LinuxQuestions.org

Thread: http://www.linuxquestions.org/questions/linux-server-73/linux-firewall-with-policy-base-routing-unable-to-connect-932495/

mario.almeida 03-03-2012 07:45 AM

Linux Firewall with policy base routing - unable to connect
 
Dear All,

OS = CentOS 5.7 x86_64, iptables

My network setup

Code:

    (10.20.20.254) ADSL                        LeaseLine (203.189.66.89)
                        \                     /
                         \                   /
    eth3 (10.20.20.10) -> \_________________/ <- eth0 (203.189.66.90, default)
                          |                 |
                          |  Linux/VLAN     |
                          |  IPtables FW    |
                          |_________________|
                                   |<- vlan10 (10.20.10.1)
                                   |
                                   |
                                   |
                           ________|________
                          |                 |
                          |  Client         |
                          |  10.20.10.10    |
                          |_________________|

I am building PBR on our office firewall.
In the above example, by default all traffic should use the leased line connection.
I want only HTTP (port 80) from client 10.20.10.10 to any destination to use the ADSL connection.

Below are my PBR steps

Code:

# register the extra routing table
echo 201 webToadsl.out >> /etc/iproute2/rt_tables

# mark the client's HTTP packets as they arrive from the LAN
iptables -t mangle -A PREROUTING -i vlan10 -s 10.20.10.10/32 -d 0/0 -p tcp --dport 80 -j MARK --set-mark 1

# marked packets from the client are routed with the ADSL table
ip rule add from 10.20.10.10/32 fwmark 1 table webToadsl.out

ip route add default via 10.20.20.254 dev eth3 table webToadsl.out

ip route flush cache

# allow the forwarded connection (chain names are case-sensitive: FORWARD)
iptables -I FORWARD -p tcp -s 10.20.10.10/32 -i vlan10 -o eth3 -d 0/0 --dport 80 -j ACCEPT

# source-NAT the client's HTTP traffic to the ADSL address (--dport belongs to the tcp match, before -j)
iptables -t nat -A POSTROUTING -p tcp -o eth3 -s 10.20.10.10/32 -d 0/0 --dport 80 -j SNAT --to-source 10.20.20.10

Problem: unable to connect
Traffic goes out from the client to the firewall, and also goes out from the firewall via eth3 and comes back, but it is not forwarded to the client's IP.


Traffic sent from the client:
Quote:

tcpdump -vv -nn -i eth0 host 173.194.66.99 and tcp port 80
Code:

18:51:50.791467 IP (tos 0x10, ttl 64, id 52305, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x15bc (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404197 ecr 0,nop,wscale 6], length 0
18:51:53.788820 IP (tos 0x10, ttl 64, id 52306, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x12ce (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404947 ecr 0,nop,wscale 6], length 0
18:51:59.788810 IP (tos 0x10, ttl 64, id 52307, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x0cf2 (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51406447 ecr 0,nop,wscale 6], length 0


Traffic received on the firewall from the client on interface vlan10:
Quote:

tcpdump -nn -vv -i vlan10 host 173.194.66.99 and tcp
Code:

18:57:06.013285 IP (tos 0x10, ttl  64, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x15bc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:09.010288 IP (tos 0x10, ttl  64, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x12ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:15.009577 IP (tos 0x10, ttl  64, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x0cf2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>

Traffic sent out from the firewall via eth3 and returned to the firewall:
Quote:

tcpdump -nn -vv -i eth3 host 173.194.66.99 and tcp
Code:

18:57:06.014288 IP (tos 0x10, ttl  63, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x0bbc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:06.296841 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xc172 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532186 51404197,nop,wscale 6>
18:57:06.765125 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbf9e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532654 51404197,nop,wscale 6>
18:57:07.366241 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbd45 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318533255 51404197,nop,wscale 6>
18:57:08.565382 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb895 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318534455 51404197,nop,wscale 6>
18:57:09.010303 IP (tos 0x10, ttl  63, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x08ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:09.291874 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb5bf (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318535181 51404197,nop,wscale 6>
18:57:10.965485 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xaf35 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318536855 51404197,nop,wscale 6>
18:57:15.009592 IP (tos 0x10, ttl  63, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x02f2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>
18:57:15.292470 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9e4e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541182 51404197,nop,wscale 6>
18:57:15.824162 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9c3a (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541714 51404197,nop,wscale 6>

Return traffic comes up to the firewall interface eth3 but is not forwarded to the client's IP.

Can someone help me with this?

Thanks in advance.

mario.almeida 03-04-2012 03:54 PM

Dear All,

Can anyone provide a hint to this?

mario.almeida 03-05-2012 02:06 PM

Hi All,

Can someone guide me?

If I remove "fwmark 1" and add the ip rule just like below:
Quote:

ip rule add from 10.20.10.10/32 table webToadsl.out
this works fine. How can I get fwmark working?

mario.almeida 03-05-2012 03:19 PM

hummmmm, big relax.

Finally got it fixed.

Had to disable source route verification on the ADSL interface; in my case it is eth3, which is the non-default route interface.

Quote:

net.ipv4.conf.eth3.rp_filter = 0
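
An added example, not the poster's script, that applies the PBR steps from the first post together with the rp_filter change from this last one, using the addresses and interface names from the diagram. The effective_rp_filter helper and the choice of loose mode (2) instead of 0 are my additions, covering the caveat that newer kernels combine the conf/all and per-interface values differently than CentOS 5's kernel did.

```shell
#!/bin/bash
# Added example (not the poster's script): PBR for the diagram above, plus the
# reverse-path filter handling that the thread's fix depends on.
set -eu

CLIENT=10.20.10.10   ADSL_GW=10.20.20.254   ADSL_IF=eth3
ADSL_IP=10.20.20.10  LAN_IF=vlan10          TABLE=webToadsl.out   MARK=1

# Effective rp_filter for an interface on kernels from 2.6.31 on: the MAX of
# conf/all/rp_filter and conf/<iface>/rp_filter. Setting only the interface
# value to 0 therefore changes nothing while conf/all is 1. (CentOS 5's 2.6.18
# kernel ANDed the two values, which is why the single sysctl line above worked.)
effective_rp_filter() {   # $1 = conf/all value, $2 = conf/<iface> value
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Strict mode (1) drops the ADSL replies: the reverse lookup for a SYN-ACK
# arriving on eth3 carries no fwmark, so it resolves via the main table to eth0.
# Loose mode (2) only requires the source to be reachable via some interface.
rp_filter_drops_replies() {   # $1 = conf/all value, $2 = conf/<iface> value
  [ "$(effective_rp_filter "$1" "$2")" -eq 1 ]
}

configure_pbr() {
  grep -q "$TABLE" /etc/iproute2/rt_tables || echo "201 $TABLE" >> /etc/iproute2/rt_tables

  # mark the client's HTTP packets as they enter from the LAN
  iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT" -p tcp --dport 80 \
    -j MARK --set-mark "$MARK"
  # marked packets consult the ADSL table, whose only route is the ADSL default
  ip rule add from "$CLIENT" fwmark "$MARK" table "$TABLE"
  ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table "$TABLE"
  ip route flush cache

  iptables -A FORWARD -i "$LAN_IF" -o "$ADSL_IF" -s "$CLIENT" -p tcp --dport 80 -j ACCEPT
  iptables -t nat -A POSTROUTING -o "$ADSL_IF" -s "$CLIENT" -p tcp --dport 80 \
    -j SNAT --to-source "$ADSL_IP"

  # loose mode on eth3 survives a strict conf/all (max(1,2) = 2), unlike 0;
  # verify the effective value before trusting the setup
  sysctl -w "net.ipv4.conf.$ADSL_IF.rp_filter=2"
  if rp_filter_drops_replies "$(sysctl -n net.ipv4.conf.all.rp_filter)" \
                             "$(sysctl -n "net.ipv4.conf.$ADSL_IF.rp_filter")"; then
    echo "reverse-path filter still strict on $ADSL_IF; ADSL replies will be dropped" >&2
    return 1
  fi
}

if [ "${1:-}" = "apply" ]; then configure_pbr; fi
```

Run as root with the argument apply; without it the script only defines the functions, so the helpers can be sourced and checked on any host.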

