Brian J. Murrell [mailto:brian@interlinx.bc.ca] 
Enviado el: viernes, 29 de mayo de 2009 15:35
Para: Shorewall Users
Asunto: Re: [Shorewall-users] CONNMARK target and connmark match support
inUbuntu kernel

On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
> 
> Assuming that Shorewall is started on the system, as root do the
following:
> 
> root@ursa:~# shorewall show capabilities | grep -i CONNMARK
>    CONNMARK Target: Available
>    Extended CONNMARK Target: Available
>    Connmark Match: Available
>    Extended Connmark Match: Available
> root@ursa:~#
> 
> If the first and third links of output other than the above, then your
> kernel and/or iptables are missing the required support.
And may just need (a) module(s) to be loaded.  I think they are
nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.

b.



------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals.
Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

Hi Laura

I had the same problem a while ago. I had an UDP OpenVPN server on my
firewall, and 3 routes to the server. No matter which incoming route you
used, it only ever replied on the default route.

The only ways to fix this are either switching to TCP, or moving your Open
VPN to a host behind the firewall and DNAT''ing your OpenVPN traffic to
that
host.

ciao
Charl

 (\_/)  This is Bunny. Copy and paste Bunny
(=''.''=) into your signature to help him gain
(")_(") world domination.


2009/6/1 Laura Bartolomé <laurabsm@mayanssoft.com>
> Hi there
>
> I have problems too with a MultiISP configuration + Ubuntu. Well, maybe
> CONNMARK is not compiled with the kernel but is loaded like a module, I
> checked that...
>
> My output of "shorewall show capabilities | grep -i CONNMARK" is:
>
>    CONNMARK Target: Available
>    Extended CONNMARK Target: Available
>    Connmark Match: Available
>    Extended Connmark Match: Available
>
> So, it''s correct, but my problems are going on... I have problems
only with
> openvpn traffic (udp) and I created a tcrules file with the next to try to
> redirect this traffic to one of my ISP''s but it isn''t
work properly...
>
> 2       $FW             0.0.0.0/0       udp     -       1194
>
> Some idea? Should I recompile kernel to solve it?
>
> Thank you
>
> Laura
>
>
> -----Mensaje original-----
> De: Brian J. Murrell [mailto:brian@interlinx.bc.ca]
> Enviado el: viernes, 29 de mayo de 2009 15:35
> Para: Shorewall Users
> Asunto: Re: [Shorewall-users] CONNMARK target and connmark match support
> inUbuntu kernel
>
> On Fri, 2009-05-29 at 06:27 -0700, Tom Eastep wrote:
> >
> > Assuming that Shorewall is started on the system, as root do the
> following:
> >
> > root@ursa:~# shorewall show capabilities | grep -i CONNMARK
> >    CONNMARK Target: Available
> >    Extended CONNMARK Target: Available
> >    Connmark Match: Available
> >    Extended Connmark Match: Available
> > root@ursa:~#
> >
> > If the first and third links of output other than the above, then your
> > kernel and/or iptables are missing the required support.
>
> And may just need (a) module(s) to be loaded.  I think they are
> nf_conntrack_ipv4 and nf_conntrack on Ubuntu Intrepid.
>
> b.
>
>
>
>
>
------------------------------------------------------------------------------
> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
> is a gathering of tech-side developers & brand creativity
professionals.
> Meet
> the minds behind Google Creative Lab, Visual Complexity, Processing, &
> iPhoneDevCamp as they present alongside digital heavyweights like Barbarian
> Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals.
Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com

CW Möller wrote:
> Hi Laura
> 
> I had the same problem a while ago. I had an UDP OpenVPN server on my
> firewall, and 3 routes to the server. No matter which incoming route you
> used, it only ever replied on the default route.
It actually replies on the first interface to receive a connection. And
you apparently didn''t read
http://www.shorewall.net/MultiISP.html#Local.
If you only want your server to accept connections through one of your
public interfaces, you simply specify the IP address of that interface
as the server''s ''local'' address.
> 
> The only ways to fix this are either switching to TCP, or moving your
> Open VPN to a host behind the firewall and DNAT''ing your OpenVPN
traffic
> to that host.
Actually, there is a third way (and IMHO, a better way), assuming that
you want your UDP clients to be able to connect through any of the
interfaces. Simply run multiple instances of the UDP OpenVPN server on
the firewall and tie each to a separate public interface using the
''local'' specification. I do that here -- works fine. Just be
sure that
the local subnets (specified in the ''server'' specification)
for the
instances are disjoint.


-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT 
is a gathering of tech-side developers & brand creativity professionals.
Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, & 
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian 
Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com