Hi,

Firstly, some background.  Some time ago Tom helped me in setting up my system to use a VPN client in a way that allowed me full control over which destination IPs were sent via the VPN, the remainder of the traffic leaving via my normal internet connection.  When starting the VPN, I suppress all attempts by it to modify my existing routing and in the "up" script generate the following before restarting the firewall:

cat /etc/shorewall/providers
#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE GATEWAY         OPTIONS         COPY

# Set up the two provider masks
net     1       0x10000 -       eno1    detect track,primary
vpn     2       0x20000 -       tun0    10.8.1.1 track,fallback

This generates the following routing:

shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Mon Mar 23 10:05:56 PDT 2020


Routing Rules

0:      from all lookup local
999:    from all lookup main
10000:  from all fwmark 0x10000/0xf0000 lookup net
10001:  from all fwmark 0x20000/0xf0000 lookup vpn
20000:  from 76.91.xxx.yyy lookup net
20000:  from 10.8.1.20 lookup vpn
32765:  from all lookup balance
32767:  from all lookup default

Table balance:

default via 76.91.192.1 dev eno1

Table default:

10.8.1.1 dev tun0 scope link
default via 10.8.1.1 dev tun0 src 10.8.1.20 metric 2

Table local:

--snip--  Not needed for this question

Table main:

--snip--  Not needed for this question

Table net:

76.91.192.1 dev eno1 scope link src 76.91.xxx.yyy
default via 76.91.192.1 dev eno1 src 76.91.xxx.yyy

Table vpn:

10.8.1.1 dev tun0 scope link src 10.8.1.20
default via 10.8.1.1 dev tun0 src 10.8.1.20

Following this, I then have a second script that builds a new routing table, which directs the required destination IPs to the tun0 gateway.  This table is then added to the rules thus:

0:      from all lookup local
500:    from all lookup 100
999:    from all lookup main
10000:  from all fwmark 0x10000/0xf0000 lookup net
10001:  from all fwmark 0x20000/0xf0000 lookup vpn
20000:  from 76.91.204.161 lookup net
20000:  from 10.8.1.20 lookup vpn
32765:  from all lookup balance
32767:  from all lookup default


As I'm about to make some major changes to that 2nd script, I started to look at (maybe) consolidating everything into the VPN's "up" script and investigated the use of shorewall/routes as that appeared to offer what I wanted.  Here's that file after rewriting my "up" script to do what I need today (before embarking on the substantial updates I need):

cat /etc/shorewall/routes
#
# Shorewall -- /etc/shorewall/routes
#
# For information about entries in this file, type "man shorewall-routes"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
#
###############################################################################
#PROVIDER               DEST GATEWAY         DEVICE  OPTIONS

# Force the VPN IP out via our external interface
main    84.17.44.81     76.91.192.1

# Now force the DoD stuff out via the vpn
vpn     131.77.0.0/16
vpn     131.78.0.0/16
vpn     156.112.0.0/16
vpn     214.0.0.0/8
vpn     215.0.0.0/8

Restarting the firewall showed this:

shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Mon Mar 23 10:22:45 PDT 2020


Routing Rules

0:      from all lookup local
999:    from all lookup main
10000:  from all fwmark 0x10000/0xf0000 lookup net
10001:  from all fwmark 0x20000/0xf0000 lookup vpn
20000:  from 76.91.204.161 lookup net
20000:  from 10.8.0.32 lookup vpn
32765:  from all lookup balance
32767:  from all lookup default

Table balance:

default via 76.91.192.1 dev eno1

Table default:

10.8.0.1 dev tun0 scope link
default via 10.8.0.1 dev tun0 src 10.8.0.32 metric 2

Table local:

--snip--  Not needed for this question

Table main:

84.17.44.81 via 76.91.192.1 dev eno1
--snip--  Not needed for this question

Table net:

76.91.192.1 dev eno1 scope link src 76.91.xxx.yyy
default via 76.91.192.1 dev eno1 src 76.91.xxx.yyy

Table vpn:

10.8.0.1 dev tun0 scope link src 10.8.0.32
156.112.0.0/16 dev tun0 scope link
131.78.0.0/16 dev tun0 scope link
131.77.0.0/16 dev tun0 scope link
215.0.0.0/8 dev tun0 scope link
214.0.0.0/8 dev tun0 scope link
default via 10.8.0.1 dev tun0 src 10.8.0.32

Looking at this, it's obviously not going to do what I wanted.  The table "vpn" is only going to be used for packets either already marked as destined for the VPN or those that were sourced from there.  Not what I was looking for in routing locally generated outbound traffic.

Inserting that table at the point in the rules where I was previously adding my additions also will not work, because of the "default" routing.

I guess what I was expecting from the use of shorewall/routes is that it would not have modified any of the existing routing tables being generated (well, apart from my use of "main") but created a brand new table to be inserted between 0 and 999.

I can see that as a workaround, I can force all the entries to be added to the "main" table instead.

Have I misunderstood how this was supposed to work, or is it (kinda) broken?

Cheers.


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
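
The mechanism the poster's second script relies on (a dedicated table looked up by an "ip rule" at a priority between "lookup local" at 0 and "lookup main" at 999, with no default route in that table so that non-matching destinations fall through to main) can be written as a small shell script. The following is an added example, not the poster's script and not part of Shorewall: the table number 100, priority 500, the tun0 gateway 10.8.1.1 and the five destination prefixes are taken from the post, while the function names, the VPN_* variables and the dry-run switch are my own. It also includes a check, run over the text of "ip rule show", that the new rule really lands ahead of the main table, which is the ordering the poster found the shorewall/routes approach did not give.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall itself):
# build a dedicated policy-routing table for a set of destination prefixes
# and hook it in with a rule that sits between "lookup local" (0) and
# "lookup main" (999). Assumed values: table 100, priority 500, gateway
# 10.8.1.1 on tun0 and the prefixes quoted in the post. Set VPN_DRY_RUN=1 to
# print the ip(8) commands instead of executing them (no root needed).

VPN_TABLE=${VPN_TABLE:-100}
VPN_PRIO=${VPN_PRIO:-500}
VPN_GW=${VPN_GW:-10.8.1.1}
VPN_DEV=${VPN_DEV:-tun0}
VPN_DESTS=${VPN_DESTS:-"131.77.0.0/16 131.78.0.0/16 156.112.0.0/16 214.0.0.0/8 215.0.0.0/8"}

# Execute a command, or print it when VPN_DRY_RUN=1.
run() {
    if [ "${VPN_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rebuild the table from scratch and install exactly one rule for it.
# The table deliberately has NO default route: a destination that is not
# listed misses in table 100 and the kernel continues to the next rule
# (lookup main), which is what keeps ordinary traffic on eno1.
vpn_routes_up() {
    run ip route flush table "$VPN_TABLE"
    for dst in $VPN_DESTS; do
        run ip route replace "$dst" via "$VPN_GW" dev "$VPN_DEV" table "$VPN_TABLE"
    done
    # "ip rule add" does not deduplicate, so drop a stale copy first.
    run ip rule del from all lookup "$VPN_TABLE" priority "$VPN_PRIO" 2>/dev/null || true
    run ip rule add from all lookup "$VPN_TABLE" priority "$VPN_PRIO"
}

# Undo vpn_routes_up (for the VPN "down" script).
vpn_routes_down() {
    run ip rule del from all lookup "$VPN_TABLE" priority "$VPN_PRIO" 2>/dev/null || true
    run ip route flush table "$VPN_TABLE"
}

# Read "ip rule show" output on stdin and return 0 only if the rule for
# VPN_TABLE has a lower (earlier) priority than the "lookup main" rule.
# Usage: ip rule show | vpn_rule_before_main
vpn_rule_before_main() {
    awk -v t="$VPN_TABLE" '
        { prio = $1; sub(/:$/, "", prio) }
        $(NF-1) == "lookup" && $NF == "main" { m = prio }
        $(NF-1) == "lookup" && $NF == t      { r = prio }
        END {
            if (r != "" && m != "" && r + 0 < m + 0) exit 0
            exit 1
        }'
}
```

Because Shorewall owns the rules it generates, run the script after the firewall has been restarted (as the poster already does with the second script) and confirm the ordering with "ip rule show | vpn_rule_before_main"; a non-zero exit means the table-100 rule is either missing or has slipped behind main and will never be consulted for locally generated traffic.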