Tom Eastep | 1 Aug 2008 01:37

Re: shorewall dump on Multi-ISP traffic shaping problem

Roalt Zijlstra wrote:
>> Roalt Zijlstra wrote:
>>> Hi there,
>>>
>>> Here is the shorewall dump. It is a little messy with the number of connections, as it
>>> is a production server (non-fail-over).
>> Have you sent a problem report to the mailing list? We can do nothing with
>> the dump without knowing what problem you are reporting.
> 
> Yes I did send that one first, but here is a copy.
> 
> Hi there,
> 
> I have trouble getting traffic shaping to work with my Multi-ISP setup on
> shorewall 3.4.8 on a Debian Etch box. I upgraded the default 3.2.6 Debian
> package as I thought that maybe that would solve my problem. It did not; the
> rest of the box is using default Debian packages.
> 
> The situation I have is as follows:
> I have an ADSL connection and a Cable connection. The cable is the default
> Internet connection. The ADSL connection is used to access dedicated servers
> and receive company email etc. on a fixed IP. The cable has a dynamic IP.
> 
> The Multi-ISP setup works very well. I use the tcrules to manipulate which
> connection to

David Sparks | 1 Aug 2008 01:57

single provider, multiple CIDRs

I have multiple CIDRs from a single ISP connected to a single interface that
I'm trying to configure. The main usage pattern is round-robining outgoing
connections.  I have gotten both ISPs with a single CIDR per ISP working well 
(based off the MultiISP doc) so I think I have most of the config working.  I 
am just unable to get routing working on the extra CIDRs on the second interface.

The configuration is basically:

eth0 - lan
eth1 - ISP1 with single CIDR
eth2 - ISP2 with multiple CIDRs

Do I need the 4.2 MultiISP single interface support to handle the eth2 case?

 From the 4.2 README:
	b) You must specify the address on the interface that corresponds to
	a particular provider in the INTERFACE column by following the
	interface name with a colon (":") and the address.

What do I do with a CIDR -- are ranges supported here?  Or do I just put the
first IP in the range?

Many thanks from a big fan of Shorewall,

ds


Tom Eastep | 1 Aug 2008 06:13

Re: single provider, multiple CIDRs

David Sparks wrote:

> 
> What do I do with a CIDR -- are ranges supported here?  Or do I just put the
> first IP in the range?

You need a mind reader.

As far as I know, the multi-ISP implementation deals adequately with 
what I assume you mean by "multiple CIDRs" (multiple subnets accessed 
directly through the interface). So I don't know what problem you are 
trying to solve.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


John Morris | 1 Aug 2008 07:50

Enabling multicast through shorewall

Dear list,

Our tomcat cluster is working on our DMZ, and we would like to protect the individual nodes with Shorewall.

Tomcat clustering uses multicast on the LAN for nodes to advertise that they are running and to join a cluster.  Here are two packets from two nodes at 192.168.200.11+17 captured by tcpdump:

19:53:00.695849 IP 192.168.200.11 > 224.0.0.22: igmp v3 report, 1 group record(s)
19:53:02.693806 IP 192.168.200.11.45564 > 228.0.0.4.45564: UDP, length 52
19:53:02.696124 IP 192.168.200.17.45564 > 228.0.0.4.45564: UDP, length 52

The first type of packet is seemingly only transmitted for some time after tomcat is first started.
The second type of packet is transmitted once a second from each node as long as the cluster is running.

There's a MULTICAST switch for shorewall.conf and a destonly flag for the shorewall-hosts file.  I understand these are for outgoing packets.  What kind of configuration should there be to allow the above types of incoming packets?

Thanks.

    John

anebi@iguanait.com | 1 Aug 2008 12:01

How to block forwarding by port 25?

Hi,

we have installed shorewall on centos 5 and the server is configured to
be like a gateway and mail server.

We have a private network and we have a problem with users on this
network. They use smtp forwarding and connect to different smtp servers
to send spam. How can we block this forwarding on port 25, and is there
some way to redirect all traffic for port 25, for example, to our mail
server (in this case the same machine)?

The users should use only our mail server and should not be able to use
different smtp servers.

How do I need to configure shorewall to do this?

Thanks in advance!

Regards, Ali Nebi!

John Morris | 1 Aug 2008 12:20

Re: How to block forwarding by port 25?

Block:
REJECT  loc    net    tcp 25

Redirecting isn't a good idea for various reasons.  You should tell
your users the policy (don't connect to external SMTP servers, only
connect to the internal SMTP server) and tell them how to configure
that.  If you insist, put the 'routeback' option on your internal
network interface in /etc/shorewall/interfaces:

loc      eth1         detect       routeback

and do a DNAT in /etc/shorewall/rules:

DNAT    loc       loc:192.168.1.3   tcp    25    -     !192.168.1.0/24

(where 192.168.1.3 is your mailserver's IP, 192.168.1.0/24 is the
internal network and eth1 is the router's internal interface)

These redirection configs are just a guess cribbed from Shorewall FAQ
#2.  I've never done anything quite this bizarre before (close, but
not quite).

    John

On Fri, Aug 1, 2008 at 6:01 PM, anebi <at> iguanait.com <anebi <at> iguanait.com> wrote:
>
> Hi,
>
> we have installed shorewall on centos 5 and the server is configured to
> be like a gateway and mail server.
>
> We have a private network and we have a problem with users on this
> network. They use smtp forwarding and connect to different smtp servers
> to send spam. How can we block this forwarding on port 25, and is there
> some way to redirect all traffic for port 25, for example, to our mail
> server (in this case the same machine)?
>
> The users should use only our mail server and should not be able to use
> different smtp servers.
>
> How do I need to configure shorewall to do this?
>
> Thanks in advance!
>
> Regards, Ali Nebi!

John Morris | 1 Aug 2008 12:34

Re: Enabling multicast through shorewall

Ok, got it.  Here's what it took (and I was just misreading the Shorewall docs, as usual):

zones:
mc      ipv4

hosts:
mc      eth0:224.0.0.0/4        destonly

policy:
mc      all     REJECT  INFO
all     mc      REJECT  INFO

rules:
ACCEPT  $FW     mc      udp     45564
ACCEPT  loc     $FW     udp     45564

shorewall.conf:
MULTICAST=Yes

routing table:
be sure there's a route for net 224.0.0.0 netmask 240.0.0.0 dev eth0

As usual, get this working first before setting up Shorewall.

Easy.  This was non-intuitive for me because in this case, the dest IP for incoming packets is 228.0.0.4, not the IP address for eth0.

    John


On Fri, Aug 1, 2008 at 1:50 PM, John Morris <johnnymo <at> gmail.com> wrote:
> Dear list,
>
> Our tomcat cluster is working on our DMZ, and we would like to protect the
> individual nodes with Shorewall.
>
> Tomcat clustering uses multicast on the LAN for nodes to advertise that they
> are running and to join a cluster.  Here are two packets from two nodes at
> 192.168.200.11+17 captured by tcpdump:
>
> 19:53:00.695849 IP 192.168.200.11 > 224.0.0.22: igmp v3 report, 1 group
> record(s)
> 19:53:02.693806 IP 192.168.200.11.45564 > 228.0.0.4.45564: UDP, length 52
> 19:53:02.696124 IP 192.168.200.17.45564 > 228.0.0.4.45564: UDP, length 52
>
> The first type of packet is seemingly only transmitted for some time after
> tomcat is first started.
> The second type of packet is transmitted once a second from each node as
> long as the cluster is running.
>
> There's a MULTICAST switch for shorewall.conf and a destonly flag for the
> shorewall-hosts file.  I understand these are for outgoing packets.  What
> kind of configuration should there be to allow the above types of incoming
> packets?
>
> Thanks.
>
>     John

Aidan Anderson | 1 Aug 2008 12:34

Connection tracking problem using providers

I'm having a problem setting up connection tracking using the providers 
file for a very specific scenario.  I'll try and be as brief as possible 
but I will give you some background first to give you an idea of what I 
am trying to achieve.

We have 2 data centres, we'll call them DC-A and DC-B.  These data 
centres run application servers that clients connect to from various 
locations via a hardware VPN solution.  For data centre redundancy, the 
VPN devices are duplicated over each data centre.  The clients, each on 
their own private 10.x.x.x/24 networks, have a hardware VPN device that 
maintains 2 tunnels, one to the VPN devices in each data centre.  The 
client end device is configured to use the tunnel into DC-A as the 
primary route and the tunnel into DC-B as backup route in the event that 
DC-A becomes unreachable.  There are about 300 client locations so there 
are 9 VPN devices at each data centre to cover the load.  The following 
diagram shows the layout of the network showing the 2 data centres and 
an example client:

 +------------+   +---------+                      +---------+   +------------+
 |VPN Devs x 9+---+ VPN LAN |                      | VPN LAN +---|VPN Devs x 9|
 +------------+   +----+----+                      +----+----+   +------------+
                       |eth4                        eth4|
                       |                                |
+-------+ bond0 +------+------+ eth2        eth2 +------+------+ bond0 +-------+
|App LAN+-------+ DC-A Router +------------------+ DC-B Router +-------+App LAN|
+-------+       +------+------+      (neos)      +------+------+       +-------+
                       |eth1                        eth1|
                       |                                |
                +------+--------------------------------+------+
                |                   Internet                   |
                +----------------------+-----------------------+
                                       |
                                       |
                                  +----+-----+
                                  |VPN Device|
                                  +----+-----+
                                       |
                                  +----+-----+
                                  |Client LAN|
                                  +----------+

Each of the routers is running Gentoo Linux, kernel 2.6.18, and 
Shorewall 3.2.8.

Here is what I am trying to achieve and the problems I am having:

As mentioned above, the clients will route via DC-A as the primary 
route.  I want client devices to be able to route to servers in both 
DC-A and DC-B.  There is a private (neos) link between the 2 data 
centres so that when clients connect to DC-A, they can reach servers in 
the App LAN in DC-B.    There is a static route for each client's 
10.x.x.x/24 subnet pointing to the VPN Device attached to eth4 at each 
data centre.

Traffic initiated from the servers (e.g. print jobs) works no problem.  
If the traffic is initiated from a server in DC-A's App LAN, it is 
routed via the local VPN device down to the client.  The client VPN 
device tracks the session to ensure that replies are routed back up the 
DC-A tunnel.  The same goes for traffic initiated from a server in DC-B, 
it is routed via the local VPN device at DC-B and session tracked by the 
client VPN device back to DC-B.

The problem I am having is with traffic initiated from the clients back 
to the server.  If the client is trying to reach a server in DC-A, I 
don't have a problem.  Traffic comes into the data centre via eth4 to the 
server attached to bond0 and is routed back via eth4 down to the client.  
If, however, the server is attached to bond0 at DC-B, the traffic 
arrives via eth4 in DC-A, is then routed via eth2 (private link to the other 
data centre), but the route back is via the local eth4 interface in DC-B 
and this doesn't work.  I'm not sure why, but my guess is that I am 
breaking some fundamental routing rules, i.e. traffic arriving with a 
certain source on one interface being replied to via another interface.  
When I do some tcpdumps on the routers, the traffic only gets as far as 
eth2 on DC-B's router so it is probably being stopped at that point.  
Rules are configured to allow this traffic but there is nothing in the 
Shorewall logs to indicate that this traffic is being dropped.

My thought then was to use the providers file to set up a provider 
against eth2 on DC-B and connection track the sessions to ensure that 
the replies are routed back via eth2 to DC-A.  My providers file on the 
router at DC-B is set up as follows:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
neos    1       1       main            eth2            192.168.0.134   track           bond0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

eth2 on DC-B has an IP of 192.168.0.133/30 and 192.168.0.134 is the IP 
of eth2 on DC-A.  I have only copied bond0 into the neos routing table 
so as not to include the various 10.x.x.x/24 routes set up against 
eth4.  There is a default static route on eth2 to route all 10.0.0.0/8 
traffic via 192.168.0.134 so in theory if the traffic is forced to use 
the neos routing table, it will always send any 10 traffic back to 
DC-A.  My routing tables are as follows:

main routing table:

192.168.0.132/30 dev eth2  proto kernel  scope link  src 192.168.0.133
xx.xx.xx.192/29 dev eth1  proto kernel  scope link  src xx.xx.xx.197
xx.xx.xx.208/28 dev eth4  proto kernel  scope link  src xx.xx.xx.222
172.30.16.0/24 dev bond0  proto kernel  scope link  src 172.30.16.254
10.1.0.0/24 via xx.xx.xx.216 dev eth4  metric 1
10.34.17.0/24 via xx.xx.xx.211 dev eth4  metric 1
10.38.1.0/24 via xx.xx.xx.217 dev eth4  metric 1
172.30.16.0/24 dev bond0  proto kernel  scope link  src 172.30.16.254
10.10.1.0/24 via xx.xx.xx.213 dev eth4  metric 1
10.0.0.0/24 via xx.xx.xx.210 dev eth4  metric 1
172.30.0.0/21 via 192.168.0.134 dev eth2  metric 1
192.168.192.0/18 via 192.168.0.134 dev eth2  metric 1
192.168.0.0/17 via 192.168.0.134 dev eth2  metric 1
172.31.0.0/16 via 192.168.0.134 dev eth2  metric 1
172.16.0.0/16 via 192.168.0.134 dev eth2  metric 1
10.0.0.0/8 via 192.168.0.134 dev eth2  metric 1
127.0.0.0/8 dev lo  scope link
default via xx.xx.xx.193 dev eth1

The first 3 parts of the public IPs have been replaced with xx to 
protect the innocent.  Public IPs are used on eth4 (VPN device LAN) and 
eth1 (Internet gateway).  I have removed most of the 10.x.x.x/24 routes 
from the output for clarity.

neos routing table:

192.168.0.134 dev eth2  scope link  src 192.168.0.133
192.168.0.132/30 dev eth2  proto kernel  scope link  src 192.168.0.133
172.30.16.0/24 dev bond0  proto kernel  scope link  src 172.30.16.254
172.30.0.0/21 via 192.168.0.134 dev eth2  metric 1
192.168.192.0/18 via 192.168.0.134 dev eth2  metric 1
192.168.0.0/17 via 192.168.0.134 dev eth2  metric 1
172.31.0.0/16 via 192.168.0.134 dev eth2  metric 1
172.16.0.0/16 via 192.168.0.134 dev eth2  metric 1
10.0.0.0/8 via 192.168.0.134 dev eth2  metric 1
default via 192.168.0.134 dev eth2

Unfortunately when I tested it, it didn't work.  The problem seems to be 
that the tracking isn't working for traffic arriving on eth2 in DC-B.  
When I run tcpdumps again, the traffic is getting as far as eth2 on DC-B 
but no further, which was the same result I got without running 
providers.  The version of Shorewall that I'm running also has the bug 
regarding the proper handling of PREROUTING marks when 
HIGH_ROUTE_MARKS=No.  I have patched the /usr/share/shorewall/compiler 
script by commenting out the erroneous line and replacing it with the 
correct line as follows:

    #
    # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
    # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
    #
    if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
        #mark_part="-m mark --mark 0/0xFF00"
        [ -n "$HIGH_ROUTE_MARKS" ] && mark_part="-m mark --mark 0/0xFF00" || mark_part="-m mark --mark 0/0xFF"
        #
        # But let marks in tcpre override those assigned by 'track'
        #
        for interface in $ROUTEMARK_INTERFACES; do
            run_iptables -t mangle -A PREROUTING -i $interface -j tcpre
        done
    fi

I restarted Shorewall but got the same problem.  I have had providers 
working in the past for multiple providers as explained in the docs so I 
know that the connection tracking works in that scenario, although in 
that scenario, there are no conflicting routes between the providers 
routing table and the main routing table so I'm maybe thinking that what 
I am trying to achieve is not possible.  Shorewall is also configured in 
the standard way to apply the packet marks in the pre-routing chain, 
which should apply the packet marks before the routing decision is made 
according to the "Shorewall and Routing" documentation.

I may also just be missing something fundamental.

Any pointers in the right direction would be greatly appreciated.  
Apologies for not being as brief as promised.

regards,
Aidan
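
One way to see the asymmetry described in the message above, as an added example that is not part of the thread: a longest-prefix-match lookup over the two routing tables quoted there, showing that a reply to a 10.1.0.0/24 client leaves via eth4 under the main table but via eth2 under the neos table. The public xx.xx.xx.* prefixes are stood in for by the constructed 203.0.113.0/24 block, and most per-client 10.x.x.x/24 routes are omitted as in the original.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]


def parse_route_table(text: str) -> List[Route]:
    """Parse 'ip route show' output; 'default' becomes 0.0.0.0/0 and a bare
    host address becomes a /32, which is how the kernel matches them."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


# Tables transcribed from the message above. Constructed substitutions: the
# public xx.xx.xx.* prefixes are stood in for by 203.0.113.0/24 (TEST-NET-3)
# and most per-client 10.x.x.x/24 routes are omitted, as in the original.
MAIN_TABLE = """
192.168.0.132/30 dev eth2  proto kernel  scope link  src 192.168.0.133
203.0.113.192/29 dev eth1  proto kernel  scope link  src 203.0.113.197
203.0.113.208/28 dev eth4  proto kernel  scope link  src 203.0.113.222
172.30.16.0/24 dev bond0  proto kernel  scope link  src 172.30.16.254
10.1.0.0/24 via 203.0.113.216 dev eth4  metric 1
10.0.0.0/8 via 192.168.0.134 dev eth2  metric 1
default via 203.0.113.193 dev eth1
"""

NEOS_TABLE = """
192.168.0.134 dev eth2  scope link  src 192.168.0.133
192.168.0.132/30 dev eth2  proto kernel  scope link  src 192.168.0.133
172.30.16.0/24 dev bond0  proto kernel  scope link  src 172.30.16.254
10.0.0.0/8 via 192.168.0.134 dev eth2  metric 1
default via 192.168.0.134 dev eth2
"""


def reply_interface(table_text: str, client_ip: str) -> Optional[str]:
    """Interface a reply to client_ip leaves on under the given table."""
    route = lookup(parse_route_table(table_text), client_ip)
    return route.dev if route else None


def asymmetry(client_ip: str) -> dict:
    """Main table answers a 10.1.0.0/24 client via eth4 (local VPN device);
    the neos table answers via eth2, back towards DC-A where it arrived."""
    return {"main": reply_interface(MAIN_TABLE, client_ip),
            "neos": reply_interface(NEOS_TABLE, client_ip)}
```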

Jerome Blion | 1 Aug 2008 15:44

Re: How to block forwarding by port 25?

On Fri, 1 Aug 2008 18:20:29 +0800, "John Morris" wrote:
> Block:
> REJECT loc net tcp 25

REJECT:info is even better to track down these users and contact them to teach them how to proceed.

> Redirecting isn't a good idea for various reasons. You should tell
> your users the policy (don't connect to external SMTP servers, only
> connect to the internal SMTP server) and tell them how to configure
> that. If you insist, put the 'routeback' option on your internal
> network interface in /etc/shorewall/interfaces:
>
> loc eth1 detect routeback
>
> and do a DNAT in /etc/shorewall/rules:
>
> DNAT loc loc:192.168.1.3 tcp 25 - !192.168.1.0/24

I'd write:

DNAT loc fw tcp smtp,submission,ssmtp

fw will identify the firewall (and then the router), and loc will include all the LAN. This rule will process mails coming from the LAN trying to go through, if I don't make any mistake.

John: Always reply AFTER the previous message.

HTH.
Jerome Blion.
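
Jerome's REJECT:info suggestion makes the firewall log each blocked attempt; the following, as an added example that is not from the thread, parses such kernel log lines and tallies the LAN hosts that keep trying to reach external SMTP servers. It assumes Shorewall's default log prefix ("Shorewall:<chain>:<disposition>:" followed by netfilter's KEY=VALUE fields) and a loc-to-net chain named loc2net; the sample log lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's KEY=VALUE fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the chain, disposition and KEY=VALUE fields of a Shorewall
    log line, or None for lines that are not Shorewall log entries."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disp": m.group("disp")}
    for f in FIELD_RE.finditer(m.group("fields")):
        entry[f.group("key")] = f.group("value")   # flags like DF/SYN are skipped
    return entry


def smtp_rejects_by_host(log_text: str, chain: str = "loc2net") -> Counter:
    """Count rejected outbound SMTP (TCP/25) connection attempts per LAN
    source address, as produced by a 'REJECT:info' rule in the given chain."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if (e["chain"] == chain and e["disp"] == "REJECT"
                and e.get("PROTO") == "TCP" and e.get("DPT") == "25"):
            counts[e["SRC"]] += 1
    return counts


def repeat_offenders(counts: Counter, threshold: int = 2) -> list:
    """Hosts at or above the threshold: candidates for a malware check and a
    reminder to use the internal mail server."""
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_LOG = """\
Aug  1 12:20:01 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 12:20:02 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 12:20:03 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 12:20:04 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 12:20:05 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 12:20:06 gw sshd[1234]: Accepted publickey for admin from 192.168.1.2
"""
```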
Aidan Anderson | 1 Aug 2008 15:51

Re: Connection tracking problem using providers

The diagram appears to have wrapped on the right so I have attached it 
as a separate text file.

regards,
Aidan

 +------------+   +---------+                      +---------+   +------------+
 |VPN Devs x 9+---+ VPN LAN |                      | VPN LAN +---|VPN Devs x 9|
 +------------+   +----+----+                      +----+----+   +------------+
                       |eth4                        eth4|
                       |                                |
+-------+ bond0 +------+------+ eth2        eth2 +------+------+ bond0 +-------+
|App LAN+-------+ DC-A Router +------------------+ DC-B Router +-------+App LAN|
+-------+       +------+------+      (neos)      +------+------+       +-------+
                       |eth1                        eth1|
                       |                                |
                +------+--------------------------------+------+
                |                   Internet                   |
                +----------------------+-----------------------+
                                       |
                                       |
                                  +----+-----+
                                  |VPN Device|
                                  +----+-----+
                                       |
                                  +----+-----+
                                  |Client LAN|
                                  +----------+
