On 7/2/2018 7:58 AM, Tom Eastep wrote:
On 07/01/2018 05:04 PM, Eddie wrote:
Tom,
Sorry, I realised that I didn't send my last reply to the list. I also
used the wrong e-mail address, so even if I had, it would have bounced:
On 7/1/2018 12:51 PM, Tom Eastep wrote:
On 07/01/2018 12:36 PM, Eddie Atherton wrote:
Tom,
On 7/1/2018 8:52 AM, Tom Eastep wrote:
On 06/27/2018 07:06 PM, Eddie wrote:
Hi,
I just updated my Nethserver CentOS system to 7.5, which did NOT update the version of Shorewall I'm using. After the update, I noticed that the ip rule table "main" is now duplicated, and I think in the wrong position after starting an OpenVPN client. I will add that I haven't seen any problems with the rules/routes (so far), other than it looking wrong.
Here's what I see immediately after boot:
[root@Nethserver ~]# shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:12:39 PDT 2018
Routing Rules
0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
default via 76.91.192.1 dev eno1
[root@Nethserver ~]#
Has Shorewall been started at this point?
Yes.
Then who is setting up policy routing when the VPN is active?
Firstly a number of Shorewall files are updated (via the e-smith
template system) and then Shorewall is restarted.
This is followed by a (temporary) script that builds the "Spectrum"
table, adds it to the rules, plus adds the VPN end-point to table "main".
At this point, there obviously won't be any issues with the table being duplicated. But after then starting an OpenVPN client session:
[root@Nethserver ~]# shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:14:06 PDT 2018
Routing Rules
0: from all lookup local
999: from all lookup main
5000: from all lookup spectrum
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32765: from all lookup balance
32766: from all lookup main
32767: from all lookup default
Table balance:
default via 76.91.192.1 dev eno1
Table default:
10.18.2.169 dev tun0 scope link
default via 10.18.2.169 dev tun0 src 10.18.2.170 metric 2
Table local:
local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.18.2.170 dev tun0 proto kernel scope host src 10.18.2.170
broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
76.91.192.1 dev eno1 scope link src 76.91.194.242
104.238.32.102 via 76.91.192.1 dev eno1
10.18.2.169 dev tun0 scope link src 10.18.2.170
192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
Table net:
76.91.192.1 dev eno1 scope link src 76.91.194.242
default via 76.91.192.1 dev eno1 src 76.91.194.242
Table spectrum:
216.55.149.49 via 10.18.2.169 dev tun0
214.3.118.39 via 10.18.2.169 dev tun0
214.16.193.213 via 10.18.2.169 dev tun0
214.16.193.199 via 10.18.2.169 dev tun0
205.73.236.4 via 10.18.2.169 dev tun0
195.201.14.99 via 10.18.2.169 dev tun0
155.22.160.15 via 10.18.2.169 dev tun0
155.22.160.12 via 10.18.2.169 dev tun0
131.78.212.84 via 10.18.2.169 dev tun0
131.78.211.149 via 10.18.2.169 dev tun0
131.78.204.149 via 10.18.2.169 dev tun0
131.78.200.85 via 10.18.2.169 dev tun0
131.78.200.62 via 10.18.2.169 dev tun0
104.25.36.116 via 10.18.2.169 dev tun0
104.25.35.116 via 10.18.2.169 dev tun0
Table vpn:
10.18.2.169 dev tun0 scope link src 10.18.2.170
default via 10.18.2.169 dev tun0 src 10.18.2.170
[root@Nethserver ~]#
Notice now that one of the "main" entries is one of the first tables referenced, before any of the rules introduced by the VPN.
This looks normal for a multi-ISP Shorewall configuration (with the
exception of the second 'lookup main' rule). What is your setting of
RESTORE_DEFAULT_ROUTE in shorewall.conf?
RESTORE_DEFAULT_ROUTE=No
Try RESTORE_DEFAULT_ROUTE=Yes -- you should see the extra 'main' rule go
away.
Making that change and restarting, nope, I get this still:
Routing Rules
0: from all lookup local
999: from all lookup main
5000: from all lookup 100
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32765: from all lookup balance
32766: from all lookup main
32767: from all lookup default
Hmmm. My memory was that the tables were in the order:
from 76.91.194.242 lookup net
from 10.18.2.170 lookup vpn
from all lookup main
from all lookup balance
from all lookup default
That would be the case when USE_DEFAULT_RT=No.
Also adding that to the change above, gives:
Routing Rules
0: from all lookup local
5000: from all lookup 100
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
Which really breaks my split VPN routing.
I wasn't suggesting that you change that.
-Tom
Cheers.
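An added check, written for this page and not part of the thread, of Shorewall or of OpenVPN, that scripts the inspection Eddie did by eye: it reads `ip rule show` style lines (the "pref: selector lookup table" form shown above), reports rules that appear more than once, and flags a `from all lookup main` rule whose preference is lower than the first fwmark or source-address rule, i.e. a main-table lookup that runs ahead of the policy rules. The two sample listings are copied from the thread; `audit_rules` and the DUP / MAIN_BEFORE_POLICY / ORDER_OK tags are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: audit the output of
# `ip rule show` for (a) rules that appear more than once and (b) a
# 'from all lookup main' rule placed ahead of the policy-routing rules
# (fwmark rules and 'from <addr>' rules).  Input is read on stdin, one rule
# per line, in the "pref: selector lookup table" form ip(8) prints.

audit_rules() {
    awk '
    {
        sub(/^[ \t]+/, "")           # drop leading whitespace
        gsub(/[ \t]+/, " ")          # normalise tabs and runs of spaces
        if ($0 == "") next
        seen[$0]++                   # count identical rule lines
        pref = $1
        sub(/:$/, "", pref)          # "32766:" -> 32766
        if ($0 ~ /lookup main$/) {
            if (main_min == "" || pref + 0 < main_min) main_min = pref + 0
        } else if ($0 ~ /fwmark/ || $0 ~ /^[0-9]+: from [0-9]/) {
            # mark-based or source-address rule: the policy-routing rules
            if (pol_min == "" || pref + 0 < pol_min) pol_min = pref + 0
        }
    }
    END {
        for (r in seen)
            if (seen[r] > 1) printf "DUP %s\n", r
        if (main_min != "" && pol_min != "" && main_min < pol_min)
            printf "MAIN_BEFORE_POLICY pref=%d first_policy_pref=%d\n", main_min, pol_min
        else
            print "ORDER_OK"
    }'
}

# Rule listings copied from the thread above, used here as sample input.
RULES_AT_BOOT='0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default'

RULES_VPN_UP='0: from all lookup local
999: from all lookup main
5000: from all lookup spectrum
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32765: from all lookup balance
32766: from all lookup main
32767: from all lookup default'

echo "== at boot =="
printf '%s\n' "$RULES_AT_BOOT" | audit_rules
echo "== VPN up =="
printf '%s\n' "$RULES_VPN_UP" | audit_rules
# On a live host:  ip rule show | audit_rules
```

On the boot listing this reports the duplicated `32766: from all lookup main` and ORDER_OK; on the VPN-up listing it reports the `999` main lookup sitting ahead of the first policy rule at `10000`, which is exactly the "wrong position" question raised in the thread. If you decide to remove a stray rule by hand, note that `ip rule del` removes one matching rule per invocation, and that deleting both `lookup main` rules would leave the host with no main-table lookup at all, so re-run the audit after each change.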
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users