Child from KoRn
2006-Jan-18 00:45 UTC
Re:Message 5 : How to force $FW traffic to a specific
Hi Dario, I had the same problem you have and it was finally resolved by Jerry and Tom after many hours of troubleshooting. Here's what has been done on my shorewall that solved the problem; hope it works for you too.

BTW: I use Fedora Core 4 and Shorewall 3.0.3.

Info: What we achieved with this configuration is that all $FW originating traffic goes out ISP1, and all eth0 (LAN1) originating traffic goes out ISP2. Here:

1st) Init file

If your ISPs are DHCP, define 2 variables: one representing the IP you got from ISP1 and one representing ISP2. E.g.:

    ETH2_IP=`find_first_interface_address eth2`
    PPP0_IP=`find_first_interface_address ppp0`

2nd) Providers file

Define your respective MARKS:

    #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
    fwout  5       5     -          ppp0       detect
    ISP1   1       1     main       ppp0       detect   balance,track  eth0
    ISP2   2       2     main       eth2       detect   balance,track  eth0

(For this file, Jerry helped me out a lot. I'm not sure if the ISP1 rule is still necessary... Is it, Jerry/Tom?)

3rd) MASQ file

To make sure that traffic destined to ISP2 is not sent with an ISP1 source address, here's what you need:

    #INTERFACE  SOURCE    ADDRESS   PROTO
    ppp0        $ETH2_IP  $PPP0_IP  all
    eth2        $PPP0_IP  $ETH2_IP  all
    eth2        eth0      $ETH2_IP  all

This step is very important.

4th) TCRULES

In this case, all my $FW originating traffic is sent to ISP1. All eth0 traffic is sent to ISP2. So in the first part (mark 5) ALL traffic from $FW, no matter what SOURCE IP it comes from, is marked 5. Only then do the other mark rules apply; in this case, for my eth0 interface I mark 2 (ISP2). Remember that the last matching marking rule will apply.

    #MARK  SOURCE        DEST       PROTO
    # packets from $FW-IF-ppp0 to "ALL" are marked 5
    5      $FW:$PPP0_IP  0.0.0.0/0  all
    # packets from $FW-IF-eth2 to "ALL" are marked 5
    5      $FW:$ETH2_IP  0.0.0.0/0  all
    # packets from eth0 to ALL are marked 2 in PREROUTING
    2:P    eth0          0.0.0.0/0  all

The reason why it's done like this is that some applications are BOUND to a specific IP (interface) on your firewall. So even if the source is the $FW, the source IP address could be any one of your interface IPs.
This is not the most detailed explanation, but I hope this will help you get on the right track and save some of Jerry's and Tom's saliva. You might need a little tweaking, but it works fine for me now. Good luck.

-----------
This is in response to:

Message: 5
From: Dario Lesca <d.lesca@solinos.it>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Date: Tue, 17 Jan 2006 19:02:50 +0100
Message-Id: <1137520970.3220.288.camel@lesca.home.solinos.it>
Subject: [Shorewall-users] Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)

Hi! I have tried again to resolve this problem, suspended since 17 Dec 2005. I have tried to apply the suggestion from Jerry (see above). The problem still exists. See the attached shorewall config, dump and tcpdump from when I try to exit with SSH from the firewall...

In the masq file is reported my last attempt to resolve my problem; however, I have also tested the example reported in MultiISP.html, but nothing changed.

Many thanks to all
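The following is an added model of the mark -> route -> SNAT pipeline the post above sets up; it is example code written for this page, not Shorewall's own code and not something either poster ran. It replays the three posted files (tcrules with last-match semantics, providers, masq) on a few constructed packets, using assumed RFC 5737 addresses in place of the values the init file reads with find_first_interface_address, to show why the ppp0 masq entry matters when a firewall application is bound to the ISP2 address: without it the packet leaves ISP1's link carrying ISP2's source address.

```python
"""Model of the mark -> route -> SNAT decisions in the posted Shorewall setup.

Example code written for this page (not Shorewall's logic): it replays the
posted tcrules, providers and masq files on constructed packets.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FW = "$FW"
# Constructed stand-ins for the addresses the init file would read with
# find_first_interface_address (RFC 5737 documentation ranges, assumed).
PPP0_IP = "203.0.113.10"    # ISP1 address on ppp0 (assumed)
ETH2_IP = "198.51.100.20"   # ISP2 address on eth2 (assumed)
LAN_IF = "eth0"

LINK_ADDRESS: Dict[str, str] = {"ppp0": PPP0_IP, "eth2": ETH2_IP}


@dataclass
class Packet:
    src_zone: str              # FW for locally generated traffic, else ingress interface
    src_ip: str
    dst_ip: str
    mark: int = 0
    out_if: Optional[str] = None


# tcrules: (MARK, (SOURCE zone/interface, optional source address)).
# The ":P" suffix on the eth0 rule only selects the PREROUTING chain;
# it does not change the match logic modelled here.
TCRULES: List[Tuple[int, Tuple[str, Optional[str]]]] = [
    (5, (FW, PPP0_IP)),
    (5, (FW, ETH2_IP)),
    (2, (LAN_IF, None)),
]

# providers: MARK -> (NAME, INTERFACE)
PROVIDERS: Dict[int, Tuple[str, str]] = {
    5: ("fwout", "ppp0"),
    1: ("ISP1", "ppp0"),
    2: ("ISP2", "eth2"),
}

# masq: (INTERFACE, SOURCE, ADDRESS); SOURCE is an address or an ingress interface.
MASQ: List[Tuple[str, str, str]] = [
    ("ppp0", ETH2_IP, PPP0_IP),
    ("eth2", PPP0_IP, ETH2_IP),
    ("eth2", LAN_IF, ETH2_IP),
]


def apply_tcrules(pkt: Packet, rules=TCRULES) -> int:
    """MARK is a non-terminating target, so the last matching rule wins."""
    mark = 0
    for rule_mark, (zone, addr) in rules:
        if pkt.src_zone == zone and (addr is None or pkt.src_ip == addr):
            mark = rule_mark
    return mark


def route(mark: int, providers=PROVIDERS) -> Optional[str]:
    """A marked packet uses that provider's table; mark 0 falls to main (not modelled)."""
    return providers[mark][1] if mark in providers else None


def apply_masq(pkt: Packet, masq=MASQ) -> str:
    """SNAT is terminating: the first masq entry for the egress interface applies."""
    for out_if, source, addr in masq:
        if pkt.out_if == out_if and source in (pkt.src_ip, pkt.src_zone):
            return addr
    return pkt.src_ip


def forward(pkt: Packet, masq=MASQ) -> Packet:
    """Run a packet through mark, provider routing and SNAT, in that order."""
    pkt.mark = apply_tcrules(pkt)
    pkt.out_if = route(pkt.mark)
    pkt.src_ip = apply_masq(pkt, masq)
    return pkt


def source_matches_link(pkt: Packet) -> bool:
    """True when the packet leaves with the address that belongs to its egress link."""
    return pkt.out_if is not None and LINK_ADDRESS.get(pkt.out_if) == pkt.src_ip


if __name__ == "__main__":
    # A firewall application bound to the ISP2 address, with and without the masq file.
    bound = forward(Packet(FW, ETH2_IP, "192.0.2.1"))
    print("with masq:   ", bound.out_if, bound.src_ip, source_matches_link(bound))
    naked = forward(Packet(FW, ETH2_IP, "192.0.2.1"), masq=[])
    print("without masq:", naked.out_if, naked.src_ip, source_matches_link(naked))
    lan = forward(Packet(LAN_IF, "192.168.1.50", "192.0.2.1"))
    print("LAN host:    ", lan.out_if, lan.src_ip, source_matches_link(lan))
```

The check worth keeping from this model is `source_matches_link`: after any multi-ISP change, confirm with tcpdump on each upstream interface that every outgoing packet carries that link's own address, since an upstream applying reverse-path filtering will silently drop the mismatched ones.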