I've been trying without success on and off for some while to modify an existing Shorewall configuration for the purposes of a school lesson on Internet routing, using traceroute.
I originally set up the firewall to protect the school network from a bunch of Raspberry Pis, operated "headless" from school PCs using VNC or ssh, thus we had 3 zones:

    #ZONE   TYPE      OPTIONS   IN   OUT
    fw      firewall
    schl    ipv4
    pinet   ipv4

The idea is to run traceroute from the Pis, but since traceroute is blocked by the school firewall/proxy I've added a mobile data dongle and a new zone giving me unfiltered Internet access:

    inet    ipv4

My interfaces file now looks like this:

    schl    eno1      tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
    pinet   enp2s0    tcpflags,nosmurfs,routefilter,logmartians
    inet    ppp0      tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

In my providers file I've defined a provider "raw" for the unfiltered mobile data interface:

    #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS
    raw     1        1      -           ppp0

I've been trying both regular traceroute (udp/33434-33523) and traceroute -P 253 (protocol 253), and so I'm using mangle to mark all such packets coming from the Pi network (and from the firewall while I'm at it, for testing purposes):

    #ACTION   SOURCE   DEST   PROTO   PORT(S)       SOURCE    USER   TEST
    #                                               PORT(S)
    MARK(1)   enp2s0   -      udp     33434:33523   -         -      -
    MARK(1)   enp2s0   -      253     -             -         -      -
    MARK(1)   $FW      -      udp     33434:33523   -         -      -
    MARK(1)   $FW      -      253     -             -         -      -

And in rtrules I'm directing marked packets at provider raw:

    SOURCE   DEST   PROVIDER   PRIORITY   MARK
    enp2s0   -      raw        11000      1
    lo       -      raw        11000      1

In my rules file I've allowed traceroute from pinet and $FW to inet:

    #
    # pinet -> inet
    # Allow traceroute only
    #
    ACCEPT   pinet   inet   udp   33434:33523
    ACCEPT   pinet   inet   253
    #
    # $FW -> inet
    #
    #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
    #                                 PORT(S)       PORT(S)   LIMIT   GROUP
    ACCEPT    $FW      inet   udp     33434:33523
    ACCEPT    $FW      inet   253

Since the mobile data dongle hasn't connected by the time Shorewall starts on a reboot, I have to do a shorewall restart, and also if I plug in the dongle at any time after booting.
However, there still seems to be an error or omission in my logic as traceroute on the firewall Pi still shows it routing through the school network, as evidenced by the IP addresses reported (as far as they go), and traceroute on a Pi shows nothing beyond the pinet firewall interface. Perhaps you can provide me with that lightbulb moment which seems to be evading me.

Regards - Philip

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
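One way to reason about the marking and rtrules logic in the post above, as an added example that is not part of the original message and not Shorewall's own code: a small Python model of how a packet passes through the mangle MARK entries and is then matched against rtrules to pick a provider. It hard-codes the entries from the post, assumes that a `$FW` source in mangle applies to locally generated packets and that an rtrules SOURCE of `lo` matches firewall-originated traffic, and deliberately ignores the rules file, connection tracking and the contents of the provider's actual routing table. It therefore only tells you which probe packets the configuration intends to steer at provider `raw`; whether the kernel table for that provider is populated when ppp0 comes up late is a separate check (`ip rule show` and `ip route show table raw` on the live box).

```python
# Added example (not from the original post): a simplified model of
# Shorewall mangle MARK + rtrules provider selection, used to check which
# traceroute probes a configuration intends to send via provider "raw".
from dataclasses import dataclass
from typing import Optional, Tuple

FW = "$FW"  # Shorewall's name for packets generated by the firewall itself

@dataclass
class Packet:
    src_iface: str            # ingress interface, or FW if locally generated
    proto: str                # "udp", "tcp", "icmp", or a protocol number as text
    dport: Optional[int] = None
    mark: int = 0

# Mangle entries from the post: (mark, SOURCE, PROTO, DEST PORT range or None)
MANGLE = [
    (1, "enp2s0", "udp", (33434, 33523)),
    (1, "enp2s0", "253", None),
    (1, FW,       "udp", (33434, 33523)),
    (1, FW,       "253", None),
]

# rtrules entries from the post: (SOURCE, PROVIDER, PRIORITY, MARK)
RTRULES = [
    ("enp2s0", "raw", 11000, 1),
    ("lo",     "raw", 11000, 1),
]

def apply_mangle(pkt: Packet) -> Packet:
    """Set pkt.mark from the first matching MANGLE entry (first match wins)."""
    for mark, source, proto, ports in MANGLE:
        if source != pkt.src_iface or proto != pkt.proto:
            continue
        if ports is not None:
            lo, hi = ports
            if pkt.dport is None or not (lo <= pkt.dport <= hi):
                continue
        pkt.mark = mark
        break
    return pkt

def select_provider(pkt: Packet, default: str = "main") -> str:
    """Pick the provider whose rtrule matches, lowest PRIORITY first.

    Assumption of this model: rtrules see firewall-originated packets as
    coming from "lo", so a SOURCE of lo matches what mangle marked as $FW.
    """
    src = "lo" if pkt.src_iface == FW else pkt.src_iface
    for source, provider, _prio, mark in sorted(RTRULES, key=lambda r: r[2]):
        if source not in ("-", src):
            continue
        if mark != pkt.mark:
            continue
        return provider
    return default   # no rtrule matched: ordinary routing table applies

def route(pkt: Packet) -> str:
    """Full path: mark in mangle, then choose the provider in rtrules."""
    return select_provider(apply_mangle(pkt))

def probe_report() -> Tuple[Tuple[str, str], ...]:
    """Where each traceroute variant from the post ends up, per this model."""
    probes = [
        ("Pi UDP traceroute",   Packet("enp2s0", "udp", 33434)),
        ("Pi proto-253 probe",  Packet("enp2s0", "253")),
        ("fw UDP traceroute",   Packet(FW, "udp", 33500)),
        ("fw proto-253 probe",  Packet(FW, "253")),
        ("Pi ordinary web",     Packet("enp2s0", "tcp", 80)),
        ("Pi UDP out of range", Packet("enp2s0", "udp", 33600)),
    ]
    return tuple((name, route(p)) for name, p in probes)

if __name__ == "__main__":
    for name, provider in probe_report():
        print(f"{name:22s} -> provider {provider}")
```

Running it prints which probes land on `raw` and which fall through to the main table; extending `MANGLE` or `RTRULES` with a proposed change shows its effect before touching the live firewall.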