Thanks, Tom, for the rapid response.

I don't have easy access to the firewall in question so I've set up an
equivalent network at home. In the providers file I've added the primary
option to the school network and fallback to the mobile data, though I
don't actually want it to fall back.

Now, on starting Shorewall, I get WARNING: interface ppp0 is not useable.

Is there a log file which will shed a little more light on that?

In fact Linux won't start the ppp0 session unless I do shorewall clear
before plugging the dongle in - I'm not sure I got that at school, but
with shorewall clear and if I set eno1 down (the "school" network) I can
browse the net through the dongle.

I now have interfaces:
schl    eno1               tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet   enx00e04c534458    tcpflags,nosmurfs,routefilter,logmartians
inet    ppp0               tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

providers:
#NAME    NUMBER    MARK    DUPLICATE    INTERFACE    GATEWAY    OPTIONS
raw    1    1    -        ppp0        detect    fallback
school    2    -    -        eno1        192.168.1.1 primary

mangle:
#ACTION    SOURCE    DEST    PROTO    PORT(S)    SOURCE    USER    TEST
#                    PORT(S)
MARK(1)    enx00e04c534458    -    udp    33434:33523    -    -    -
MARK(1) enx00e04c534458    -    253    -    -    -    -
MARK(1)    lo    -    udp    33434:33523    -    -    -
MARK(1) lo    -    253    -    -    -    -

rtrules:
#SOURCE    DEST    PROVIDER    PRIORITY    MARK
enx00e04c534458    -    raw        11000        1
lo        -    raw        11000        1

masq:
#INTERFACE:DEST    SOURCE            ADDRESS        PROTO    PORT(S)    IPSEC    MARK    USER/    SWITCH    ORIGINAL
#                                                                                        GROUP              DEST
eno1               192.168.2.0/24    192.168.1.2

and in rules I simply modified the DNAT rules for the Pis to reflect the
different IP addressing scheme (I didn't mention that before).

Best regards - Philip


On 03/01/2017 17:22, Tom Eastep wrote:
> On 01/03/2017 06:51 AM, Philip Le Riche wrote:
> > I've been trying without success on and off for some while to
> > modify an existing Shorewall configuration for the purposes of a
> > school lesson on Internet routing, using traceroute.
>
> > I originally set up the firewall to protect the school network from
> > a bunch of Raspberry Pis, operated "headless" from school PCs using
> > VNC or ssh, thus we had 3 zones:
>
> > #ZONE    TYPE        OPTIONS    IN    OUT
> > fw       firewall
> > schl     ipv4
> > pinet    ipv4
>
> > The idea is to run traceroute from the Pis, but since
> > traceroute is blocked by the school firewall/proxy I've added a
> > mobile data dongle and a new zone giving me unfiltered Internet
> > access:
> >
> > inet     ipv4
>
> > My interfaces file now looks like this:
> >
> > schl     eno1      tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > pinet    enp2s0    tcpflags,nosmurfs,routefilter,logmartians
> > inet     ppp0      tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
>
> > In my providers file I've defined a provider "raw" for the
> > unfiltered mobile data interface:
> >
> > #NAME    NUMBER    MARK    DUPLICATE    INTERFACE    GATEWAY    OPTIONS
> > raw      1         1       -            ppp0
>
> > I've been trying both regular traceroute (udp/33434-33523) and
> > traceroute -P 253 (protocol 253), and so I'm using mangle to mark
> > all such packets coming from the Pi network (and from the firewall
> > while I'm at it, for testing purposes):
> >
> > #ACTION    SOURCE    DEST    PROTO    PORT(S)        SOURCE     USER    TEST
> > #                                                    PORT(S)
> > MARK(1)    enp2s0    -       udp      33434:33523    -          -       -
> > MARK(1)    enp2s0    -       253      -              -          -       -
> > MARK(1)    $FW       -       udp      33434:33523    -          -       -
> > MARK(1)    $FW       -       253      -              -          -       -
>
> > And in rtrules I'm directing marked packets at provider raw:
> >
> > #SOURCE    DEST    PROVIDER    PRIORITY    MARK
> > enp2s0     -       raw         11000       1
> > lo         -       raw         11000       1
>
> > In my rules file I've allowed traceroute from pinet and $FW to
> > inet:
> >
> > #
> > # pinet -> inet
> > # Allow traceroute only
> > #
> > ACCEPT        pinet      inet    udp    33434:33523
> > ACCEPT        pinet      inet    253
> >
> > #
> > # $FW -> inet
> > #
> > #ACTION    SOURCE    DEST    PROTO    DEST           SOURCE     RATE     USER/
> > #                                     PORT(S)        PORT(S)    LIMIT    GROUP
> > ACCEPT     $FW       inet    udp      33434:33523
> > ACCEPT     $FW       inet    253
>
> > Since the mobile data dongle hasn't connected by the time
> > Shorewall starts on a reboot, I have to do a shorewall restart, and
> > also if I plug in the dongle at any time after booting.
>
> > However, there still seems to be an error or omission in my logic
> > as traceroute on the firewall Pi still shows it routing through the
> > school network, as evidenced by the ip addresses reported (as far
> > as they go), and traceroute on a Pi shows nothing beyond the pinet
> > firewall interface. Perhaps you can provide me with that lightbulb
> > moment which seems to be evading me.
>
>
> You need en01 to be the primary provider and ppp0 to be the fallback
> provider.
>
> -Tom
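The thread's providers, mangle and rtrules tables are Shorewall's way of describing packet marking plus Linux policy routing. The script below is an added illustration of those underlying mechanisms; it is not Shorewall's compiler, not its generated output, and not code from anyone in this thread. It parses constructed copies of the three tables (shaped like Philip's), emits the approximate iptables/ip equivalents, and traces which interface a given packet would leave by. It assumes that a "detect" gateway on ppp0 means a point-to-point link routed by device alone, that both "lo" and "$FW" denote firewall-originated traffic, and that an optional interface which never came up simply has no routing table, so marked packets fall through to the main table and the primary provider.

```python
"""Added illustration (not Shorewall's compiler nor its generated output):
the plain Linux mechanisms that Shorewall's providers/mangle/rtrules tables
build on, namely iptables MARK targets, 'ip rule' selectors and per-provider
routing tables, plus a small trace of which interface a packet leaves by.
Command forms are a simplified approximation kept for explanation."""

# Constructed sample tables, shaped like the ones in the thread.
PROVIDERS = """
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       detect       fallback
school  2       -     -          eno1       192.168.1.1  primary
"""
MANGLE = """
#ACTION  SOURCE           DEST  PROTO  PORT(S)
MARK(1)  enx00e04c534458  -     udp    33434:33523
MARK(1)  enx00e04c534458  -     253    -
MARK(1)  lo               -     udp    33434:33523
MARK(1)  lo               -     253    -
"""
RTRULES = """
#SOURCE          DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458  -     raw       11000     1
lo               -     raw       11000     1
"""
LOCAL = {"lo", "$FW"}  # assumption: both mean traffic originating on the firewall itself


def rows(table):
    """Split a whitespace-separated Shorewall table into column lists, dropping comments."""
    return [ln.split() for ln in table.strip().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def provider_routes(providers=PROVIDERS):
    """One routing table per provider; the 'primary' provider also supplies the main default."""
    cmds, primary = [], None
    for name, number, mark, dup, iface, gw, opts in rows(providers):
        if gw == "detect":  # assumption: ppp-style point-to-point link, route by device alone
            cmds.append(f"ip route add default dev {iface} table {number}")
        else:
            cmds.append(f"ip route add default via {gw} dev {iface} table {number}")
        if "primary" in opts.split(","):
            primary = f"ip route replace default via {gw} dev {iface}"
    if primary:
        cmds.append(primary)  # unmarked traffic keeps using the primary provider
    return cmds


def mangle_rules(mangle=MANGLE):
    """MARK entries: firewall-originated traffic is marked in OUTPUT, forwarded traffic in PREROUTING."""
    cmds = []
    for action, src, dest, proto, ports in rows(mangle):
        mark = action[len("MARK("):-1]
        chain = "OUTPUT" if src in LOCAL else f"PREROUTING -i {src}"
        match = f"-p {proto}" + (f" --dport {ports}" if ports != "-" else "")
        cmds.append(f"iptables -t mangle -A {chain} {match} -j MARK --set-mark {mark}")
    return cmds


def rt_rules(rtrules=RTRULES, providers=PROVIDERS):
    """rtrules entries: 'ip rule' selectors sending marked packets to the provider's table."""
    table_of = {r[0]: r[1] for r in rows(providers)}
    cmds = []
    for src, dest, provider, prio, mark in rows(rtrules):
        iif = "lo" if src in LOCAL else src  # 'iif lo' selects locally generated packets
        cmds.append(f"ip rule add iif {iif} fwmark {mark} table {table_of[provider]} priority {prio}")
    return cmds


def egress_interface(iif, proto, dport=None, ppp_up=True):
    """Trace one packet: mangle mark -> matching ip rule -> provider table -> outgoing interface.
    If the selected table has no route (ppp0 never came up), the kernel falls through
    to the next rule and ends in the main table, i.e. the primary provider."""
    mark = None
    for action, src, dest, p, ports in rows(MANGLE):
        if (src in LOCAL) != (iif == "lo") or (src not in LOCAL and src != iif) or p != proto:
            continue
        if ports != "-":
            lo_, hi = (int(x) for x in ports.split(":"))
            if dport is None or not lo_ <= dport <= hi:
                continue
        mark = action[len("MARK("):-1]
        break
    main, tables = None, {}
    for name, number, m, dup, iface, gw, opts in rows(PROVIDERS):
        if "primary" in opts.split(","):
            main = iface
        if iface != "ppp0" or ppp_up:  # an optional interface that is down has no table
            tables[number] = iface
    table_of = {r[0]: r[1] for r in rows(PROVIDERS)}
    for src, dest, provider, prio, rmark in rows(RTRULES):
        rule_iif = "lo" if src in LOCAL else src
        if rule_iif == iif and mark == rmark and table_of[provider] in tables:
            return tables[table_of[provider]]
    return main


if __name__ == "__main__":
    for cmd in provider_routes() + mangle_rules() + rt_rules():
        print(cmd)
    print("traceroute probe from a Pi ->", egress_interface("enx00e04c534458", "udp", 33440))
    print("same probe with ppp0 down   ->", egress_interface("enx00e04c534458", "udp", 33440, ppp_up=False))
```

Running it prints the approximate commands and then two traces: a UDP probe in the 33434:33523 range from the Pi interface leaves via ppp0, while the same probe with ppp0 absent falls back to eno1, which is the behaviour to expect after Shorewall has logged that the optional interface is not usable at start-up.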


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
