On 07/01/2018 05:04 PM, Eddie wrote:
> Tom,
> 
> Sorry, I realised that I didn't send my last reply to the list.  I also
> used the wrong e-mail address, so even if I had, it would have bounced:
> 
> On 7/1/2018 12:51 PM, Tom Eastep wrote:
>> On 07/01/2018 12:36 PM, Eddie Atherton wrote:
>>> Tom,
>>>
>>>
>>> On 7/1/2018 8:52 AM, Tom Eastep wrote:
>>>> On 06/27/2018 07:06 PM, Eddie wrote:
>>>>> Hi,
>>>>>
>>>>> I just updated my Nethserver CentOS system to 7.5, which did NOT
>>>>> update
>>>>> the version of Shorewall I'm using.  After the update, I noticed that
>>>>> the ip rule table "main" is now duplicated, and I think in the wrong
>>>>> position after starting an OpenVPN client.  I will add that I haven't
>>>>> seen any problems with the rules/routes (so far), other than it
>>>>> looking
>>>>> wrong.
>>>>>
>>>>> Here's what I see immediately after boot:
>>>>>
>>>>> [root@Nethserver ~]# shorewall show routing
>>>>> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27
>>>>> 18:12:39 PDT 2018
>>>>>
>>>>>
>>>>> Routing Rules
>>>>>
>>>>> 0:      from all lookup local
>>>>> 32766:  from all lookup main
>>>>> 32766:  from all lookup main
>>>>> 32767:  from all lookup default
>>>>>
>>>>> Table default:
>>>>>
>>>>>
>>>>> Table local:
>>>>>
>>>>> local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
>>>>> local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
>>>>> local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
>>>>> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
>>>>> broadcast 76.91.207.255 dev eno1 proto kernel scope link src
>>>>> 76.91.194.242
>>>>> broadcast 76.91.192.0 dev eno1 proto kernel scope link src
>>>>> 76.91.194.242
>>>>> broadcast 192.168.150.255 dev wg0 proto kernel scope link src
>>>>> 192.168.150.1
>>>>> broadcast 192.168.150.0 dev wg0 proto kernel scope link src
>>>>> 192.168.150.1
>>>>> broadcast 192.168.0.255 dev br0 proto kernel scope link src
>>>>> 192.168.0.254
>>>>> broadcast 192.168.0.0 dev br0 proto kernel scope link src
>>>>> 192.168.0.254
>>>>> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
>>>>> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
>>>>> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>>>>>
>>>>> Table main:
>>>>>
>>>>> 192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
>>>>> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
>>>>> 76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
>>>>> default via 76.91.192.1 dev eno1
>>>>> [root@Nethserver ~]#
>>>> Has Shorewall been started at this point?
>>> Yes.

Then who is setting up policy routing when the VPN is active?

>>>
>>>>> At this point, there obviously won't be any issues with the table
>>>>> being
>>>>> duplicated.  But after then starting an OpenVPN client session:
>>>>>
>>>>> [root@Nethserver ~]# shorewall show routing
>>>>> Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27
>>>>> 18:14:06 PDT 2018
>>>>>
>>>>>
>>>>> Routing Rules
>>>>>
>>>>> 0:      from all lookup local
>>>>> 999:    from all lookup main
>>>>> 5000:   from all lookup spectrum
>>>>> 10000:  from all fwmark 0x10000/0xf0000 lookup net
>>>>> 10001:  from all fwmark 0x20000/0xf0000 lookup vpn
>>>>> 20000:  from 76.91.194.242 lookup net
>>>>> 20000:  from 10.18.2.170 lookup vpn
>>>>> 32765:  from all lookup balance
>>>>> 32766:  from all lookup main
>>>>> 32767:  from all lookup default
>>>>>
>>>>> Table balance:
>>>>>
>>>>> default via 76.91.192.1 dev eno1
>>>>>
>>>>> Table default:
>>>>>
>>>>> 10.18.2.169 dev tun0 scope link
>>>>> default via 10.18.2.169 dev tun0 src 10.18.2.170 metric 2
>>>>>
>>>>> Table local:
>>>>>
>>>>> local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
>>>>> local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
>>>>> local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
>>>>> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
>>>>> local 10.18.2.170 dev tun0 proto kernel scope host src 10.18.2.170
>>>>> broadcast 76.91.207.255 dev eno1 proto kernel scope link src
>>>>> 76.91.194.242
>>>>> broadcast 76.91.192.0 dev eno1 proto kernel scope link src
>>>>> 76.91.194.242
>>>>> broadcast 192.168.150.255 dev wg0 proto kernel scope link src
>>>>> 192.168.150.1
>>>>> broadcast 192.168.150.0 dev wg0 proto kernel scope link src
>>>>> 192.168.150.1
>>>>> broadcast 192.168.0.255 dev br0 proto kernel scope link src
>>>>> 192.168.0.254
>>>>> broadcast 192.168.0.0 dev br0 proto kernel scope link src
>>>>> 192.168.0.254
>>>>> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
>>>>> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
>>>>> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>>>>>
>>>>> Table main:
>>>>>
>>>>> 76.91.192.1 dev eno1 scope link src 76.91.194.242
>>>>> 104.238.32.102 via 76.91.192.1 dev eno1
>>>>> 10.18.2.169 dev tun0 scope link src 10.18.2.170
>>>>> 192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
>>>>> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
>>>>> 76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
>>>>>
>>>>> Table net:
>>>>>
>>>>> 76.91.192.1 dev eno1 scope link src 76.91.194.242
>>>>> default via 76.91.192.1 dev eno1 src 76.91.194.242
>>>>>
>>>>> Table spectrum:
>>>>>
>>>>> 216.55.149.49 via 10.18.2.169 dev tun0
>>>>> 214.3.118.39 via 10.18.2.169 dev tun0
>>>>> 214.16.193.213 via 10.18.2.169 dev tun0
>>>>> 214.16.193.199 via 10.18.2.169 dev tun0
>>>>> 205.73.236.4 via 10.18.2.169 dev tun0
>>>>> 195.201.14.99 via 10.18.2.169 dev tun0
>>>>> 155.22.160.15 via 10.18.2.169 dev tun0
>>>>> 155.22.160.12 via 10.18.2.169 dev tun0
>>>>> 131.78.212.84 via 10.18.2.169 dev tun0
>>>>> 131.78.211.149 via 10.18.2.169 dev tun0
>>>>> 131.78.204.149 via 10.18.2.169 dev tun0
>>>>> 131.78.200.85 via 10.18.2.169 dev tun0
>>>>> 131.78.200.62 via 10.18.2.169 dev tun0
>>>>> 104.25.36.116 via 10.18.2.169 dev tun0
>>>>> 104.25.35.116 via 10.18.2.169 dev tun0
>>>>>
>>>>> Table vpn:
>>>>>
>>>>> 10.18.2.169 dev tun0 scope link src 10.18.2.170
>>>>> default via 10.18.2.169 dev tun0 src 10.18.2.170
>>>>> [root@Nethserver ~]#
>>>>>
>>>>> Notice now, that one of the "main" entries is one of the first tables
>>>>> referenced, before any of the rules introduced by the VPN.
>>>> This looks normal for a multi-ISP Shorewall configuration (with the
>>>> exception of the second 'lookup main' rule). What is your setting of
>>>> RESTORE_DEFAULT_ROUTE in shorewall.conf?
>>> RESTORE_DEFAULT_ROUTE=No
>> Try RESTORE_DEFAULT_ROUTE=Yes -- you should see the extra 'main' rule go
>> away.
> 
> Making that change and restarting, nope, I get this still:
> 
> Routing Rules
> 
> 0:      from all lookup local
> 999:    from all lookup main
> 5000:   from all lookup 100
> 10000:  from all fwmark 0x10000/0xf0000 lookup net
> 10001:  from all fwmark 0x20000/0xf0000 lookup vpn
> 20000:  from 76.91.194.242 lookup net
> 20000:  from 10.18.2.170 lookup vpn
> 32765:  from all lookup balance
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> 
>>
>>> Hmmm.  My memory was that the tables were in the order:
>>>
>>> from 76.91.194.242 lookup net
>>> from 10.18.2.170 lookup vpn
>>> from all lookup main
>>> from all lookup balance
>>> from all lookup default
>>>
>> That would be the case when USE_DEFAULT_RT=No.
> 
> Also adding that to the change above, gives:
> 
> Routing Rules
> 
> 0:      from all lookup local
> 5000:   from all lookup 100
> 10000:  from all fwmark 0x10000/0xf0000 lookup net
> 10001:  from all fwmark 0x20000/0xf0000 lookup vpn
> 20000:  from 76.91.194.242 lookup net
> 20000:  from 10.18.2.170 lookup vpn
> 32766:  from all lookup main
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> Which really breaks my split VPN routing.
> 

I wasn't suggesting that you change that.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
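
The two checks below are an added example, not code from this thread or from Shorewall. They read policy-routing rules in the format printed by `ip rule show` (which is what `shorewall show routing` lists under "Routing Rules") and flag the two things discussed above: a rule body that appears more than once, whether at the same priority (the two 32766 entries after boot) or at different ones (999 and 32766 once the VPN is up), and a catch-all "from all lookup main" rule that is consulted before a named table such as `vpn`. The sample rule lists are constructed from the shape of the quoted output; the function names `find_duplicate_rules` and `main_precedes` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: check policy-routing rules in the
# format of `ip rule show` / `shorewall show routing` for duplicated rules
# and for a "lookup main" rule that precedes a given table.

# Constructed: the post-boot rules, with "lookup main" listed twice at 32766.
BOOT_RULES='0:      from all lookup local
32766:  from all lookup main
32766:  from all lookup main
32767:  from all lookup default'

# Constructed: the rules after the VPN client is up, with an extra "lookup main"
# at priority 999, ahead of the fwmark and source-address rules for "vpn".
VPN_RULES='0:      from all lookup local
999:    from all lookup main
5000:   from all lookup spectrum
10000:  from all fwmark 0x10000/0xf0000 lookup net
10001:  from all fwmark 0x20000/0xf0000 lookup vpn
20000:  from 76.91.194.242 lookup net
20000:  from 10.18.2.170 lookup vpn
32765:  from all lookup balance
32766:  from all lookup main
32767:  from all lookup default'

# find_duplicate_rules: read rules on stdin and print each rule body that
# occurs more than once.  The "prio:" prefix is stripped first, so a rule
# repeated at two different priorities (999 and 32766 above) is caught as
# well as one repeated at the same priority.  Two rules that merely share a
# priority but differ in body (the two 20000: rules) are not reported.
find_duplicate_rules() {
    sed 's/^[0-9][0-9]*:[[:space:]]*//' | sort | uniq -d
}

# main_precedes TABLE: read rules on stdin; succeed (exit 0) if a catch-all
# "from all ... lookup main" rule has a lower priority number, and is
# therefore consulted earlier, than the first rule that looks up TABLE.
# When that is true, any destination with a route in "main" (including the
# kernel's connected routes) never reaches TABLE, which is how an early
# "main" rule undoes split-tunnel VPN routing.
main_precedes() {
    awk -v tbl="$1" '
        { prio = $1; sub(":$", "", prio); prio += 0 }
        $2 == "from" && $3 == "all" && $NF == "main" && !have_main {
            main_prio = prio; have_main = 1
        }
        $NF == tbl && !have_tbl { tbl_prio = prio; have_tbl = 1 }
        END { exit !(have_main && have_tbl && main_prio < tbl_prio) }
    '
}

# Demonstration on the constructed samples.  The live check is the same two
# functions fed by `ip rule show` instead of the sample text.
printf 'Duplicated after boot:\n'
printf '%s\n' "$BOOT_RULES" | find_duplicate_rules
printf 'Duplicated with VPN up:\n'
printf '%s\n' "$VPN_RULES" | find_duplicate_rules
if printf '%s\n' "$VPN_RULES" | main_precedes vpn; then
    printf 'WARNING: table main is consulted before table vpn\n'
fi
```

Priority alone is not a reliable duplicate key, since Shorewall legitimately gives several per-provider rules the same priority (the two 20000 rules); comparing the rule body with the priority stripped is what separates a genuine repeat from that.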
