On 3/23/2020 10:39 AM, Eddie wrote:
> Hi,
>
> Firstly some background. Some time ago Tom helped me in setting up my system to use a VPN client in a way that allowed me full control over which destination IPs were sent via the VPN, the remainder of traffic leaving via my normal internet connection. When starting the VPN, I suppress all attempts at it modifying my existing routing and in the "up" script generate the following before restarting the firewall:
>
> cat /etc/shorewall/providers
> #
> # Shorewall version 4 - Providers File
> #
> # For information about entries in this file, type "man shorewall-providers"
> #
> # For additional information, see http://shorewall.net/MultiISP.html
> #
> ############################################################################################
>
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>
> # Set up the two provider masks
> net 1 0x10000 - eno1 detect track,primary
> vpn 2 0x20000 - tun0 10.8.1.1 track,fallback
>
> This generates the following routing:
>
> shorewall show routing
> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Mon Mar 23 10:05:56 PDT 2020
>
> Routing Rules
>
> 0: from all lookup local
> 999: from all lookup main
> 10000: from all fwmark 0x10000/0xf0000 lookup net
> 10001: from all fwmark 0x20000/0xf0000 lookup vpn
> 20000: from 76.91.xxx.yyy lookup net
> 20000: from 10.8.1.20 lookup vpn
> 32765: from all lookup balance
> 32767: from all lookup default
>
> Table balance:
>
> default via 76.91.192.1 dev eno1
>
> Table default:
>
> 10.8.1.1 dev tun0 scope link
> default via 10.8.1.1 dev tun0 src 10.8.1.20 metric 2
>
> Table local:
>
> --snip-- Not needed for this question
>
> Table main:
>
> --snip-- Not needed for this question
>
> Table net:
>
> 76.91.192.1 dev eno1 scope link src 76.91.xxx.yyy
> default via 76.91.192.1 dev eno1 src 76.91.xxx.yyy
>
> Table vpn:
>
> 10.8.1.1 dev tun0 scope link src 10.8.1.20
> default via 10.8.1.1 dev tun0 src 10.8.1.20
>
> Following this, I then have a second script that builds a new routing table, which directs the required destination IPs to the tun0 gateway. This table is then added to the rules thus:
>
> 0: from all lookup local
> 500: from all lookup 100
> 999: from all lookup main
> 10000: from all fwmark 0x10000/0xf0000 lookup net
> 10001: from all fwmark 0x20000/0xf0000 lookup vpn
> 20000: from 76.91.204.161 lookup net
> 20000: from 10.8.1.20 lookup vpn
> 32765: from all lookup balance
> 32767: from all lookup default
>
> As I'm about to make some major changes to that 2nd script, I started to look at (maybe) consolidating everything into the VPN's "up" script and investigated the use of shorewall/routes as that appeared to offer what I wanted. Here's that file after rewriting my "up" script to do what I need today (before embarking on the substantial updates I need):
>
> cat /etc/shorewall/routes
> #
> # Shorewall -- /etc/shorewall/routes
> #
> # For information about entries in this file, type "man shorewall-routes"
> #
> # For additional information, see http://www.shorewall.net/MultiISP.html
> #
> ###############################################################################
>
> #PROVIDER DEST GATEWAY DEVICE OPTIONS
>
> # Force the VPN IP out via our external interface
> main 84.17.44.81 76.91.192.1
>
> # Now force the DoD stuff out via the vpn
> vpn 131.77.0.0/16
> vpn 131.78.0.0/16
> vpn 156.112.0.0/16
> vpn 214.0.0.0/8
> vpn 215.0.0.0/8
>
> Restarting the firewall showed this:
>
> shorewall show routing
> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Mon Mar 23 10:22:45 PDT 2020
>
> Routing Rules
>
> 0: from all lookup local
> 999: from all lookup main
> 10000: from all fwmark 0x10000/0xf0000 lookup net
> 10001: from all fwmark 0x20000/0xf0000 lookup vpn
> 20000: from 76.91.204.161 lookup net
> 20000: from 10.8.0.32 lookup vpn
> 32765: from all lookup balance
> 32767: from all lookup default
>
> Table balance:
>
> default via 76.91.192.1 dev eno1
>
> Table default:
>
> 10.8.0.1 dev tun0 scope link
> default via 10.8.0.1 dev tun0 src 10.8.0.32 metric 2
>
> Table local:
>
> --snip-- Not needed for this question
>
> Table main:
>
> 84.17.44.81 via 76.91.192.1 dev eno1
> --snip-- Not needed for this question
>
> Table net:
>
> 76.91.192.1 dev eno1 scope link src 76.91.xxx.yyy
> default via 76.91.192.1 dev eno1 src 76.91.xxx.yyy
>
> Table vpn:
>
> 10.8.0.1 dev tun0 scope link src 10.8.0.32
> 156.112.0.0/16 dev tun0 scope link
> 131.78.0.0/16 dev tun0 scope link
> 131.77.0.0/16 dev tun0 scope link
> 215.0.0.0/8 dev tun0 scope link
> 214.0.0.0/8 dev tun0 scope link
> default via 10.8.0.1 dev tun0 src 10.8.0.32
>
> Looking at this, it's obviously not going to do what I wanted. The table "vpn" is only going to be used for packets either already marked as destined for the VPN or those who were sourced from there. Not what I was looking for in routing locally generated outbound traffic.
>
> Inserting that table at the point in the rules where I was previously adding my additions also will not work, because of the "default" routing.
>
> I guess what I was expecting from the use of shorewall/routes is that it would have not modified any of the existing routing tables being generated (well, apart from my use of "main") but created a brand new table to be inserted between 0 and 999.
>
> I can see that as a workaround, I can force all the entries to be added to the "main" table instead.
>
> Have I misunderstood how this was supposed to work or is it (kinda) broken?
You have misunderstood how it works. The 'routes' file simply allows you to add routes in any of the existing tables and that's all.

You have two choices:

a) Add the routes to the main tables (which is essentially what your scripts are doing).

b) Add entries in rtrules to direct the traffic to the 'vpn' table. Note that these rules don't really need priorities < 1000; they simply need priorities < 32765 because only the 'balance' and 'default' tables will ever have default routes in them (when Shorewall is started).

I recommend the latter, because the rules will be added when the VPN provider is enabled and deleted when it is disabled.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \   can't understand
                          \________________________________________
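The rtrules approach Tom recommends, as an added example that is not part of the thread: a constructed /etc/shorewall/rtrules fragment covering the destination networks from Eddie's routes file, plus a dry-run helper that prints the equivalent ip rule commands so the result can be compared with "shorewall show routing" before anything is restarted. The helper functions and their names are assumptions of this example, not Shorewall's own tooling; the "main 84.17.44.81 76.91.192.1" entry in Eddie's routes file is still needed so the VPN endpoint itself leaves via eno1.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed rtrules fragment:
# columns are SOURCE DEST PROVIDER PRIORITY, "-" meaning "any source".
# Priority 1000 is looked up after the main table (999) and before the
# balance/default tables (32765/32767), which is all Tom's reply requires;
# Shorewall adds/removes these rules with the 'vpn' provider.
RTRULES='#SOURCE DEST            PROVIDER PRIORITY
-       131.77.0.0/16   vpn      1000
-       131.78.0.0/16   vpn      1000
-       156.112.0.0/16  vpn      1000
-       214.0.0.0/8     vpn      1000
-       215.0.0.0/8     vpn      1000'

# Print the 'ip rule add' command each rtrules line corresponds to.
# Dry run only: nothing is executed, so this can be inspected as a
# non-root user and compared against the "Routing Rules" listing.
rtrules_to_ip_rule() {
    printf '%s\n' "$1" | while read -r src dest provider prio; do
        case "$src" in ''|'#'*) continue ;; esac
        cmd="ip rule add"
        if [ "$src" != "-" ]; then cmd="$cmd from $src"; fi
        if [ "$dest" != "-" ]; then cmd="$cmd to $dest"; fi
        echo "$cmd pref $prio lookup $provider"
    done
}

# Count the entries whose priority lands in the window Tom describes:
# after the main lookup (999) and before 'balance' (32765). Entries
# outside that window would be shadowed by a default route.
check_priorities() {
    printf '%s\n' "$1" | awk '!/^#/ && NF == 4 && $4 > 999 && $4 < 32765 { n++ }
                              END { print n + 0 }'
}

rtrules_to_ip_rule "$RTRULES"
echo "entries in the usable priority window: $(check_priorities "$RTRULES")"
```

Once Shorewall is restarted with such a file, "shorewall show routing" should list the five "to <network> lookup vpn" rules at priority 1000, between the "lookup main" and "lookup balance" lines.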
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users