mario.almeida | 03-03-2012 07:45 AM
Linux Firewall with policy base routing - unable to connect
Dear All,
OS= Centos 5.7 x86_64, iptables
My network setup
Code:
(10.20.20.254) ADSL                   LeaseLine (203.189.66.89)
                \                      /
                 \                    /
                  \                  /
                   \                /
eth3(10.20.20.10)-> \______________/ <- eth0 (203.189.66.90, default)
                    |              |
                    |  Linux/VLAN  |
                    | IPtables FW  |
                    |______________|
                            |<- vlan10 (10.20.10.1)
                            |
                            |
                            |
                            |
                            |
                    ________|________
                    |               |
                    |    Client     |
                    |  10.20.10.10  |
                    |_______________|
I am building PBR on our office firewall.
In the above setup, by default all traffic should use the lease line connection.
I want only HTTP (port 80) traffic from client 10.20.10.10, to any destination, to use the ADSL connection.
Below are my PBR steps:
Code:
# register table 201 under a name so that ip rule / ip route can refer to it
echo 201 webToadsl.out >> /etc/iproute2/rt_tables
# mark HTTP from the client as it enters on vlan10
iptables -t mangle -A PREROUTING -i vlan10 -s 10.20.10.10/32 -d 0/0 -p tcp --dport 80 -j MARK --set-mark 1
# marked packets from the client consult the ADSL table, whose only route is a default via the ADSL gateway
ip rule add from 10.20.10.10/32 fwmark 1 table webToadsl.out
ip route add default via 10.20.20.254 dev eth3 table webToadsl.out
ip route flush cache
# chain names are case-sensitive: FORWARD, not forward
iptables -I FORWARD -p tcp -s 10.20.10.10/32 -i vlan10 -o eth3 -d 0/0 --dport 80 -j ACCEPT
# match options (--dport) go before the target; SNAT to the eth3 address
iptables -t nat -A POSTROUTING -p tcp -o eth3 -s 10.20.10.10/32 -d 0/0 --dport 80 -j SNAT --to-source 10.20.20.10
Problem: unable to connect
Traffic goes out from the client to the firewall, and also out from the firewall via eth3 and comes back, but it is not forwarded to the client's IP.
Traffic sent from client:
Quote:
tcpdump -vv -nn -i eth0 host 173.194.66.99 and tcp port 80
Code:
18:51:50.791467 IP (tos 0x10, ttl 64, id 52305, offset 0, flags [DF], proto TCP (6), length 60)
10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x15bc (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404197 ecr 0,nop,wscale 6], length 0
18:51:53.788820 IP (tos 0x10, ttl 64, id 52306, offset 0, flags [DF], proto TCP (6), length 60)
10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x12ce (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404947 ecr 0,nop,wscale 6], length 0
18:51:59.788810 IP (tos 0x10, ttl 64, id 52307, offset 0, flags [DF], proto TCP (6), length 60)
10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x0cf2 (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51406447 ecr 0,nop,wscale 6], length 0
Traffic received on the firewall from the client on interface vlan10:
Quote:
tcpdump -nn -vv -i vlan10 host 173.194.66.99 and tcp
Code:
18:57:06.013285 IP (tos 0x10, ttl 64, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x15bc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:09.010288 IP (tos 0x10, ttl 64, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x12ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:15.009577 IP (tos 0x10, ttl 64, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x0cf2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>
Traffic sent out from the firewall via eth3 and returning to the firewall:
Quote:
tcpdump -nn -vv -i eth3 host 173.194.66.99 and tcp
Code:
18:57:06.014288 IP (tos 0x10, ttl 63, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x0bbc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:06.296841 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xc172 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532186 51404197,nop,wscale 6>
18:57:06.765125 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbf9e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532654 51404197,nop,wscale 6>
18:57:07.366241 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbd45 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318533255 51404197,nop,wscale 6>
18:57:08.565382 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb895 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318534455 51404197,nop,wscale 6>
18:57:09.010303 IP (tos 0x10, ttl 63, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x08ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:09.291874 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb5bf (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318535181 51404197,nop,wscale 6>
18:57:10.965485 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xaf35 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318536855 51404197,nop,wscale 6>
18:57:15.009592 IP (tos 0x10, ttl 63, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x02f2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>
18:57:15.292470 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9e4e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541182 51404197,nop,wscale 6>
18:57:15.824162 IP (tos 0x10, ttl 41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9c3a (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541714 51404197,nop,wscale 6>
Return traffic comes up to firewall interface eth3 but is not forwarded to the client's IP.
Can someone help me in this?
Thanks in advance.
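The following is an added example, not the poster's own script: it wraps the PBR steps from the post in an idempotent shell script (the `echo >> rt_tables` line in the post appends a duplicate entry every time it runs, and the FORWARD chain name is capitalised) and adds the check a practitioner would run first when the captures look like these, where the SYN-ACK is seen on eth3 but never reaches the client. On a dual-uplink box with strict reverse-path filtering, which is the only rp_filter mode on the 2.6.18 kernel CentOS 5 ships, a reply arriving on eth3 from a source whose best route in the main table is via eth0 is dropped before it ever reaches the FORWARD chain, so the script also reports the rp_filter state of the ADSL interface. Addresses, interface names and the table name are taken from the post; the `DRY_RUN` and `RT_TABLES` variables, the `run` wrapper and the extra ESTABLISHED,RELATED rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script). Values below are from the post.
CLIENT=10.20.10.10
LAN_IF=vlan10
ADSL_IF=eth3
ADSL_GW=10.20.20.254
ADSL_SRC=10.20.20.10
TABLE_ID=201
TABLE_NAME=webToadsl.out
MARK=1
# Assumed conventions for this example: DRY_RUN=1 prints commands instead of
# running them; RT_TABLES lets the rt_tables path be overridden.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Register the routing table once; a plain `echo >> rt_tables` appends a
# duplicate line on every run.
add_rt_table() {
    if ! grep -q "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$RT_TABLES" 2>/dev/null; then
        run sh -c "echo '${TABLE_ID} ${TABLE_NAME}' >> '${RT_TABLES}'"
    fi
}

# Mark client HTTP in PREROUTING, route marked packets through the ADSL table,
# let them through FORWARD (and let the replies back), and SNAT them to the
# ADSL-side address so the ISP sees a valid source.
apply_pbr() {
    add_rt_table
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT/32" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run ip rule add from "$CLIENT/32" fwmark "$MARK" table "$TABLE_NAME"
    run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$TABLE_NAME"
    run ip route flush cache
    # Chain names are case-sensitive: FORWARD, not forward.
    run iptables -I FORWARD -i "$LAN_IF" -o "$ADSL_IF" -s "$CLIENT/32" -p tcp --dport 80 -j ACCEPT
    # Replies are de-SNATed by conntrack; if the FORWARD policy is DROP they still
    # need an explicit accept on the way back in (assumed addition, not in the post).
    run iptables -I FORWARD -i "$ADSL_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Match options (--dport) go before the target.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -s "$CLIENT/32" -p tcp --dport 80 \
        -j SNAT --to-source "$ADSL_SRC"
}

# Pure helper so the decision can be checked without /proc: given the "all" and
# per-interface rp_filter values, succeed (return 0) when filtering is effectively
# active. Treating any non-zero value as active is the conservative reading:
# 2.6.18 ANDs the two values, later kernels take the maximum.
rp_filter_active() {
    [ "$1" != 0 ] || [ "$2" != 0 ]
}

# Report whether replies arriving on $1 for sources routed via another interface
# would be dropped by reverse-path filtering. Returns 0 if safe, 1 if not.
check_rp_filter() {
    iface=$1
    all_val=$(cat /proc/sys/net/ipv4/conf/all/rp_filter 2>/dev/null || echo 0)
    if_val=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter" 2>/dev/null || echo 0)
    if rp_filter_active "$all_val" "$if_val"; then
        echo "rp_filter active for $iface (all=$all_val, $iface=$if_val):" \
             "replies entering $iface for sources routed via the default uplink are dropped" >&2
        echo "fix: sysctl -w net.ipv4.conf.$iface.rp_filter=0 (also net.ipv4.conf.all.rp_filter=0 on kernels that take the maximum)" >&2
        return 1
    fi
    return 0
}

# Usage: DRY_RUN=1 sh pbr.sh apply   (print)   or   sh pbr.sh apply   (as root)
case "${1:-}" in
    apply) check_rp_filter "$ADSL_IF" || true; apply_pbr ;;
esac
```

With `DRY_RUN=1` the script prints the exact rule set it would install, which is the cleanest way to review a PBR change before touching a production firewall; the rp_filter report is deliberately written to stderr so it is not lost in that command listing. Relaxing rp_filter only on the interface that legitimately carries asymmetric replies (eth3 here) keeps the anti-spoofing protection on the other uplink and on the LAN side.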