Anuj Singh | 2 Apr 17:05 2006

Re: multiple isp. masqueraded machines somtimes work and sometimes not

Hiii!
After working on the problem I found that one of the DNS entries was wrong (this is a remote network and the basic configuration was done by someone else) ... after entering the proper nameservers I checked the performance and so far there is no problem with both ISPs working.

Now about IP failover, I tried this script, called switch.sh:
#vi switch.sh

#!/bin/sh
# switch.sh: run from cron every 5 minutes. If the probe host cannot be
# reached, move the default route to the other ISP's gateway.
ISP1=61.95.234.1    # cable gateway
ISP2=59.144.170.1   # DSL gateway

switch_dsl()
{
    route del default
    route add default gw "$ISP2"
}

switch_cable()
{
    route del default
    route add default gw "$ISP1"
}

if ping -c1 -q www.yahoo.com >/dev/null 2>&1; then
    echo "Gateway is alive."
    ip route show
    exit 0
else
    # default route currently points at ISP1: move to ISP2 and restart
    # shorewall from the alternate config directory (providers swapped)
    if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
        switch_dsl
        ip route flush cache
        shorewall restart /shorewall2
        route -n
    else
        switch_cable
    fi
fi
The OS is SUSE and I am still working on making a daemon of it. At the moment I added an entry for it in the crontab to run every 5 minutes.

I found that if I add my shorewall restart, it again changes the default gateway to the 1st ISP defined in /etc/shorewall/providers, which is unplugged or not working (it still works for a while ... probably due to the ip route cache).
Now, to make it switch properly between the gateways, I copied the whole /etc/shorewall directory to a different location, say /shorewall2, with a change in the providers file, i.e. I defined just the opposite ISPs (changed the 1st ISP to 2 and the 2nd ISP to 1):


#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
ISP1    1       1       main       eth0       59.144.170.1   track,balance  eth2
ISP2    2       2       main       eth1       61.95.234.1    track,balance  eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

and defined it in my script (shown above in the script with directory /shorewall2). Now it was switching the ISPs, but I found it not working for the local network...
By default, after a shorewall restart command, it makes the default gw = ISP1 from the providers file.


In the end I made another change in the script: make it only change the gateway and do no shorewall restart. This time the internet was working on the local network. Just checked for a few minutes after flushing the ip route cache.

#!/bin/sh
# switch.sh, second version: same check, but only the default gateway is
# changed; the shorewall restart is commented out.
ISP1=61.95.234.1    # cable gateway
ISP2=59.144.170.1   # DSL gateway

switch_dsl()
{
    route del default
    route add default gw "$ISP2"
}

switch_cable()
{
    route del default
    route add default gw "$ISP1"
}

if ping -c5 -q www.yahoo.com >/dev/null 2>&1; then
    echo "Gateway is alive."
    ip route show
    exit 0
else
    if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
        switch_dsl
        ip route flush cache
        #shorewall restart /shorewall2
        route -n
    else
        switch_cable
    fi
fi

Tomorrow the load on the network will be full and I am going to check the performance.
Tom, I would like to check other scripts too... if you can provide the links or more details related to IP failover.

I will update with more....
Thanks and regards
Anuj


On 3/28/06, Tom Eastep <teastep <at> shorewall.net> wrote:

On Mon, March 27, 2006 10:23, Anuj Singh wrote:
> Yes both are connected to the same switch.

That's your answer. If the two interfaces are on different IP networks and
you do not use Proxy ARP, it will be sufficient to specify 'arp_ignore=1'
on both interfaces (/etc/shorewall/interfaces). They cannot be on the same
IP network and you cannot use Proxy ARP with that physical network
topology without using ebtables. You will probably have to restart your
firewall after making this change to get the upstream router(s) to get the
correct ARP information.

>
> About the ip failover

Other folks have posted similar scripts, although most run the script as a
daemon rather than scheduling it via cron.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Jerry Vonau | 2 Apr 18:00 2006

Re: multiple isp. masqueraded machines somtimes work and sometimes not

Anuj Singh wrote:
> Hiii!
> After working on the problem  I found that one of the dns entry was wrong
> (This is a remote network and basic configuratins were done by some other)
> ... after entering the proper nameserves I checked the performance and so
> far there is no problem with both the isp's working.
> 
> now about ip failover I tried this script: called switch.sh
> #vi switch.sh
> 
> #!/bin/sh
> ISP1=61.95.234.1
> ISP2=59.144.170.1
> switch_dsl()
> {
> route del default
> route add default gw $ISP2
> }
> switch_cable()
> {
> route del default
> route add default gw $ISP1
> }
> if ping -c1 -q www.yahoo.com >/dev/null 2>&1; then
> echo Gateway is alive.
> ip route show
> exit 0
> else
> if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
> switch_dsl
> ip route flush cache
> shorewall restart /shorewall2
> route -n
> else
> switch_cable
> fi
> fi
> 

You should really be using "ip route" here and not plain "route".
Try "ip route ls" to see the difference in the output from just using 
"route". Using just "route" you will be unable to observe the multi-hop 
gateways that would be present, for example from my 2 gateway box:

[root <at> shore jerry]# /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.3.0.10       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        10.10.0.2       255.255.255.0   UG    0      0        0 tun0
24.78.192.0     0.0.0.0         255.255.254.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         24.78.192.1     0.0.0.0         UG    0      0        0 eth2

and the same box:

[root <at> shore jerry]# /sbin/ip route ls
10.10.0.2 dev tun0  proto kernel  scope link  src 10.10.0.1
10.3.0.10 dev eth1  scope link  src 10.3.0.75
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.106
10.5.0.0/24 via 10.10.0.2 dev tun0
24.78.192.0/23 dev eth2  proto kernel  scope link  src 24.78.192.127
169.254.0.0/16 dev eth2  scope link
default
         nexthop via 24.78.192.1  dev eth2 weight 10
         nexthop via 10.3.0.1  dev eth0 weight 1

Note the 2 default gateways that are present when using "ip route".

> 
> The os is suse and I am still working on making a daemon on it. At the
> moment I added it's entry in the crontab to run in every 5 minutes.
> 
> I found that if i add my shorewall restart it again changes the default
> gateway to the 1st ISP defined in /etc/shorewall/providers file. which is
> unplugged ot not working ( it still works for a while .. probably due to ip
> route cache)

Yes, the route cache is playing games here. Those /proc entries, that 
you had re-posted from my earlier email, change the time it takes to 
declare a gateway unavailable and to try the other remaining available 
gateway.

> now to make it switching properly between the gateways I copied the whole
> /etc/shorewall directory to a different location say /shorewall2 with a
> change in providers file ...i.e. i defined just oppsite ISP's (changed 1st
> isp to 2 and 2nd ISP to 1)
>

I think you should leave the providers file alone and just use a 
different tcrules file to favor the working isp, in your second 
shorewall directory.

> 
> #NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
> ISP1    1       1       main       eth0       59.144.170.1   track,balance  eth2
> ISP2    2       2       main       eth1       61.95.234.1    track,balance  eth2
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> 
> and defined it in my script (showed above in the script with directory
> /shorewall2 )now it was switching the ISP's but i found it not working for
> local network...
> By default after a shorewall restart command it makes default gw= ISP1 in
> providers file.
> 
You should be checking the gateway with "ip route ls".

> 
> In the last  I made another change in the script is to make it to only chane
> the gateway and no shorewall restart. this time the internet was working on
> local network. Just checkd for few minutes after flushing the ip route
> cache.
> 
> #!/bin/sh
> ISP1=61.95.234.1
> ISP2=59.144.170.1
> switch_dsl()
> {
> route del default
> route add default gw $ISP2
> }
> switch_cable()
> {
> route del default
> route add default gw $ISP1
> }
> if ping -c5 -q www.yahoo.com >/dev/null 2>&1; then
> echo Gateway is alive.
> ip route show
> exit 0
> else
> if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
> switch_dsl
> ip route flush cache
> #shorewall restart /shorewall2
> route -n
> else
> switch_cable
> fi
> fi
> 
> 
Without restarting shorewall when both ISPs are up, the advanced routing 
tables will not be created or used, leaving you without access through 
both providers; just the one that you have the default gateway pointed 
to will work.

> 
> Tomorrow the load on the network will be full and going to check the
> performance.
> Tom I would like to check other scripts too....if you can provide the links
> or more details related to ip failover.
> 
> I will update with more....
> Thanks and regards
> Anuj
> 

Just my 2 cents worth.
Good luck,

Jerry
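One way to write Anuj's check the way Jerry suggests, with "ip route" used both to read and to change the default gateway. This is an added example, not the script from the post; it keeps Anuj's two gateway addresses and his www.yahoo.com probe host, and it also handles the multipath "default / nexthop" form that Jerry's "ip route ls" output shows and "route -n" hides.

```shell
#!/bin/sh
# switch.sh rewritten around "ip route" (added example, not Anuj's script).
# Gateway addresses are the two from his post; the probe host is the one
# his script pings. Run from cron as:  switch.sh run
ISP1=61.95.234.1      # cable gateway
ISP2=59.144.170.1     # DSL gateway
PROBE=www.yahoo.com

# Print the gateway of the current default route, reading "ip route show"
# output on stdin. Handles "default via X dev Y" as well as the multipath
# form ("default" followed by "nexthop via X ..." lines); prints nothing
# when there is no default route at all.
current_default_gw() {
    awk '
        $1 == "default" && $2 == "via"          { print $3; exit }
        $1 == "default"                          { multi = 1; next }
        multi && $1 == "nexthop" && $2 == "via"  { print $3; exit }
    '
}

# Name the gateway of the other ISP.
other_gw() {
    if [ "$1" = "$ISP1" ]; then echo "$ISP2"; else echo "$ISP1"; fi
}

# Three probes rather than one, so a single lost packet does not flip the
# gateway. The probe resolves a name, so a broken resolver (the first fault
# Anuj found) looks exactly like a dead link here; check DNS separately.
link_alive() {
    ping -c 3 -q "$1" >/dev/null 2>&1
}

# "ip route replace" swaps the default route in one step; "route del" then
# "route add" leaves a window with no default route. Only the main table is
# touched: Shorewall's own provider tables are left as they are.
switch_to() {
    ip route replace default via "$1"
    ip route flush cache
    logger -t switch.sh "default gateway switched to $1"
}

main() {
    cur=$(ip route show | current_default_gw)
    if [ -z "$cur" ]; then
        echo "no default route found" >&2
        exit 1
    fi
    if link_alive "$PROBE"; then
        echo "Gateway $cur is alive."
        exit 0
    fi
    switch_to "$(other_gw "$cur")"
    ip route show
}

case "${1-}" in run) main ;; esac
```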

Nick Mashchenko | 2 Apr 19:43 2006

Two ISP

Hello all.

First of all, please be a bit indulgent of my poor English :-).
Second, this message is "kinda" BIG, so if you don't like BIG
messages, simply don't read it :-).

I've read http://shorewall.net/2.0/Shorewall_and_Routing.html
and http://shorewall.net/MultiISP.html, however I'm still a bit confused about how
to organize what I need :-).

I've a simple "layout" like a lot of people here have:

                        eth0
LAN (192.168.1.0/24) -------- Shorewall --- eth1 --- DSL --- SVR
                                   |
                                   +------- eth2 --- DSL --- OGO

"Shorewall" box is a RH 7.3, Shorewall itself is version 2.4.7.

Preface :-).

1. SVR is a very good, but expensive ISP. However, all kinds of local
(Ukrainian) traffic are free of charge.
2. OGO is not as good as SVR, but it's cheap. However, it doesn't make
a difference between local and foreign traffic -- it charges for any traffic.
3. There is a URL where I can grab the current version of the local subnets list.
That list changes frequently, so we grab it every 15 mins.
4. I don't need any kind of load balancing! :-)

What do I need?

1. For most of the LAN the default route is OGO.
1.1. All local traffic should be routed to SVR.
1.2. Traffic from some IPs in the LAN (192.168.1.2, 3 and 4) should be
routed only over SVR (CIO, CEO and other "officers" :-).

2. If OGO is down, all traffic (not only local) from the LAN (including
the "officers'" traffic) should go over SVR.
2.1. Otherwise, if SVR is down, all traffic, including 192.168.1.2, 3 and
4's, should go over OGO.
2.2. Once we detect that OGO is up again, all traffic from the LAN goes
over OGO again, local traffic goes over SVR, "officers'" traffic over SVR.

How do I plan to implement that and what questions do I have?

1. Set the default gw to OGO :-).
1.1. Grab the list of local subnets via a bash script every 15 min and then
run the proper "route" command for every row in that list in order to
point local traffic over SVR.
1.2. Here is a Q: is it possible to do that with Shorewall itself? Or do I need to
do it via "ip route" manually? Tom says: "As of this writing, I know of
no distribution that is shipping a kernel or iptables with the ROUTE target
patch included. This means that you must patch and build your own kernel
and iptables in order to be able to use the feature described in this
section.
This code remains experimental since there is no intent by the Netfilter
team to ever submit the ROUTE target patch for inclusion in the official
kernels from kernel.org. This support may also be removed from Shorewall
in a future release." And this is my "shorewall show capabilities":

[root <at> k9-66 root]# shorewall show capabilities
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Not available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Available
   Ipset Match: Not available

   ROUTE Target: Not available
   ^^^^^^^^^^^^ -- so /etc/shorewall/routes is not for me! :-(

   Extended MARK Target: Not available

   CONNMARK Target: Not available
   ^^^^^^^^^^^^ -- so "track" option in the /etc/shorewall/providers
   also not for me :-(     (w/o recompiling kernel/iptables).

   Connmark Match: Not available
   Raw Table: Not available
[root <at> k9-66 root]#

2, 2.1 and 2.2 I plan to implement via a bash script (not a topic to
discuss here :-).

Finally, I think my /etc/shorewall should look like this:

- interfaces:

svr    eth1    detect    norfc1918,nobogons,routefilter,blacklist,tcpflags,routeback,nosmurfs
ogo    eth2    detect    norfc1918,nobogons,routefilter,blacklist,tcpflags,routeback,nosmurfs
loc    eth0    detect    tcpflags,nosmurfs

- masq:

eth1    eth0
eth2    eth0

Using the above masq file means that PBR for the so-called officers is organized
via "ip route" by the script and can be switched off by the script if
needed.

- policy:

loc    fw    ACCEPT
loc    svr    ACCEPT
loc    ogo    ACCEPT

fw    loc    ACCEPT
fw    svr    ACCEPT
fw    ogo    ACCEPT

all    all    DROP

- providers:

SVR    1    1    main    eth1    IP.OF.SVR.GW    track (?)    eth0
OGO    2    2    main    eth2    IP.OF.OGO.GW    track (?)    eth0

- zones:

svr    svr    svr
ogo    ogo    ogo
loc    loc    loc

- rules:

AllowPing    svr    fw
AllowSSH    svr    fw
AllowFTP    svr    fw
AllowSMTP    svr    fw

AllowPing    ogo    fw
AllowSSH    ogo    fw
AllowFTP    ogo    fw
AllowSMTP    ogo    fw

So, the main Q is: if I use PBR via the "ip route" command from the script,
will the above files do exactly what I want? I think not :-). Any help is
appreciated. Thanks.

--
MNV-UANIC
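The "ip route" part of Nick's plan (items 1.1 and 1.2 above: local subnets fetched from a URL and routed via SVR, plus the officers' addresses pinned to SVR) written as a script that generates the commands first and runs them second, so the generation can be checked without touching the routing table. This is an added example, not code from Nick's message or from Shorewall; the gateway address, interface, subnet-list URL and routing table number 100 are placeholders and assumptions.

```shell
#!/bin/sh
# Added example for Nick's plan; not from his message or from Shorewall.
# Placeholders/assumptions: SVR gateway and interface (as in his providers
# file), the subnet-list URL, and routing table 100 for the officers.
SVR_GW=IP.OF.SVR.GW
SVR_IF=eth1
SVR_TABLE=100
OFFICERS="192.168.1.2 192.168.1.3 192.168.1.4"
LIST_URL=http://LIST.URL.PLACEHOLDER/local-subnets.txt

# The list is fetched from a remote URL and ends up in commands run as root,
# so every line is checked to be an IPv4 CIDR (octets 0-255, prefix 0-32)
# before it is used; anything else is reported and skipped.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    echo "${1%/*}" | tr . '\n' | awk '$1 > 255 { bad = 1 } END { exit bad }'
}

# Read the subnet list on stdin (one CIDR per line, "#" comments allowed)
# and print one "ip route replace" per valid entry, sending it via SVR in
# the main table (requirement 1.1).
local_routes_cmds() {
    while IFS= read -r net; do
        net=$(echo "${net%%#*}" | tr -d ' \t\r')
        [ -z "$net" ] && continue
        if valid_cidr "$net"; then
            echo "ip route replace $net via $SVR_GW dev $SVR_IF"
        else
            echo "skipping bad entry: $net" >&2
        fi
    done
}

# Read the current "ip rule show" output on stdin and print the commands
# that send the officers' traffic (requirement 1.2) through a separate
# table whose only route is SVR. Rules that already exist are not added
# again, so the script can be rerun from cron every 15 minutes.
officer_rules_cmds() {
    existing=$(cat)
    echo "ip route replace default via $SVR_GW dev $SVR_IF table $SVR_TABLE"
    for ip in $OFFICERS; do
        case "$existing" in
            *"from $ip lookup $SVR_TABLE"*) ;;
            *) echo "ip rule add from $ip lookup $SVR_TABLE" ;;
        esac
    done
}

# Commands that remove the officers' rules, so the failover script can
# switch PBR off when SVR is down (Nick's 2.1).
officer_rules_off_cmds() {
    for ip in $OFFICERS; do
        echo "ip rule del from $ip lookup $SVR_TABLE"
    done
}

apply() {
    ip rule show | officer_rules_cmds | sh -e
    wget -q -O - "$LIST_URL" | local_routes_cmds | sh -e
    ip route flush cache
}

case "${1-}" in
    apply) apply ;;
    off)   officer_rules_off_cmds | sh -e ;;
esac
```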

Cristian Rodriguez | 2 Apr 22:41 2006

Re: Two ISP

Nick Mashchenko wrote:

> [root <at> k9-66 root]# shorewall show capabilities
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Shorewall has detected the following iptables/netfilter capabilities:
>   NAT: Available
>   Packet Mangling: Available
>   Multi-port Match: Available
>   Extended Multi-port Match: Not available
>   Connection Tracking Match: Not available
>   Packet Type Match: Not available
>   Policy Match: Not available
>   Physdev Match: Not available
>   IP range Match: Not available
>   Recent Match: Not available
>   Owner Match: Available
>   Ipset Match: Not available
> 
>   ROUTE Target: Not available
>   ^^^^^^^^^^^^ -- so /etc/shorewall/routes is not for me! :-(
> 
>   Extended MARK Target: Not available
> 
>   CONNMARK Target: Not available
>   ^^^^^^^^^^^^ -- so "track" option in the /etc/shorewall/providers
>   also not for me :-(     (w/o recompiling kernel/iptables).
> 
>   Connmark Match: Not available
>   Raw Table: Not available
> [root <at> k9-66 root]#
> 

Please do not expect Multi ISP to work in RH 7.3, sorry. Tom deployed
Multi ISP support when he was using FC4 and SUSE 9.3 (READ: 6 (!) distro
versions after RH 7.3).

We simply do not support that, sorry; it will take you a significant
amount of work (recompiling kernel, iptables, and other) and I kindly
recommend you **DON'T DO THAT**, it's not worth the hassle.

Upgrade your distro (FC5 is out) and try again. ;-)

Henrique | 3 Apr 00:02 2006

Help with Webmin Module

Hello People

I'm new here, so forgive me for any "newbie talk".

My client is running Debian Sarge (Stable), with Shorewall and Webmin. I want 
to make things easier for them and tried to use the webmin-shorewall module.

The thing is - the installed shorewall is 3.0.5 (package from testing) but the 
webmin module only understands (and builds) the old shorewall 2.x file 
format. The webmin module is from testing too.

Is there anyplace where I can get a webmin module for shorewall that can 
handle the 3.0 branch?

Thanks in advance
--

-- 
Henrique Cesar Ulbrich
henrique.ulbrich <at> gmail.com

Cristian Rodriguez | 3 Apr 00:29 2006

Re: Help with Webmin Module

Henrique wrote:
> Hello People
> 
> I'm new here, so forgive-me for any "newbie talk".
> 
> My client is running Debian Sarge (Stable), with Shorewall and Webmin. I want 
> to make things easier for them and tried to use the webmin-shorewall module.
> 
> The thing is - the installed shorewall is 3.0.5 (package from testing) but the 
> webmin module only understands (and builds) the old shorewall 2.x file 
> format. The webmin module is from testing too.
> 
> Is there anyplace where I can get a webmin module for shorewall that can 
> handle the 3.0 branch?
> 
> Thanks in advance

Henrique:

Nobody at shorewall.net is involved in webmin module development
(AFAIK), and yes, last time I saw it, it only understood shorewall 2.4.x
configurations.

I have no idea if you can get a compatible module via webmin
update; usually the webmin module is ages behind current shorewall development.

If your specific problem is the "zones" file, you can use

IPSECFILE=ipsec

in shorewall.conf and then you will be able to write the zones file in
the old format.

Henrique | 3 Apr 01:34 2006

Re: Help with Webmin Module

Historians believe that, 
in April 2, 2006 19:29, Cristian Rodriguez wrote:
> Nobody at shorewall.net is involved in webmin module development
> (AFAIK), and yes, last time I saw it, it only understand shorewall 2.4.x
> configurations.

Thank you for answering, Cristian.
Yes, I know the webmin module is not maintained by anyone at Shorewall.net.

> I have no idea, if you can get a compatible module via webmin
> update,usually webmin module is ages from current shorewall development,.

I was just asking if someone had a clue on what to do.

I thought about the compat mode you described:

> if your specific problem is the "zones" file, you can use
>
> IPSECFILE=ipsec
>
> in shorewall.conf and then you will be able to write the zone file in
> the old format.

Thanks for the tip. I was thinking about doing it (it's described in the 
sample file), but before that I decided to ask.

I'll try to figure out who is maintaining it at webmin.com and work with 
him/her to fix/update the thing. It's a useful tool, especially for dummies 
(some people frown at having to edit text files...).

Thanks again for your kind answer.

--

-- 
Henrique Cesar Ulbrich
henrique.ulbrich <at> gmail.com

Chuck Norris uses Debian, Shorewall and Webmin

Rune Kock | 3 Apr 12:03 2006

Re: Help with Webmin Module

Hi Henrique

> My client is running Debian Sarge (Stable), with Shorewall and
> Webmin. I want to make things easier for them and tried to
> use the webmin-shorewall module.

Actually, I find using Webmin a lot more difficult than editing the
Shorewall configuration files.  This is because the files themselves
have lots of useful comments -- in Webmin, there are no explanations
of what you are doing.

By the way, Webmin has been removed from Debian (Etch/unstable)
because the maintainer didn't feel the adaption to Debian was of a
reasonable quality.  So I wouldn't put my money on the Debian/Webmin
combination.

Rune

Asim Ahmed Khan | 3 Apr 13:17 2006

Blocking applications using shorewall

Hi all,
 
I have a little experience with a Windows-based firewall, Kerio WinRoute. In that I was able to block applications using packet header contents instead of the port they use, since modern p2p apps change ports if they find one blocked. Is it possible in shorewall that I can:
 
1. Block all downloading attempts using file extensions? For example, block all *.mp3 files from downloading.
2. Check the packet header to see if it belongs to Kazaa / MSN Messenger and then block it?
 
Thanks in advance,
 
Asim.
--
Sr. System Engineer
Folio3  Pvt. Ltd
URL   : http://www.clickmarks.com
email   : asimak77 <at> gmail.com
MSN  : asimak77 <at> hotmail.com
Asim Ahmed Khan | 3 Apr 13:41 2006

Re: Help with Webmin Module

You can try out the latest version of webmin from this location: http://prdownloads.sourceforge.net/webadmin/webmin-1.260-1.noarch.rpm ... I did this too and it solved many of my problems.

On 4/3/06, Henrique <henrique.ulbrich <at> gmail.com> wrote:
Hello People

I'm new here, so forgive-me for any "newbie talk".

My client is running Debian Sarge (Stable), with Shorewall and Webmin. I want
to make things easier for them and tried to use the webmin-shorewall module.

The thing is - the installed shorewall is 3.0.5 (package from testing) but the
webmin module only understands (and builds) the old shorewall 2.x file
format. The webmin module is from testing too.

Is there anyplace where I can get a webmin module for shorewall that can
handle the 3.0 branch?

Thanks in advance
--
Henrique Cesar Ulbrich
henrique.ulbrich <at> gmail.com





--
Sr. System Engineer
Folio3  Pvt. Ltd
URL   : http://www.clickmarks.com
email   : asimak77 <at> gmail.com
MSN  : asimak77 <at> hotmail.com
