Hi,

I've been running shorewall on a bering lrp firewall for a couple of years now, without any problems. The version I run there is 1.4.2.

Now I'm upgrading to a later release of bering lrp, and the shorewall version is 2.4.7. I'm not sure what's different and what I'm doing wrong, but settings which work fine in my other firewall are not working on the new firewall.

I've set it up with a very simple config, basically doing dnat on port 80 to one internal server. I have 2 public IPs bound on the firewall, and dnat both of those to the one internal server. However, attempting to connect from the outside fails. I just get a connection failed when trying to telnet to port 80, on either of the IPs.

Internally, I have no problem... I can connect from the firewall box to the internal server on port 80.

I'm attaching a tgz with all of the details, including shorewall status, rules file, config, and ip/route information.

Thank you for your help.
Ricardo
On Friday 14 April 2006 08:14, Ricardo Kleemann wrote:

> I've set it up with a very simple config, basically doing dnat on port 80
> to one internal server. I have 2 public IPs bound on the firewall, and dnat
> both of those to the one internal server. However, attempting to connect
> from the outside fails. I just get a connection failed when trying to
> telnet to port 80, on either of the IPs.
>
> Internally, I have no problem... I can connect from the firewall box to the
> internal server on port 80.
>
> I'm attaching a tgz with all of the details, including shorewall status,
> rules file, config, and ip/route information.

Looks to me as though 192.168.111.247 does not have its default gateway set to 192.168.111.254.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

> Looks to me as though 192.168.111.247 does not have its default gateway
> set to 192.168.111.254.

Thanks. You have a good point. I'm not sure how to set that up. The "main" IP of that server is 192.168.1.247 and I have an alias for 192.168.111.247. The alias is setup with a gateway of 192.168.111.254. However, the default is indeed the 192.168.1.247.

Internally, everything works, going from the fw to the server and vice-versa. But I'm guessing that when the server attempts to communicate back to the net, it attempts to use the default gateway rather than the aliased interface's gateway.

Is it possible to do what I'm trying to do (have an alias on a different network)? Would it work if I setup a vlan on the server? Or must I use separate nics for that?

Ricardo

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Ricardo Kleemann" <ricardo@americasnet.com>
Sent: Friday, April 14, 2006 8:30 AM
Subject: Re: [Shorewall-users] Please help with dnat issues
On Friday 14 April 2006 08:43, Ricardo Kleemann wrote:

> Is it possible to do what I'm trying to do (have an alias on a different
> network)? Would it work if I setup a vlan on the server? Or must I use
> separate nics for that?

For testing purposes, you could SNAT all traffic on the new box's local interface. In /etc/shorewall/masq:

#INTERFACE   SUBNET(S)    ADDRESS
eth1         0.0.0.0/0    192.168.111.254

This will force the server to route replies back through 192.168.111.254. Note that from the server's point of view, all connections coming through your new Shorewall box will look as though they originated from 192.168.111.254 rather than from somewhere on the net.

-Tom
> For testing purposes, you could SNAT all traffic on the new box's local
> interface. In /etc/shorewall/masq:

As expected, this certainly worked... ;-)

So is there a way to do this without static nat? Can it only be done if I bind the separate networks to separate nics?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Ricardo Kleemann" <ricardo@americasnet.com>
Cc: <shorewall-users@lists.sourceforge.net>
Sent: Friday, April 14, 2006 8:49 AM
Subject: Re: [Shorewall-users] Please help with dnat issues
On Friday 14 April 2006 09:22, Ricardo Kleemann wrote:

> > For testing purposes, you could SNAT all traffic on the new box's local
> > interface. In /etc/shorewall/masq:
>
> As expected, this certainly worked... ;-)
>
> So is there a way to do this without static nat? Can it only be done if I
> bind the separate networks to separate nics?

This problem is exactly the same as the MultiISP problem only it is occurring on the server rather than on the firewall. So you need the same solution, only on the server -- multiple NIC (could be vlans) and policy routing using connection marking.

-Tom

PS -- actually, the multiple NICs are not strictly necessary for this to work although Shorewall's policy routing requires them. And having them makes things much cleaner.
Ricardo Kleemann wrote:

>> For testing purposes, you could SNAT all traffic on the new box's local
>> interface. In /etc/shorewall/masq:
>
> As expected, this certainly worked... ;-)
>
> So is there a way to do this without static nat? Can it only be done if I
> bind the separate networks to separate nics?

You would need to use iproute2 to install a multi-hop gateway on that server. Off the top of my head you would need to do something like this:

ip route replace default nexthop via $GW1 weight 1 nexthop via $GW2 weight 1

This is a bit OT for the shorewall list, you may have to do a full iproute2 table setup, below are some notes I made some time ago:

-----------------
#!/bin/sh
# Jerry's script to install second ip address
# and use 2 gateways on the same local LAN

# Need some variables
LAN=10.3.0.0
MASK=/24
BCAST=10.3.0.255
IP1=10.3.0.10
GW1=10.3.0.1
IP2=10.3.0.11
GW2=10.3.0.50

# Add second ip for use with second gateway
echo " set second ip "
/sbin/ip addr add $IP2$MASK broadcast $BCAST2 dev eth0

# This needs to be run once
# echo 200 T1 >> /etc/iproute2/rt_tables
# echo 201 T2 >> /etc/iproute2/rt_tables

# add "table routes" from the ips to their own table
echo " set ip to table routes "
/sbin/ip route add $LAN$MASK src $IP1 dev eth0 table T1
/sbin/ip route add $LAN2$MASK2 src $IP2 dev eth0 table T2

# Add a host route for each gateway to their table
# May not be required.
echo " add host routes to for gateways to tables "
/sbin/ip route add $GW1 dev eth0 table 1
/sbin/ip route add $GW2 dev eth0 table 2

# add the gateways to their tables
echo " add gateways to the tables "
/sbin/ip route add default via $GW1 dev eth0 table T1
/sbin/ip route add default via $GW2 dev eth0 table T2

# Now we need some rules
# These force the tables to be used
# this need to be run once
echo " add rules "
#/sbin/ip rule add from $IP1 table 1
#/sbin/ip rule add from $IP2 table 2
#/sbin/ip rule add to $GW1 table 1
#/sbin/ip rule add to $GW2 table 2

# replace the stock gateway
echo "replace gateway"
/sbin/ip route replace default nexthop via $GW1 weight 1 \
    nexthop via $GW2 weight 1
------------

Hope it helps, good luck

Jerry
On Friday 14 April 2006 09:38, Jerry Vonau wrote:

> # Now we need some rules
> # These force the tables to be used
> # this need to be run once
> echo " add rules "
>
> #/sbin/ip rule add from $IP1 table 1
> #/sbin/ip rule add from $IP2 table 2
> #/sbin/ip rule add to $GW1 table 1
> #/sbin/ip rule add to $GW2 table 2

In my response, I had over-engineered the solution (connection marking) -- Jerry is correct; in a simple server configuration, all that is required are routing rules.

Thanks, Jerry

-Tom
Jerry Vonau wrote:

> This is a bit OT for the shorewall list, you may have to do a full
> iproute2 table setup, below are some notes I made some time ago:
> -----------------
> #!/bin/sh
> # Jerry's script to install second ip address
> # and use 2 gateways on the same local LAN
>
> # Need some variables
> LAN=10.3.0.0
> MASK=/24
> BCAST=10.3.0.255
> IP1=10.3.0.10
> GW1=10.3.0.1
> IP2=10.3.0.11
> GW2=10.3.0.50

Shoot, I edited my notes and forgot to add these variables:

LAN2
MASK2
BCAST2

Jerry
Great... Thanks, Tom & Jerry... Sorry, I'm not poking any fun ;-) it just came out that way.

In any case, is there a howto for routing rules? Sorry I'm not too familiar... do I need to run the entire setup Jerry mentioned, or simply doing routing rules would work?

Thanks again
Ricardo

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Jerry Vonau" <jvonau@shaw.ca>
Sent: Friday, April 14, 2006 9:43 AM
Subject: Re: [Shorewall-users] Please help with dnat issues
On Friday 14 April 2006 09:50, Ricardo Kleemann wrote:

> Great... Thanks, Tom & Jerry... Sorry, I'm not poking any fun ;-) it just
> came out that way.
>
> In any case, is there a howto for routing rules? Sorry I'm not too
> familiar... do I need to run the entire setup Jerry mentioned, or simply
> doing routing rules would work?

The HOWTO for routing rules is the Linux Advanced Routing and Traffic Control (LARTC) HOWTO (http://www.lartc.org).

On your server, you need to implement the entire solution that Jerry has outlined.

-Tom
Ricardo Kleemann wrote:

> Great... Thanks, Tom & Jerry... Sorry, I'm not poking any fun ;-) it just
> came out that way.

You're not the first.... ;-)

> In any case, is there a howto for routing rules? Sorry I'm not too
> familiar... do I need to run the entire setup Jerry mentioned, or simply
> doing routing rules would work?

I'd try just installing the multi-hop gateway first, if that doesn't work for you, you would need to use the full script. Things that are noted "run once" would need to be run on a reboot while the rest would need to be run when the interface is brought up.

Jerry
On Friday 14 April 2006 09:58, Jerry Vonau wrote:

> Ricardo Kleemann wrote:
> > Great... Thanks, Tom & Jerry... Sorry, I'm not poking any fun ;-) it
> > just came out that way.
>
> You're not the first.... ;-)

Nor will you be the last ;-)

> > In any case, is there a howto for routing rules? Sorry I'm not too
> > familiar... do I need to run the entire setup Jerry mentioned, or simply
> > doing routing rules would work?
>
> I'd try just installing the multi-hop gateway first, if that doesn't
> work for you, you would need to use the full script. Things that are
> noted "run once" would need to be run on a reboot while the rest would
> need to be run when the interface is brought up.

I believe that Ricardo will need the full setup with multiple routing tables. But we'll see...

-Tom
> > # Need some variables
> > LAN=10.3.0.0
> > MASK=/24
> > BCAST=10.3.0.255
> > IP1=10.3.0.10
> > GW1=10.3.0.1
> > IP2=10.3.0.11
> > GW2=10.3.0.50
>
> Shoot, I edited my notes and forgot to add these variables:
>
> LAN2
> MASK2
> BCAST2

So LAN/MASK are tied to IP1 and GW1, while LAN2/MASK2 are tied to GW2?

So my setup would be something like

LAN=192.168.1.0
MASK=/24
BCAST=192.168.1.255
IP1=192.168.1.247
GW1=192.168.1.254

LAN2=192.168.111.0
MASK2=/24
BCAST2=192.168.111.255
IP2=192.168.111.247
GW2=192.168.111.254

Is that correct?

Thanks
Ricardo
Ricardo Kleemann wrote:

>>> # Need some variables
>>> LAN=10.3.0.0
>>> MASK=/24
>>> BCAST=10.3.0.255
>>> IP1=10.3.0.10
>>> GW1=10.3.0.1
>>> IP2=10.3.0.11
>>> GW2=10.3.0.50
>>
>> Shoot, I edited my notes and forgot to add these variables:
>>
>> LAN2
>> MASK2
>> BCAST2
>
> So LAN/MASK are tied to IP1 and GW1, while LAN2/MASK2 are tied to GW2?
>
> So my setup would be something like
>
> LAN=192.168.1.0
> MASK=/24
> BCAST=192.168.1.255
> IP1=192.168.1.247
> GW1=192.168.1.254
>
> LAN2=192.168.111.0
> MASK2=/24
> BCAST2=192.168.111.255
> IP2=192.168.111.247
> GW2=192.168.111.254
>
> Is that correct?

Yes. Just a warning: don't use "ifconfig" or "route" when you start playing around with this, you're going to need to get familiar with "ip".

Jerry
Ok,

So I set it up as suggested. At first I still could not connect. Then suddenly I was able to connect a couple of times. But then after that, not anymore. Strange.

I've attached the status and route information.

Ricardo

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Friday, April 14, 2006 10:28 AM
Subject: Re: [Shorewall-users] Please help with dnat issues
On Friday 14 April 2006 11:09, Ricardo Kleemann wrote:

> Ok,
>
> So I set it up as suggested. At first I still could not connect. Then
> suddenly I was able to connect a couple of times. But then after that, not
> anymore. Strange.
>
> I've attached the status and route information.

From now on, your problem HAS NOTHING TO DO WITH SHOREWALL! So

a) It is off-topic here (although we'll try to help).
b) Showing us dumps of Shorewall on your firewall system will just annoy us.

Have you implemented the full solution or just the multi-hop gateway? If just the multi-hop gateway, then what you are seeing is exactly what I would predict (and is why I think you need the full solution).

If you have implemented the full solution:

To help you, we would need to see the routing configuration *on the server*. Also, you should be using tcpdump (or ethereal) *on the server* to see what is happening.

The complete routing configuration on the server can be shown using:

#!/bin/sh
echo "IP Address Configuration"
echo
ip addr ls
echo
echo "Main Routing Table"
echo
ip route ls
echo
echo "Routing Table T1"
echo
ip route ls table T1
echo
echo "Routing Table T2"
echo
ip route ls table T2
echo
echo "Routing Rules"
echo
ip rule ls

-Tom
On Friday 14 April 2006 11:23, Tom Eastep wrote:

> If you have implemented the full solution:

From the information you included, I'm guessing that you have not implemented the full solution. So again:

a) Implement the full solution.
b) If you still can't get it to work then capture the interesting information based on the commands in my previous message.

Thanks,
-Tom
I appreciate your help.

I'm sorry if suddenly this has become OT, no need to chew me out... :-/

I did indeed implement the "full solution" at least to my knowledge. I edited the script Jerry sent to fit my needs and ran the script, so I'm assuming that's equivalent to the full routing solution.

The output you requested is:

IP Address Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:2c:0a:51:e4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.247/24 brd 192.168.1.255 scope global eth0
    inet 192.168.111.247/24 brd 192.168.111.255 scope global eth0
    inet6 fe80::250:2cff:fe0a:51e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:09:5b:20:ac:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.247/24 brd 192.168.2.255 scope global eth1
    inet6 fe80::209:5bff:fe20:ac9b/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

Main Routing Table

192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.247
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.247
192.168.111.0/24 dev eth0 proto kernel scope link src 192.168.111.247
169.254.0.0/16 dev eth1 scope link
default
        nexthop via 192.168.1.254 dev eth0 weight 1
        nexthop via 192.168.111.254 dev eth0 weight 1

Routing Table T1

192.168.1.0/24 dev eth0 scope link src 192.168.1.247
default via 192.168.1.254 dev eth0

Routing Table T2

192.168.111.0/24 dev eth0 scope link src 192.168.111.247
default via 192.168.111.254 dev eth0

Routing Rules

0:      from all lookup local
32762:  from all to 192.168.111.254 lookup 2
32763:  from all to 192.168.1.254 lookup 1
32764:  from 192.168.111.247 lookup 2
32765:  from 192.168.1.247 lookup 1
32766:  from all lookup main
32767:  from all lookup default

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Ricardo Kleemann" <ricardo@americasnet.com>
Sent: Friday, April 14, 2006 11:30 AM
Subject: Re: [Shorewall-users] Please help with dnat issues
Ricardo Kleemann wrote:

> I did indeed implement the "full solution" at least to my knowledge. I
> edited the script Jerry sent to fit my needs and ran the script, so I'm
> assuming that's equivalent to the full routing solution.
>
> The output you requested is:
>
> [ip addr, main table, T1 and T2 output snipped]
>
> Routing Rules
>
> 0:      from all lookup local
> 32762:  from all to 192.168.111.254 lookup 2
> 32763:  from all to 192.168.1.254 lookup 1
> 32764:  from 192.168.111.247 lookup 2
> 32765:  from 192.168.1.247 lookup 1
> 32766:  from all lookup main
> 32767:  from all lookup default

Darn... That is what I get for using my old notes.....

edit these lines in the script:

from:

#/sbin/ip rule add from $IP1 table 1
#/sbin/ip rule add from $IP2 table 2
#/sbin/ip rule add to $GW1 table 1
#/sbin/ip rule add to $GW2 table 2

The "ip rule" must match the table name....

to:

#/sbin/ip rule add from $IP1 table T1
#/sbin/ip rule add from $IP2 table T2
#/sbin/ip rule add to $GW1 table T1
#/sbin/ip rule add to $GW2 table T2

Sorry for the confusion...

Jerry
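To see why the table name matters, here is an added simulation of the kernel's rule-then-table lookup (my own illustration, not code from the thread or from iproute2). It replays Jerry's script on Ricardo's server, first with the original "table 1"/"table 2" rules and then with "T1"/"T2", and shows that the unfixed rules find no default route in tables 1 and 2, fall through to the multipath default in main, and so send replies from 192.168.111.247 through either gateway depending on the flow. The flow_hash parameter and the client address 203.0.113.9 are constructed for the example.

```python
import ipaddress

# /etc/iproute2/rt_tables as set up in the thread (200 T1, 201 T2)
# plus the kernel's built-in tables.
RT_TABLES = {"local": 255, "main": 254, "default": 253, "T1": 200, "T2": 201}

IP1, GW1, LAN = "192.168.1.247", "192.168.1.254", "192.168.1.0/24"
IP2, GW2, LAN2 = "192.168.111.247", "192.168.111.254", "192.168.111.0/24"


def table_id(ref):
    """Resolve a table reference the way iproute2 does: a name from rt_tables
    maps to its number, a bare number is taken as-is. So "table 1" is a real
    table, just not the one called T1 (which is 200)."""
    return RT_TABLES[ref] if ref in RT_TABLES else int(ref)


class PolicyRouter:
    def __init__(self):
        self.tables = {}  # table number -> [(prefix, [gateway or None, ...])]
        self.rules = []   # (src or None, dst or None, table number), in lookup order

    def route_add(self, prefix, via=None, table="main"):
        """`ip route add PREFIX [via GW] table T`. via=None is an on-link route;
        a list of gateways models a multipath (nexthop ... nexthop ...) route."""
        gws = via if isinstance(via, list) else [via]
        self.tables.setdefault(table_id(table), []).append(
            (ipaddress.ip_network(prefix), gws))

    def rule_add(self, table, src=None, dst=None):
        """`ip rule add [from SRC] [to DST] table T`. Like the real command with
        no explicit priority, each new rule gets a lower number and is checked
        before the rules added earlier."""
        s = ipaddress.ip_address(src) if src else None
        d = ipaddress.ip_address(dst) if dst else None
        self.rules.insert(0, (s, d, table_id(table)))

    def _lookup(self, tid, dst, flow_hash):
        """Longest-prefix match in one table; None means 'no route here'."""
        best = None
        for prefix, gws in self.tables.get(tid, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gws)
        if best is None:
            return None
        gw = best[1][flow_hash % len(best[1])]  # equal-weight nexthop choice
        return "direct" if gw is None else gw

    def egress(self, src, dst, flow_hash=0):
        """Gateway (or 'direct') a packet src->dst leaves through. A rule whose
        table has no matching route is skipped and lookup continues, which is
        exactly what happened with the rules pointing at tables 1 and 2."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        chain = self.rules + [(None, None, table_id("main")),
                              (None, None, table_id("default"))]
        for rs, rd, tid in chain:
            if (rs is None or rs == src) and (rd is None or rd == dst):
                hop = self._lookup(tid, dst, flow_hash)
                if hop is not None:
                    return hop
        raise RuntimeError("network unreachable")


def build_server(rules_fixed):
    """Replay Jerry's script on Ricardo's server. rules_fixed=False uses the
    original 'table 1'/'table 2' rules, True the corrected 'T1'/'T2' ones."""
    r = PolicyRouter()
    for net in (LAN, LAN2, "192.168.2.0/24"):   # kernel connected routes in main
        r.route_add(net)
    r.route_add(LAN, table="T1")
    r.route_add(LAN2, table="T2")
    r.route_add(GW1 + "/32", table="1")         # host routes went to tables 1 and 2
    r.route_add(GW2 + "/32", table="2")
    r.route_add("0.0.0.0/0", via=GW1, table="T1")
    r.route_add("0.0.0.0/0", via=GW2, table="T2")
    t1, t2 = ("T1", "T2") if rules_fixed else ("1", "2")
    r.rule_add(t1, src=IP1)
    r.rule_add(t2, src=IP2)
    r.rule_add(t1, dst=GW1)
    r.rule_add(t2, dst=GW2)
    r.route_add("0.0.0.0/0", via=[GW1, GW2])    # the replaced multipath default
    return r


def reply_gateways(rules_fixed, src=IP2, dst="203.0.113.9", flows=8):
    """Set of gateways used by `flows` distinct reply flows from src to dst."""
    r = build_server(rules_fixed)
    return {r.egress(src, dst, h) for h in range(flows)}


if __name__ == "__main__":
    print("table 1/2 rules:", reply_gateways(False))  # both gateways: intermittent
    print("table T1/T2 rules:", reply_gateways(True))  # only 192.168.111.254
```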
Thanks!

That did it... :-) It works now.

Ricardo

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Friday, April 14, 2006 12:18 PM
Subject: Re: [Shorewall-users] Please help with dnat issues
Ricardo Kleemann wrote:

> Thanks!
>
> That did it... :-) It works now.

See what happens when you get slipped "decaf" instead of real coffee...

Jerry
Can someone post the complete script just for the record?

Thanks
Jim

---------- Original Message -----------
From: Jerry Vonau <jvonau@shaw.ca>
To: shorewall-users@lists.sourceforge.net
Sent: Fri, 14 Apr 2006 14:47:45 -0500
Subject: Re: [Shorewall-users] Please help with dnat issues
Here it is, with my settings:

#!/bin/sh
# Jerry's script to install second ip address
# and use 2 gateways on the same local LAN

# Need some variables
LAN=192.168.1.0
MASK=/24
BCAST=192.168.1.255
IP1=192.168.1.247
GW1=192.168.1.254

LAN2=192.168.111.0
MASK2=/24
BCAST2=192.168.111.255
IP2=192.168.111.247
GW2=192.168.111.254

# Add second ip for use with second gateway
echo " set second ip "

/sbin/ip addr add $IP2$MASK2 broadcast $BCAST2 dev eth0

# This needs to be run once: it registers the table names T1 (200)
# and T2 (201) so that "table T1" / "table T2" below resolve

#echo 200 T1 >> /etc/iproute2/rt_tables
#echo 201 T2 >> /etc/iproute2/rt_tables

# add "table routes" from the ips to their own table
echo " set ip to table routes "

/sbin/ip route add $LAN$MASK src $IP1 dev eth0 table T1
/sbin/ip route add $LAN2$MASK2 src $IP2 dev eth0 table T2

# Add a host route for each gateway to their table
# (tables T1/T2, the same ones the routes and rules use)
# May not be required.
echo " add host routes for gateways to tables "

/sbin/ip route add $GW1 dev eth0 table T1
/sbin/ip route add $GW2 dev eth0 table T2

# add the gateways to their tables
echo " add gateways to the tables "

/sbin/ip route add default via $GW1 dev eth0 table T1
/sbin/ip route add default via $GW2 dev eth0 table T2

# Now we need some rules
# These force the tables to be used
# this needs to be run once
echo " add rules "

/sbin/ip rule add from $IP1 table T1
/sbin/ip rule add from $IP2 table T2
/sbin/ip rule add to $GW1 table T1
/sbin/ip rule add to $GW2 table T2

# replace the stock gateway
echo "replace gateway"
/sbin/ip route replace default nexthop via $GW1 weight 1 nexthop via $GW2 weight 1

----- Original Message -----
From: "Jim Buttafuoco" <jim@contactbda.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Friday, April 14, 2006 1:27 PM
Subject: Re: [Shorewall-users] Please help with dnat issues

> can someone post the complete script just for the record
>
> Thanks
> Jim
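The script above fixes an asymmetric-routing problem: the server's alias 192.168.111.247 answered DNATed connections, but its replies left via the only default gateway (192.168.1.254), so they never came back through the firewall path that held the NAT state, and the client saw a connection failure. The following is an added example, not code from the thread or from Shorewall: a small Python model of the kernel's policy-routing lookup (ip rule, then longest-prefix match in the selected table, falling through when a table has no route) loaded with the script's addresses, so the before/after routing decision can be checked offline. It assumes the rules are evaluated in the reverse of the order the script adds them (ip rule add without a priority places each new rule ahead of the previous one), uses the documentation address 203.0.113.10 as a constructed stand-in for the external client, and does not model the final multipath default route, since the per-source rules decide before main is consulted.

```python
import ipaddress

# Added model of Linux policy routing (ip rule / ip route); not kernel code and
# not the posted script's logic, only the lookup order it relies on.
#
# A table is a list of (prefix, gateway); gateway None means "on-link".
# A rule is (selector, table_name); selector is ("all",), ("from", cidr) or ("to", cidr).

def lookup(table, dst):
    """Longest-prefix match inside one routing table; returns (network, gateway) or None."""
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def select_route(rules, tables, src, dst):
    """Evaluate rules in order; the first matching table that holds a route for dst
    decides, and a table without a route falls through to the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, name in rules:
        kind = selector[0]
        if kind == "from" and src not in ipaddress.ip_network(selector[1]):
            continue
        if kind == "to" and dst not in ipaddress.ip_network(selector[1]):
            continue
        hit = lookup(tables[name], dst)
        if hit is not None:
            return name, ("on-link" if hit[1] is None else hit[1])
    raise LookupError("no route to %s" % dst)

# Addresses from the thread.
LAN, LAN2 = "192.168.1.0/24", "192.168.111.0/24"
IP1, GW1 = "192.168.1.247", "192.168.1.254"
IP2, GW2 = "192.168.111.247", "192.168.111.254"

# Before the script: a single default route, so every reply leaves via GW1.
BEFORE_TABLES = {"main": [(LAN, None), (LAN2, None), ("0.0.0.0/0", GW1)]}
BEFORE_RULES = [(("all",), "main")]

# After the script. Rules are listed in kernel evaluation order, which is the
# reverse of the order "ip rule add" (without a priority) was run.
AFTER_TABLES = {
    "main": BEFORE_TABLES["main"],
    "T1": [(LAN, None), (GW1 + "/32", None), ("0.0.0.0/0", GW1)],
    "T2": [(LAN2, None), (GW2 + "/32", None), ("0.0.0.0/0", GW2)],
}
AFTER_RULES = [
    (("to", GW2 + "/32"), "T2"),
    (("to", GW1 + "/32"), "T1"),
    (("from", IP2 + "/32"), "T2"),
    (("from", IP1 + "/32"), "T1"),
    (("all",), "main"),
]

def reply_gateway(rules, tables, server_ip, client_ip="203.0.113.10"):
    """Gateway the server's reply to an external client takes. client_ip is a
    constructed documentation address standing in for the Internet host."""
    return select_route(rules, tables, server_ip, client_ip)[1]

if __name__ == "__main__":
    for label, rules, tables in (("before", BEFORE_RULES, BEFORE_TABLES),
                                 ("after", AFTER_RULES, AFTER_TABLES)):
        for ip in (IP1, IP2):
            print(label, ip, "->", reply_gateway(rules, tables, ip))
```

The "before" run shows replies sourced from 192.168.111.247 leaving via 192.168.1.254, the wrong path; after the from-rules are in place each source address uses its own gateway, and the to-rules keep traffic addressed to a gateway on-link rather than bouncing it through the other table's default. On a real host the same question is answered by ip route get on the server and by watching the firewall's conntrack state for the DNATed connection.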
thanks

---------- Original Message -----------
From: "Ricardo Kleemann" <ricardo@americasnet.com>
To: shorewall-users@lists.sourceforge.net
Sent: Fri, 14 Apr 2006 13:29:37 -0700
Subject: Re: [Shorewall-users] Please help with dnat issues

> Here it is, with my settings:
>
> [...]
------- End of Original Message -------