On 06/08/2016 03:33 AM, Holger Schramm wrote:
> Hi there,
>
> I am struggling with the setup of mangle and rtrules.
>
> Current state:
> - provider 1: mark 256
> - provider 2: mark 512
> - ip based routing via rtrules works
> - port/app based routing via marking does not work
>
> Error behavior:
> I connect to an ip via ssh and port 47238
> I get a connection but it is stalled and unusable.
> it feels like the backroute is not working, or packets are lost
>
> Preferred routing:
> mangle supersedes rtrules
>
> if port 47238:
> mark 256
> route via provider 1
>
> if ip in rtrules:
> route via provider given in rtrules
>
> I have added a shorewall dump to this mail and appreciate your help.
You need to disable rp_filter route filtering; I suspect that your system log is full of martian messages. Set ROUTE_FILTER=No in shorewall.conf and be sure that *routefilter* isn't specified on your provider interfaces. Also check /etc/sysctl.conf to be sure that it isn't enabling rp_filter (net.ipv4.conf.all.rp_filter=1). If you want route filtering on those interfaces, use the *rpfilter* option instead.

One word of caution -- you have a large number of rtrules with priority < 10000. If the hosts in those rules connect to your network via an interface other than the one specified in the rule, the connection will not work because the replies will go out of the rule-specified interface rather than the interface that accepted the connection.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
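A way to verify all three of the settings named above before reloading, as an added example that is not part of the thread or of Shorewall itself; it assumes the inputs are saved as plain files (sysctl -a output, shorewall.conf, an interfaces file in the ZONE INTERFACE OPTIONS layout, and a system log), and the sample inputs it writes are constructed:

```shell
#!/bin/sh
# Added example (not from the thread): audit the places where reverse-path
# filtering can still be switched on, plus the martian-log symptom.

# Interfaces whose rp_filter sysctl is 1 (strict). Input: one
# "net.ipv4.conf.<if>.rp_filter = N" line per interface (sysctl -a).
strict_rp_filter_ifaces() {
    awk -F'[ =]+' '$1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && $2 == 1 {
        split($1, p, "."); print p[4] }' "$1"
}

# ROUTE_FILTER value from shorewall.conf, "unset" if absent (want No).
shorewall_route_filter() {
    v=$(sed -n 's/^ROUTE_FILTER=//p' "$1" | tr -d '"' | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Non-comment lines whose OPTIONS carry routefilter (rpfilter, the
# alternative suggested in the reply, deliberately does not match).
routefilter_lines() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(^|[[:space:],])routefilter([[:space:],=]|$)'
}

# Martian lines in a saved kernel/system log (prints 0 when none).
martian_count() { grep -c 'martian source' "$1" || :; }

# Run every check on DIR/{sysctl,shorewall.conf,interfaces,syslog};
# exit 1 if anything still enables route filtering.
audit() {
    rc=0
    for i in $(strict_rp_filter_ifaces "$1/sysctl"); do
        echo "sysctl: rp_filter=1 on $i (use 0, or 2 for loose mode)"; rc=1
    done
    rf=$(shorewall_route_filter "$1/shorewall.conf")
    [ "$rf" = No ] || { echo "shorewall.conf: ROUTE_FILTER=$rf"; rc=1; }
    if l=$(routefilter_lines "$1/interfaces"); then
        printf 'interfaces: routefilter on: %s\n' "$l"; rc=1
    fi
    echo "martian log lines: $(martian_count "$1/syslog")"
    return $rc
}

# Constructed sample inputs reproducing the symptom (strict filter on eth1).
write_samples() {
    printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.eth0.rp_filter = 0\nnet.ipv4.conf.eth1.rp_filter = 1\n' > "$1/sysctl"
    printf 'ROUTE_FILTER=Yes\n' > "$1/shorewall.conf"
    printf '#ZONE INTERFACE OPTIONS\nnet eth0 tcpflags,routefilter\nnet eth1 rpfilter\n' > "$1/interfaces"
    printf 'kernel: IPv4: martian source 10.0.0.5 from 192.0.2.9, on dev eth1\n' > "$1/syslog"
}
```

Run `d=$(mktemp -d); write_samples "$d"; audit "$d"` to see the three findings; point the same functions at real files to gate a `shorewall reload`.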
