As I said, traceroute is being used on the Pis, not the firewall, so
after leaving a raw socket on a Pi they should still hit the IP stack on
the firewall and get filtered and routed by Shorewall like anything
else. My question remains.
Useful to know about traceroute and raw sockets though - like many
things, obvious when you think about it. I was going to set up similar
rules with $FW as source purely for testing and diagnostics.
Regards - Philip
On 27/10/2016 19:04, Tom Eastep wrote:
> On 10/27/2016 08:10 AM, Philip Le Riche wrote:
> > I'm using Shorewall to separate a bunch of Raspberry Pis on a
> > local network (enp2s0 - pinet) from the school network (eno1 -
> > schl). The ruleset allows the Pis to be controlled from school PCs
> > using PuTTY or VNC and to access the web through the school
> > network. I added a 3rd NIC (enp3s0 - inet) to the firewall
> > connected to an unfiltered Internet connection to allow students to
> > use traceroute on the Pis for the purposes of a lesson on Internet
> > routing. The idea is to use the fact that traceroute uses udp
> > 33434-33523 to route traceroute traffic only to inet.
>
> > In providers I have:
> >
> > #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
> > raw    1       1     -          enp3s0     172.18.57.254
>
> > I mark traceroute traffic in mangle with:
> >
> > #ACTION  SOURCE  DEST  PROTO  DEST         SOURCE   USER  TEST
> > #                            PORT(S)      PORT(S)
> > MARK(1)  enp2s0  -     udp    33434:33523  -        -     -
>
> > and I route them in rtrules with:
> >
> > #SOURCE  DEST  PROVIDER  PRIORITY  MARK
> > enp2s0   -     raw       11000     1
>
> > Relevant rules are:
> >
> > #ACTION  SOURCE  DEST  PROTO  DEST         SOURCE   RATE   USER/
> > #                            PORT(S)      PORT(S)  LIMIT  GROUP
> > ACCEPT   pinet   inet  udp    33434:33523
>
> > yet traceroute shows the next hop as 172.16 (schl) not 172.18
> > (inet).
>
> > I also tried traceroute -P 253, replacing udp 33434:33523 with 253
> > in mangle and rules, with no greater success.
>
> > Is there something obvious I'm doing wrong?
>
>
> Traceroute uses raw sockets which don't go through the IP stack.
>
> -Tom
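The thread's setup chains three Shorewall files: a mangle entry sets a firewall mark on UDP probes arriving on enp2s0, an rtrules entry sends marked packets to the "raw" provider, and providers defines that table. The following checker is an added example, not Shorewall's code or anything from the list: it models that mark-then-route decision for a forwarded packet and lints the three files against each other (rtrules naming an undefined provider, a mark set in mangle that no rtrules entry selects). The sample tables are constructed from the entries quoted above with columns trimmed to what the checker reads; the DEST column, Shorewall's default rtrules priorities and its full column set are assumptions simplified away.

```python
import re

# Constructed sample tables, shaped like the quoted providers, mangle and
# rtrules entries (assumption: columns reduced to those the checker needs).
PROVIDERS = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY
raw 1 1 - enp3s0 172.18.57.254
"""

MANGLE = """\
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1) enp2s0 - udp 33434:33523 - - -
"""

RTRULES = """\
#SOURCE DEST PROVIDER PRIORITY MARK
enp2s0 - raw 11000 1
"""

MARK_RE = re.compile(r"MARK\((\d+)\)")


def parse_table(text):
    """Split a whitespace-separated Shorewall table into rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows


def port_matches(port, spec):
    """Shorewall port column: '-' (any), 'N', or 'N:M' inclusive range."""
    if spec == "-":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def firewall_mark(pkt, mangle_rows):
    """First matching MARK(n) entry wins, as in the mangle PREROUTING chain."""
    for action, src, _dest, proto, dport, _sport, _user, _test in mangle_rows:
        m = MARK_RE.fullmatch(action)
        if not m:
            continue
        if src != "-" and src != pkt["iif"]:
            continue
        if proto != "-" and proto != pkt["proto"]:
            continue
        if not port_matches(pkt["dport"], dport):
            continue
        return int(m.group(1))
    return 0


def routing_table(pkt, mangle_rows, rtrule_rows):
    """Policy-routing decision: rtrules in priority order, else the main table."""
    mark = firewall_mark(pkt, mangle_rows)
    for src, _dest, provider, _prio, rmark in sorted(rtrule_rows, key=lambda r: int(r[3])):
        if src != "-" and src != pkt["iif"]:
            continue
        if rmark != "-" and int(rmark) != mark:
            continue
        return provider
    return "main"


def lint(provider_rows, mangle_rows, rtrule_rows):
    """Cross-file checks: every rtrule names a provider, every mangle mark is routed."""
    problems = []
    providers = {row[0] for row in provider_rows}
    marks_set = set()
    for row in mangle_rows:
        m = MARK_RE.fullmatch(row[0])
        if m:
            marks_set.add(int(m.group(1)))
    marks_routed = {int(row[4]) for row in rtrule_rows if row[4] != "-"}
    for row in rtrule_rows:
        if row[2] not in providers:
            problems.append(f"rtrules: provider {row[2]!r} is not defined in providers")
    for mark in sorted(marks_set - marks_routed):
        problems.append(f"mangle: MARK({mark}) is set but no rtrules entry selects it")
    return problems


if __name__ == "__main__":
    mangle, rtrules, providers = parse_table(MANGLE), parse_table(RTRULES), parse_table(PROVIDERS)
    probe = {"iif": "enp2s0", "proto": "udp", "dport": 33434}   # a traceroute probe from a Pi
    web = {"iif": "enp2s0", "proto": "tcp", "dport": 80}        # ordinary web traffic from a Pi
    print("traceroute probe ->", routing_table(probe, mangle, rtrules))
    print("web traffic      ->", routing_table(web, mangle, rtrules))
    print("lint:", lint(providers, mangle, rtrules) or "no problems found")
```

The model only covers the forwarded path, which is the point made above: probes generated on the Pis reach the firewall as ordinary packets on enp2s0, so the mark is applied in PREROUTING before the route lookup. On the real box the same decision can be inspected with `ip rule show` and `ip route show table raw`, which the lint cannot replace.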
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users