On 10/27/2016 08:10 AM, Philip Le Riche wrote:
> I'm using Shorewall to separate a bunch of Raspberry Pis on a local
> network (enp2s0 - pinet) from the school network (eno1 - schl). The
> ruleset allows the Pis to be controlled from school PCs using PuTTY or
> VNC and to access the web through the school network. I added a 3rd NIC
> (enp3s0 - inet) to the firewall connected to an unfiltered Internet
> connection to allow students to use traceroute on the Pis for the
> purposes of a lesson on Internet routing. The idea is to use the fact
> that traceroute uses udp 33434-33523 to route traceroute traffic only
> to inet.
>
> In providers I have:
>
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
> raw    1       1     -          enp3s0     172.18.57.254
>
> I mark traceroute traffic in mangle with:
>
> #ACTION   SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  USER  TEST
> MARK(1)   enp2s0  -     udp    33434:33523   -               -     -
>
> and I route them in rtrules with:
>
> #SOURCE  DEST  PROVIDER  PRIORITY  MARK
> enp2s0   -     raw       11000     1
>
> Relevant rules are:
>
> #ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  RATE LIMIT  USER/GROUP
> ACCEPT   pinet   inet  udp    33434:33523
>
> yet traceroute shows the next hop as 172.16 (schl) not 172.18 (inet).
>
> I also tried traceroute -P 253, replacing udp 33434:33523 with 253 in
> mangle and rules, with no greater success.
>
> Is there something obvious I'm doing wrong?
Traceroute uses raw sockets which don't go through the IP stack.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
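The configuration quoted in the question hinges on one arithmetic fact: the mangle rule only marks UDP destination ports 33434:33523, which is exactly the 90 ports a default traceroute run (30 hops, 3 probes per hop) touches. The following is an added example, not code from the thread or from the Shorewall project. It models the quoted mangle rule and rtrules entry as plain functions and lists the probes that would fall outside the marked port range, so that an extended run (traceroute -m 64, or -q 4) silently leaves via the school network instead of inet. It assumes Linux traceroute 2.x behaviour, where each UDP probe's destination port is the base port (default 33434) plus the probe's sequence number; other implementations number their ports differently. The names Probe, traceroute_probes, mangle_mark, egress_zone and probes_leaking_to_schl are this example's own.

```python
# Added example, not from the thread or Shorewall. It models the quoted
# mangle rule (udp 33434:33523 from enp2s0 -> MARK 1) and rtrules entry
# (MARK 1 from enp2s0 -> provider "raw" on enp3s0, zone inet); anything
# left unmarked follows the main table's default route, which is via schl.
#
# Assumption (Linux traceroute 2.x): each UDP probe uses destination port
# base_port + probe sequence number, starting at the default base 33434,
# so a run with -m MAX_HOPS and -q NQUERIES touches MAX_HOPS * NQUERIES
# consecutive ports. BSD traceroute and Windows tracert differ.
from dataclasses import dataclass

DEFAULT_BASE_PORT = 33434                    # traceroute's default UDP base port
RULE_PORT_LO, RULE_PORT_HI = 33434, 33523    # DEST PORT(S) column of the mangle rule
PINET_IFACE = "enp2s0"                       # SOURCE column of the mangle rule


@dataclass(frozen=True)
class Probe:
    hop: int        # TTL of the probe (1-based)
    query: int      # probe number within that hop (1-based)
    dport: int      # UDP destination port


def traceroute_probes(max_hops=30, nqueries=3, base_port=DEFAULT_BASE_PORT):
    """Probes in send order; ports are consecutive from base_port (assumption above)."""
    return [
        Probe(hop=seq // nqueries + 1, query=seq % nqueries + 1, dport=base_port + seq)
        for seq in range(max_hops * nqueries)
    ]


def mangle_mark(in_iface, proto, dport):
    """Firewall mark the quoted mangle rule would assign to a forwarded packet."""
    if in_iface == PINET_IFACE and proto == "udp" and RULE_PORT_LO <= dport <= RULE_PORT_HI:
        return 1
    return 0


def egress_zone(mark):
    """rtrules sends MARK 1 from enp2s0 to provider 'raw' (enp3s0, zone inet);
    everything else takes the main table's default route, i.e. schl."""
    return "inet" if mark == 1 else "schl"


def probes_leaking_to_schl(max_hops=30, nqueries=3, base_port=DEFAULT_BASE_PORT):
    """Probes whose port falls outside the rule and so would leave via the school network."""
    return [
        p for p in traceroute_probes(max_hops, nqueries, base_port)
        if egress_zone(mangle_mark(PINET_IFACE, "udp", p.dport)) != "inet"
    ]


if __name__ == "__main__":
    print("default run (-m 30 -q 3) leaks:", probes_leaking_to_schl())
    leaked = probes_leaking_to_schl(max_hops=64)
    print("with -m 64, first probe routed via schl:", leaked[0] if leaked else None)
```

The model only covers the port arithmetic, that is, whether a probe can match the rule at all; it says nothing about whether the mark is actually applied to those packets on the firewall, which is the point Tom's reply addresses. Note also that with -m 64 every probe from hop 31 onward (port 33524 and up) is outside the range, so a student extending the hop limit would see the route change mid-trace.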
