On 6/4/2019 10:49 AM, Srikrishnan Chitoor via Shorewall-users wrote:
> Hi:
> 
>   We have three lines connected to a server that has Shorewall 4.6.3
> running. The three lines are 'ACTBB', 'TATALEASEDLINE' and 'Net4India'.
> The requirement is that any SMTP traffic originating from the server
> itself should go only on 'TATALEASEDLINE' line.
> 
>   We have set the following in 'providers' table.
> 
> ** START
> TATALEASEDLINE    1       254     main            eth1            61.12.X.X      balance=20,track       eth0,eth2
> Net4india         2       253     main            eth3            202.71.X.X     balance=50,track       eth0,eth2
> ACTBB             3       252     main            eth4            106.51.X.X     balance=60,track       eth0,eth2
> ** END
> 
>   The 'mangle' table specifies this:
> 
> ** START
> MARK(254)       $FW     0.0.0.0/0       tcp     25
> MARK(254)       $FW     0.0.0.0/0       udp     25
> ** END
> 
>   However, we find that some SMTP traffic originating from the server
> still goes through other lines.
> 
>    Doing a 'shorewall iptrace' for SMTP traffic that goes through the
> wrong line, we get this:
> 
> ** START
> Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005
> GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00
> TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001
> Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00
> TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00
> TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00
> TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4
> SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64
> ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673
> WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB)
> UID=1005 GID=1001 MARK=0xfc
> Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN=
> OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00
> TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427
> ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT
> (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> ** END
> 
>   Even though we have asked for SMTP traffic from the firewall to be marked 0xfe
> (254), it is being marked as 0xfc, and therefore the packet is going through the
> wrong line.
> 
>   Please advise on finding what is wrong.
> 

We don't support 4.6.3.

If Shorewall 5.2.3.3 solves your issue, you might be able to backport
the fix if you are required to stay on an EOL version, otherwise, have a
look at (1).


1)  http://shorewall.org/troubleshoot.htm

-Matt
-- 
Matt Darfeuille
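As an added diagnostic (not code from the post or from Shorewall itself), the script below parses iptables TRACE lines like the ones quoted above and reports, per packet, which hop set the fwmark and which provider that mark and the egress interface correspond to, using the poster's providers table. The sample trace is constructed from the post's log with hops abridged and the source address kept anonymised.

```python
import re

# Constructed sample modelled on the trace in the post: one SMTP packet, hops
# abridged. TRACE logs a packet on entry to each rule, so the MARK appears on
# the hop after the rule that set it.
SAMPLE_TRACE = """\
kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 PROTO=TCP SPT=50281 DPT=25 ID=44646
kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 PROTO=TCP SPT=50281 DPT=25 ID=44646
kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 PROTO=TCP SPT=50281 DPT=25 ID=44646 MARK=0xfc
kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 PROTO=TCP SPT=50281 DPT=25 ID=44646 MARK=0xfc
kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 PROTO=TCP SPT=50281 DPT=25 ID=44646 MARK=0xfc
"""

# Provider name -> (MARK, INTERFACE), copied from the poster's providers table.
PROVIDERS = {"TATALEASEDLINE": (254, "eth1"), "Net4india": (253, "eth3"), "ACTBB": (252, "eth4")}

HOP_RE = re.compile(r"TRACE: (\w+:\w+:\w+:\d+) (.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_hops(text):
    """Yield (hop, fields) per TRACE line; hop is 'table:chain:kind:num'."""
    for line in text.splitlines():
        m = HOP_RE.search(line)
        if m:
            yield m.group(1), dict(KV_RE.findall(m.group(2)))

def audit_marks(text, providers, expected, dport="25"):
    """Per IP ID of packets to dport: which hop set the fwmark, which provider
    the mark and the egress interface belong to, and whether both match expected."""
    by_mark = {mark: name for name, (mark, _) in providers.items()}
    by_iface = {iface: name for name, (_, iface) in providers.items()}
    reports, prev_hop = {}, {}
    for hop, f in parse_hops(text):
        if f.get("DPT") != dport:
            continue
        pid = f.get("ID")
        r = reports.setdefault(pid, {"mark": None, "set_by": None,
                                     "egress": by_iface.get(f.get("OUT"))})
        if "MARK" in f and r["mark"] is None:
            r["mark"] = int(f["MARK"], 16)
            r["set_by"] = prev_hop.get(pid)  # the previously logged hop set it
        prev_hop[pid] = hop
    for r in reports.values():
        r["mark_provider"] = by_mark.get(r["mark"])
        r["ok"] = r["mark_provider"] == expected and r["egress"] == expected
    return reports

if __name__ == "__main__":
    for pid, r in audit_marks(SAMPLE_TRACE, PROVIDERS, "TATALEASEDLINE").items():
        print(pid, r)
```

Feed it the output of 'shorewall iptrace' (with the wrapped lines joined back together) to see, for each packet, the first mangle hop that stamped a mark other than the one your tcout rule asks for.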


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
