thr3ads.net - Shorewall users - Multi-ISP - struggling to get off the ground... [Aug 2011]

If this information is useful, please help other people find it:
Share via:

Ed W

2011-Aug-21 15:23 UTC

Multi-ISP - struggling to get off the ground...

Sorry to ask what is probably a basic question, but I''m struggling to
get my routing to do anything sensible.  I have simplified by config to
the bare minimum to experiment.

Roughly speaking my problem is that I have two interfaces (eth0 and
ppp1) and bringing each up individually passes traffic as expected. 
Setting both up prefers traffic through eth0, likely because of the
higher metric.  Attempting to set any TC mark to direct traffic through
ppp1 and I get no reply packets, netfilter logging suggests it''s still
trying to pass through eth0 also?


$ cat interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          
net     ppp1            detect          
loc     br0         detect        routeback,bridge,tcpflags,nosmurfs


$ cat providers
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY        
OPTIONS         COPY
peth0   1       0x10000 main            eth0            detect         
track           br0
pppp1   12      0xC0000 main            ppp1            -              
track           br0


$ cat tcrules
######################################################################################################################
#MARK                           SOURCE          DEST            PROTO  
DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                                                      
PORT(S) PORT(S)
0xC0000                         $FW             0.0.0.0/0       ALL

$ cat masq
#############################################################################################
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S)
IPSEC   MARK    USER/
eth0                    br0
ppp1                    br0

$ cat rules
####################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST   
SOURCE          ORIGINAL        RATE            USER/   MARK   
CONNLIMIT       TIME         HEADERS
#                                                       PORT   
PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# DEBUG: Any from firewall
LOG:info        $FW             any
LOG:info        any             $FW
LOG:info        any             any
ACCEPT          $FW             any
ACCEPT          any             $FW


$ shorewall show routing
Shorewall 4.4.22.3 Routing at localhost - Sun Aug 21 15:17:48 UTC 2011


Routing Rules

0:      from all lookup local
10000:  from all fwmark 0x10000/0xff0000 lookup peth0
10011:  from all fwmark 0xc0000/0xff0000 lookup pppp1
20000:  from 192.168.105.70 lookup peth0
22816:  from 10.49.134.86 lookup pppp1
32766:  from all lookup main
32767:  from all lookup default

Table default:


Table local:

local 10.49.134.86 dev ppp1  proto kernel  scope host  src 10.49.134.86
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.111.0 dev br0  proto kernel  scope link  src
192.168.111.254
broadcast 192.168.111.255 dev br0  proto kernel  scope link  src
192.168.111.254
broadcast 192.168.105.0 dev eth0  proto kernel  scope link  src
192.168.105.70
broadcast 192.168.105.255 dev eth0  proto kernel  scope link  src
192.168.105.70
local 192.168.111.254 dev br0  proto kernel  scope host  src
192.168.111.254
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 192.168.105.70 dev eth0  proto kernel  scope host  src 192.168.105.70
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

192.168.105.1 dev eth0  scope link  src 192.168.105.70
10.64.64.65 dev ppp1  proto kernel  scope link  src 10.49.134.86
192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254
192.168.105.0/24 dev eth0  proto kernel  scope link  src 192.168.105.70 
metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.105.1 dev eth0  metric 2
default via 10.64.64.65 dev ppp1  metric 450

Table peth0:

192.168.105.1 dev eth0  scope link  src 192.168.105.70
192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254
192.168.105.0/24 dev eth0  proto kernel  scope link  src 192.168.105.70 
metric 2
default via 192.168.105.1 dev eth0  src 192.168.105.70

Table pppp1:

10.64.64.65 dev ppp1  proto kernel  scope link  src 10.49.134.86
192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254
default dev ppp1  scope link




Symptoms:
$ ping 91.220.24.0
... nothing...

$ tail /var/log/messages
Aug 21 15:07:04 localhost kern.info kernel: [67553.298873]
Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=34126 SEQ=2 MARK=0xc0000
Aug 21 15:07:04 localhost kern.info kernel: [67553.298941]
Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=34126 SEQ=2 MARK=0xc0000
Aug 21 15:07:05 localhost kern.info kernel: [67554.305747]
Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=34126 SEQ=3 MARK=0xc0000
Aug 21 15:07:05 localhost kern.info kernel: [67554.305815]
Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=34126 SEQ=3 MARK=0xc0000

But....

$ /etc/init.d/net.eth0 stop
net.eth0        | * Bringing down interface eth0
net.eth0        | *   Stopping dhcpcd on eth0 ... [ ok ]
$ ping 91.220.24.20
PING 91.220.24.20 (91.220.24.20): 56 data bytes
64 bytes from 91.220.24.20: seq=0 ttl=55 time=303.160 ms
64 bytes from 91.220.24.20: seq=1 ttl=55 time=306.027 ms
64 bytes from 91.220.24.20: seq=2 ttl=55 time=325.694 ms
64 bytes from 91.220.24.20: seq=3 ttl=55 time=308.614 ms
64 bytes from 91.220.24.20: seq=4 ttl=55 time=305.485 ms
$ tail /var/log/messages
Aug 21 15:21:28 localhost kern.info kernel: [68416.718263]
Shorewall:fw2net:LOG:IN= OUT=ppp1 SRC=10.49.134.86 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=22609 SEQ=0 MARK=0xc0000
Aug 21 15:21:28 localhost kern.info kernel: [68416.718263]
Shorewall:fw2net:LOG:IN= OUT=ppp1 SRC=10.49.134.86 DST=91.220.24.20
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=22609 SEQ=0 MARK=0xc0000




What am I missing?

Thanks

Ed W


------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

Tom Eastep

2011-Aug-21 15:50 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On Aug 21, 2011, at 8:23 AM, Ed W wrote:
> Sorry to ask what is probably a basic question, but I''m struggling
to
> get my routing to do anything sensible.  I have simplified by config to
> the bare minimum to experiment.
> 
> Roughly speaking my problem is that I have two interfaces (eth0 and
> ppp1) and bringing each up individually passes traffic as expected. 
> Setting both up prefers traffic through eth0, likely because of the
> higher metric.  Attempting to set any TC mark to direct traffic through
> ppp1 and I get no reply packets, netfilter logging suggests it''s
still
> trying to pass through eth0 also?
> 
Please capture the output of ''shorewall dump'' as described at
http://www.shorewall.net/support.htm#Guidelines and forward it as an attachment.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

Ed W

2011-Aug-21 16:06 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On 21/08/2011 16:50, Tom Eastep wrote:> On Aug 21, 2011, at 8:23 AM, Ed W wrote:
>
>> Sorry to ask what is probably a basic question, but I''m
struggling to
>> get my routing to do anything sensible.  I have simplified by config to
>> the bare minimum to experiment.
>>
>> Roughly speaking my problem is that I have two interfaces (eth0 and
>> ppp1) and bringing each up individually passes traffic as expected. 
>> Setting both up prefers traffic through eth0, likely because of the
>> higher metric.  Attempting to set any TC mark to direct traffic through
>> ppp1 and I get no reply packets, netfilter logging suggests
it''s still
>> trying to pass through eth0 also?
>>
> Please capture the output of ''shorewall dump'' as
described at http://www.shorewall.net/support.htm#Guidelines and forward it as
an attachment.
>
Sorry about that:

Some additional background that isn''t shown in the dump.  Kernel
2.6.38.4, but with grsec patches (and a couple of other thing such as
aufs).  iproute2 installed, but using busybox/uclibc. Just mentioning
for completeness?  I can''t quickly find what kernel config options are
needed for policy routing - can someone confirm what to check?



$ shorewall dump
Shorewall 4.4.22.3 Dump at localhost - Sun Aug 21 16:01:01 UTC 2011

Counters reset Sun Aug 21 15:14:58 UTC 2011

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
   93  6301 accountin  all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
   53  3205 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
   31  2501 net2fw     all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          
   40  3096 net2fw     all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0          
   22   704 loc2fw     all  --  br0    *       0.0.0.0/0           
0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:INPUT:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
    1   396 accountfwd  all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    1   396 net_frwd   all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          
    0     0 net_frwd   all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0          
    0     0 loc2net    all  --  br0    ppp1    0.0.0.0/0           
0.0.0.0/0          
    0     0 loc2net    all  --  br0    eth0    0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:FORWARD:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
   67  5268 accountout  all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
   26  2088 fw2net     all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          
   41  3180 fw2net     all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0          
    0     0 fw2loc     all  --  *      br0     0.0.0.0/0           
0.0.0.0/0          
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:OUTPUT:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain Broadcast (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0           
224.0.0.0/4        

Chain Drop (3 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0            all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            tcp dpt:113 /* Auth */
    0     0 Broadcast  all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 Invalid    all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            multiport dports 135,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp dpts:137:139 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp dpt:1900 /* UPnP */
    0     0 NotSyn     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain Invalid (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID

Chain NotSyn (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            tcpflags:! 0x17/0x02

Chain Reject (6 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0            all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            tcp dpt:113 /* Auth */
    0     0 Broadcast  all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 Invalid    all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            multiport dports 135,445 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp dpts:137:139 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp dpt:1900 /* UPnP */
    0     0 NotSyn     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain accountfwd (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
    1   396 ACCOUNT    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ACCOUNT addr 192.168.111.0/24 tname net-loc
    0     0            all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0          
    1   396            all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0          
    1   396            all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          
    0     0            all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          
    1   396            udp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          
    0     0            udp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          
    0     0            icmp --  eth0   *       0.0.0.0/0           
0.0.0.0/0          
    0     0            icmp --  *      eth0    0.0.0.0/0           
0.0.0.0/0          

Chain accountin (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
   40  3096            all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0          
   31  2501            all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          

Chain accountout (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
   67  5268 ACCOUNT    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ACCOUNT addr 192.168.111.0/24 tname net-loc
   41  3180            all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0          
   26  2088            all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          

Chain dynamic (7 references)
 pkts bytes target     prot opt in     out     source              
destination        

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2loc:LOG:"
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2loc:LOG:"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2loc:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    6   504 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
   61  4764 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2net:LOG:"
   61  4764 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2net:LOG:"
   61  4764 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:fw2net:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
   22   704 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
   22   704 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:loc2fw:LOG:"
   22   704 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:loc2fw:LOG:"
   22   704 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:loc2fw:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           [goto]

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 sfilter    all  --  *      br0     0.0.0.0/0           
0.0.0.0/0           [goto]
    0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:loc2net:LOG:"
    0     0 Drop       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:loc2net:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain net2fw (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
   31  2501 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
   31  2501 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
   40  3096 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
   31  2501 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:net2fw:LOG:"
   31  2501 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:net2fw:LOG:"
   31  2501 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 Drop       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:net2fw:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:net2loc:LOG:"
    0     0 Drop       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:net2loc:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain net_frwd (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 sfilter    all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           [goto]
    1   396 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
    1   396 sfilter    all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0           [goto]
    0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ctstate INVALID,NEW
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          
    0     0 ACCEPT     all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0          
    0     0 net2loc    all  --  *      br0     0.0.0.0/0           
0.0.0.0/0          

Chain reject (13 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4         
0.0.0.0/0          
    0     0 DROP       2    --  *      *       0.0.0.0/0           
0.0.0.0/0          
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0            reject-with icmp-host-prohibited

Chain sfilter (3 references)
 pkts bytes target     prot opt in     out     source              
destination        
    1   396 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0            LOG flags 0 level 6 prefix
"Shorewall:sfilter:DROP:"
    1   396 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source              
destination        

Log (/var/log/messages)

Aug 21 16:00:21 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.213 DST=192.168.105.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x10000
Aug 21 16:00:21 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.213 DST=192.168.105.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x10000
Aug 21 16:00:32 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.7 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=3483 DPT=3483 LEN=24 MARK=0x10000
Aug 21 16:00:32 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.7 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=3483 DPT=3483 LEN=24 MARK=0x10000
Aug 21 16:00:49 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=0 MARK=0xc0000
Aug 21 16:00:49 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=0 MARK=0xc0000
Aug 21 16:00:50 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.56 DST=192.168.105.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64
ID=23161 PROTO=UDP SPT=54501 DPT=137 LEN=58 MARK=0x10000
Aug 21 16:00:50 localhost kern.info Shorewall:net2fw:LOG:IN=eth0
OUTSRC=192.168.105.56 DST=192.168.105.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64
ID=23161 PROTO=UDP SPT=54501 DPT=137 LEN=58 MARK=0x10000
Aug 21 16:00:50 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=1 MARK=0xc0000
Aug 21 16:00:50 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=1 MARK=0xc0000
Aug 21 16:00:51 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=2 MARK=0xc0000
Aug 21 16:00:51 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=2 MARK=0xc0000
Aug 21 16:00:52 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=3 MARK=0xc0000
Aug 21 16:00:52 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=3 MARK=0xc0000
Aug 21 16:00:53 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=4 MARK=0xc0000
Aug 21 16:00:53 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=4 MARK=0xc0000
Aug 21 16:00:54 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=5 MARK=0xc0000
Aug 21 16:00:54 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=5 MARK=0xc0000
Aug 21 16:00:55 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=6 MARK=0xc0000
Aug 21 16:00:55 localhost kern.info Shorewall:fw2net:LOG:IN= OUT=eth0
SRC=192.168.105.70 DST=91.220.24.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40789 SEQ=6 MARK=0xc0000

NAT Table

Chain PREROUTING (policy ACCEPT 5 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source              
destination        

Chain INPUT (policy ACCEPT 5 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source              
destination        

Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source              
destination        

Chain POSTROUTING (policy ACCEPT 4 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0          
   50  3840 ppp1_masq  all  --  *      ppp1    0.0.0.0/0           
0.0.0.0/0          

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 MASQUERADE  all  --  *      *       192.168.111.0/24    
0.0.0.0/0          

Chain ppp1_masq (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
    0     0 MASQUERADE  all  --  *      *       192.168.111.0/24    
0.0.0.0/0          

Mangle Table

Chain PREROUTING (policy ACCEPT 6 packets, 320 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
   32  1669 CONNMARK   all  --  *      *       0.0.0.0/0           
0.0.0.0/0            connmark match ! 0x0/0xff0000 CONNMARK restore mask
0xff0000
   27  2352 routemark  all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0            mark match 0x0/0xff0000
   35  2676 routemark  all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0            mark match 0x0/0xff0000
   94  6697 tcpre      all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain INPUT (policy ACCEPT 6 packets, 320 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
   93  6301 tcin       all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
    1   396 tcfor      all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 10 packets, 816 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
    6   504 CONNMARK   all  --  *      *       0.0.0.0/0           
0.0.0.0/0            connmark match ! 0x0/0xff0000 CONNMARK restore mask
0xff0000
   67  5268 tcout      all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain POSTROUTING (policy ACCEPT 10 packets, 816 bytes)
 pkts bytes target     prot opt in     out     source              
destination        
   67  5268 tcpost     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source              
destination        
   27  2352 MARK       all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0            MARK set 0x10000
   35  2676 MARK       all  --  ppp1   *       0.0.0.0/0           
0.0.0.0/0            MARK set 0xc0000
   62  5028 CONNMARK   all  --  *      *       0.0.0.0/0           
0.0.0.0/0            mark match ! 0x0/0xff0000 CONNMARK save mask 0xff0000

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source              
destination        

Chain tcin (1 references)
 pkts bytes target     prot opt in     out     source              
destination        

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source              
destination        
   67  5268 MARK       all  --  *      *       0.0.0.0/0           
0.0.0.0/0            MARK set 0xc0000

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source              
destination        

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source              
destination        

Raw Table

Chain PREROUTING (policy ACCEPT 94 packets, 6697 bytes)
 pkts bytes target     prot opt in     out     source              
destination        

Chain OUTPUT (policy ACCEPT 67 packets, 5268 bytes)
 pkts bytes target     prot opt in     out     source              
destination        

Conntrack Table (4 out of 14864)

unknown  2 489 src=0.0.0.0 dst=224.0.0.1 packets=1129 bytes=36128
[UNREPLIED] src=224.0.0.1 dst=0.0.0.0 packets=0 bytes=0 mark=65536 use=2
icmp     1 24 src=192.168.105.70 dst=91.220.24.20 type=8 code=0 id=40789
packets=7 bytes=588 [UNREPLIED] src=91.220.24.20 dst=192.168.105.70
type=0 code=0 id=40789 packets=0 bytes=0 mark=0 use=2
udp      17 18 src=192.168.105.56 dst=192.168.105.255 sport=54501
dport=137 packets=1 bytes=78 [UNREPLIED] src=192.168.105.255
dst=192.168.105.56 sport=137 dport=54501 packets=0 bytes=0 mark=65536 use=2
udp      17 1 src=192.168.105.7 dst=255.255.255.255 sport=3483
dport=3483 packets=1 bytes=44 [UNREPLIED] src=255.255.255.255
dst=192.168.105.7 sport=3483 dport=3483 packets=0 bytes=0 mark=65536 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
    inet 192.168.105.70/24 brd 192.168.105.255 scope global eth0
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN
    inet 192.168.111.254/24 brd 192.168.111.255 scope global br0
15: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UNKNOWN qlen 3
    inet 10.49.134.86 peer 10.64.64.65/32 scope global ppp1

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast  
    181011     1932     0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    181011     1932     0       0       0       0     
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
    link/ether 00:0d:b9:13:49:b4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    1559836    23799    0       1221    0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    81541      796      0       0       0       0     
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN qlen 1000
    link/ether 00:0d:b9:13:49:b5 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc
pfifo_fast state DOWN qlen 1000
    link/ether 00:0d:b9:13:49:b6 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
    link/ether 3e:cf:69:a4:61:dc brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
6: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100
    link/void
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
7: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
8: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
9: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN
    link/tunnel6 :: brd ::
    RX: bytes  packets  errors  dropped overrun mcast  
    0          0        0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0     
10: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:80:48:54:c0:ac brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    1499       11       0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    95504      1136     0       0       0       0     
11: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:1f:1f:cb:d0:e2 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    2392650    7401     0       219     0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    259353     2773     0       0       0       0     
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN
    link/ether 00:0d:b9:13:49:b6 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    1363       14       0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    48972      570      0       0       0       0     
15: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UNKNOWN qlen 3
    link/ppp
    RX: bytes  packets  errors  dropped overrun mcast  
    4760       65       0       0       0       0     
    TX: bytes  packets  errors  dropped carrier collsns
    22980      295      0       0       0       0     

Bridges

bridge name     bridge id               STP enabled     interfaces
br0             8000.000db91349b6       no              eth2

Per-IP Counters

Showing table: net-loc


/proc

   /proc/version = Linux version 2.6.38.4-aufs-grsec-ipset (root@quad)
(gcc version 4.4.5 (Gentoo Hardened 4.4.5 p1.2, pie-0.4.5) ) #11 Mon Aug
15 21:40:28 BST 2011
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/br0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/br0/arp_filter = 0
   /proc/sys/net/ipv4/conf/br0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/br0/rp_filter = 0
   /proc/sys/net/ipv4/conf/br0/log_martians = 1
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/dummy0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/dummy0/arp_filter = 0
   /proc/sys/net/ipv4/conf/dummy0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/dummy0/rp_filter = 0
   /proc/sys/net/ipv4/conf/dummy0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/log_martians = 1
   /proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth2/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth2/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/log_martians = 1
   /proc/sys/net/ipv4/conf/ip6tnl0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ip6tnl0/arp_filter = 0
   /proc/sys/net/ipv4/conf/ip6tnl0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter = 0
   /proc/sys/net/ipv4/conf/ip6tnl0/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/ppp1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ppp1/arp_filter = 0
   /proc/sys/net/ipv4/conf/ppp1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ppp1/rp_filter = 0
   /proc/sys/net/ipv4/conf/ppp1/log_martians = 1
   /proc/sys/net/ipv4/conf/sit0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/sit0/arp_filter = 0
   /proc/sys/net/ipv4/conf/sit0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/sit0/rp_filter = 0
   /proc/sys/net/ipv4/conf/sit0/log_martians = 1
   /proc/sys/net/ipv4/conf/teql0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/teql0/arp_filter = 0
   /proc/sys/net/ipv4/conf/teql0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/teql0/rp_filter = 0
   /proc/sys/net/ipv4/conf/teql0/log_martians = 1
   /proc/sys/net/ipv4/conf/tunl0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/tunl0/arp_filter = 0
   /proc/sys/net/ipv4/conf/tunl0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/tunl0/rp_filter = 0
   /proc/sys/net/ipv4/conf/tunl0/log_martians = 1
   /proc/sys/net/ipv4/conf/wlan0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/wlan0/arp_filter = 0
   /proc/sys/net/ipv4/conf/wlan0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/wlan0/rp_filter = 0
   /proc/sys/net/ipv4/conf/wlan0/log_martians = 1
   /proc/sys/net/ipv4/conf/wlan1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/wlan1/arp_filter = 0
   /proc/sys/net/ipv4/conf/wlan1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/wlan1/rp_filter = 0
   /proc/sys/net/ipv4/conf/wlan1/log_martians = 1

Routing Rules

0:      from all lookup local
10000:  from all fwmark 0x10000/0xff0000 lookup peth0
10011:  from all fwmark 0xc0000/0xff0000 lookup pppp1
20000:  from 192.168.105.70 lookup peth0
22816:  from 10.49.134.86 lookup pppp1
32766:  from all lookup main
32767:  from all lookup default

Table default:


Table local:

local 10.49.134.86 dev ppp1  proto kernel  scope host  src 10.49.134.86
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.111.0 dev br0  proto kernel  scope link  src
192.168.111.254
broadcast 192.168.111.255 dev br0  proto kernel  scope link  src
192.168.111.254
broadcast 192.168.105.0 dev eth0  proto kernel  scope link  src
192.168.105.70
broadcast 192.168.105.255 dev eth0  proto kernel  scope link  src
192.168.105.70
local 192.168.111.254 dev br0  proto kernel  scope host  src
192.168.111.254
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 192.168.105.70 dev eth0  proto kernel  scope host  src 192.168.105.70
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

10.64.64.65 dev ppp1  proto kernel  scope link  src 10.49.134.86
192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254
192.168.105.0/24 dev eth0  proto kernel  scope link  src 192.168.105.70 
metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.105.1 dev eth0  metric 2
default via 10.64.64.65 dev ppp1  metric 450

Table peth0:

192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254

Table pppp1:

10.64.64.65 dev ppp1  proto kernel  scope link  src 10.49.134.86
192.168.111.0/24 dev br0  proto kernel  scope link  src 192.168.111.254
default dev ppp1  scope link

ARP


Modules

ip_set                 14689  3 ip_set_hash_ip,xt_set,ip_set_bitmap_ipmac
ip_set_bitmap_ipmac     3872  7
ip_set_hash_ip         12856  0
xt_ACCOUNT              8220  2
xt_IPMARK                695  0
xt_LOGMARK              1352  0
xt_set                  2707  0

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Extended MARK Target 2: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available
   LOGMARK Target: Available
   IPMARK Target: Available
   LOG Target: Available
   Persistent SNAT: Available
   TPROXY Target: Available
   FLOW Classifier: Available
   fwmark route mask: Available
   Mark in any table: Available
   Header Match: Not available
   ACCOUNT Target: Available
   AUDIT Target: Not available
   ipset V5: Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address        
State       PID/Program name   
tcp        0      0 0.0.0.0:53              0.0.0.0:*              
LISTEN      21262/dnsmasq
tcp        0      0 :::53                   :::*                   
LISTEN      21262/dnsmasq
tcp        0      0 :::22                   :::*                   
LISTEN      10183/dropbear
udp        0      0 0.0.0.0:53             
0.0.0.0:*                           21262/dnsmasq
udp        0      0 0.0.0.0:67             
0.0.0.0:*                           21262/dnsmasq
udp        0      0 0.0.0.0:323            
0.0.0.0:*                           3143/chronyd
udp        0      0 0.0.0.0:123            
0.0.0.0:*                           3143/chronyd
udp        0      0 :::53                  
:::*                                21262/dnsmasq
udp        0      0 :::323                 
:::*                                3143/chronyd
udp        0      0 :::123                 
:::*                                3143/chronyd

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1
1 1 1 1 1
 Sent 81541 bytes 796 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0


Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1
1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0


Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1
1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0


Device wlan0:
qdisc mq 0: root
 Sent 75056 bytes 1136 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

class mq :1 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :2 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :3 root
 Sent 75056 bytes 1136 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :4 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Device wlan1:
qdisc mq 0: root
 Sent 203971 bytes 2774 pkt (dropped 0, overlimits 0 requeues 5)
 backlog 0b 0p requeues 5

class mq :1 root
 Sent 708 bytes 3 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :2 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :3 root
 Sent 203263 bytes 2771 pkt (dropped 0, overlimits 0 requeues 5)
 backlog 0b 0p requeues 5
class mq :4 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Device ppp1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1
1 1 1 1 1
 Sent 22890 bytes 289 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0



TC Filters

Device eth0:

Device eth1:

Device eth2:

Device wlan0:

Device wlan1:

Device ppp1:

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

Tom Eastep

2011-Aug-21 16:44 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On Aug 21, 2011, at 9:06 AM, Ed W wrote:
> On 21/08/2011 16:50, Tom Eastep wrote:
>> On Aug 21, 2011, at 8:23 AM, Ed W wrote:
>> 
>>> Sorry to ask what is probably a basic question, but I''m
struggling to
>>> get my routing to do anything sensible.  I have simplified by
config to
>>> the bare minimum to experiment.
>>> 
>>> Roughly speaking my problem is that I have two interfaces (eth0 and
>>> ppp1) and bringing each up individually passes traffic as expected.
>>> Setting both up prefers traffic through eth0, likely because of the
>>> higher metric.  Attempting to set any TC mark to direct traffic
through
>>> ppp1 and I get no reply packets, netfilter logging suggests
it''s still
>>> trying to pass through eth0 also?
>>> 
>> Please capture the output of ''shorewall dump'' as
described at http://www.shorewall.net/support.htm#Guidelines and forward it as
an attachment.
>> 
> 
> Sorry about that:
> 
> Some additional background that isn''t shown in the dump.  Kernel
> 2.6.38.4, but with grsec patches (and a couple of other thing such as
> aufs).  iproute2 installed, but using busybox/uclibc. Just mentioning
> for completeness?  I can''t quickly find what kernel config options
are
> needed for policy routing - can someone confirm what to check?
> 
> 
> 
> $ shorewall dump
> Shorewall 4.4.22.3 Dump at localhost - Sun Aug 21 16:01:01 UTC 2011
> 
> Counters reset Sun Aug 21 15:14:58 UTC 2011
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source              
> destination        
>   93  6301 accountin  all  --  *      *       0.0.0.0/0           
> 0.0.0.0/0          
>   53  3205 dynamic    all  --  *      *       0.0.0.0/0           
> 
Ed -- I specifically asked that the dump be forwarded as an attachment. Placing
it inline has caused your mailer to fold it until it is unreadable.

Please resend. If you mailer unconditionally inlines text attachments, then
please compress it first.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

Ed W

2011-Aug-21 22:41 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On 21/08/2011 17:44, Tom Eastep wrote:> Ed -- I specifically asked that the dump be forwarded as an attachment.
Placing it inline has caused your mailer to fold it until it is unreadable.
Apologies you did indeed.  Mailing lists are a tricky fine line to
tread.  I have recently been posting to the kernel mailing list using
using my mailer (thunderbird on osx) and as a result it defaults to
plain text, no attachments...  (I wish we could just all agree that html
email is ok...)

Correctly attached this time I believe...  Note, I have recreated the
dump - I have scanned it by eye and I believe it shows the same
representative dump as before - obviously the previous dump still
available for correlation

Apologies - thanks for looking into this

Ed W


------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

Tom Eastep

2011-Aug-22 03:00 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On 8/21/11 3:41 PM, Ed W wrote:> On 21/08/2011 17:44, Tom Eastep wrote:
>> Ed -- I specifically asked that the dump be forwarded as an attachment.
Placing it inline has caused your mailer to fold it until it is unreadable.
> 
> Apologies you did indeed.  Mailing lists are a tricky fine line to
> tread.  I have recently been posting to the kernel mailing list using
> using my mailer (thunderbird on osx) and as a result it defaults to
> plain text, no attachments...  (I wish we could just all agree that html
> email is ok...)
> 
> Correctly attached this time I believe...  Note, I have recreated the
> dump - I have scanned it by eye and I believe it shows the same
> representative dump as before - obviously the previous dump still
> available for correlation
> 
> Apologies - thanks for looking into this
It appears that your /etc/shorewall/masq file isn''t doing what is
proscribed at http://www.shorewall.net/MultiISP.html#id36153819. So I
suspect that packets with the source IP of eth0 are leaving ppp1 and are
not being replied to.

Furthermore, the Shorewall rules compiler is issuing a warning on both
entries in /etc/shorewall/masq which you are obviously ignoring. Maybe
you should have done something about them.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
uberSVN''s rich system and user administration capabilities and model 
configuration take the hassle out of deploying and managing Subversion and 
the tools developers use with it. Learn more about uberSVN and get a free 
download at:  http://p.sf.net/sfu/wandisco-dev2dev

Ed W

2011-Aug-22 12:38 UTC

head link

Re: Multi-ISP - struggling to get off the ground...

On 22/08/2011 04:00, Tom Eastep wrote:> It appears that your /etc/shorewall/masq file isn''t doing what is
> proscribed at http://www.shorewall.net/MultiISP.html#id36153819. So I
> suspect that packets with the source IP of eth0 are leaving ppp1 and are
> not being replied to.
Hi, thanks for the answer.  I have changed masq to show 0.0.0.0/0
instead of using br0 and this appears to do what I expect for the
limited testing I have given so far.

> Furthermore, the Shorewall rules compiler is issuing a warning on both
> entries in /etc/shorewall/masq which you are obviously ignoring. Maybe
> you should have done something about them.
Curiously, I only see one error, I presume this is because of
"idiotcounter++" in the code that supresses display of the second?

Note, thank you for highlighting the problems with using an interface
here.  I just wanted to highlight that I didn''t think I was being a
total clutz though - I did check the code previously and it appeared
that the warning appears every time you use this form, so I had wrongly
presumed it was an information message. I do see now in the man page for
"masq" that this is deprecated, and with some thought I can see how it
wouldn''t match my "locally generated" packets either.

Perhaps the lines around 4462 in Shorewall/Chains.pm (sorry, probably
going to wrap..):

            if ( $table eq ''nat'' ) {                
                warning_message qq(Using an interface as the masq SOURCE
requires the interface to be up and configured when $Product
starts/restarts) unless $idiotcount++;
            } else {       
                warning_message qq(Using an interface as the SOURCE in a
T: rule requires the interface to be up and configured when $Product
starts/restarts) unless $idiotcount1+
            }

...could include a "Deprecation" note?  I can supply a patch if you
like, but probably it''s faster for you to adjust directly (and to your
liking) than to apply my patch?

Many thanks for putting me straight here - I have noticed a couple of
quirks - will send a separate email

Thanks

Ed W

------------------------------------------------------------------------------
uberSVN''s rich system and user administration capabilities and model 
configuration take the hassle out of deploying and managing Subversion and 
the tools developers use with it. Learn more about uberSVN and get a free 
download at:  http://p.sf.net/sfu/wandisco-dev2dev

Shorewall users - Aug 2011 - Multi-ISP - struggling to get off the ground...

Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...

Re: Multi-ISP - struggling to get off the ground...