On Sat, 2007-12-22 at 00:59 +0800, Terence Parker wrote:
> I've got a working shorewall implementation - it starts and
> everything, and I've also configured the traffic shaping rules.
>
> Everything *appears* to work, but the problem I'm having is that most
> traffic appears to be escaping my marks - and going out via the default
> rule.
>
> Built into the kernel I've already got the SIP conntrack module, and
> the IPP2P module - but they don't seem to be tracking much.
>
> Is something wrong with my iptables? Or is it a configuration problem
> with shorewall? Or is it actually working, but just outputting wrong?
>
> (evidence attached - renamed to .txt)
>
> Shorewall version 3.4.6
> Gentoo Linux 2.6.22-gentoo-r9
>
> Any help appreciated, thanks.
Several things:
a) You are marking in the PREROUTING chain. That means that:
1. You are not marking traffic that originates on the
firewall.
2. You are marking traffic that enters the firewall on
your external interface (input traffic).
You might want to move your marking to the FORWARD chain where
you could mark P2P in both directions but only mark the other
traffic outbound.
You don't appear to have significant traffic generated by processes
running on the firewall itself so the first issue probably isn't a
big concern.
b) From the dump:
Mangle Table
Chain PREROUTING (policy ACCEPT 317K packets, 225M bytes)
 pkts bytes target   prot opt in   out   source       destination
 317K  225M tcpre    all  --  *    *     0.0.0.0/0    0.0.0.0/0
So 317K packets entered your firewall (from all interfaces)
Chain POSTROUTING (policy ACCEPT 315K packets, 227M bytes)
 pkts bytes target   prot opt in   out   source       destination
 315K  227M tcpost   all  --  *    *     0.0.0.0/0    0.0.0.0/0
Hence, 315K packets left the firewall (on all interfaces)
Chain tcpre (1 references)
 pkts bytes target    prot opt in   out   source       destination
   23  2615 MARK      icmp --  *    *     0.0.0.0/0    0.0.0.0/0    icmp type 8 MARK set 0x6
    2   956 MARK      icmp --  *    *     0.0.0.0/0    0.0.0.0/0    icmp type 0 MARK set 0x6
 317K  225M CONNMARK  all  --  *    *     0.0.0.0/0    0.0.0.0/0    MARK match 0x0/0xffff CONNMARK restore mask 0xff
 306K  224M RETURN    all  --  *    *     0.0.0.0/0    0.0.0.0/0    MARK match !0x0/0xffff
11617  736K MARK      all  --  *    *     0.0.0.0/0    0.0.0.0/0    MARK set 0x1
So of the 317K that entered your firewall, 306K of them had a
connection mark already or were echo-request/response. The remaining
11k got an initial mark of 1. They then went through the rest of the
rules where you've got ONE CHANCE to mark them. Because at the end,
you save the mark so that no packets from the connection will go
through the marking rules again.
I have three suggestions:
a) Move the marking to the FORWARD chain.
b) Get rid of the unconditional rule that marks all packets with 1.
c) Except for the ipp2p rule, you only want to execute the other marking
rules if the output interface is ppp0.
HTH,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
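The "one chance" behaviour Tom describes in point b), and the chain-visibility issue in point a), modelled in Python. This is an added example, not code from the thread, from Shorewall, or from the poster's tcrules; it mimics netfilter's CONNMARK restore / RETURN / MARK / CONNMARK save semantics so the two rulesets can be compared without root or a kernel. The rule order after "MARK set 0x1" is reconstructed from the truncated dump, the P2P mark value 0x2 is assumed (only 0x1 and 0x6 appear on the page), and the packet flow is constructed sample data.

```python
"""Model of the tcpre marking logic from the thread (added illustration).

Not Shorewall code: a minimal emulation of mangle-table rule traversal with
connection marks, used to show why an unconditional "MARK set 0x1" followed by
a CONNMARK save gives ipp2p only the first packet of a flow to match on.
"""

from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

MARK_MASK = 0xFFFF   # as in "MARK match 0x0/0xffff" in the dump
SAVE_MASK = 0xFF     # as in "CONNMARK restore mask 0xff" in the dump
DEFAULT_MARK = 0x1   # the unconditional mark in the poster's tcpre chain
ICMP_MARK = 0x6      # echo-request/reply mark in the dump
P2P_MARK = 0x2       # assumed value for the ipp2p class (not from the page)


@dataclass
class Packet:
    conn: str                  # conntrack identity (one string per flow)
    in_if: Optional[str]       # None = generated on the firewall itself
    out_if: Optional[str]      # None = delivered to the firewall itself
    proto: str = "tcp"
    p2p_payload: bool = False  # would ipp2p's payload pattern match this packet?
    mark: int = 0


def seen_by(chain: str, pkt: Packet) -> bool:
    """Which mangle chains a packet traverses (netfilter hook placement)."""
    if chain == "PREROUTING":
        return pkt.in_if is not None
    if chain == "FORWARD":
        return pkt.in_if is not None and pkt.out_if is not None
    if chain == "OUTPUT":
        return pkt.in_if is None
    raise ValueError(chain)


def chains_seeing(pkt: Packet) -> List[str]:
    return [c for c in ("PREROUTING", "FORWARD", "OUTPUT") if seen_by(c, pkt)]


# A rule is (match, action); an action returning "RETURN" ends the chain.
Conntrack = Dict[str, int]
Rule = Tuple[Callable[[Packet], bool], Callable[[Packet, Conntrack], Optional[str]]]


def connmark_restore(pkt: Packet, ct: Conntrack) -> None:
    pkt.mark = ct.get(pkt.conn, 0) & SAVE_MASK


def connmark_save(pkt: Packet, ct: Conntrack) -> None:
    ct[pkt.conn] = pkt.mark


def set_mark(value: int) -> Callable[[Packet, Conntrack], None]:
    def action(pkt: Packet, ct: Conntrack) -> None:
        pkt.mark = value
    return action


def ret(pkt: Packet, ct: Conntrack) -> str:
    return "RETURN"


# Structure of the poster's chain, reconstructed from the (truncated) dump.
ORIGINAL: List[Rule] = [
    (lambda p: p.proto == "icmp", set_mark(ICMP_MARK)),
    (lambda p: p.mark & MARK_MASK == 0, connmark_restore),
    (lambda p: p.mark & MARK_MASK != 0, ret),
    (lambda p: True, set_mark(DEFAULT_MARK)),      # suggestion b): drop this
    (lambda p: p.p2p_payload, set_mark(P2P_MARK)),
    (lambda p: True, connmark_save),
]

# Suggestions b) and c): no unconditional mark, and non-P2P marks only when
# the packet leaves via ppp0 (meaningful in FORWARD, where out_if is known).
CORRECTED: List[Rule] = [
    (lambda p: p.proto == "icmp" and p.out_if == "ppp0", set_mark(ICMP_MARK)),
    (lambda p: p.mark & MARK_MASK == 0, connmark_restore),
    (lambda p: p.mark & MARK_MASK != 0, ret),
    (lambda p: p.p2p_payload, set_mark(P2P_MARK)),
    (lambda p: True, connmark_save),
]


def run_chain(rules: List[Rule], pkt: Packet, ct: Conntrack) -> int:
    for match, action in rules:
        if match(pkt) and action(pkt, ct) == "RETURN":
            break
    return pkt.mark


def marks_for(rules: List[Rule], packets: List[Packet]) -> List[int]:
    """Final mark of each packet; one conntrack table is shared across the flow."""
    ct: Conntrack = {}
    return [run_chain(rules, replace(p), ct) for p in packets]


# Constructed sample flow: LAN host to a peer via ppp0; the ipp2p signature
# only appears in the third packet, as it would for a real P2P handshake.
P2P_FLOW = [
    Packet("lan->peer", "eth1", "ppp0"),
    Packet("lan->peer", "eth1", "ppp0"),
    Packet("lan->peer", "eth1", "ppp0", p2p_payload=True),
    Packet("lan->peer", "eth1", "ppp0"),
]

if __name__ == "__main__":
    print("original :", marks_for(ORIGINAL, P2P_FLOW))   # every packet stuck at 0x1
    print("corrected:", marks_for(CORRECTED, P2P_FLOW))  # 0x2 from the third packet on
```

With the original ordering the first packet is stamped 0x1 and saved, so every later packet hits the RETURN rule and ipp2p never sees the payload it needs; without the unconditional mark, unclassified packets keep a saved mark of 0 and re-enter the rules until something matches. The `chains_seeing` helper shows the point a) side: a packet the firewall itself originates never traverses PREROUTING, and inbound-to-firewall traffic does traverse it but not FORWARD. Shorewall has its own setting for moving marking into FORWARD (MARK_IN_FORWARD_CHAIN in shorewall.conf); check the tcrules documentation for the 3.4 release before relying on it.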
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
