On 01/03/2017 06:51 AM, Philip Le Riche wrote:
> I've been trying without success on and off for some while to
> modify an existing Shorewall configuration for the purposes of a
> school lesson on Internet routing, using traceroute.
>
> I originally set up the firewall to protect the school network from
> a bunch of Raspberry Pis, operated "headless" from school PCs using
> VNC or ssh, thus we had 3 zones:
>
> #ZONE   TYPE       OPTIONS   IN   OUT
> fw      firewall
> schl    ipv4
> pinet   ipv4
>
> The idea is to run traceroute from the Pis, but since traceroute is
> blocked by the school firewall/proxy I've added a mobile data dongle
> and a new zone giving me unfiltered Internet access:
>
> inet    ipv4
>
> My interfaces file now looks like this:
>
> schl    eno1     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> pinet   enp2s0   tcpflags,nosmurfs,routefilter,logmartians
> inet    ppp0     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
>
> In my providers file I've defined a provider "raw" for the
> unfiltered mobile data interface:
>
> #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS
> raw     1        1      -           ppp0
>
> I've been trying both regular traceroute (udp/33434-33523) and
> traceroute -P 253 (protocol 253), and so I'm using mangle to mark
> all such packets coming from the Pi network (and from the firewall
> while I'm at it, for testing purposes):
>
> #ACTION   SOURCE   DEST   PROTO   PORT(S)       SOURCE    USER   TEST
> #                                               PORT(S)
> MARK(1)   enp2s0   -      udp     33434:33523   -         -      -
> MARK(1)   enp2s0   -      253     -             -         -      -
> MARK(1)   $FW      -      udp     33434:33523   -         -      -
> MARK(1)   $FW      -      253     -             -         -      -
>
> And in rtrules I'm directing marked packets at provider raw:
>
> SOURCE   DEST   PROVIDER   PRIORITY   MARK
> enp2s0   -      raw        11000      1
> lo       -      raw        11000      1
>
> In my rules file I've allowed traceroute from pinet and $FW to
> inet:
>
> #
> # pinet -> inet
> # Allow traceroute only
> #
> ACCEPT   pinet   inet   udp   33434:33523
> ACCEPT   pinet   inet   253
>
> #
> # $FW -> inet
> #
> #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
> #                                 PORT(S)       PORT(S)   LIMIT   GROUP
> ACCEPT    $FW      inet   udp     33434:33523
> ACCEPT    $FW      inet   253
>
> Since the mobile data dongle hasn't connected by the time
> Shorewall starts on a reboot, I have to do a shorewall restart, and
> also if I plug in the dongle at any time after booting.
>
> However, there still seems to be an error or omission in my logic
> as traceroute on the firewall Pi still shows it routing through the
> school network, as evidenced by the ip addresses reported (as far
> as they go), and traceroute on a Pi shows nothing beyond the pinet
> firewall interface. Perhaps you can provide me with that lightbulb
> moment which seems to be evading me.
>
You need en01 to be the primary provider and ppp0 to be the fallback provider.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
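As an added illustration of Tom's answer (not from the thread or from the Shorewall project), here is a providers file in which the school-side interface eno1 is the primary provider and the dongle on ppp0 is the fallback. It assumes the `primary` and `fallback` option names as listed in shorewall-providers(5) and USE_DEFAULT_RT=Yes in shorewall.conf; the eno1 gateway address is a constructed placeholder, and the `raw` entry keeps Philip's number and mark so his mangle and rtrules entries need no change.

```text
# /etc/shorewall/shorewall.conf (assumed setting; see shorewall.conf(5))
USE_DEFAULT_RT=Yes

# /etc/shorewall/providers (added example, not from the thread)
#
# 'school' is the primary provider: its gateway becomes the default route,
# so every packet that is NOT marked keeps going through the school
# network and its filtering/proxy, exactly as before the dongle was added.
#
# 'raw' is the fallback provider: it is only used when eno1 is down, or
# for packets that rtrules steer into its table. Philip's mangle rules
# (MARK(1) on udp 33434:33523 and protocol 253) plus his rtrules
# entries (MARK 1 -> raw) are therefore the only path by which Pi or
# firewall traffic leaves via the unfiltered mobile link.
#
# 192.0.2.1 is a constructed placeholder for the school router.
# ppp0 obtains its peer address from pppd, so GATEWAY is '-' for it.
#
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS
school   2       2     -          eno1       192.0.2.1  primary
raw      1       1     -          ppp0       -          fallback
```

After `shorewall restart`, `shorewall show routing` lists the resulting rules and tables, which is the quickest way to confirm that only the mark-1 rule points at table `raw` and the default route stays on eno1.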