Update Multi-ISP doc with my current config

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-10-27 20:28:52 -07:00
parent ef3652fc98
commit 8397244fd6
3 changed files with 196 additions and 140 deletions

@ -776,7 +776,12 @@ DROP:info net:192.168.1.0/24 all</programlisting>
</section> </section>
<section id="Example1"> <section id="Example1">
<title id="Example">Example</title> <title id="Example">Legacy Example</title>
<para>This section describes the legacy method of configuring multiple
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
configuration described <link
linkend="USE_DEFAULT_RT">below</link>.</para>
<para>The configuration in the figure at the top of this section would <para>The configuration in the figure at the top of this section would
be specified in <filename>/etc/shorewall/providers</filename> as be specified in <filename>/etc/shorewall/providers</filename> as
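Review bot: the new paragraph cross-references `linkend="USE_DEFAULT_RT"`, but no element with `id="USE_DEFAULT_RT"` appears in this patch; confirm that the id already exists on the section the paragraph calls "below", otherwise the DocBook build fails with an unresolved link. Keeping `id="Example1"` and `<title id="Example">` on the retitled section is right, since existing links to the legacy example continue to resolve; consider also putting the word "deprecated" in the title ("Legacy Example (deprecated)"), because a reader arriving via an old link sees the title before the deprecation sentence.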
@ -1276,6 +1281,16 @@ lillycat: #</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>The configuration in the figure at the top of this section would
be specified in <filename>/etc/shorewall/providers</filename> as
follows.</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 - eth0 206.124.146.254 track -
ISP2 2 2 - eth1 130.252.99.254 track - </programlisting>
<para>The remainder of the example is the same.</para>
<para>Although 'balance' is automatically assumed when <para>Although 'balance' is automatically assumed when
USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider
except when you explicitly direct it to use the other provider via except when you explicitly direct it to use the other provider via
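Review bot: "The remainder of the example is the same" has no clear referent in the added paragraph; say which example it means (the Legacy Example above). The MARK values 1 and 2 in the added providers listing also follow a different mark layout from the 0x10000/0x20000 marks used in the complete example later in this patch, which sets PROVIDER_OFFSET=16 and PROVIDER_BITS=2; state which PROVIDER_OFFSET/PROVIDER_BITS this listing assumes so a reader who copies it into a configuration with the other layout knows the marks must change too.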
@ -2317,7 +2332,7 @@ wlan0 192.168.0.0/24</programlisting><note>
<section id="Complete"> <section id="Complete">
<title>A Complete Working Example</title> <title>A Complete Working Example</title>
<para>This section describes the network at shorewall.net early in 2009. <para>This section describes the network at shorewall.net in late 2012.
The configuration is as follows:</para> The configuration is as follows:</para>
<itemizedlist> <itemizedlist>
@ -2326,196 +2341,237 @@ wlan0 192.168.0.0/24</programlisting><note>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP <para>ComcastC -- A consumer-grade Comcast cable line with a
addresses.</para> dynamic IP address.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Comcast -- A fast (20mb/10mb) Cable circuit with a single <para>ComcastB -- A Comcast Business-class line with 5 static IP
<emphasis>dynamic</emphasis> address.</para> addresses.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>A local network consisting of wired and wireless client systems. <para>A local network consisting of wired and wireless client systems.
A Linksys WRT300N wireless router is used as an access point for the A wireless-N router is used as an access point for the wireless
wireless hosts.</para> hosts.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>A DMZ hosting a single server (lists.shorewall.net aka <para>A DMZ hosting a two servers (one has two public IP addresses -
www1.shorewall.net, ftp1.shorewall.net,etc.)</para> one for receiving email and one for sending) and a system dedicaed to
running irssi (usually via IPv6)</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The network is pictured in the following diagram:</para> <para>The network is pictured in the following diagram:</para>
<graphic align="center" fileref="images/Network2009.png"/> <graphic fileref="images/Network2012a.png"/>
<para>Because of the speed of the cable provider, all traffic uses that <para>The Business Gateway manages a gigabit local network with address
provider unless there is a specific need for the traffic to use the DSL 10.1.10.1/24. So The firewall is given address 10.1.10.11/24 and the
line.</para> gateway is configured to route the public IP block via that address. The
gateway's firewall is only enabled for the 10.1.10/0/24 network.</para>
<itemizedlist> <para>Because the business network is faster and more reliable, the
<listitem> configuration favors sending local network traffic via that uplink rather
<para>Responses to connections from the Internet to one of the DSL IP than the consumer line.</para>
addresses -- the <emphasis role="bold">track</emphasis> option takes
care of that.</para>
</listitem>
<listitem> <para>Here are the key entries in
<para>Connections initiated by the server and connections requested by <filename>/etc/shorewall/params</filename>:</para>
clients on the firewall that have bound their local socket to one of
the DSL IP addresses. Two entries in
<filename>/etc/shorewall/rtrules</filename> take care of that
traffic.</para>
</listitem>
</itemizedlist>
<para>As a consequence, I have disabled all route filtering on the <programlisting>LOG=NFLOG
firewall and only use the <emphasis role="bold">balance</emphasis> option
in <filename>/etc/shorewall/providers</filename> on the Comcast provider
whose default route in the main table is established by DHCP. By
specifying the <emphasis role="bold">fallback</emphasis> option on
Avvanta, I ensure that there is still a default route if Comcast is down.
<link linkend="lsm">lsm</link> is used to monitor the links.</para>
<para><filename>/etc/sysctl.conf</filename>:</para> INT_IF=eth2
TUN_IF=tun+
COMB_IF=eth1
COMC_IF=eth0
<programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting> STATISTICAL=
PROXY=
FALLBACK=
PROXYDMZ=
SQUID2=</programlisting>
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para> <para>The last three variables are used to configure the firewall
differently to exercise various Shorewall features.</para>
<programlisting>ROUTE_FILTER=No <para>Here are the key entries in
RESTORE_DEFAULT_ROUTE=No</programlisting> <filename>/etc/shorewall/shorewall.conf</filename>:</para>
<para>RESTORE_DEFAULT_ROUTE=No causes the default route in the main table <programlisting>###############################################################################
to be deleted when the Comcast link is unavailable. That way, the default # F I R E W A L L O P T I O N S
route in the default table will be used until Comcast is available ###############################################################################
again.</para>
...
ACCOUNTING_TABLE=mangle
...
AUTOMAKE=Yes
BLACKLISTNEWONLY=Yes
...
EXPAND_POLICIES=No
EXPORTMODULES=Yes
FASTACCEPT=No
..
<emphasis role="bold">KEEP_RT_TABLES=Yes</emphasis>
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=Yes
...
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=Yes
OPTIMIZE=31
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
<emphasis role="bold">RESTORE_DEFAULT_ROUTE=No</emphasis>
RETAIN_ALIASES=No
<emphasis role="bold">ROUTE_FILTER=No</emphasis>
SAVE_IPSETS=
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
<emphasis role="bold">TRACK_PROVIDERS=Yes</emphasis>
<emphasis role="bold">USE_DEFAULT_RT=Yes</emphasis>
<emphasis role="bold">USE_PHYSICAL_NAMES=Yes</emphasis>
ZONE2ZONE=-
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=8
<emphasis role="bold">PROVIDER_BITS=2</emphasis>
<emphasis role="bold">PROVIDER_OFFSET=16</emphasis>
MASK_BITS=8
ZONE_BITS=0</programlisting>
<para>I use USE_DEFAULT_RT=Yes and since there are only two providers, two
provider bits are all that are required.</para>
<para>Here is /etc/shorewall/zones:</para>
<programlisting>fw firewall
loc ip #Local Zone
net ip #Internet
smc:net ip #10.0.1.0/24
vpn ip #OpenVPN clients
dmz ip #LXC Containers</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,required,wait=5,routefilter,nets=172.20.1.0/24
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
vpn TUN_IF+ physical=tun+,ignore=1
dmz br0 routeback,proxyarp=1
- lo ignore</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para> <para><filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,fallback eth2,eth4,tun* ?if $FALLBACK
Comcast 2 0x200 main eth3 detect track,balance eth2,eth4,tun* ComcastB 1 0x10000 - COMB_IF 70.90.191.126 loose,fallback
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> ComcastC 2 0x20000 - COMC_IF detect loose,fallback
?elsif $STATISTICAL
ComcastB 1 0x10000 - COMB_IF 70.90.191.126 loose,load=0.66666667
ComcastC 2 0x20000 - COMC_IF detect loose,load=0.33333333
?else
<emphasis role="bold">ComcastB 1 0x10000 - COMB_IF 70.90.191.126 loose,balance=2
ComcastC 2 0x20000 - COMC_IF detect loose,balance</emphasis>
?endif
?if $PROXY &amp;&amp; ! $SQUID
Squid 3 - - lo - tproxy
?endif
</programlisting>
<para>The <emphasis role="bold">loose</emphasis> option on Avvanta results <para>Notice that in the current balance mode, as in the STAISTICAL mode,
in fewer routing rules. The first two routing rules below insure that all the business line is favored 2:1 over the consumer line.</para>
traffic from Avvanta-assigned IP addresses is sent via the Avvanta
provider. The 'tun*' included in the COPY column is there because I run a
routed OpenVPN server on the firewall.</para>
<para><filename>/etc/shorewall/rtrules</filename>:</para> <para>Here is <filename>/etc/shorewall/rtrules</filename>:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
- 172.20.0.0/24 main 1000 # Addresses assigned by routed OpenVPN server 70.90.191.121 - ComcastB 1000
206.124.146.176/30 - Avvanta 26000 70.90.191.123 - ComcastB 1000
206.124.146.180 - Avvanta 26000 &amp;COMC_IF - ComcastC 1000
- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address 172.20.1.145 - ComcastC 1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> 172.20.1.146 - ComcastC 1000
br0 - ComcastB 11000</programlisting>
<para>The <filename>/etc/shorewall/rtrules </filename>entries provide all <para>For reference, this configuration generates these routing
of the provider selection necessary so my rules:</para>
<filename>/etc/shorewall/tcrules</filename> file is used exclusively for
traffic shaping of the Avvanta line. Note that I still need to provide
values in the MARK colum of <filename>/etc/shorewall/providers</filename>
because I specify <emphasis role="bold">track</emphasis> on both
providers.</para>
<para>Here is the output of <command>shorewall show
routing</command>:</para>
<programlisting>Routing Rules
<programlisting>root@gateway:~# ip rule ls
0: from all lookup local 0: from all lookup local
1000: from all to 172.20.0.0/24 lookup main 999: from all lookup main
10000: from all fwmark 0x100 lookup Avvanta 1000: from 70.90.191.121 lookup Primary
10001: from all fwmark 0x200 lookup Comcast 1000: from 70.90.191.123 lookup Primary
20256: from 71.227.156.229 lookup Comcast 1000: from 67.170.121.6 lookup Backup
26000: from 206.124.146.176/30 lookup Avvanta 1000: from 172.20.1.145 lookup Backup
26000: from 206.124.146.180 lookup Avvanta 1000: from 172.20.1.146 lookup Backup
26000: from all to 216.168.3.44 lookup Avvanta 10000: from all fwmark 0x10000/0x30000 lookup Primary
32766: from all lookup main 10001: from all fwmark 0x20000/0x30000 lookup Backup
11000: from all iif br0 lookup Primary
32765: from all lookup balance
32767: from all lookup default 32767: from all lookup default
root@gateway:~# </programlisting>
Table Avvanta: <para><filename>/etc/shorewall/tcrules</filename> is not used to support
Multi-ISP:</para>
206.124.146.254 dev eth0 scope link src 206.124.146.176 <programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
206.124.146.177 dev eth4 scope link # PORT(S) PORT(S)
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254 FORMAT 2
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176 TTL(+1):P INT_IF -
169.254.0.0/16 dev eth0 scope link SAME:P INT_IF - tcp 80,443
default via 206.124.146.254 dev eth0 src 206.124.146.176 ?if $PROXY &amp;&amp; ! $SQUID2
DIVERT COMB_IF - tcp - 80
Table Comcast: DIVERT COMC_IF - tcp - 80
DIVERT br0 172.20.1.0/24 tcp - 80
206.124.146.177 dev eth4 scope link TPROXY(3129,172.20.1.254) INT_IF - tcp 80
71.227.156.1 dev eth3 scope link src 71.227.156.229 ?if $PROXYDMZ
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254 TPROXY(3129,172.20.1.254) br0 - tcp 80
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229 ?endif
default via 71.227.156.1 dev eth3 src 71.227.156.229 ?endof
</programlisting>
Table default:
default via 206.124.146.254 dev eth0 metric 1
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254
broadcast 206.124.146.255 dev eth0 proto kernel scope link src 206.124.146.176
local 206.124.146.179 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.178 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth4 proto kernel scope host src 206.124.146.176
broadcast 71.227.157.255 dev eth3 proto kernel scope link src 71.227.156.229
broadcast 71.227.156.0 dev eth3 proto kernel scope link src 71.227.156.229
local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254
local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254
local 71.227.156.229 dev eth3 proto kernel scope host src 71.227.156.229
broadcast 206.124.146.0 dev eth0 proto kernel scope link src 206.124.146.176
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 206.124.146.180 dev eth0 proto kernel scope host src 206.124.146.176
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
206.124.146.177 dev eth4 scope link
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 71.227.156.1 dev eth3 </programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth2 detect dhcp,routeback
dmz eth4 detect
net eth0 detect dhcp,blacklist,tcpflags,optional
net eth3 detect dhcp,blacklist,tcpflags,optional
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
COMMENT Masquerade Local Network
eth3 0.0.0.0/0
eth0 !206.124.146.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>All traffic leaving eth3 must use the dynamic IP address assigned to
that interface as the SOURCE address. All traffic leaving eth0 that does
not have a SOURCE address falling within the Avvanta subnet
(206.124.146.0/24) must have its SOURCE address changed to
206.124.146.179.</para>
</section> </section>
</article> </article>
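Review bot: the tcrules listing closes its outer `?if $PROXY && ! $SQUID2` block with `?endof`, which the compiler will not accept; it should be `?endif`. The same conditional is spelled `?if $PROXY && ! $SQUID` in the providers listing while params only defines `SQUID2=`, so one of the two tests an unset variable; make the variable name consistent. The `shorewall show routing` output looks up tables named `Primary` and `Backup`, but the providers file names them `ComcastB` and `ComcastC`, so the output was evidently captured from a different configuration; recapture it or rename the providers so the listings agree. The deleted text's `/etc/shorewall/masq` entries have no counterpart in the new version, yet the consumer line has a dynamic address and the DMZ hosts have public addresses, so readers will expect the current masq entries or a sentence saying they are unchanged. Typos in the added prose: "a two servers", "dedicaed", "10.1.10/0/24" (10.1.10.0/24), "So The firewall", "STAISTICAL".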

Binary file not shown.

Binary file not shown.