Hello list,

I have two questions.

The first: I have a box that has eth0, tun0, tun1 and ppp0, where tun0 and tun1 are VPN clients and ppp0 is a gateway. I would like the box to use eth0 for all its own default route, but the VPN clients must use ppp0 as the default route. How can I accomplish this?

Second question for a different box (xen dom0): I want to add rules for certain public IPs that have the form of iptables -t mangle -d $dest -j TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to domU's. How can this be done?

Thank you,
-Mark

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2
On Sat, 2011-09-24 at 17:14 +0200, Mark van Dijk wrote:
> I have two questions.
>
> The first: I have a box that has eth0, tun0, tun1 and ppp0, where tun0
> and tun1 are VPN clients and ppp0 is a gateway. I would like the box to
> use eth0 for all its own defaultroute, but the vpn clients must use
> ppp0 as the defaultroute. How can I accomplish this?

See http://www.shorewall.net/MultiISP.html.

> Second question for a different box (xen dom0): I want to add rules for
> certain public IPs that have the form of iptables -t mangle -d $dest -j
> TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to
> domU's. How can this be done?

You will have to use an Action that either has an associated extension script or that uses BEGIN PERL...END PERL and generates the rule in Perl. /usr/share/shorewall/action.Invalid would be a good example to follow. See also http://www.shorewall.net/Actions.html.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Sat, 2011-09-24 at 09:00 -0700, Tom Eastep wrote:
> > Second question for a different box (xen dom0): I want to add rules for
> > certain public IPs that have the form of iptables -t mangle -d $dest -j
> > TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to
> > domU's. How can this be done?
>
> You will have to use an Action that either has an associated extension
> script or that uses BEGIN PERL...END PERL and generates the rule in
> Perl. /usr/share/shorewall/action.Invalid would be a good example to
> follow. See also http://www.shorewall.net/Actions.html.
>

I should note that to use this approach, you must invoke the action in the ALL section of the rules file and your iptables/kernel must allow mangling in the filter chain. If you can't do that, then you will have to use the 'start' extension script and add the rule to the appropriate chain using iptables directly.

-Tom
On Sep 24, 2011, at 9:14 AM, Tom Eastep wrote:
> On Sat, 2011-09-24 at 09:00 -0700, Tom Eastep wrote:
>
>>> Second question for a different box (xen dom0): I want to add rules for
>>> certain public IPs that have the form of iptables -t mangle -d $dest -j
>>> TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to
>>> domU's. How can this be done?
>>
>> You will have to use an Action that either has an associated extension
>> script or that uses BEGIN PERL...END PERL and generates the rule in
>> Perl. /usr/share/shorewall/action.Invalid would be a good example to
>> follow. See also http://www.shorewall.net/Actions.html.
>>
>
> I should note that to use this approach, you must invoke the action in
> the ALL section of the rules file and your iptables/kernel must allow
> mangling in the filter table.
>

Just tried this and, although the MARK targets are allowed in the filter table, 'TTL' is not. So you will have to place the command in the 'start' extension script.

-Tom
Hi Tom,

> >>> Second question for a different box (xen dom0): I want to add
> >>> rules for certain public IPs that have the form of iptables -t
> >>> mangle -d $dest -j TTL --ttl-inc 1 -- this would hide the
> >>> firewall from traceroute etc. to domU's. How can this be done?
> >>
> >> You will have to use an Action that either has an associated
> >> extension script or that uses BEGIN PERL...END PERL and generates
> >> the rule in Perl. /usr/share/shorewall/action.Invalid would be a
> >> good example to follow. See also
> >> http://www.shorewall.net/Actions.html.
> >>
> >
> > I should note that to use this approach, you must invoke the action
> > in the ALL section of the rules file and your iptables/kernel must
> > allow mangling in the filter table.
> >
>
> Just tried this and, although the MARK targets are allowed in the
> filter table, 'TTL' is not. So you will have to place the command in
> the 'start' extension script.

Thanks for helping out by trying this. I also have not been able to get this to work via your suggested method; I saw the same results.

Then I started to experiment a bit with action files, and, following the simpler SSHKnock file and the more difficult variant, I wrote a pretty lousy perl action file called TTLINC. Unfortunately all it does is add a chain -- trivial. I could not get it to add rules for every destination IP. Maybe it needs a 'foreach' statement, but I'm not sure. Initially I thought that I could perhaps stick this into rules but later I realised that mangle rules probably should reside in tcrules, and not rules, am I correct?

Anyway, this is all probably overkill. I'll go with the start extension script.

Thanks again though,
Mark
On Sep 24, 2011, at 2:04 PM, Mark van Dijk wrote:
> Anyway, this is all probably overkill. I'll go with the start extension
> script.

Shorewall 4.4.24 will include TTL support in the tcrules file.

-Tom
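The fallback both Tom and Mark settle on above is a Shorewall 'start' extension script that adds the TTL rule with iptables directly, and Mark's sticking point was generating one rule per destination IP. The following is an added example of such a script fragment; it is not code from the thread or from the Shorewall project. It assumes the forwarded public IPs are listed in DOMU_IPS (constructed documentation addresses, to be replaced with the real domU addresses), that a dedicated mangle chain named ttlinc is acceptable, and that the rules should hook into mangle PREROUTING so the increment is applied before the forwarding decrement. Nothing is applied to the kernel unless APPLY_TTL_RULES=1, so the generated commands can be inspected first.

```shell
#!/bin/sh
# Added example (not from the thread): fragment for /etc/shorewall/start that
# increments the TTL of packets forwarded to the public IPs of domUs, so the
# dom0 firewall does not appear as a hop in traceroute to those addresses.
# Assumptions: DOMU_IPS holds constructed placeholder addresses, and the
# chain name "ttlinc" is arbitrary.

DOMU_IPS="${DOMU_IPS:-203.0.113.10 203.0.113.11}"   # constructed placeholders
TTL_CHAIN="${TTL_CHAIN:-ttlinc}"

# Emit the iptables commands for one chain and a list of destination IPs,
# one command per line. Generation is kept separate from execution so the
# rules can be reviewed (or tested) without touching the live firewall.
ttl_rules() {
    chain="$1"
    shift
    # Create the chain, or flush it if it survived a previous restart,
    # so running the script twice does not duplicate rules.
    printf 'iptables -t mangle -N %s 2>/dev/null || iptables -t mangle -F %s\n' "$chain" "$chain"
    for ip in "$@"; do
        # The TTL target is only valid in the mangle table; --ttl-inc 1
        # compensates for the decrement applied when dom0 forwards the packet.
        printf 'iptables -t mangle -A %s -d %s -j TTL --ttl-inc 1\n' "$chain" "$ip"
    done
    # Hook the chain into PREROUTING exactly once: drop any stale jump first.
    printf 'iptables -t mangle -D PREROUTING -j %s 2>/dev/null\n' "$chain"
    printf 'iptables -t mangle -A PREROUTING -j %s\n' "$chain"
}

# Number of per-destination TTL rules that would be generated; a cheap
# sanity check that every address in the list produced a rule.
ttl_rule_count() {
    ttl_rules "$@" | grep -c -- '-j TTL --ttl-inc 1'
}

# Apply only when explicitly requested, so sourcing this file is harmless.
if [ "${APPLY_TTL_RULES:-0}" = 1 ]; then
    # shellcheck disable=SC2086  # word-splitting of DOMU_IPS is intended
    ttl_rules "$TTL_CHAIN" $DOMU_IPS | sh -e
fi
```

Run `ttl_rules ttlinc 203.0.113.10` by hand to see the four commands it would issue; `APPLY_TTL_RULES=1 sh /etc/shorewall/start` then executes them. Because the chain is flushed and the PREROUTING jump re-created on every run, a `shorewall restart` leaves exactly one copy of each rule. As Tom notes in the last message, Shorewall 4.4.24 adds TTL support in the tcrules file, which makes this script unnecessary on that version and later.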