[Firehol-support] Strange problem when routing between many interface

Tsaousis, Costa costa at tsaousis.gr
Sun Mar 1 23:38:42 CET 2015


Hi Simon,

I added the list, so that others may benefit from our discussion.

Regarding your proposal: Why don't you use variables like this:

dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

...

interface4 "${dn42}" dn42

...

router4 dn422dn42 inface "${dn42}" outface "${dn42}"


Regarding the problem you face with masquerade: if you check the
manual you will see that the masquerade statement just uses the
outface from the router, nothing else. Your masquerade statement in
openvpn2dn42 is the same as having this at the top of firehol.conf
(below the definition of dn42):

masquerade4 "${dn42}"

Let's see it in explain mode:

 # firehol explain

FireHOL $Id: 853eac8359b2edd51d99ac6289e282ca8d6e39de $
(C) Copyright 2003-2015 Costa Tsaousis <costa at tsaousis.gr>
(C) Copyright 2012-2015 Phil Whineray <phil at firehol.org>
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org

-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
    http://lists.firehol.org/mailman/listinfo/firehol-support/
-------------------------------------------------------------------------

You can now start typing firehol configuration directives.
Special interactive commands: help, show, quit

# FireHOL [:] > dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 1 at Interactive User Input
# Command  : dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# > OK <
# FireHOL [:] > masquerade4 "${dn42}"
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 2 at Interactive User Input
# Command  : masquerade4 "${dn42}"

# Masquerade on interface 'tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8
tun9 tun10 tun11'
/sbin/iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun3 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun4 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun5 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun6 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun7 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun8 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun9 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun10 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# > OK <

I understand you don't want this masquerade to take place for traffic
not coming from another dn42 interface.

Well, the problem is that iptables does not allow this. Let's see it:

 # /sbin/iptables -t nat -A POSTROUTING -i tun1 -o tun11 -j MASQUERADE
iptables v1.4.21: Can't use -i with POSTROUTING

So, it cannot be done like this.

One solution is to limit the masquerade statement by specifying the
'src' networks it is (or it is not) allowed to masquerade.
Just append one of:

src "${networks_to_masquerade}"
src not "${networks_not_to_masquerade}"

Of course you have to define these variables before using them.

Using the above method would require you to know all the network IPs.

To avoid this, another solution is to use marks, to mark the
connections that come from all ${dn42} interfaces and then in
masquerade limit the match to the packets marked.
For this you are going to need the latest version of firehol from
github (git checkout https://github.com/ktsaou/firehol.git
firehol.git; then firehol will be the file:
firehol.git/sbin/firehol.in).
It will work like this:

dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# add another mark, named masq with 2 possible values: 0 and 1
# we add a new mark, so that you can use all other marks for any other
# purpose you may need them
# this mark will not interfere with the others.
markdef masq 2

# mark the packets when they are received from ${dn42} interfaces
custommark4 masq 1 PREROUTING inface "${dn42}"

# masquerade packets going out on ${dn42} interfaces, if they are
# marked with masq 1
masquerade4 "${dn42}" custommark masq 1

Let's see what this does:

# ./sbin/firehol.in explain

FireHOL $Id: 48fee6298de463cd7e9d5dc1c738e40099c822e0 $
(C) Copyright 2003-2015 Costa Tsaousis <costa at tsaousis.gr>
(C) Copyright 2012-2015 Phil Whineray <phil at firehol.org>
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org

-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
    http://lists.firehol.org/mailman/listinfo/firehol-support/
-------------------------------------------------------------------------

You can now start typing firehol configuration directives.
Special interactive commands: help, show, quit

# FireHOL [:] > dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 1 at Interactive User Input
# Command  : dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# > OK <
# FireHOL [:] > markdef masq 2
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 2 at Interactive User Input
# Command  : markdef masq 2

# > OK <
# FireHOL [:] > custommark4 masq 1 PREROUTING inface "${dn42}"
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 3 at Interactive User Input
# Command  : custommark4 masq 1 PREROUTING inface "${dn42}"

# Rules for stateful MARK 0x00002000/0x00002000 on chain PREROUTING
/sbin/iptables -t mangle -A PREROUTING -i tun1 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun2 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun3 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun4 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun5 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun6 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun7 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun8 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun9 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun10 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000
/sbin/iptables -t mangle -A PREROUTING -i tun11 -m conntrack --ctstate
NEW -j MARK --set-mark 0x00002000/0x00002000

# > OK <
# FireHOL [:] > masquerade4 "${dn42}" custommark masq 1
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 4 at Interactive User Input
# Command  : masquerade4 "${dn42}" custommark masq 1

# Masquerade on interface 'tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8
tun9 tun10 tun11'
/sbin/iptables -t nat -A POSTROUTING -o tun1 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun2 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun3 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun4 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun5 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun6 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun7 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun8 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun9 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun10 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o tun11 -m conntrack --ctstate
NEW -m mark --mark 0x00002000/0x00002000 -j MASQUERADE

# > OK <

So, this way you don't need to define all the networks.

If you use an older version of firehol, you can use this:

dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# mark the packets when they are received from ${dn42} interfaces
ipv4 mark 1 PREROUTING inface "${dn42}"

# masquerade packets going out on ${dn42} interfaces, if they are
# marked with mark 1
ipv4 masquerade "${dn42}" mark 1

It looks simpler, but in older versions there was only one mark with
32-bit values, so you just used it. You will not be able to use marks
for other purposes until you upgrade.

Costa


On Sun, Mar 1, 2015 at 11:07 PM, Simon Szustkowski <mail at simonszu.de> wrote:
> Hi,
>
> I am sorry to write you directly, but it seems that the mailman isn't storing and redistributing my initial mail although I am subscribed. So...
>
> I have the following setup:
>
> - A zone for the normal internet, interface eth0
> - A zone for one specific VPN connection, interface tun0
> - A zone for many VPN interfaces with dynamic routing protocols (BGP, OSPF) enabled between them. (tun1 to tun11), called the DN42
>
> I want to achieve the following:
>
> On the host are some services running which should be accessed via the internet, eth0
>
> Clients which connect via tun0 should be able to access the internet and also the zone with the dynamic routing, each forwarding should be masqueraded. The internet and the DN42 zone should not be able to access the clients that are connecting in this zone.
>
> In the DN42 zone, each interface should be connected to each other interface. They should not be able to access the internet, nor the clients on tun0, but they should be able to access some defined services on this host.
>
> So my config is now basically looking like this:
>
>> #
>> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
>> #
>>
>> version 6
>>
>> interface eth0 internet
>> (..some rules for the services accessible via the internet and for the vpn endpoints for the dn42 and the tun0 vpn)
>>
>> # Define the tun1 Interface for VPN zone
>> interface4 tun0 openvpn
>>
>> # Define DN42 zone. Accept Ping and BGP and OSPF
>> interface4 "tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11" dn42
>>       server icmp accept
>>       server bgp accept
>>       server OSPF accept
>>       server dns accept
>>       client OSPF accept
>>       client all accept
>>
>> # Allow forwarding between the dn42 peers
>> router4 dn422dn42 inface "tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11" outface "tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
>>       route all accept
>>
>> # Masquerade all traffic originating from the CA-based OpenVPN into the DN42
>> router4 openvpn2dn42 inface tun0 outface "tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
>>       route all accept
>>       masquerade
>>
>> router4 dn422openvpn inface "tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11" outface tun0
>>
>> # Masquerade all traffic originating from the CA-based OpenVPN into the Internet
>> router4 openvpn2internet inface tun0 outface eth0
>>       masquerade
>>       route all accept
>>
>> router4 internet2openvpn inface eth0 outface tun0
>
>
> The first question is: The inface and outface definitions for the DN42 zone are getting longer and longer with each peer. So I'd submit a feature proposal that you can define the in- and outface sections in router statements via their interface names, e.g. router4 dn422dn42 inface-grp dn42 outface-grp dn42.
>
> The main problem because I write this email however is: I have this masquerade-statement on the openvpn2internet router definition. For some reason, this masquerading statement applies to the dn422dn42 router definition as well. All DN42 traffic passing through my host is masqueraded, which is quite bad for a border gateway router. However, when I disable this masquerading-statement, the router dn422dn42 isn't forwarding any traffic, which is also quite bad for a border gateway router.
>
> So, why is my firewall masquerading traffic on routers which aren't configured to do so, and why is the masquerade statement mandatory (although in another router) for the dn422dn42 router to work? Isn't a route all accept sufficient to a router to work?
>
> Yours,
>
> Simon
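As an added example (not code from Costa's reply, from Simon, or from FireHOL itself), the following POSIX shell script generates the same rule pairs that FireHOL's explain output above shows for the mark-based approach: a mangle PREROUTING rule per dn42 interface that marks NEW connections on entry, and a nat POSTROUTING rule per dn42 interface that masquerades only marked connections. It also encodes the chain restriction behind the "Can't use -i with POSTROUTING" error, so the naive single-rule attempt is rejected the way iptables rejects it. The interface list and the 0x00002000 mark bit are the ones from the thread; the `IPTABLES` variable, the function names and the print-instead-of-apply design are assumptions made here so the script can be inspected without root or a live firewall.

```shell
#!/bin/sh
# Constructed example: build the mark + masquerade rule set from the thread
# as text, so the "mark on the way in, masquerade on the way out" logic can be
# reviewed before it is applied. Not FireHOL's generator; a hand-written one.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed: path to the iptables binary
MASQ_MARK="0x00002000/0x00002000"        # bit FireHOL chose for 'markdef masq 2'

# Interface list from the thread (tun1..tun11 form the DN42 zone)
dn42="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# chain_allows_opt CHAIN OPT -> exit 0 if iptables accepts OPT in CHAIN.
# The input interface is meaningless after the routing decision and the
# output interface is unknown before it, hence the two forbidden pairs.
chain_allows_opt() {
    case "$1:$2" in
        POSTROUTING:-i|OUTPUT:-i) return 1 ;;
        PREROUTING:-o|INPUT:-o)   return 1 ;;
        *)                        return 0 ;;
    esac
}

# mark_rules IFACES -> one mangle PREROUTING rule per interface that tags
# NEW connections arriving on it with MASQ_MARK (what custommark4 emitted).
mark_rules() {
    for i in $1; do
        chain_allows_opt PREROUTING -i || return 1
        echo "$IPTABLES -t mangle -A PREROUTING -i $i -m conntrack --ctstate NEW -j MARK --set-mark $MASQ_MARK"
    done
}

# masq_rules IFACES -> one nat POSTROUTING rule per interface that
# masquerades only connections carrying MASQ_MARK, i.e. connections that
# entered through a DN42 interface (what masquerade4 ... custommark emitted).
masq_rules() {
    for o in $1; do
        chain_allows_opt POSTROUTING -o || return 1
        echo "$IPTABLES -t nat -A POSTROUTING -o $o -m conntrack --ctstate NEW -m mark --mark $MASQ_MARK -j MASQUERADE"
    done
}

# naive_rule IN OUT -> the rule one would like to write instead of the pair
# above; fails because POSTROUTING cannot match on the input interface.
naive_rule() {
    if chain_allows_opt POSTROUTING -i; then
        echo "$IPTABLES -t nat -A POSTROUTING -i $1 -o $2 -j MASQUERADE"
    else
        echo "iptables: Can't use -i with POSTROUTING" >&2
        return 1
    fi
}

# count_rules IFACES -> number of commands the mark+masquerade pair produces
# (two per interface, so 22 for the eleven DN42 interfaces).
count_rules() {
    { mark_rules "$1"; masq_rules "$1"; } | wc -l | tr -d ' '
}

# print_rules IFACES -> the full rule set, in the order it must be loaded;
# pipe it into 'sh' as root to apply it on a real host.
print_rules() {
    mark_rules "$1"
    masq_rules "$1"
}

if [ "${1:-}" = "--print" ]; then
    print_rules "$dn42"
fi
```

Run it as `sh gen_masq_rules.sh --print` to see the 22 commands; the mark rules must be loaded before the masquerade rules, since a connection whose first packet reached POSTROUTING unmarked is never masqueraded. Note that only NEW connections are examined in both chains: MASQUERADE decides NAT on the first packet of a connection and conntrack applies that decision to the rest, so marking later packets would gain nothing.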

