Hi all,

I'm trying to convert some manually written iptables rules into a shorewall configuration but I'm facing some issues with mode statistic.
In our outgoing smtp we balance the source IP address of outgoing connections originating from the firewall between 4 aliases configured on the eth0 interface:

eth0    inet addr:xxx.xxx.xxx.18  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
eth0:1  inet addr:xxx.xxx.xxx.19  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
eth0:2  inet addr:xxx.xxx.xxx.28  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
eth0:3  inet addr:xxx.xxx.xxx.29  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0

using iptables we just add the following rules:

iptables -A POSTROUTING -m statistic --mode random --probability 0.25 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.19
iptables -A POSTROUTING -m statistic --mode random --probability 0.33 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.28
iptables -A POSTROUTING -m statistic --mode random --probability 0.5 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.29

how can we achieve this with shorewall?

Thanks
Davide

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
On 12/13/2013 7:53 AM, Davide Ferri wrote:
> Hi all,
> I'm trying to convert some manually written iptables rules into a
> shorewall configuration but I'm facing some issues with mode statistic.
> In our outgoing smtp we balance the source IP address of outgoing
> connections originating from the firewall between 4 aliases configured on
> the eth0 interface:
>
> eth0    inet addr:xxx.xxx.xxx.18  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> eth0:1  inet addr:xxx.xxx.xxx.19  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> eth0:2  inet addr:xxx.xxx.xxx.28  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> eth0:3  inet addr:xxx.xxx.xxx.29  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
>
> using iptables we just add the following rules:
>
> iptables -A POSTROUTING -m statistic --mode random --probability 0.25 -t
> nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.19
> iptables -A POSTROUTING -m statistic --mode random --probability 0.33 -t
> nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.28
> iptables -A POSTROUTING -m statistic --mode random --probability 0.5 -t
> nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.29
>
> how can we achieve this with shorewall?

The only way to do it with current Shorewall versions is to insert those rules using your 'start' extension script.

Beginning with Shorewall 4.6.0, you will be able to do something like the following in /etc/shorewall/masq:

INLINE(eth0)    -    xxx.xxx.xxx.19    tcp    25    ; -m statistic --mode random --probability 0.25
...

The attached patch can be applied to recent Shorewall 4.5 versions to allow you to do that now.

patch /usr/share/shorewall/Shorewall/Nat.pm < INLINEMASQ.patch

That command assumes that PERLLIB=/usr/share/shorewall/ in your shorewallrc file.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
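As an added example (not code from the thread or from the Shorewall project), a POSIX sh helper that does two things a practitioner would want before moving the rules above into a Shorewall 'start' extension script: it computes the share each address really receives from a chain of random-mode rules, since each rule only sees the connections the earlier rules let through, and it renders the SNAT rules with equal-share probabilities. The addresses are constructed placeholders; `run_iptables` is the wrapper Shorewall documents for use in extension scripts.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall.
# Addresses below are constructed placeholders (RFC 5737 range).

# effective_shares P1 P2 ...
# Prints "ruleN share" per rule, then "remainder share" for connections no
# rule matched; those leave with the interface's primary address, which is
# why three rules cover four addresses. The split is per connection, not
# per packet: the nat table only sees the first packet of a connection.
effective_shares() {
    printf '%s\n' "$@" | awk '
        BEGIN { left = 1.0 }
        { share = left * $1; printf "rule%d %.4f\n", NR, share; left -= share }
        END { printf "remainder %.4f\n", left }'
}

# render_snat_rules IFACE PORT ADDR1 ADDR2 ...
# Emits one rule per alternate address with probability 1/n, 1/(n-1), ...
# so that every address (primary included) gets 1/n of the connections.
render_snat_rules() {
    iface=$1; port=$2; shift 2
    n=$(($# + 1))   # alternate addresses plus the primary
    i=1
    for addr in "$@"; do
        p=$(awk -v n="$n" -v i="$i" 'BEGIN { printf "%.4f", 1 / (n - i + 1) }')
        printf 'run_iptables -t nat -A POSTROUTING -o %s -p tcp --dport %s' "$iface" "$port"
        printf ' -m statistic --mode random --probability %s -j SNAT --to-source %s\n' "$p" "$addr"
        i=$((i + 1))
    done
}

# The chain from the thread: 0.25, then 0.33, then 0.5. Rounding 1/3 to 0.33
# tilts the split slightly towards the last two addresses; 0.3333 would be exact.
effective_shares 0.25 0.33 0.5
render_snat_rules eth0 25 192.0.2.19 192.0.2.28 192.0.2.29
```

The rendered lines are what the 'start' script would contain; checking the shares first catches a chain whose probabilities were added or reordered without recomputing them.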
We added our custom rules to the start script and it works very well.
Thanks for your support.

Davide

On Fri, Dec 13, 2013 at 5:38 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 12/13/2013 7:53 AM, Davide Ferri wrote:
> > Hi all,
> > I'm trying to convert some manually written iptables rules into a
> > shorewall configuration but I'm facing some issues with mode statistic.
> > In our outgoing smtp we balance the source IP address of outgoing
> > connections originating from the firewall between 4 aliases configured on
> > the eth0 interface:
> >
> > eth0    inet addr:xxx.xxx.xxx.18  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> > eth0:1  inet addr:xxx.xxx.xxx.19  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> > eth0:2  inet addr:xxx.xxx.xxx.28  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> > eth0:3  inet addr:xxx.xxx.xxx.29  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
> >
> > using iptables we just add the following rules:
> >
> > iptables -A POSTROUTING -m statistic --mode random --probability 0.25 -t
> > nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.19
> > iptables -A POSTROUTING -m statistic --mode random --probability 0.33 -t
> > nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.28
> > iptables -A POSTROUTING -m statistic --mode random --probability 0.5 -t
> > nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.29
> >
> > how can we achieve this with shorewall?
>
> The only way to do it with current Shorewall versions is to insert those
> rules using your 'start' extension script.
>
> Beginning with Shorewall 4.6.0, you will be able to do something like
> the following in /etc/shorewall/masq:
>
> INLINE(eth0)    -    xxx.xxx.xxx.19    tcp    25    ; -m statistic --mode random --probability 0.25
> ...
>
> The attached patch can be applied to recent Shorewall 4.5 versions to
> allow you to do that now.
>
> patch /usr/share/shorewall/Shorewall/Nat.pm < INLINEMASQ.patch
>
> That command assumes that PERLLIB=/usr/share/shorewall/ in your
> shorewallrc file.
>
> -Tom
> -- 
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users