Hi:
  We have three lines connected to a server that has Shorewall 4.6.3 running. 
The three lines are 'ACTBB', 'TATALEASEDLINE' and 'Net4India'. The requirement 
is that any SMTP traffic originating from the server itself should go only on 
'TATALEASEDLINE' line.
  We have set the following in 'providers' table.
** START
TATALEASEDLINE    1       254     main            eth1            61.12.X.X      balance=20,track       eth0,eth2
Net4india         2       253     main            eth3            202.71.X.X     balance=50,track       eth0,eth2
ACTBB             3       252     main            eth4            106.51.X.X     balance=60,track       eth0,eth2
** END

  The 'mangle' table specifies this:
** START
MARK(254)       $FW     0.0.0.0/0       tcp     25
MARK(254)       $FW     0.0.0.0/0       udp     25
** END
  However, we find that some SMTP traffic originating from the server still 
goes through other lines.
 
   Doing a 'shorewall iptrace' for SMTP traffic that goes through the wrong 
line, we get this:

** START
Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44646 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576619 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A00619FD1CF6EF222) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44647 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: raw:OUTPUT:policy:13 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001
Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: filter:fw2net:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
Jun  3 15:10:13 mail kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth4 SRC=106.51.X.X DST=74.125.68.27 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44648 DF PROTO=TCP SPT=50281 DPT=25 SEQ=663892427 ACK=4171576673 WINDOW=115 RES=0x00 ACK PSH URGP=0 OPT (0101080A0061A089CF6EF2DB) UID=1005 GID=1001 MARK=0xfc
** END
  Even though we have asked SMTP traffic from Firewall to be marked 0xfe (254), 
it is marking them as 0xfc and therefore the packet is going through the wrong line.
  Please advise on finding what is wrong.
Thanks,
-Krishnan.
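
An added example, not part of the original post: a small Python parser for `shorewall iptrace` kernel TRACE output that splits fused entries, finds the first hook at which a packet carries a mark, and maps that mark to a provider using the MARK column of the 'providers' table above. The names `parse_trace` and `where_marked` are hypothetical, and the sample input is constructed by shortening three entries from the trace in the post.

```python
import re

# MARK column of each provider row, copied from the 'providers' table in the post.
PROVIDER_MARKS = {254: "TATALEASEDLINE", 253: "Net4india", 252: "ACTBB"}

# Constructed sample: three TRACE entries for one packet, shortened from the
# post's log and fused end to start the way the mail archive rendered them.
SAMPLE = (
    "Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth4 "
    "PROTO=TCP SPT=50281 DPT=25 ID=44646 UID=1005 GID=1001"
    "Jun  3 15:10:13 mail kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth4 "
    "PROTO=TCP SPT=50281 DPT=25 ID=44646 UID=1005 GID=1001 MARK=0xfc"
    "Jun  3 15:10:13 mail kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=eth4 "
    "PROTO=TCP SPT=50281 DPT=25 ID=44646 UID=1005 GID=1001 MARK=0xfc"
)

# One entry runs from "TRACE: table:chain:type:num" up to the next syslog
# timestamp (or end of input), so fused or line-wrapped entries still split.
ENTRY = re.compile(
    r"TRACE: (\w+):(\w+):(rule|return|policy):(\d+) (.*?)"
    r"(?=[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s|\Z)", re.S)

def parse_trace(text):
    """Return one dict per TRACE entry: hook, IP ID, out interface, mark."""
    entries = []
    for table, chain, kind, num, body in ENTRY.findall(text):
        fields = dict(re.findall(r"(\w+)=(\S*)", body))
        mark = int(fields["MARK"], 16) if "MARK" in fields else None
        entries.append({"hook": f"{table}:{chain}:{kind}:{num}",
                        "id": fields.get("ID"), "out": fields.get("OUT"),
                        "mark": mark})
    return entries

def where_marked(entries):
    """Return (last hook without a mark, first hook with one, provider name)."""
    previous = None
    for entry in entries:
        if entry["mark"] is not None:
            provider = PROVIDER_MARKS.get(entry["mark"], "unknown")
            return previous, entry["hook"], provider
        previous = entry["hook"]
    return previous, None, None

if __name__ == "__main__":
    before, after, provider = where_marked(parse_trace(SAMPLE))
    print(f"mark first seen at {after} (absent at {before}); provider: {provider}")
```

On the sample, the mark is absent at `mangle:OUTPUT:rule:1` and present at `mangle:OUTPUT:policy:3`, and 0xfc (decimal 252) is the MARK value of the ACTBB row.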