Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection
On 01/11/2017 01:31 PM, Philip Le Riche wrote:
> Great - thanks Tom! Removing routefilter from the 2 outbound
> interfaces did the trick. I can now do both traceroute and http
> from the Pi, and the -i option fixed traceroute on the firewall
> itself. I would have given up long before stumbling across
> routefilter.
>
> I haven't seen the dhcpd startup problem again so I assume that's
> gone away. However the mobile dongle startup seems to be getting
> more unreliable, but that seems to be a USB problem, not a Shorewall
> one, assuming the kernel USB and networking stacks are completely
> disjoint. (/var/log/messages shows it sometimes recognising the
> mass storage device and/or the CDROM on the dongle but not the GSM
> modem, or detecting it as a serial device but not doing anything
> with it).
>
> Thanks again for excellent support.

Glad to hear that it is working.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \

--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection
Great - thanks Tom! Removing routefilter from the 2 outbound interfaces did the trick. I can now do both traceroute and http from the Pi, and the -i option fixed traceroute on the firewall itself. I would have given up long before stumbling across routefilter.

I haven't seen the dhcpd startup problem again so I assume that's gone away. However the mobile dongle startup seems to be getting more unreliable, but that seems to be a USB problem, not a Shorewall one, assuming the kernel USB and networking stacks are completely disjoint. (/var/log/messages shows it sometimes recognising the mass storage device and/or the CDROM on the dongle but not the GSM modem, or detecting it as a serial device but not doing anything with it).

Thanks again for excellent support.

Best regards - Philip

On 11/01/2017 19:46, Tom Eastep wrote:
> On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> > Hi Tom -
> >
> > Several other problems which may or may not be related:
> > 1. traceroute getting 'send: operation not permitted' when run from the
> > firewall itself.
>
> As pointed out in http://www.shorewall.org/MultiISP.html, packet
> marking is unreliable when applied to connections originating from the
> firewall. Try using the '-i' option of traceroute from the firewall.
>
> > 2. Mobile data dongle not starting with shorewall running -
> > possibly the same problem as 1.
>
> No clue -- are there any 'Shorewall' messages logged when this occurs?
>
> > 3. dhcpd not starting reliably - possibly a startup sequence
> > problem - it's worked the last twice and I didn't record the
> > message but was something about no available NICs to serve on.
>
> Sounds like a startup sequencing issue. Can't tell without seeing the
> messages.
>
> -Tom
Re: [Shorewall-users] iptables rule with hex pattern to shorewall rule
On 01/11/2017 12:47 PM, Wouter Deurholt wrote:
> Hi,
>
> I need an iptables rule translated into a Shorewall rule that filters
> on a port and a hex pattern. The rule is used to filter out packets
> sent to a specific port (udp 53) for a specific subdomain (the hex
> pattern), to be forwarded to another port where they will be
> handled by a program that listens on that (other) port (5353). I
> cannot seem to find the right rule. Second, I'm unsure where to
> place it in my 'rules' file. Your help / advice, please.
>
> The rule:
>
> iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm
> --from 20 --hex-string "|024a4a0364615000|" -j REDIRECT --to-ports
> 5353
>

    REDIRECT  ???  5353  udp  53  ;; -m string --algo bm \
                                     --from 20 --hex-string "|024a4a0364615000|"

(I have broken the rule into two lines because my mailer folds long lines. You don't need to do that.)

That syntax assumes that you are running a recent version of Shorewall.

I'm unclear what the SOURCE should be in your case -- probably 'net'; your rule would be applied to all packets entering the Shorewall system.

-Tom
[Shorewall-users] iptables rule with hex pattern to shorewall rule
Hi,

I need an iptables rule translated into a Shorewall rule that filters on a port and a hex pattern. The rule is used to filter out packets sent to a specific port (udp 53) for a specific subdomain (the hex pattern), to be forwarded to another port where they will be handled by a program that listens on that (other) port (5353). I cannot seem to find the right rule. Second, I'm unsure where to place it in my 'rules' file. Your help / advice, please.

The rule:

    iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|024a4a0364615000|" -j REDIRECT --to-ports 5353

Thanks in advance,
Wouter

| Wouter Y. Deurholt | [wdeurh...@wdmail.nl](http://wdmail.nl) | Secured by [ProtonMail](https://protonmail.com) |
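As an added example (not from the thread, nor iptables or Shorewall code), the following Python reproduces what the `-m string --hex-string` match in the rule above is compared against: it encodes a DNS name in wire format, decodes the thread's pattern back to the name it selects, and shows which query names a byte-substring match of that pattern hits. The name JJ.daP is simply what the pattern decodes to; the query names tried in the demo are constructed.

```python
def dns_wire_name(name: str) -> bytes:
    """Encode 'JJ.daP' as the bytes 02 'JJ' 03 'daP' 00: length-prefixed labels, root last."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035 label length limit
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def to_hex_string(wire: bytes) -> str:
    """Render bytes in the '|hex|' form that --hex-string takes."""
    return "|" + wire.hex() + "|"

def from_hex_string(pattern: str) -> bytes:
    return bytes.fromhex(pattern.strip("|"))

def decode_wire_name(wire: bytes) -> str:
    """Inverse of dns_wire_name (a static pattern carries no compression pointers)."""
    labels, i = [], 0
    while wire[i] != 0:
        n = wire[i]
        labels.append(wire[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def string_match_hits(query_name: str, pattern: str) -> bool:
    """'-m string' is a plain byte-substring test over the packet (the rule's
    --from 20 starts it just past a 20-byte IPv4 header), so any name whose wire
    form contains the pattern hits: subdomains of JJ.daP do; a differently cased
    spelling does not, although DNS treats it as the same name; a name that only
    starts with JJ.daP does not, because the pattern ends with the root label 00."""
    return from_hex_string(pattern) in dns_wire_name(query_name)

THREAD_PATTERN = "|024a4a0364615000|"   # the pattern from Wouter's rule

if __name__ == "__main__":
    print(decode_wire_name(from_hex_string(THREAD_PATTERN)))        # JJ.daP
    for q in ("JJ.daP", "www.JJ.daP", "jj.dap", "JJ.daP.example"):  # constructed queries
        print(f"{q:16} {string_match_hits(q, THREAD_PATTERN)}")
```

Because the match is byte-exact, a client that sends the name in a different letter case will bypass the REDIRECT and reach whatever listens on udp 53 directly; that is worth knowing before relying on such a rule to steer traffic.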
Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection
On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> Hi Tom -
>
> Several other problems which may or may not be related:
> 1. traceroute getting 'send: operation not permitted' when run from the
> firewall itself.

As pointed out in http://www.shorewall.org/MultiISP.html, packet
marking is unreliable when applied to connections originating from the
firewall. Try using the '-i' option of traceroute from the firewall.

> 2. Mobile data dongle not starting with shorewall running -
> possibly the same problem as 1.

No clue -- are there any 'Shorewall' messages logged when this occurs?

> 3. dhcpd not starting reliably - possibly a startup sequence
> problem - it's worked the last twice and I didn't record the
> message but was something about no available NICs to serve on.

Sounds like a startup sequencing issue. Can't tell without seeing the
messages.

-Tom
Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection
On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> Hi Tom -
>
> Here are a couple of pcaps on ppp0 from wireshark, one with ppp0
> as fallback (traceroute from the Pi doesn't work but web does) and
> with ppp0 with no options (traceroute works but web doesn't).
>
> In both cases you can see the udp packets going out and icmp
> timeouts coming back but with fallback they don't seem to make it
> back to the Pi. It looks like shorewall isn't opening the reverse
> path. Hopefully the inconsistent web behaviour is another
> consequence of the same problem.
>
> Several other problems which may or may not be related:
> 1. traceroute getting 'send: operation not permitted' when run from the
> firewall itself.
> 2. Mobile data dongle not starting with shorewall running - possibly
> the same problem as 1.
> 3. dhcpd not starting reliably - possibly a startup sequence problem -
> it's worked the last twice and I didn't record the message but was
> something about no available NICs to serve on.

Turn off route filtering. From the dump:

    /proc
    ...
    /proc/sys/net/ipv4/conf/eno1/rp_filter = 1
    /proc/sys/net/ipv4/conf/ppp0/rp_filter = 1

You have 'routefilter' specified on both provider interfaces. From
shorewall-interfaces(5):

    Note

    There are certain cases where routefilter cannot be used on an
    interface:

    If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
    listed in shorewall-providers(5).

    If there is an entry for the interface in shorewall-providers(5)
    that doesn't specify the balance option.

    ...

Set 'routefilter=0' for both interfaces.

-Tom
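As an added example (not from the thread, nor Shorewall's own code), a small Python checker for the condition Tom diagnoses above: it lists the interfaces named in a providers file and reports any whose rp_filter sysctl is not 0. It assumes the shorewall-providers(5) column order with INTERFACE in the fifth column and reads rp_filter from a sysctl root that defaults to /proc/sys/net/ipv4; the providers file and the sysctl tree the demo runs on are constructed to mirror the dump (eno1 and ppp0 both filtered).

```python
import os
import tempfile

def provider_interfaces(providers_text: str) -> list:
    """INTERFACE (5th) column of each non-comment providers line, minus any ':addr' suffix."""
    ifaces = []
    for line in providers_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5:
            ifaces.append(fields[4].split(":", 1)[0])
    return ifaces

def rp_filter_problems(providers_text: str, sysctl_root: str = "/proc/sys/net/ipv4") -> dict:
    """Map each provider interface whose rp_filter is not 0 (1 strict, 2 loose, or absent)
    to a diagnosis; empty means reverse-path filtering is off where multi-ISP routing needs it off."""
    problems = {}
    for ifc in provider_interfaces(providers_text):
        try:
            with open(os.path.join(sysctl_root, "conf", ifc, "rp_filter")) as fh:
                value = fh.read().strip()
        except OSError:
            problems[ifc] = "no rp_filter entry (interface not up?)"
            continue
        if value != "0":
            problems[ifc] = f"rp_filter={value}; drop 'routefilter' for {ifc} in shorewall-interfaces(5)"
    return problems

# Constructed providers file mirroring the thread: a wired ISP plus the ppp0 dongle as fallback.
PROVIDERS = """\
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
isp1    1       1     main       eno1       detect   track
mobile  2       2     main       ppp0       -        track,fallback
"""

def make_fixture(rp_filter_values: dict) -> str:
    """Throwaway sysctl tree (conf/<iface>/rp_filter) so the check can run offline."""
    root = tempfile.mkdtemp()
    for ifc, value in rp_filter_values.items():
        os.makedirs(os.path.join(root, "conf", ifc))
        with open(os.path.join(root, "conf", ifc, "rp_filter"), "w") as fh:
            fh.write(value + "\n")
    return root

if __name__ == "__main__":
    # The state Tom spotted in the dump: rp_filter = 1 on both provider interfaces.
    for ifc, why in rp_filter_problems(PROVIDERS, make_fixture({"eno1": "1", "ppp0": "1"})).items():
        print(f"{ifc}: {why}")
```

On a live firewall, call rp_filter_problems with the contents of /etc/shorewall/providers and the default sysctl root; an empty result after a Shorewall restart confirms the fix took effect.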
Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection
Hi Tom -

Here are a couple of pcaps on ppp0 from wireshark, one with ppp0 as fallback (traceroute from the Pi doesn't work but web does) and with ppp0 with no options (traceroute works but web doesn't).

In both cases you can see the udp packets going out and icmp timeouts coming back but with fallback they don't seem to make it back to the Pi. It looks like shorewall isn't opening the reverse path. Hopefully the inconsistent web behaviour is another consequence of the same problem.

Several other problems which may or may not be related:
1. traceroute getting 'send: operation not permitted' when run from the firewall itself.
2. Mobile data dongle not starting with shorewall running - possibly the same problem as 1.
3. dhcpd not starting reliably - possibly a startup sequence problem - it's worked the last twice and I didn't record the message but was something about no available NICs to serve on.

Thanks again - Philip

On 11/01/2017 00:38, Tom Eastep wrote:
> On 01/10/2017 01:55 PM, Philip Le Riche wrote:
> > Hi Tom -
> >
> > Thanks for the greased-lightning response again, and here's the
> > dump.
> >
>
> It looks to me like the traceroute packets are going out of ppp0 but
> that there are no responses. Can you confirm that using tcpdump?
>
> Thanks,
> -Tom

Attachments: ppp0-fallback.pcapng, ppp0-nofallback.pcapng (binary data)