On 12/23/2015 09:47 AM, Nigel Quinn wrote:
> So, I have a server: eth0 WAN, eth1 LAN, and tun10 is the tun interface
> that CoovaChilli puts onto eth1 to capture all user traffic, then
> authenticates it against a RADIUS server, and routes authenticated
> traffic to eth0 to access the internet.
>
> The problem I am having is that Shorewall intermittently has issues
> with the NATing of packets, so I see lots of SFILTER messages showing
> return traffic coming into eth0 to the IP address of PCs on
> tun10 (192.168.200.0/24). So at times the clients can access the
> internet and at other times they can't. So why the SFILTER messages?
> If the masq file is configured correctly, why is Shorewall not
> translating the packets, or keeping track of the translation?
First of all, Shorewall neither translates packets nor does it keep track of translations. Shorewall is a tool for configuring various networking facilities within the Linux kernel. It is those facilities that are responsible for translation.

The most common cause of the problem you describe happens with UDP; I notice that the 'sfilter' log messages in the dump all refer to UDP. The problem happens because UDP packets are received by your gateway before Shorewall has started (has configured the kernel based on the input that you have provided). This establishes an entry in the conntrack table that does not apply NAT. So, for as long as the client tries to use that stream, the packets sent as part of the stream will not have NAT applied.

There are a couple of things that you can do to work around this issue:

a) Install and configure Shorewall Init; or

b) Install the 'conntrack' utility and configure STARTOPTIONS to include the '-p' option. That way, when Shorewall is started by init, it will purge the conntrack table so that all subsequent UDP packets will create new (natted) conntrack entries. STARTOPTIONS are specified in /etc/sysconfig/shorewall on CentOS.

-Tom

--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
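The stale-conntrack situation Tom describes can be confirmed directly from the conntrack table: a UDP flow that was tracked before the MASQUERADE/SNAT rules were loaded has a reply tuple whose destination is still the LAN host, whereas a correctly translated flow has the gateway's WAN address there. The script below is an added example, not code from the thread or from the Shorewall project. It parses `conntrack -L`-style lines (the constructed sample embedded here; in practice you would pipe the real `conntrack -L` output into the function) and reports UDP flows from the client prefix that will never be translated. The WAN address 203.0.113.5 and the default LAN prefix 192.168.200. are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from Shorewall): find UDP
# flows in conntrack(8) "-L" output that were tracked before NAT rules were
# loaded and therefore never get translated.
#
# Each conntrack line carries two tuples, "original" then "reply":
#   src=<lan host> dst=<server> sport=.. dport=..  src=<server> dst=<X> sport=.. dport=..
# With MASQUERADE/SNAT in place, <X> is the gateway's WAN address.  If the
# entry was created before the nat rules existed, <X> is the LAN host itself,
# and every later packet of that flow bypasses NAT (the SFILTER symptom).

# Client prefix to look for; 192.168.200. is assumed from the question.
LAN_PREFIX="${LAN_PREFIX:-192.168.200.}"

# Reads conntrack -L lines on stdin, prints "<lan-src> -> <dst>:<dport>" for
# every UDP flow whose reply tuple still points at the LAN host.
find_unnatted_udp() {
    awk -v lan="$LAN_PREFIX" '
    $1 == "udp" {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }   # n=1 original, n=2 reply
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            if ($i ~ /^dport=/ && n == 1) { dport = substr($i, 7) }
        }
        # Un-NATed: original src is a LAN client and the reply is addressed
        # straight back to it instead of to the WAN address.
        if (index(src[1], lan) == 1 && dst[2] == src[1])
            printf "%s -> %s:%s\n", src[1], dst[1], dport
    }'
}

# Constructed sample of conntrack -L output (not captured from a real host).
# Line 1: stale, un-NATed UDP flow.  Line 2: correctly translated UDP flow
# (reply goes to the assumed WAN address 203.0.113.5).  Line 3: a TCP flow,
# ignored here because the thread concerns UDP.
sample_conntrack() {
    cat <<'EOF'
udp      17 29 src=192.168.200.10 dst=8.8.8.8 sport=50000 dport=53 src=8.8.8.8 dst=192.168.200.10 sport=53 dport=50000 mark=0 use=1
udp      17 29 src=192.168.200.11 dst=8.8.8.8 sport=50001 dport=53 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=50001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.200.12 dst=93.184.216.34 sport=41000 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=41000 [ASSURED] mark=0 use=1
EOF
}

# Stand-alone run against the sample; on a live gateway use:
#   conntrack -L | find_unnatted_udp
sample_conntrack | find_unnatted_udp
```

Any line this prints is a flow that Tom's workaround addresses: either let Shorewall Init close the window before traffic arrives, or set `STARTOPTIONS="-p"` so the table is flushed at start. Flushing the table (`conntrack -F`, which is what the `-p` start option does for you) is what removes the stale entries; the next UDP datagram from the client then creates a fresh entry that picks up the MASQUERADE rule.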
