Discussion:
[Shorewall-users] Shorewall and QoS for Voip
Dario Lesca
2017-07-03 12:43:46 UTC
Hi, I must enable QoS in shorewall-4.5.4 on a CentOS 6.

I have set up an IPsec tunnel with the provider, through which only
VoIP traffic must transit.
Now I can ping and access the contact center, and it can access the
local phone; all now works fine, but I must enable QoS because the
provider has asked me to reserve 500 kbps for VoIP traffic.

I have found this Shorewall how-to:
http://shorewall.org/simple_traffic_shaping.html

Is this the way to go?

Or is it something like this?
https://bonoboslr.wordpress.com/2010/08/19/shorewall-rate-limiting-or-qos/

Can someone help me find the right way?

Many thanks
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
Domibay - Hugo
2017-07-03 14:12:28 UTC
Hi there,

On a server whose firewall is configured with Shorewall, there is an
application running that dynamically inserts and deletes its own rules
in the firewall.
To work properly it needs some configuration in the firewall:
1) some IPs that are directly configured to be preferred;
2) a custom chain that holds rules defining the actions to take on
dynamically inserted IPs.

# shorewall show raw
Shorewall 5.0.14.1 RAW Table at dev-lan34.domibay.org - Mon Jul 3 14:50:09 WEST 2017
Counters reset Mon Jul 3 13:50:33 WEST 2017
Chain PREROUTING (policy ACCEPT 49746 packets, 2017K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
Chain BLOCKLIST (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 10 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 80.32.1.20 0.0.0.0/0
ACCEPT all -- 217.125.25.169 0.0.0.0/0

To achieve this configuration I wanted to create an "initdone" script
with the Shorewall-perl API:

[2017-07-03 14:02:18 - ***@dev-lan34 shorewall]# cat initdone
use lib '/usr/share/shorewall';
use Shorewall::Chains;
use Data::Dump qw(dump);

# Builtin chains the compiler has already created by the time initdone runs
my $chainpreroute = $chain_table{"raw"}{"PREROUTING"};
my $chaininput = $chain_table{"filter"}{"INPUT"};
# Custom chain; new_manual_chain creates it in the filter table
#my $chainblocklist = new_chain "raw", "BLOCKLIST";
my $chainblocklist = new_manual_chain "BLOCKLIST";
#my $chainblocklist = $chain_table{"raw"}{"BLOCKLIST"};

print "nw mnl chn dmp:\n"
. dump($chainblocklist);
print "\n";

# Addresses that must always be accepted
my $sipnet1 = "80.32.1.20";
my $sipnet2 = "217.125.25.169";

my $srulenet1accept = "-s $sipnet1 -j ACCEPT";
my $srulenet2accept = "-s $sipnet2 -j ACCEPT";
my $sruleblocklistlog = "-m limit --limit 10/sec --limit-burst 10 -j LOG";
my $sruleblocklistdrop = "-j DROP";

my $iscs = 1;   # value returned to the compiler: 1 = success

add_rule $chainpreroute, $srulenet1accept;
add_rule $chainpreroute, $srulenet2accept;
add_rule $chaininput, $srulenet1accept;
add_rule $chaininput, $srulenet2accept;

# Rules for the custom chain: rate-limited LOG, then DROP
add_rule $chainblocklist, $sruleblocklistlog;
add_rule $chainblocklist, $sruleblocklistdrop;

print "tbl raw dmp:\n"
. dump($chain_table{"raw"});
print "\n";

print "tbl filter dmp:\n"
. dump($chain_table{"filter"});
print "\n";

return $iscs;

I found that the IPs from $srulenet1accept and $srulenet2accept were
published in the firewall, but the custom chain was not published at all.

I was inspecting the content of $chain_table to see how the custom
chain was created in Shorewall and I saw:

# shorewall check
Checking using Shorewall 5.0.14.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Interface "lan enp3s0 tcpflags,nosmurfs,logmartians" Validated
Determining Hosts in Zones...
fw (firewall)
lan (ipv4)
enp3s0:0.0.0.0/0
Locating Action Files...
Checking /etc/shorewall/policy...
Policy for lan to fw is DROP using chain lan-all
Policy for fw to lan is REJECT using chain fw-all
Running /etc/shorewall/initdone...

$chainblocklist
{
cmdlevel => 0,
filtered => 0,
log => 1,
loglevel => "",
manual => 1,
name => "BLOCKLIST",
optflags => 0,
origin => "",
referenced => 1,
references => {},
restriction => 0,
rules => [],
table => "filter",
}

$chain_table{"filter"}{"BLOCKLIST"} was also created and the rules were added:
"BLOCKLIST" => {
cmdlevel => 0,
complete => 1,
filtered => 0,
log => 1,
loglevel => "",
manual => 1,
name => "BLOCKLIST",
optflags => 0,
origin => "",
referenced => 1,
references => {},
restriction => 0,
rules => [
{
cmdlevel => 0,
comment => "",
jump => "j",
limit => "--limit 10/sec --limit-burst 10",
matches => ["limit", "targetopts"],
mode => 1,
origin => "",
simple => 0,
target => "LOG",
targetopts => "",
},
{
cmdlevel => 0,
comment => "",
jump => "j",
matches => ["targetopts"],
mode => 1,
origin => "",
simple => 1,
target => "DROP",
targetopts => "",
},
],
table => "filter",
},

but finally the new custom chain was not published in the firewall.

Searching the logs I found this notice:
# vi /var/log/shorewall-init.log
Jul 3 13:10:10 Chain BLOCKLIST deleted

I have also attached the Shorewall dump; there you can see additional
details.

So I am wondering: why was my manual chain deleted?

Please let me know if you see how I can achieve the firewall
configuration I am looking for.

Best Regards,
Hugo
Tom Eastep
2017-07-03 15:25:49 UTC
Post by Domibay - Hugo
[...]
So I am wondering: why was my manual chain deleted?
[...]
Hugo,

There are no references to the chain, so by default the compiler simply
deletes it. So either, there must be a rule that jumps to the chain or
you need to set the "don't delete" flag on the chain. That flag is set
by the dont_delete() function in Chains.pm.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
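Putting Tom's two answers together (an unreferenced chain is deleted by the compiler unless it is flagged with dont_delete(), and compile-time scripts such as initdone use the Perl API while run-time scripts use run_iptables), this is what a compile-time initdone that keeps the chain looks like. It is an added example written for this page, not code from Hugo's post or from the Shorewall distribution. It assumes the chain name, the two addresses and the LOG/DROP rules from the post; that dont_delete() takes a chain reference, as Tom describes; and that the application that jumps to BLOCKLIST does so at run time, outside this script. It keeps new_manual_chain, which (as the dump above shows) places the chain in the filter table; placing it in the raw table, as in the target "shorewall show raw" output, is not settled in the thread and is not attempted here.

```perl
# /etc/shorewall/initdone -- compile-time extension script (added example).
# This file is evaluated inside the Shorewall compiler, after the builtin
# chains exist, so the Shorewall::Chains API is available here.
# run_iptables is NOT: that belongs in run-time scripts such as
# /etc/shorewall/started.
use strict;
use warnings;
use lib '/usr/share/shorewall';
use Shorewall::Chains;

# Addresses that must always be accepted (values from the thread).
my @preferred = ( '80.32.1.20', '217.125.25.169' );

my $preroute = $chain_table{raw}{PREROUTING};
my $input    = $chain_table{filter}{INPUT};

for my $ip ( @preferred ) {
    add_rule $preroute, "-s $ip -j ACCEPT";
    add_rule $input,    "-s $ip -j ACCEPT";
}

# The chain that the external application will jump to at run time.
# Nothing in the compiled ruleset references it, so the compiler's
# unreferenced-chain pass would delete it (the "Chain BLOCKLIST deleted"
# notice in shorewall-init.log). dont_delete() turns that pass off for
# this chain. Assumption: dont_delete($chainref), per Tom's reply.
my $blocklist = new_manual_chain 'BLOCKLIST';   # lands in the filter table
dont_delete $blocklist;

# Rate-limited LOG first so a flood of blocked hosts cannot fill the log,
# then DROP.
add_rule $blocklist, '-m limit --limit 10/sec --limit-burst 10 -j LOG';
add_rule $blocklist, '-j DROP';

# Verify after "shorewall check" and "shorewall restart":
#   shorewall show BLOCKLIST        -> the two rules, 0 references
#   tail /var/log/shorewall-init.log -> no "Chain BLOCKLIST deleted"

1;   # tell the compiler the script succeeded
```

The application can then add its own "-j BLOCKLIST" rules with iptables at run time; because the chain carries no references at compile time, it is exactly the case Tom describes, and the flag is what keeps it in the generated script.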
Tom Eastep
2017-07-04 16:00:32 UTC
Post by Domibay - Hugo
Hi Tom,
Thank you for this hint. I was searching in every part of the
documentation and could not find any hint.
I even started to study the source code to understand the classes better.
I also could not figure out from the documentation in which scripts I
can use "run_iptables" and which ones "perl(Shorewall::Chains)".
The run-time scripts use run_iptables; the compile-time scripts use Perl.

-Tom
Dario Lesca
2017-07-04 10:17:22 UTC
Post by Dario Lesca
[...]
Any suggestions? Any how-to?

Many thanks
Tom Eastep
2017-07-04 15:45:33 UTC
Post by Dario Lesca
Hi, I must enable QoS in shorewall-4.5.4 on a CentOS 6.
I have set up an IPsec tunnel with the provider, through which only
VoIP traffic must transit.
Now I can ping and access the contact center, and it can access
the local phone; all now works fine, but I must enable QoS because
the provider has asked me to reserve 500 kbps for VoIP traffic.
http://shorewall.org/simple_traffic_shaping.html
Is this the way to go?
No. If you want to use Shorewall's built-in traffic shaping, you need
http://www.shorewall.org/traffic_shaping.htm.
Post by Dario Lesca
Or is something like this?
https://bonoboslr.wordpress.com/2010/08/19/shorewall-rate-limiting-or-qos/
That article is using the facilities described in the Shorewall.org
article above.

-Tom
Simon Hobson
2017-07-04 20:11:28 UTC
Post by Dario Lesca
Hi, I must enable QoS in shorewall-4.5.4 on a CentOS 6.
I have set up an IPsec tunnel with the provider, through which only
VoIP traffic must transit.
Now I can ping and access the contact center, and it can access the
local phone; all now works fine, but I must enable QoS because the
provider has asked me to reserve 500 kbps for VoIP traffic.
OK, so the tunnel is dedicated to VoIP traffic. In that case I'd enable traffic shaping on the interface that the tunnel goes out through and simply reserve the required bandwidth for the tunnel traffic.
Note that you cannot traffic-shape incoming traffic, but if the firewall is a two-port router and all the traffic passes to other devices in your network, then you can get a fairly good approximation by traffic-shaping egress traffic on the internal interface. In my case I've done this where I've got public IPs on the inside; if you are doing NAT then it's more complicated!
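A concrete tcdevices/tcclasses/tcfilters set that does what Tom and Simon describe: shape the external interface the tunnel leaves through and guarantee the tunnel its 500 kbit/s, and approximate the inbound side by shaping egress on the LAN interface. This is an added example for this page, not taken from the Shorewall documentation or from any poster. The interface names (eth0 external, eth1 internal), the link speeds (2 Mbit/s upstream, 100 Mbit/s LAN), the provider's IPsec endpoint 203.0.113.10 and the remote VoIP subnet 192.0.2.0/24 are placeholders, not values from the thread. It assumes Shorewall 4.5's TC_ENABLED=Internal shaping files and a policy-based (netkey) IPsec tunnel, whose packets leave eth0 already encrypted.

```text
# /etc/shorewall/shorewall.conf (one line to change)
TC_ENABLED=Internal

# /etc/shorewall/tcdevices
# Inbound cannot be shaped, so IN-BANDWIDTH is "-" (no ingress policing).
# OUT-BANDWIDTH must be slightly below the real link speed so the queue
# forms here and not in the modem; 2mbit is an assumed value.
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH   OPTIONS   REDIRECTED
#                                                     INTERFACES
eth0         -              2mbit
eth1         -              100mbit

# /etc/shorewall/tcclasses
# eth0: class 1 is guaranteed the 500 kbit/s the provider asked for and may
# borrow up to the full link when idle; class 2 is everything else.
# MARK is "-" because classification is done by tcfilters, not by marks.
#INTERFACE   MARK   RATE       CEIL    PRIORITY   OPTIONS
eth0:1       -      500kbit    full    1
eth0:2       -      1500kbit   full    2          default
# eth1 (LAN side): shaping its egress approximates shaping the inbound
# VoIP for the phones, Simon's point above.
eth1:1       -      500kbit    full    1
eth1:2       -      90mbit     full    2          default

# /etc/shorewall/tcfilters
# On eth0 the VoIP packets are already encrypted, so classify by the tunnel's
# outer headers: ESP (protocol 50) and, if NAT-T is in use, UDP 4500, sent to
# the provider's IPsec endpoint (203.0.113.10 is a placeholder).
#INTERFACE:   SOURCE          DEST            PROTO   DEST      SOURCE
#CLASS                                                PORT(S)   PORT(S)
eth0:1        -               203.0.113.10    50
eth0:1        -               203.0.113.10    udp     4500
# On eth1 the traffic has been decrypted, so classify on the provider's VoIP
# subnet behind the tunnel (192.0.2.0/24 is a placeholder).
eth1:1        192.0.2.0/24    -               -
```

The point that usually trips people up with IPsec is the first tcfilters rule: on the external interface the SIP and RTP headers are no longer visible, so the filter has to match the outer ESP or NAT-T packet to the provider's endpoint, not the VoIP ports. Exactly one class per interface carries "default"; everything not matched by a filter lands there. After "shorewall restart", "shorewall show tc" lists the qdiscs, classes and filters, and the byte counters of class 1 on eth0 should rise during a call while the default class absorbs everything else.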