Shorewall and Routing
Tom
Eastep
2005-06-02
2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
Routing vs. Firewalling.
One of the most misunderstood aspects of Shorewall is its
releationship with routing. This article attempts to clear some of the fog
that surrounds this issue.
As a general principle:
Routing determines where packets are to be sent.
Once routing determines where the packet is to go, the firewall
(Shorewall) determines if the packet is allowed to go there.
There are ways that Shorewall can affect routing which are described
in the following sections.
Routing and Netfilter
The following diagram shows the relationship between routing
decisions and Netfilter.
The light blue boxes indicate where routing decisions are made. Upon
exit from one of these boxes, if the packet is being sent to another
system then the interface and the next hop have been uniquely
determined.
The green boxes show where Netfilter processing takes place (as
directed by Shorewall). You will notice that there are two different paths
through this maze, depending on where the packet originates. We will look
at each of these separately.
Packets Entering the Firewall from Outside
When a packet arrives from outside, it first undergoes Netfilter
PREROUTING processing. In Shorewall terms:
Packets may be marked using entries in the /etc/shorewall/tcrules file. Entries in that file
containing ":P" in the mark column are applied here as are rules
that default to the MARK_IN_FORWARD_CHAIN=No setting in
/etc/shorewall/shorewall.conf. These marks may
be used to specify that the packet should be routed using an
alternate routing table; see the Shorewall Squid
documentation for examples.
Marking packets then using the fwmark
selector in your "ip rule add"
commands should NOT be your first choice. In most cases, you can
use the from or dev
selector instead.
The destination IP address may be rewritten as a consequence
of:
DNAT[-] rules.
REDIRECT[-] rules.
Entries in /etc/shorewall/nat.
So the only influence that Shorewall has over where these packets
go is via NAT or by marking them so that they may be routed using an
alternate routing table.
Packets Originating on the Firewall
Processing of packets that originate on the firewall itself are
initially routed using the default routing table then passed through the
OUTPUT chains. Shorewall can influence what happens here:
Packets may be marked using entries in the /etc/shorewall/tcrules file (rules with "$FW" in
the SOURCE column). These marks may be used to specify that the
packet should be re-routed using an alternate routing table.
The destination IP address may be rewritten as a consequence
of:
DNAT[-] rules that specify $FW as the SOURCE.
Entries in /etc/shorewall/nat that
have "Yes" in LOCAL column.
So again in this case, the only influence that Shorewall has over
the packet destination is NAT or marking.
Alternate Routing Table Configuration
The Shorewall Squid
documentation shows how alternate routing tables can be created
and used. That documentation shows how you can use logic in
/etc/shorewall/init to create and populate an
alternate table and to add a routing rule for its use. It is fine to use
that technique so long as you understand that you are basically just using
the Shorewall init script (/etc/init.d/shorewall) to
configure your alternate routing table at boot time and that other than as described in the previous section, there is no
connection between Shorewall and routing when using Shorewall versions
prior to 2.3.2.
Routing and Proxy ARP
There is one instance where Shorewall creates main routing table
entries. When an entry in /etc/shorewall/proxyarp
contains "No" in the HAVEROUTE column then Shorewall will create a host
route to the IP address listed in the ADDRESS column through the interface
named in the INTERFACE column. This is the only case
where Shorewall directly manipulates the main routing
table.
Example:
/etc/shorewall/proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The above entry will cause Shorewall to execute the following
command:
ip route add 206.124.146.177 dev eth1
Multiple Internet Connection Support in Shorewall 2.3.2 and
Later
Beginning with Shorewall 2.3.2, support is included for multiple
internet connections.
Overview
Let's assume that a firewall is connected via two separate
ethernet interfaces to two different ISPs as in the following
diagram.
eth0 connects to ISP1. The IP address of eth0 is
206.124.146.176 and the ISP's gateway router has IP address
206.124.146.254.
eth1 connects to ISP 2. The IP address of eth1 is
130.252.99.27 and the ISP's gateway router has IP address
130.252.99.254.
Each of these providers is described in an
entry in the file /etc/shorewall/providers.
Entries in /etc/shorewall/providers can
specify that outgoing connections are to be load-balanced between the
two ISPs. Entries in /etc/shorewall/tcrules can be
used to direct particular outgoing connections to one ISP or the
other.
Connections from the internet are automatically routed back out of
the correct interface and through the correct ISP gateway. This works
whether the connection is handled by the firewall itself or if it is
routed or port-forwarded to a system behind the firewall.
Shorewall will set up the routing and will update the
/etc/iproute2/rt_tables to include the table names
and number of the tables that it adds.
This feature uses packet
marking to control the routing. As a consequence, there are
some restrictions concerning entries in
/etc/shorewall/tcrules:
Packet marking for traffic control purposes may not be done
in the PREROUTING table for connections involving providers with
'track' specified (see below).
You may not use the SAVE or RESTORE options.
You may not use connection marking.
Use of this feature requires that your kernel and iptables support
CONNMARK target and conntrack match support. It does NOT require the
ROUTE target extension.
The current version of iptables (1.3.1) is broken with respect
to CONNMARK and iptables-save/iptables-restore. This means that if you
configure multiple ISPs, shorewall restore may
fail. If it does, you may patch your iptables using the patch at
http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
The /etc/shorewall/providers file can also be
used in other routing scenarios. See the Squid documentation for an
example.
/etc/shorewall/providers File
Entries in this file have the following columns. As in all
Shorewall configuration files, enter "-" in a column if you don't want
to enter any value.
/etc/shorewall/providers:
NAME
The provider name. Must begin with a letter and consist of
letters and digits. The provider name becomes the name of the
generated routing table for this provider.
NUMBER
A number between 1 and 252. This becomes the routing table
number for the generated table for this provider.
MARK
A mark value used in your /etc/shorewall/tcrules file to
direct packets to this provider. Shorewall will also mark
connections that have seen input from this provider with this
value and will restore the packet mark in the PREROUTING
CHAIN.
DUPLICATE
Gives the name or number of a routing table to duplicate.
May be 'main' or the name or number of a previously declared
provider. For most applications, you want to specify 'main'
here.
INTERFACE
The name of the interface to the provider.
GATEWAY
The IP address of the provider's Gateway router.
You can enter detect here
and Shorewall will attempt to automatically determine the
gateway IP address.
OPTIONS
A comma-separated list from the following:
track
If specified, connections FROM this interface are to
be tracked so that responses may be routed back out this
same interface.
You want specify 'track' if internet hosts will be
connecting to local servers through this provider.
balance
The providers that have 'balance' specified will get
outbound traffic load-balanced among them. Balancing will
not be perfect, as it is route based, and routes are
cached. This means that routes to often-used sites will
always be over the same provider.
By default, each provider is given the same weight
(1) . Beginning with 2.4.0-RC3, you can change the weight
of a given provider by following
balance with "=" and the desired
weight (e.g., balance=2). The weights reflect the relative
bandwidth of the providers connections and should be small
numbers since the kernel actually creates additional
default routes for each weight increment.
What an entry in the Providers File Does
Adding another entry in the providers file simply creates an
alternate routing table for you. In addition:
An ip rule is generated for each IP address on the INTERFACE
that routes traffic from that address through the associated routing
table.
If you specify track, then
connections which have had at least one packet arrive on the
interface listed in the INTERFACE column have their connection mark
set to the value in the MARK column. In the PREROUTING chain,
packets with that connmark have their packet mark set to that value;
packets so marked then bypass any prerouting rules that you create
in /etc/shorewall/tcrules. This ensures that
packets associated with connections from outside are always routed
out of the correct interface.
If you specify balance, then
Shorewall will replace the 'default' route with weight 100 in the
'main' routing table with a load-balancing route among those
gateways where balance was
specified. So if you configure default routes, be sure that their
weight is less than 100 or the route added by Shorewall will not be
used.
That's all that these entries do.
You still have to follow the principle stated at the top of this
article:
Routing determines where packets are to be sent.
Once routing determines where the packet is to go, the
firewall (Shorewall) determines if the packet is allowed to go
there.
The bottom line is that if you want traffic to go out through a
particular provider then you must mark that traffic
with the provider's MARK value in
/etc/shorewall/tcrules and you must do that marking
in the PREROUTING chain.
Entries in /etc/shorewall/providers
permanently alter your firewall/gateway's routing; that is, the effect
of these changes is not reversed by shorewall stop
or shorewall clear. To restore routing to its
original state, you will have to restart your network. This can
usually be done by /etc/init.d/network restart or
/etc/init.d/networking restart. Check your
distribution's networking documentation.
You can mitigate the effect of the Shorewall-generated changes
to your routing table by specifying a metric for
each default route that you configure. Shorewall will generate a
load-balancing default route (assuming that balance has been specified for some of the
providers) that does not include a metric and that will therefore not
replace any existing route that has a non-zero metric.
Example
The configuration in the figure at the top of this section would
be specified in /etc/shorewall/providers as
follows:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
ISP1 1 1 main eth0 206.124.146.254 track,balance
ISP2 2 2 main eth1 130.252.99.254 track,balance
Other configuration files go something like this:
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect …
net eth1 detect …
/etc/shorewall/policy:
#SOURCE DESTINATION POLICY LIMIT:BURST
net net DROP
If you have masqueraded hosts, be sure to update
/etc/shorewall/masq to masquerade to both ISPs. For
example, if you masquerade all hosts connected to eth2 then:
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth1 eth2 130.252.99.27
Now suppose that you want to route all outgoing SMTP traffic from
your local network through ISP 2. You would make this entry in /etc/shorewall/tcrules (and you would
set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf).
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
2:P <local network> 0.0.0.0/0 tcp 25
Experimental Routing with Shorewall 2.3.2 and Later
Beginning with Shorewall 2.3.2, Shorewall is integrated with the
ROUTE target extension available from Netfilter Patch-O-Matic-NG (http://www.netfilter.org).
As of this writing, I know of no distribution that is shipping a
kernel or iptables with the ROUTE target patch included. This means that
you must patch and build your own kernel and iptables in order to be
able to use the feature described in this section. This code remains experimental since there is no
intent by the Netfilter team to ever submit the ROUTE target patch for
inclusion in the official kernels from kernel.org.
See Shorewall FAQ 42 for
information about determining if your kernel and iptables have this
support enabled. You must be running Shorewall 2.3.2 or later to make this
determination.
Routing with Shorewall is specified through entries in
/etc/shorewall/routes. Note that entries in the
/etc/shorewall/routes file override the routing
specified in your routing tables. These rules generate Netfilter rules in
the mangle tables FORWARD chain or OUTPUT chain depending whether the
packets are being routed through the firewall or originate on the firewall
itself (see the flow diagram at the top of this article).
Columns in this file are as follows:
SOURCE
Source of the packet. May be any of the following:
A host or network address
A network interface name.
The name of an ipset prefaced with "+"
$FW (for packets originating on the firewall)
A MAC address in Shorewall format
A range of IP addresses (assuming that your kernel and
iptables support range match)
A network interface name followed by ":" and an address or
address range.
DEST
Destination of the packet. May be any of the following:
A host or network address
A network interface name (determined from routing
table(s))
The name of an ipset prefaced with "+"
A network interface name followed by ":" and an address or
address range.
PROTO
Protocol - Must be a protocol listed in /etc/protocols, a
number or "ipp2p", a number, or "all". "ipp2p" require ipp2p match
support in your kernel and iptables.
PORT(S)
Destination Ports. A comma-separated list of Port names (from
/etc/services), port numbers or port ranges; if the protocol is
"icmp", this column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is interpreted as an
ipp2p option without the leading "--" (example "bit" for
bit-torrent). If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but must be entered
if any of the following field is supplied. In that case, it is
suggested that this field contain "-"
SOURCE PORT(S)
Optional) Source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.
TEST
Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true. Tests have the
format
[!]<value>[/<mask>][:C]
where:
!
Inverts the test (not equal)
<value>
Value of the packet or connection mark.
<mask>
A mask to be applied to the mark before testing
:C
Designates a connection mark. If omitted, the packet
mark's value is tested
INTERFACE
The interface that the packet is to be routed out of. If you
do not specify this field then you must place "-" in this column and
enter an IP address in the GATEWAY column.
GATEWAY
The gateway that the packet is to be forwarded through.
The idea here is that traffic that matches the SOURCE, DEST, PROTO,
PORT(S), SOURCE PORT(S) and TEST columns is routed out of the INTERFACE
through the optional GATEWAY.
Example:
Your local interface is eth1 and your DMZ interface is eth2. You
want to run Squid as a transparent proxy for HTTP on 192.168.3.22 in
your DMZ. You would use the following entry in
/etc/shorewall/routes:
#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
# PORT(S)
eth1 0.0.0.0/0 tcp 80 - - eth1 192.168.3.22
This entry specifies that "traffic coming in through eth1 to TCP
port 80 is to be routed out of eth1 to gateway 192.168.3.22".