On 06/27/2018 07:06 PM, Eddie wrote:
> Hi,
> 
> I just updated my Nethserver CentOS system to 7.5, which did NOT update
> the version of Shorewall I'm using.  After the update, I noticed that
> the ip rule table "main" is now duplicated, and I think in the wrong
> position after starting an OpenVPN client.  I will add that I haven't
> seen any problems with the rules/routes (so far), other than it looking
> wrong.
> 
> Here's what I see immediately after boot:
> 
> [root@Nethserver ~]# shorewall show routing
> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:12:39 PDT 2018
> 
> 
> Routing Rules
> 
> 0:      from all lookup local
> 32766:  from all lookup main
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> Table default:
> 
> 
> Table local:
> 
> local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
> local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
> local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
> broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
> broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
> broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
> broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
> broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> 
> Table main:
> 
> 192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
> 76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
> default via 76.91.192.1 dev eno1
> [root@Nethserver ~]#

Has Shorewall been started at this point?

> 
> At this point, there obviously won't be any issues with the table being
> duplicated.  But after then starting an OpenVPN client session:
> 
> [root@Nethserver ~]# shorewall show routing
> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:14:06 PDT 2018
> 
> 
> Routing Rules
> 
> 0:      from all lookup local
> 999:    from all lookup main
> 5000:   from all lookup spectrum
> 10000:  from all fwmark 0x10000/0xf0000 lookup net
> 10001:  from all fwmark 0x20000/0xf0000 lookup vpn
> 20000:  from 76.91.194.242 lookup net
> 20000:  from 10.18.2.170 lookup vpn
> 32765:  from all lookup balance
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> Table balance:
> 
> default via 76.91.192.1 dev eno1
> 
> Table default:
> 
> 10.18.2.169 dev tun0 scope link
> default via 10.18.2.169 dev tun0 src 10.18.2.170 metric 2
> 
> Table local:
> 
> local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
> local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
> local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 10.18.2.170 dev tun0 proto kernel scope host src 10.18.2.170
> broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
> broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
> broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
> broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
> broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
> broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> 
> Table main:
> 
> 76.91.192.1 dev eno1 scope link src 76.91.194.242
> 104.238.32.102 via 76.91.192.1 dev eno1
> 10.18.2.169 dev tun0 scope link src 10.18.2.170
> 192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
> 76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
> 
> Table net:
> 
> 76.91.192.1 dev eno1 scope link src 76.91.194.242
> default via 76.91.192.1 dev eno1 src 76.91.194.242
> 
> Table spectrum:
> 
> 216.55.149.49 via 10.18.2.169 dev tun0
> 214.3.118.39 via 10.18.2.169 dev tun0
> 214.16.193.213 via 10.18.2.169 dev tun0
> 214.16.193.199 via 10.18.2.169 dev tun0
> 205.73.236.4 via 10.18.2.169 dev tun0
> 195.201.14.99 via 10.18.2.169 dev tun0
> 155.22.160.15 via 10.18.2.169 dev tun0
> 155.22.160.12 via 10.18.2.169 dev tun0
> 131.78.212.84 via 10.18.2.169 dev tun0
> 131.78.211.149 via 10.18.2.169 dev tun0
> 131.78.204.149 via 10.18.2.169 dev tun0
> 131.78.200.85 via 10.18.2.169 dev tun0
> 131.78.200.62 via 10.18.2.169 dev tun0
> 104.25.36.116 via 10.18.2.169 dev tun0
> 104.25.35.116 via 10.18.2.169 dev tun0
> 
> Table vpn:
> 
> 10.18.2.169 dev tun0 scope link src 10.18.2.170
> default via 10.18.2.169 dev tun0 src 10.18.2.170
> [root@Nethserver ~]#
> 
> Notice now, that one of the "main" entries is one of the first tables
> referenced, before any of the rules introduced by the VPN.

This looks normal for a multi-ISP Shorewall configuration (with the
exception of the second 'lookup main' rule). What is your setting of
RESTORE_DEFAULT_ROUTE in shorewall.conf?

> 
> Also, I thought (from memory), that previously the second "main" table
> was ahead of "balance", because that table is used to force out all the
> packets that made it that far through the routing out via my ethernet
> card and not via the (split routed) VPN.
> 
> Is this an issue just with the updates between CentOS 7 -> 7.5, or are
> they influencing how Shorewall is constructing the rules/routes?
> 

The way in which Shorewall constructs rules/routes is dependent only
upon the Shorewall configuration.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
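The two "Routing Rules" listings above differ in exactly the way the thread is asking about: the boot-time listing has the same `from all lookup main` rule twice at priority 32766, and the post-VPN listing consults `main` at priority 999 as well as 32766, ahead of `balance`. The script below is an added example (not Shorewall code, and not from either poster) that parses that section of `shorewall show routing` / `ip rule` output, flags exact duplicate rules, reports any selector/table pair consulted at more than one priority, and answers ordering questions such as "is `main` consulted before `balance`?". The sample listings embedded in it are copied from the output quoted earlier in this message; the function names are the example's own.

```python
"""Sanity-check the "Routing Rules" section of `shorewall show routing`
(or plain `ip rule` output) for duplicate policy-routing rules and report
the order in which routing tables are consulted.

Added example for this thread; not part of Shorewall.
"""
import re
from collections import defaultdict

# Sample input taken from the two listings quoted in this thread:
# the rules right after boot (with the duplicated 'main' rule) ...
BOOT_RULES = """\
Routing Rules

0:      from all lookup local
32766:  from all lookup main
32766:  from all lookup main
32767:  from all lookup default

Table default:
"""

# ... and the rules after the OpenVPN client came up.
VPN_RULES = """\
Routing Rules

0:      from all lookup local
999:    from all lookup main
5000:   from all lookup spectrum
10000:  from all fwmark 0x10000/0xf0000 lookup net
10001:  from all fwmark 0x20000/0xf0000 lookup vpn
20000:  from 76.91.194.242 lookup net
20000:  from 10.18.2.170 lookup vpn
32765:  from all lookup balance
32766:  from all lookup main
32767:  from all lookup default

Table balance:
"""

# "<priority>:  <selector> lookup <table>"; the selector may contain
# fwmark or source qualifiers, so it is matched non-greedily up to 'lookup'.
RULE_RE = re.compile(r"^(\d+):\s+(.+?)\s+lookup\s+(\S+)$")


def parse_rules(text):
    """Return [(priority, selector, table), ...] for every rule line.

    Parsing stops at the first 'Table ...:' header so the per-table
    route bodies that follow are not mistaken for rules.  Leading '> '
    mail-quote prefixes are tolerated.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if line.startswith("Table "):
            break
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def exact_duplicates(rules):
    """Rules present more than once with identical priority, selector
    and table (what the boot-time listing shows for 'main')."""
    seen, dups = set(), []
    for rule in rules:
        if rule in seen and rule not in dups:
            dups.append(rule)
        seen.add(rule)
    return dups


def repeated_lookups(rules):
    """(selector, table) pairs consulted at more than one priority,
    mapped to the list of priorities.  Exact duplicates show up here too."""
    prios = defaultdict(list)
    for prio, selector, table in rules:
        prios[(selector, table)].append(prio)
    return {key: val for key, val in prios.items() if len(val) > 1}


def first_lookup(rules, table):
    """Lowest (i.e. earliest-consulted) priority at which `table` is
    looked up, or None if no rule references it."""
    prios = [prio for prio, _, t in rules if t == table]
    return min(prios) if prios else None


def consulted_before(rules, table_a, table_b):
    """True when table_a is first consulted at a lower priority number
    than table_b; False if either table is never referenced."""
    a, b = first_lookup(rules, table_a), first_lookup(rules, table_b)
    return a is not None and b is not None and a < b


def report(text):
    """Human-readable findings for one listing."""
    rules = parse_rules(text)
    lines = ["%d rules parsed" % len(rules)]
    for rule in exact_duplicates(rules):
        lines.append("exact duplicate: %d: %s lookup %s" % rule)
    for (selector, table), prios in repeated_lookups(rules).items():
        lines.append("'%s lookup %s' at priorities %s" % (selector, table, prios))
    return lines


if __name__ == "__main__":
    for name, text in (("boot", BOOT_RULES), ("vpn", VPN_RULES)):
        print("== %s ==" % name)
        print("\n".join(report(text)))
        print("main before balance:", consulted_before(parse_rules(text), "main", "balance"))
```

Run against the boot listing it reports the exact duplicate at 32766; against the VPN listing it reports `main` consulted at 999 and 32766 and confirms `main` is consulted before `balance`, which is the ordering Eddie was reasoning about. Note that the script only describes the rule order; whether that order is correct for a given setup depends on the Shorewall configuration, as Tom's reply says.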


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
