Hello all,
I have a server with shorewall set up but even though I have the
"track,balance" options set in /etc/shorewall/providers it seems that
traffic that comes into one interface (eth3) goes out through another
(eth0).
Here is my /etc/shorewall/providers content:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
TELEFONICA 1 1 main eth0 189.20.33.105 track,balance eth1,eth2,eth4
INTELIG 2 2 main eth3 201.12.64.145 track,balance eth1,eth2,eth4
If I do a tcpdump on eth3 I can only see inbound requests:
root@fw3:/etc/shorewall# tcpdump -ni eth3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
17:10:07.864922 IP 200.189.220.44.15486 > 201.12.64.154.80: . ack 1898288175 win 54 <nop,nop,timestamp 829268567 37413999>
17:10:07.865250 IP 200.189.220.44.15486 > 201.12.64.154.80: F 0:0(0) ack 2 win 54 <nop,nop,timestamp 829268567 37413999>
17:10:08.038494 IP 200.189.220.44.13186 > 201.12.64.154.80: S 3874904626:3874904626(0) win 5840 <mss 1460,sackOK,timestamp 829268610 0,nop,wscale 7>
17:10:08.040738 IP 200.189.220.44.32712 > 201.12.64.153.80: S 3876774490:3876774490(0) win 5840 <mss 1460,sackOK,timestamp 829268611 0,nop,wscale 7>
17:10:08.097260 IP 200.189.220.44.13186 > 201.12.64.154.80: . ack 26134815 win 46 <nop,nop,timestamp 829268624 0>
17:10:08.101706 IP 200.189.220.44.13186 > 201.12.64.154.80: P 0:832(832) ack 1 win 46 <nop,nop,timestamp 829268624 0>
17:10:08.102936 IP 200.189.220.44.32712 > 201.12.64.153.80: . ack 3656970449 win 46 <nop,nop,timestamp 829268626 0>
And if I do a tcpdump on eth0 I can see replies from addresses that
belong to eth3 there:
root@fw3:/etc/shorewall# tcpdump -ni eth0 host 201.12.64.154
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:11:08.228951 IP 201.12.64.154.80 > 200.189.220.44.11901: S 3472979647:3472979647(0) ack 3956578285 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:11:08.415117 IP 201.12.64.154.80 > 200.189.220.44.11901: P 1:521(520) ack 832 win 64704 <nop,nop,timestamp 37414604 829283661>
17:11:08.415944 IP 201.12.64.154.80 > 200.189.220.44.11901: F 521:521(0) ack 832 win 64704 <nop,nop,timestamp 37414604 829283661>
17:11:08.615615 IP 201.12.64.154.80 > 200.189.220.44.11901: . ack 833 win 64704 <nop,nop,timestamp 37414606 829283754>
It's a Debian lenny server that supports CONNMARK:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
New Connection Tracking Match Syntax: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Also the output of shorewall dump can be seen at
http://www.diegolima.org/arquivos/shdump.txt or
http://www.heypasteit.com/clip/VYO
--
Diego Lima
http://www.diegolima.org
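Added example (not part of Diego's post and not Shorewall code): a small Python checker that reads the one-line "tcpdump -n" output shown above from several interfaces and reports connections whose two directions were captured on different interfaces, which is exactly the symptom described (request in on eth3, reply out on eth0). The sample lines are constructed; one is the SYN/ACK from the eth0 capture above, the matching eth3 SYN for client port 11901 and the 192.0.2.x/203.0.113.x flow are made up so that the pairing logic has both a failing and a healthy case. The interface names and the `captures` dict shape are assumptions of the example.

```python
import re
from collections import defaultdict

# Matches the one-line "tcpdump -n" format shown in the captures above:
# "HH:MM:SS.ffffff IP src.sport > dst.dport: flags ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags), or None for banner lines and
    mail-client continuation lines that do not start with a timestamp."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def flow_key(src, sport, dst, dport):
    """Order the two endpoints so both directions of a connection share one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def interfaces_per_direction(captures):
    """captures: {iface: [tcpdump output lines]} (assumed shape).
    Returns {flow_key: {(src, sport, dst, dport): {iface, ...}}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for iface, lines in captures.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            src, sport, dst, dport, _flags = parsed
            seen[flow_key(src, sport, dst, dport)][(src, sport, dst, dport)].add(iface)
    return seen


def find_asymmetric_flows(captures):
    """Flows whose two directions were captured on disjoint sets of interfaces.
    A flow seen in only one direction is not flagged: nothing can be concluded
    about its return path from these captures alone."""
    flagged = []
    for key, directions in interfaces_per_direction(captures).items():
        if len(directions) != 2:
            continue
        fwd, rev = directions.values()
        if fwd.isdisjoint(rev):
            flagged.append(key)
    return sorted(flagged)


def describe(captures):
    """One human-readable line per asymmetric flow, naming the interface each
    direction was seen on."""
    report = []
    per_dir = interfaces_per_direction(captures)
    for key in find_asymmetric_flows(captures):
        parts = []
        for (src, sport, dst, dport), ifaces in per_dir[key].items():
            parts.append(f"{src}:{sport} -> {dst}:{dport} on {','.join(sorted(ifaces))}")
        report.append("; ".join(parts))
    return report


# Constructed sample, modelled on the captures in the post. The eth0 SYN/ACK is
# taken from the post; the eth3 SYN for the same client port is constructed so the
# two directions pair up. The 192.0.2.x / 203.0.113.x flow is a made-up healthy
# flow that enters and leaves on the same interface, and the 13186 line has no
# captured reply at all.
SAMPLE_CAPTURES = {
    "eth3": [
        "listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes",
        "17:11:08.100000 IP 200.189.220.44.11901 > 201.12.64.154.80: S 3956578284:3956578284(0) win 5840 <mss 1460,sackOK,timestamp 829283600 0,nop,wscale 7>",
        "17:10:08.101706 IP 200.189.220.44.13186 > 201.12.64.154.80: P 0:832(832) ack 1 win 46 <nop,nop,timestamp 829268624 0>",
    ],
    "eth0": [
        "17:11:08.228951 IP 201.12.64.154.80 > 200.189.220.44.11901: S 3472979647:3472979647(0) ack 3956578285 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>",
        "17:11:09.000000 IP 192.0.2.10.22000 > 203.0.113.7.80: S 1:1(0) win 5840 <mss 1460>",
        "17:11:09.000500 IP 203.0.113.7.80 > 192.0.2.10.22000: S 9:9(0) ack 2 win 5840 <mss 1460>",
    ],
}

if __name__ == "__main__":
    for line in describe(SAMPLE_CAPTURES):
        print("asymmetric:", line)
```

In practice you would feed it two captures taken at the same time (one `tcpdump -ni eth3` and one `tcpdump -ni eth0` over the same window), since the two captures in the post were taken a minute apart and therefore do not share a client port; any flow the checker flags is one whose reply is leaving on an interface other than the one it arrived on, which is what `track` is meant to prevent.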