On 9/12/2015 3:59 PM, Vieri Di Paola wrote:
>
>
>> We still need the iptrace output. That output is directed according to
>> the current setting of LOG_BACKEND. If you want the output to be handled
>> by syslog-ng, use LOG_BACKEND=LOG.
>
>
> My LOG_BACKEND= is blank and I wrongly thought the default was LOG.
> So before I read your reply I ran:
> sysctl net.netfilter.nf_log.2=nf_log_ipv4
> because it was set to nfnetlink_log.
>
> So now I finally have TRACE messages.
>
> The only change from my previous post is in the mangle file:
>
> MARK(2):P 10.215.144.0/22 10.215.224.0/20 all
> MARK(2):P 10.215.246.0/23 10.215.224.0/20 all
> MARK(2):P 10.215.248.0/24 10.215.224.0/20 all
> MARK(3):P 10.215.247.194 10.215.236.221 all
>
> and I'm ping'ing from 10.215.246.24 to 10.215.237.237 (failed).
>
> The TRACE messages follow:
>
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: raw:PREROUTING:policy:13 IN=enp5s3
> OUT= MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp5s3
> OUT= MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:rule:8 IN=enp5s3
> OUT= MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpre:rule:2 IN=enp5s3 OUT=
> MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpre:return:5 IN=enp5s3 OUT=
> MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938 MARK=0x2
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:policy:9 IN=enp5s3
> OUT= MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938 MARK=0x2
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: nat:PREROUTING:policy:2 IN=enp5s3 OUT=
> MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938 MARK=0x2
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:rule:1 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938 MARK=0x2
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:rule:2 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcfor:return:1 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:policy:3 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:FORWARD:rule:2 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan_frwd:rule:2 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan-lan:rule:1 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:dynamic:return:1 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan-lan:return:4 IN=enp5s3
> OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24
> DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:POSTROUTING:rule:1 IN=
> OUT=enp5s3 SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00
> TTL=127 ID=1387 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpost:return:1 IN= OUT=enp5s3
> SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=1387 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:POSTROUTING:policy:2 IN=
> OUT=enp5s3 SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00
> TTL=127 ID=1387 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
> Sep 13 00:43:13 inf-fw3 kernel: TRACE: nat:POSTROUTING:policy:1 IN=
> OUT=enp5s3 SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00
> TTL=127 ID=1387 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
>
> Anyway, I'm attaching a shorewall dump.
>

The traffic is being routed back out of enp5s3 as a result of this route
in the main table:

    10.215.0.0/16 dev enp5s3 proto kernel scope link src 10.215.144.91

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
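
A way to read a TRACE capture like the one in this thread mechanically, given as an added example that is not part of the original messages: it parses the kernel TRACE lines, reports where the MARK= value changes between traced hops, and finds the first hop where the packet leaves on the interface it arrived on. The sample lines are constructed (shortened, with made-up interface names and addresses), and the function names are this example's own.

```python
import re

# Constructed sample in the TRACE format quoted above; names and addresses are made up.
SAMPLE = """\
Sep 13 00:43:13 fw kernel: TRACE: mangle:tcpre:rule:2 IN=eth1 OUT= SRC=192.0.2.24 DST=198.51.100.7 ID=1387
Sep 13 00:43:13 fw kernel: TRACE: mangle:tcpre:return:5 IN=eth1 OUT= SRC=192.0.2.24 DST=198.51.100.7 ID=1387 MARK=0x2
Sep 13 00:43:13 fw kernel: TRACE: mangle:FORWARD:rule:1 IN=eth1 OUT=eth1 SRC=192.0.2.24 DST=198.51.100.7 ID=1387 MARK=0x2
Sep 13 00:43:13 fw kernel: TRACE: mangle:FORWARD:rule:2 IN=eth1 OUT=eth1 SRC=192.0.2.24 DST=198.51.100.7 ID=1387
Sep 13 00:43:13 fw kernel: TRACE: filter:lan-lan:return:4 IN=eth1 OUT=eth1 SRC=192.0.2.24 DST=198.51.100.7 ID=1387
Sep 13 00:43:13 fw kernel: TRACE: nat:POSTROUTING:policy:1 IN= OUT=eth1 SRC=192.0.2.24 DST=198.51.100.7 ID=1387
"""

TRACE_RE = re.compile(r"TRACE: (\w+):([\w-]+):(rule|return|policy):(\d+) (.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_trace(text):
    """Return one dict per TRACE line: the hop name plus its KEY=value fields."""
    hops = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a TRACE line
        table, chain, kind, num, rest = m.groups()
        fields = {}
        for key, value in FIELD_RE.findall(rest):
            fields.setdefault(key, value)  # keep the first ID= (IP ID, not ICMP ID)
        hops.append({"hop": f"{table}:{chain}:{kind}:{num}", **fields})
    return hops

def mark_changes(hops):
    """List (hop, old, new) wherever MARK= differs from the previous traced hop."""
    changes, prev = [], None
    for h in hops:
        mark = h.get("MARK")
        if mark != prev:
            changes.append((h["hop"], prev, mark))
        prev = mark
    return changes

def hairpin(hops):
    """First hop where the packet is sent out of the interface it arrived on."""
    for h in hops:
        if h.get("IN") and h["IN"] == h.get("OUT"):
            return h["hop"], h["IN"]
    return None

if __name__ == "__main__":
    hops = parse_trace(SAMPLE)
    print(mark_changes(hops), hairpin(hops))
```
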
