LinuxQuestions.org
Old 03-03-2012, 08:45 AM   #1
mario.almeida
Member
 
Registered: May 2008
Location: India
Distribution: Ubuntu 10.04, CentOS
Posts: 179

Rep: Reputation: 27
Linux Firewall with policy-based routing - unable to connect


Dear All,

OS = CentOS 5.7 x86_64, iptables

My network setup

Code:
	(10.20.20.254) ADSL			LeaseLine (203.189.66.89)
			\			/
			 \		       /
			  \		      /
			   \		     /
	eth3(10.20.20.10)-> \_______________/ <- eth0 (203.189.66.90, default)
			     |	 	    |
			     | Linux/VLAN   |
			     | IPtables FW  |
			     |______________|
				    |<- vlan10 (10.20.10.1)
				    |
				    |
				    |
				    |
				    |
			    ________|________
			    |		     |
			    | Client	     |
			    | 10.20.10.10    |
			    |________________|
I am building PBR on our office firewall.
In the above example, by default all traffic should use the leased-line connection.
I want only HTTP (port 80) to any destination from client 10.20.10.10 to use the ADSL connection.

Below are my PBR steps

Code:
# Register the extra routing table (ID 201, name webToadsl.out)
echo "201 webToadsl.out" >> /etc/iproute2/rt_tables

# Mark the client's HTTP packets as they arrive on vlan10
iptables -t mangle -A PREROUTING -i vlan10 -s 10.20.10.10/32 -d 0/0 -p tcp --dport 80 -j MARK --set-mark 1

# Marked packets from the client are routed with the ADSL table
ip rule add from 10.20.10.10/32 fwmark 1 table webToadsl.out

# ADSL table: default route via the ADSL router on eth3
ip route add default via 10.20.20.254 dev eth3 table webToadsl.out

ip route flush cache

# Allow the forwarded HTTP traffic (the built-in chain is FORWARD, upper case; chain names are case-sensitive)
iptables -I FORWARD -p tcp -s 10.20.10.10/32 -i vlan10 -o eth3 -d 0/0 --dport 80 -j ACCEPT

# Source-NAT the HTTP traffic leaving eth3 to the ADSL-side address (match options go before -j)
iptables -t nat -A POSTROUTING -p tcp -o eth3 -s 10.20.10.10/32 -d 0/0 --dport 80 -j SNAT --to-source 10.20.20.10
Problem: unable to connect
Traffic goes out from the client to the firewall, then out from the firewall via eth3 and comes back, but it is not forwarded to the client's IP.


Traffic sent from Client:
Quote:
tcpdump -vv -nn -i eth0 host 173.194.66.99 and tcp port 80
Code:
18:51:50.791467 IP (tos 0x10, ttl 64, id 52305, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x15bc (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404197 ecr 0,nop,wscale 6], length 0
18:51:53.788820 IP (tos 0x10, ttl 64, id 52306, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x12ce (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51404947 ecr 0,nop,wscale 6], length 0
18:51:59.788810 IP (tos 0x10, ttl 64, id 52307, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.10.10.46551 > 173.194.66.99.80: Flags [S], cksum 0x0cf2 (correct), seq 1851822580, win 5840, options [mss 1460,sackOK,TS val 51406447 ecr 0,nop,wscale 6], length 0

Traffic received on Firewall from client on interface vlan10
Quote:
tcpdump -nn -vv -i vlan10 host 173.194.66.99 and tcp
Code:
18:57:06.013285 IP (tos 0x10, ttl  64, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x15bc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:09.010288 IP (tos 0x10, ttl  64, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x12ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:15.009577 IP (tos 0x10, ttl  64, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.10.10.46551 > 173.194.66.99.80: S, cksum 0x0cf2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>
Traffic sent out from firewall via eth3 and returning to the firewall
Quote:
tcpdump -nn -vv -i eth3 host 173.194.66.99 and tcp
Code:
18:57:06.014288 IP (tos 0x10, ttl  63, id 52305, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x0bbc (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404197 0,nop,wscale 6>
18:57:06.296841 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xc172 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532186 51404197,nop,wscale 6>
18:57:06.765125 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbf9e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318532654 51404197,nop,wscale 6>
18:57:07.366241 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xbd45 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318533255 51404197,nop,wscale 6>
18:57:08.565382 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb895 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318534455 51404197,nop,wscale 6>
18:57:09.010303 IP (tos 0x10, ttl  63, id 52306, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x08ce (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51404947 0,nop,wscale 6>
18:57:09.291874 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xb5bf (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318535181 51404197,nop,wscale 6>
18:57:10.965485 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0xaf35 (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318536855 51404197,nop,wscale 6>
18:57:15.009592 IP (tos 0x10, ttl  63, id 52307, offset 0, flags [DF], proto: TCP (6), length: 60) 10.20.20.10.46551 > 173.194.66.99.80: S, cksum 0x02f2 (correct), 1851822580:1851822580(0) win 5840 <mss 1460,sackOK,timestamp 51406447 0,nop,wscale 6>
18:57:15.292470 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9e4e (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541182 51404197,nop,wscale 6>
18:57:15.824162 IP (tos 0x10, ttl  41, id 485, offset 0, flags [none], proto: TCP (6), length: 60) 173.194.66.99.80 > 10.20.20.10.46551: S, cksum 0x9c3a (correct), 4146312549:4146312549(0) ack 1851822581 win 14180 <mss 1400,sackOK,timestamp 318541714 51404197,nop,wscale 6>
Return traffic comes up to firewall interface eth3 but is not forwarded to the client's IP.

Can someone help me in this?

Thanks in advance.
 
Old 03-04-2012, 04:54 PM   #2
mario.almeida
Dear All,

Can anyone provide a hint to this?
 
Old 03-05-2012, 03:06 PM   #3
mario.almeida
Hi All,

Can someone guide me?

If I remove "fwmark 1" and add the ip rule just like below
Quote:
ip rule add from 10.20.10.10/32 table webToadsl.out
this works fine. How can I get fwmark working?
 
Old 03-05-2012, 04:19 PM   #4
mario.almeida
hummmmm, big relax.

Finally got it fixed.

Had to disable source route verification on the ADSL interface; in my case it is eth3, which is the non-default-route interface.

Quote:
net.ipv4.conf.eth3.rp_filter = 0
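The following is an added example, not code from the original posts: a simplified model of Linux policy routing plus strict reverse-path filtering, written to show why the rule in post #3 (from-address only) passes the reverse-path check while the fwmark rule in post #1 fails it, which is the situation the rp_filter change in post #4 works around. It assumes that conntrack has already undone the SNAT on the returning SYN-ACK (the nat PREROUTING hook runs before the routing decision, so the reply's destination is the client address 10.20.10.10 by the time the reverse-path check runs), that the reply carries no fwmark because the mangle rule only marks packets from the client to port 80, that the connected networks are /24s, and it omits the local table. The packets are taken from the captures above; the rule sets and the table names are the thread's.

```python
"""Model of why strict rp_filter drops the SYN-ACK arriving on eth3.

Added example for this thread, not the original poster's code. Simplified
model of Linux policy routing and strict reverse-path filtering. Assumptions:
the reply has already been de-SNATed (dst = 10.20.10.10), the reply carries
no fwmark, the connected networks are /24s, and the local table is omitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    iif: str          # interface the packet arrived on
    mark: int = 0     # netfilter mark carried by the packet


@dataclass
class Rule:
    table: str
    from_prefix: Optional[str] = None   # "ip rule ... from <prefix>"
    fwmark: Optional[int] = None        # "ip rule ... fwmark <n>"

    def matches(self, src: str, mark: int) -> bool:
        if self.from_prefix is not None and \
                ipaddress.ip_address(src) not in ipaddress.ip_network(self.from_prefix):
            return False
        if self.fwmark is not None and mark != self.fwmark:
            return False
        return True


# Routing tables: name -> list of (prefix, egress device); longest prefix wins.
TABLES: Dict[str, List[Tuple[str, str]]] = {
    "webToadsl.out": [("0.0.0.0/0", "eth3")],   # from the thread
    "main": [                                    # assumed main table
        ("10.20.20.0/24", "eth3"),               # ADSL side (assumed /24)
        ("10.20.10.0/24", "vlan10"),             # client VLAN (assumed /24)
        ("0.0.0.0/0", "eth0"),                   # leased line is the default
    ],
}

# The two rule sets from the thread, in priority order; main is consulted last.
RULES_FWMARK: List[Rule] = [Rule("webToadsl.out", "10.20.10.10/32", fwmark=1), Rule("main")]
RULES_SRC_ONLY: List[Rule] = [Rule("webToadsl.out", "10.20.10.10/32"), Rule("main")]


def table_lookup(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match inside one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def route_lookup(rules: List[Rule], src: str, dst: str, mark: int) -> Optional[str]:
    """Policy routing: the first matching rule whose table holds a route to dst
    decides the egress device; a rule whose table has no route is skipped."""
    for rule in rules:
        if rule.matches(src, mark):
            dev = table_lookup(TABLES[rule.table], dst)
            if dev is not None:
                return dev
    return None


def rp_filter_verdict(pkt: Packet, rules: List[Rule], rp_filter: int) -> str:
    """Strict reverse-path filter: route the packet's source as if replying to it
    (so rule selectors see src and dst swapped) and accept only when that route
    leaves through the interface the packet arrived on."""
    if rp_filter == 0:
        return "accept"
    back = route_lookup(rules, src=pkt.dst, dst=pkt.src, mark=pkt.mark)
    return "accept" if back == pkt.iif else "drop"


# Packets from the captures: the client's marked SYN and the SYN-ACK after de-SNAT.
CLIENT_SYN = Packet(src="10.20.10.10", dst="173.194.66.99", iif="vlan10", mark=1)
SYN_ACK = Packet(src="173.194.66.99", dst="10.20.10.10", iif="eth3", mark=0)


def scenarios() -> Dict[str, Optional[str]]:
    """Outcomes for the situations discussed in posts #1, #3 and #4."""
    return {
        "syn egress (fwmark rules)": route_lookup(RULES_FWMARK, CLIENT_SYN.src, CLIENT_SYN.dst, CLIENT_SYN.mark),
        "syn-ack, fwmark rules, rp_filter=1": rp_filter_verdict(SYN_ACK, RULES_FWMARK, 1),
        "syn-ack, fwmark rules, rp_filter=0": rp_filter_verdict(SYN_ACK, RULES_FWMARK, 0),
        "syn-ack, from-only rule, rp_filter=1": rp_filter_verdict(SYN_ACK, RULES_SRC_ONLY, 1),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The model makes the mechanism visible: the outgoing SYN carries mark 1 and is routed out eth3, but the reverse-path check on the SYN-ACK runs the lookup with the reply's own mark (0), so the fwmark rule never matches, the main table sends it to eth0, and strict rp_filter drops it on eth3. A rule keyed only on the client address matches in both directions, which is why post #3 worked without any sysctl change. Two things worth checking when applying the post #4 fix: rp_filter is the kernel's anti-spoofing check, so setting it to 0 on eth3 removes that check for packets arriving on eth3 only and should be left enabled on the other interfaces; and the kernel uses the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.eth3.rp_filter for eth3, so the per-interface 0 only takes effect if conf.all.rp_filter is 0 as well.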