On 6/4/2019 10:49 AM, Srikrishnan Chitoor via Shorewall-users wrote:
> Hi:
>
> We have three lines connected to a server that has Shorewall 4.6.3
> running. The three lines are 'ACTBB', 'TATALEASEDLINE' and 'Net4India'.
> The requirement is that any SMTP traffic originating from the server
> itself should go only on the 'TATALEASEDLINE' line.
>
> We have set the following in the 'providers' table.
>
> ** START
> TATALEASEDLINE 1 254 main eth1 61.12.X.X balance=20,track eth0,eth2
> Net4india 2 253 main eth3 202.71.X.X balance=50,track eth0,eth2
> ACTBB 3 252 main eth4 106.51.X.X balance=60,track eth0,eth2
> ** END
>
> The 'mangle' table specifies this:
>
> ** START
> MARK(254) $FW 0.0.0.0/0 tcp 25
> MARK(254) $FW 0.0.0.0/0 udp 25
> ** END
>
> However, we find that some SMTP traffic originating from the server
> still goes through other lines.
>
> Doing a 'shorewall iptrace' for SMTP traffic that goes through the
> wrong line, we get this:
>
> ** START
> Jun 3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
> Jun 3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> Jun 3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
> ** END
>
> Even though we have asked for SMTP traffic from the firewall to be marked 0xfe
> (254), it is marking them as 0xfc and therefore the packet is going through the
> wrong line.
>
> Please advise on finding what is wrong.
>
We don't support 4.6.3. If Shorewall 5.2.3.3 solves your issue, you might be able to backport the fix if you are required to stay on an EOL version; otherwise, have a look at (1).

1) http://shorewall.org/troubleshoot.htm

-Matt

--
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
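An added example, not part of the thread or of the Shorewall project: a small Python checker for `shorewall iptrace` output that groups TRACE lines per packet (by IP ID), reports between which two hops the fwmark first became visible, and compares the final mark with the provider the mangle rule intended. It takes the provider marks and the SMTP rule from the quoted configuration; the expected-mark table, the audit logic and the sample lines (constructed in the iptrace layout after the thread's first packet, with the source address masked as posted) are assumptions of this example.

```python
import re
# Provider marks from the providers table quoted in the thread (mark -> provider).
PROVIDER_MARKS = {254: "TATALEASEDLINE", 253: "Net4india", 252: "ACTBB"}
# Intended policy from the mangle table: SMTP leaving the firewall carries mark 254.
EXPECTED_MARK = {("tcp", 25): 254, ("udp", 25): 254}
TRACE_RE = re.compile(
    r"TRACE: (?P<hop>\w+:\w+:\w+:\d+) .*?OUT=(?P<out>\S*) .*?ID=(?P<id>\d+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)(?:.*? MARK=(?P<mark>0x[0-9a-fA-F]+))?")

def parse_trace(line):
    """Fields of one kernel TRACE line, or None if the line is not a TRACE line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return {"hop": m["hop"], "out": m["out"], "id": int(m["id"]), "dpt": int(m["dpt"]),
            "proto": m["proto"].lower(), "mark": int(m["mark"], 16) if m["mark"] else None}

def audit_marks(lines):
    per_pkt = {}
    for h in filter(None, map(parse_trace, lines)):
        per_pkt.setdefault(h["id"], []).append(h)
    report = {}
    for pkt_id, hops in per_pkt.items():
        expected = EXPECTED_MARK.get((hops[0]["proto"], hops[0]["dpt"]))
        if expected is None:
            continue
        first = next((i for i, h in enumerate(hops) if h["mark"] is not None), None)
        # TRACE logs a packet as it enters each hop, so a mark first visible at hop i
        # was set by whatever ran between hop i-1 and hop i.
        set_between = None
        if first is not None:
            prev = hops[first - 1]["hop"] if first else "(before first traced hop)"
            set_between = (prev, hops[first]["hop"])
        final = hops[-1]["mark"]
        report[pkt_id] = {"expected": expected, "actual": final, "ok": final == expected,
                          "provider": PROVIDER_MARKS.get(final), "out": hops[-1]["out"],
                          "set_between": set_between}
    return report

def sample_trace(hop, pkt_id, mark=None):
    return (f"Jun  3 15:10:13 mail kernel: TRACE: {hop} IN= OUT=eth4 SRC=106.51.X.X "
            f"DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID={pkt_id} DF PROTO=TCP "
            f"SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 "
            f"UID=1005 GID=1001" + (f" MARK={mark:#x}" if mark is not None else ""))

# Constructed sample (iptrace layout): hops of the thread's packet 44646 around where MARK=0xfc appears.
SAMPLE = [sample_trace("raw:OUTPUT:policy:13", 44646),
          sample_trace("mangle:OUTPUT:rule:1", 44646),
          sample_trace("mangle:OUTPUT:policy:3", 44646, 0xfc),
          sample_trace("mangle:POSTROUTING:policy:2", 44646, 0xfc)]
```

Feed the full iptrace capture to `audit_marks` and the `ok` flag and `set_between` pair narrow the search to the rules traversed between the two named hops.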