Axel Zöllich
2013-Oct-25 22:19 UTC
packet marking problems? (two ISPs ipsec openvpn six ethernet interfaces 10 zones)
Hi there,
Two ISPs: one of them via PPPoE (by pppd on the router)
IPsec tunnels (shorewall); OpenVPN tunnels; several zones; bind server on
the router
six ethernet interfaces
Shorewall version is 4.5.5.3-3 with Debian kernel 3.2.46-1+deb7u1 x86_64.
I'm experiencing a bunch of evil problems.
What is working:
Internet access from 192.168.222.0/24 is working well. The IPsec tunnel via
netco (eth4, aaa.bbb.77.217) shows good performance.
The OpenVPN tunnels are working sometimes. The IPsec to jung reaches state
installed but no packet is going through. The ge tunnels don't work at
all.
(All of the tunnels worked before on a Lancom router device/Linux server.)
Often named (bind) complains: error (network unreachable) resolving [...]
The OpenVPN tunnels stop working: TLS Error: TLS key negotiation failed to
occur within 60 seconds (check your network connectivity)
A shorewall restart sometimes gets OpenVPN running again.
A pppd reconnect requires a shorewall restart too.
I think my packet marking and routing isn't configured correctly. But
meanwhile I'm slightly lost in the huge amount of possible adjustments.
Where to start?
Axel
#
# Shorewall version 4 - Hosts file
#
###############################################################################
#ZONE HOST(S) OPTIONS
pktgh eth4:192.168.223.0/24,aaa.bbb.77.202 ipsec
pktgh eth4:192.168.3.0/24,aaa.bbb.77.202 ipsec
jung ppp0:192.168.174.0/24 ipsec
ge ppp0:192.168.170.0/24 ipsec
#
# Shorewall version 4 - Interfaces File
#
###############################################################################
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
pktd eth0
# Modem UI
pktd eth5
net ppp0
net eth4
smn eth3
cuga eth1
hoe tun_hoeher
mepa tun_media
zoe tun_volk
#
# Shorewall version 4 - Masq file
#
######################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/GROUP SWITCH
#ppp0 192.168.222.0/24 ggg.hhh.162.192
#Ripp
#ppp0 eth3 ggg.hhh.162.192
#Cura
#ppp0 eth1 ggg.hhh.162.192
ppp0 192.168.122.0/24 ggg.hhh.162.192
#eth4 192.168.0.0/16 aaa.bbb.77.218
ppp0 192.168.222.0/24 ggg.hhh.162.192
eth4 192.168.222.0/24 aaa.bbb.77.218
ppp0 192.168.223.0/24 ggg.hhh.162.192
eth4 192.168.223.0/24 aaa.bbb.77.218
ppp0 10.8.0.0/16 ggg.hhh.162.192
eth4 10.8.0.0/16 aaa.bbb.77.218
#
# Shorewall version 4 - Params File
#
###############################################################################
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Policy File
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW all ACCEPT
#$FW pktgh ACCEPT
pktd all ACCEPT
pktgh pktd ACCEPT
pktgh $FW ACCEPT
zoe pktd ACCEPT
smn net ACCEPT
cuga net ACCEPT
net all DROP
all all REJECT
#
# Shorewall version 4 - Providers File
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#tcom 1 0x100 - ppp0 - -
tcom 1 0x100 - ppp0 - balance=2 -
netco 2 0x200 - eth4 aaa.bbb.77.217 balance=1 -
#
# Shorewall version 4 - route rules File
#
####################################################################################
#SOURCE DEST PROVIDER PRIORITY MASK
# openvpn return path
- 10.8.0.0/24 main 1000
#
# Shorewall version 4 - Rules File
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
Ping(ACCEPT) net fw
ACCEPT pktgh:aaa.bbb.77.202 $FW
COMMENT ssh access from outside
ACCEPT net fw tcp 22
COMMENT Stop NETBIOS noise
REJECT pktd net tcp 137,445
REJECT pktd net udp 137:139
COMMENT
#
# Shorewall version 4 - Tcrules File
#
FORMAT 2
##########################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S)
# everything via tcom:
0x100:P 0.0.0.0/0
0x100 $FW
#Meia via netco
0x200 - aaa.bbb.77.202
#
# Shorewall version 4 - Tunnels File
#
###############################################################################
#TYPE ZONE GATEWAY(S) GATEWAY ZONE(S)
openvpnserver:1304 net 0.0.0.0/0
openvpnserver:1300 net 0.0.0.0/0
#
# Shorewall version 4 - Zones File
#
###############################################################################
#ZONE TYPE OPTIONS IN-OPTIONS OUT-OPTIONS
fw firewall
net ipv4 # Internet
smn ipv4 # Sond
pktd ipv4 # Praxis D
pktgh ipsec mode=tunnel mss=1024 # Praxis H
hoe ipv4 # Praxis Hh
zoe ipv4 # A
cuga ipv4 # Cu
mepa ipv4 # Med
jung ipsec mode=tunnel mss=1024 # jun
ge ipsec mode=tunnel mss=1024 # Gen
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
###############################################################################
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=8
PROVIDER_BITS=8
PROVIDER_OFFSET=8
MASK_BITS=8
ZONE_BITS=0
IPSECFILE=zones
--
We use exclusively blue electrons from organic farming.
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
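An added diagnostic helper for the multi-provider setup described in the post; it is not code from Axel's message or from Shorewall. It asks the kernel where a packet carrying each provider mark would be routed and compares that with the providers file (tcom = 0x100 via ppp0, netco = 0x200 via eth4, gateway aaa.bbb.77.217), which is the first thing to check when replies for OpenVPN or IPsec leave on the wrong ISP. The `--live` flag, the assumption that Shorewall names the routing tables after the providers, and the TEST-NET probe address are my own.

```shell
#!/bin/sh
# Diagnostic helper (added example, not part of the original post).
# Provider names, marks and interfaces come from the posted providers file.

# Extract the "dev X" token from one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Return 0 when the given `ip route get` output names the expected device.
# $1 provider name, $2 expected device, $3 one line of `ip route get` output
check_provider() {
    dev=$(route_dev "$3")
    if [ "$dev" = "$2" ]; then
        echo "OK   $1: mark routes via $dev"
        return 0
    fi
    echo "FAIL $1: expected $2, kernel chose '${dev:-none}'"
    return 1
}

# Return 0 when `ip rule` output has a fwmark rule pointing at the provider table.
# TRACK_PROVIDERS=Yes depends on these rules existing after every pppd reconnect.
# $1 provider name, $2 full `ip rule` output
rule_present() {
    printf '%s\n' "$2" | grep -q "fwmark.*lookup $1"
}

# Live probe on the router: with PROVIDER_OFFSET=8 / MASK_BITS=8 from the posted
# shorewall.conf the provider mark occupies bits 8-15, so 0x100 / 0x200 are passed as-is.
# $1 provider, $2 mark, $3 expected device, $4 destination address
probe() {
    check_provider "$1" "$3" "$(ip route get "$4" mark "$2" 2>/dev/null | head -n 1)"
}

if [ "${1:-}" = "--live" ]; then
    probe tcom  0x100 ppp0 198.51.100.1    # placeholder Internet destination (TEST-NET-2)
    probe netco 0x200 eth4 aaa.bbb.77.202  # IPsec peer from the post's hosts file
    rules=$(ip rule)
    rule_present tcom  "$rules" || echo "FAIL no fwmark rule for tcom"
    rule_present netco "$rules" || echo "FAIL no fwmark rule for netco"
fi
```

Run it as `sh check-providers.sh --live` on the router once before and once after a pppd reconnect; a FAIL on the second run points at the provider rules being lost, which matches the "reconnect needs a shorewall restart" symptom.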