On 1/24/19 3:13 AM, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to clear up my mangle configuration regarding packet
> marking because it doesn't seem to be working quite as I expect it to.
> 
> My LAN host at 10.215.144.48 is accessing the Internet via a shorewall
> gateway with a MARK(1) action. Provider 1 (mark 1) is supposed to be
> accessed through interface ppp1.
> 
> I put the following line both at the top and bottom of the mangle file
> (just in case):
> 
> MARK(1)         10.215.144.48   0.0.0.0/0       all
> 
> After reloading I tried to access https://www.iplocation.net/ from the
> LAN host at 10.215.144.48.
> However, I could not read ppp1's public IP address but that of ppp2 (I
> cleared the client browser's cache).
> In fact, I could run tcpdump on the shorewall gateway to see how the
> traffic was flowing through ppp2 instead of ppp1:
> # tcpdump -n -i ppp2 host 107.154.118.114
> IP 79.148.120.225.62087 > 107.154.118.114.443: Flags [P.], seq
> 3281967082:3281967487, ack 1044905512, win 260, length 405
> 
> I know there's the following action in between:
> MARK(2):P       10.215.144.0/23,10.215.246.0/23,10.215.248.0/24
> However, I take it the other should prevail.
> 
> The shorewall dump while connecting from 10.215.144.48 to
> 107.154.118.114:443 through ppp2 instead of ppp1 is here:
> https://drive.google.com/file/d/1SfWqdLPz2zbdJnRcBzN5K94qYChGz_F3/view?usp=sharing
> 
> Any ideas?
> 

Looks like the one at the end of the file is marking in the FORWARD
chain, not in the PREROUTING chain. As you point out, the one at the
front of the file is useless, as it is superseded by the /23 rule.

There is also another entry for that source IP in the file, but it only
deals with DEST=192.168.92.1.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
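
Added example, not part of the original thread and not Shorewall's own code: a small Python model of the two effects described in the reply above, namely that a later matching MARK rule in the same chain overwrites an earlier one, and that a mark set in FORWARD arrives after the routing decision. It assumes Shorewall's mangle chains `tcpre` (reached from PREROUTING) and `tcfor` (reached from FORWARD) and a provider mask of 0xff; the rule lines are constructed, not taken from the poster's dump.

```python
import ipaddress
import re

# Constructed sample in iptables-save style (not the poster's actual dump).
# Assumption: tcpre is traversed before routing, tcfor after it.
SAMPLE = """\
-A tcpre -s 10.215.144.48/32 -j MARK --set-xmark 0x1/0xff
-A tcpre -s 10.215.144.0/23 -j MARK --set-xmark 0x2/0xff
-A tcpre -s 10.215.144.48/32 -d 192.168.92.1/32 -j MARK --set-xmark 0x1/0xff
-A tcfor -s 10.215.144.48/32 -j MARK --set-xmark 0x1/0xff
"""

RULE = re.compile(
    r"-A (\S+)(?: -s (\S+))?(?: -d (\S+))? -j MARK --set-xmark (\w+)/(\w+)")

def parse(text):
    """Return (chain, src_net, dst_net, value, mask) for each MARK rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.fullmatch(line.strip())
        if m:
            chain, src, dst, val, mask = m.groups()
            rules.append((chain,
                          ipaddress.ip_network(src or "0.0.0.0/0"),
                          ipaddress.ip_network(dst or "0.0.0.0/0"),
                          int(val, 16), int(mask, 16)))
    return rules

def mark_after(rules, chain, src, dst, mark=0):
    """Apply every matching MARK rule of one chain in order.
    MARK is non-terminating, so a later match overwrites an earlier one."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c, snet, dnet, val, mask in rules:
        if c == chain and s in snet and d in dnet:
            mark = (mark & ~mask) ^ val   # --set-xmark semantics
    return mark

def diagnose(text, src, dst):
    """Return (mark seen by the routing decision, mark after FORWARD)."""
    rules = parse(text)
    routing_mark = mark_after(rules, "tcpre", src, dst)
    final_mark = mark_after(rules, "tcfor", src, dst, routing_mark)
    return routing_mark, final_mark

if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.215.144.48", "107.154.118.114"))
```

A routing mark that differs from the final mark means the packet was routed by the earlier value; the mark that selects a provider has to be in place when PREROUTING finishes.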
