Matt Harrison wrote:
> Shorewall Geek wrote:
>> When marking rules don't work as expected, it is usually the result of
>> failing to take into account which direction the packets are flowing
>> relative to which way the connections were originally made. Your rules
>> above will only mark outgoing packets from connections that originate
>> behind the firewall. Outgoing packets from connections that originate on
>> the net and connect to SSH servers behind the firewall will have SOURCE
>> PORT == 22 rather than DEST PORT == 22.
>
> Thanks for the replies,
>
> That makes sense. I was only trying for connections originating inside
> the network, but when that's working I will look at the other way.
>
>> If that is not the problem in your case, please submit the output of
>> 'shorewall dump' collected as described at
>> http://www.shorewall.net/support.htm#Guidelines.
>
> Please see attached status.txt.bz2
Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
  607  160K CLASSIFY   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 CLASSIFY set 1:12
   12  1488 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK match 0xa/0xff CLASSIFY set 1:110

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
  261 15876 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 MARK set 0x1
You are setting the mark for outgoing SSH to 1. 261 packets
destined for TCP port 22 entered PREROUTING. Note, however, that only 12
of them exited through eth1; those were correctly classified to class 1:11.
From further down in the dump, we see:
class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 1500 rate 40000bit ceil 512000bit burst 1504b/8 mpu 0b overhead 0b cburst 1563b/8 mpu 0b overhead 0b level 0
 Sent 1656 bytes 12 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 12 borrowed: 0 giants: 0
 tokens: 284570 ctokens: 23132
So exactly 12 packets were sent through class 1:11.
PS -- you are running a very old and unsupported version of Shorewall.
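As an added illustration (not part of the thread and not Shorewall's own code): a small Python script that reads the wrapped 'iptables -nvL'-style chain listings found in a 'shorewall dump', rejoins the lines the mail client broke, and then reports, per mark value, how many packets the tcpre MARK rule tagged versus how many reached a tcpost rule matching that mark. It also flags MARK rules keyed only on dpt:, which is the direction problem described at the top of the thread. The sample dump, the helper names and the wording of the findings are all constructed for this example; the counters are the ones quoted above.

```python
"""Rejoin wrapped iptables chain listings and account for marked vs classified
packets. Added example (not Shorewall code); sample dump constructed from the
counters quoted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the tcpre/tcpost chains exactly as the mail client wrapped them.
SAMPLE_DUMP = """\
Chain tcpost (1 references)
pkts bytes target prot opt in out source
destination
607 160K CLASSIFY tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 CLASSIFY set 1:12
12 1488 CLASSIFY all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0x2/0xff CLASSIFY set 1:12
0 0 CLASSIFY all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0xa/0xff CLASSIFY set 1:110
Chain tcpre (1 references)
pkts bytes target prot opt in out source
destination
261 15876 MARK tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 MARK set 0x1
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # everything after the destination column, e.g. "tcp dpt:22 MARK set 0x1"


_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_SET = re.compile(r"MARK set (0x[0-9a-fA-F]+)")
_MATCH = re.compile(r"MARK match (0x[0-9a-fA-F]+)(?:/0x[0-9a-fA-F]+)?")


def parse_count(text: str) -> int:
    """Convert an iptables -v counter such as '160K' (decimal K/M/G) to an int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_dump(text: str) -> List[Rule]:
    """Parse chain listings; a line starting with a counter begins a rule and any
    following non-header line is a wrapped continuation of that rule."""
    rules: List[Rule] = []
    chain = ""
    pending: List[str] = []  # tokens of the rule currently being assembled

    def flush() -> None:
        if pending:
            t = pending
            rules.append(Rule(chain, parse_count(t[0]), parse_count(t[1]), t[2], t[3],
                              t[5], t[6], t[7], t[8], " ".join(t[9:])))
            pending.clear()

    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Chain":
            flush()
            chain = tokens[1]
        elif tokens[0].isdigit():  # a pkts counter starts a new rule
            flush()
            pending.extend(tokens)
        elif pending:              # continuation of a wrapped rule line
            pending.extend(tokens)
        # anything else is the column header ('pkts bytes ...' / 'destination')
    flush()
    return rules


def mark_accounting(rules: List[Rule]) -> Dict[int, Dict[str, int]]:
    """Per mark value: packets tagged by MARK rules vs packets that hit a rule
    matching that mark (the CLASSIFY rules in tcpost)."""
    acct: Dict[int, Dict[str, int]] = {}
    for r in rules:
        for regex, key in ((_SET, "marked"), (_MATCH, "matched")):
            m = regex.search(r.extra)
            if m:
                mark = int(m.group(1), 16)
                acct.setdefault(mark, {"marked": 0, "matched": 0})[key] += r.pkts
    return acct


def diagnose(rules: List[Rule]) -> List[str]:
    """Explain count mismatches and flag MARK rules that see only one direction."""
    findings = []
    for mark, c in sorted(mark_accounting(rules).items()):
        if c["marked"] > c["matched"]:
            outs = sorted({r.out_if for r in rules
                           if (m := _MATCH.search(r.extra)) and int(m.group(1), 16) == mark})
            findings.append(
                f"mark 0x{mark:x}: {c['marked']} packets marked but only {c['matched']} reached "
                f"a rule matching that mark (out {', '.join(outs) or 'any'}); the remaining "
                f"{c['marked'] - c['matched']} left through another interface or were "
                f"delivered to the firewall itself, so they were never classified")
    for r in rules:
        if _SET.search(r.extra) and "dpt:" in r.extra and "spt:" not in r.extra:
            port = re.search(r"dpt:(\d+)", r.extra).group(1)
            findings.append(
                f"{r.chain}: MARK rule matches only dpt:{port}; packets of connections "
                f"initiated from the other side carry spt:{port} and are not marked")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_dump(SAMPLE_DUMP)):
        print(line)
```

Run on the sample it reports that 261 packets got mark 0x1 but only 12 reached the eth1 CLASSIFY rule, and that the tcpre rule keyed on dpt:22 will not mark the server-to-client side of inbound SSH connections. Point parse_dump at the mangle-table section of a real dump to get the same accounting for your own rules.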
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users