Hey guys,

Here is the deal, I configured shorewall with 2 ISPs, both working fine, configured rules to allow secure access from internet to the fw thru any of the 2 external IP addresses with success, also set up DNAT for web servers behind the firewall using current provider (isp1 on providers file) also with success, but if I try to DNAT using the 2nd provider, it will give me timeout from outside.

This is the DNAT rule I'm using:

DNAT wan lan:192.168.0.101:22 tcp 2000 - isp2_if_ipaddr

If I don't specify isp2_if_ipaddr then I can get thru isp1_if_ipaddr but not on isp2_if_ipaddr.

Default behavior? How can I get around?

Thanks
AlberTUX

-------------------------------------------------------------------------
Alberto Sierra wrote:
> Hey guys, here is the deal, I configured shorewall
> with 2 ISPs, both working fine, configured rules to
> allow secure access from internet to the fw thru any
> of the 2 external IP addresses with success, also set
> up DNAT for web servers behind the firewall using
> current provider (isp1 on providers file) also with
> success, but if I try to DNAT using the 2nd provider,
> it will give me timeout from outside.
>
> This is the DNAT rule I'm using:
>
> DNAT wan lan:192.168.0.101:22 tcp 2000 -
> isp2_if_ipaddr
>
> If I don't specify isp2_if_ipaddr then I can get thru
> isp1_if_ipaddr but not on isp2_if_ipaddr.
>
> Default behavior? How can I get around?

Without seeing the details of your setup, it's impossible to say. Please see http://www.shorewall.net/support.htm for detailed problem reporting instructions.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
> Without seeing the details of your setup, it's
> impossible to say.
> Please
> see http://www.shorewall.net/support.htm for detailed
> problem reporting
> instructions.
>
> -Tom

Sorry, I haven't posted in a very long time, I'm attaching the shorewall dump. I'm trying to make a DNAT connection from any external IP address (home, road) thru the IP address of the second provider (216.194.173.173, eth3) on port 2000 (doesn't have to be this port) to a server on the inside network (10.1.1.13, eth0).

For some reason it just gives me time out.

Thanks for your help.

-------------------------------------------------------------------------
Alberto Sierra wrote:
>> Without seeing the details of your setup, it's
>> impossible to say.
>> Please
>> see http://www.shorewall.net/support.htm for detailed
>> problem reporting
>> instructions.
>>
>> -Tom
>
> Sorry, I haven't posted in a very long time, I'm
> attaching the shorewall dump. I'm trying to make a DNAT
> connection from any external IP address (home, road)
> thru the IP address of the second provider
> (216.194.173.173, eth3) on port 2000 (doesn't have to
> be this port) to a server on the inside network
> (10.1.1.13, eth0).
>
> For some reason it just gives me time out.
>
> Thanks for your help.

If you don't set 'balance' on your providers, then you may not use 'route_filter' on their interfaces. Don't specify 'route_filter' on eth3 (and if you are not specifying 'route_filter' on that interface then you must disable all "IP address spoofing" measures that your distribution provides).

-Tom

-------------------------------------------------------------------------
Tom Eastep wrote:
>
> If you don't set 'balance' on your providers, then you may not use
> 'route_filter' on their interfaces. Don't specify 'route_filter' on eth3
> (and if you are not specifying 'route_filter' on that interface then you
> must disable all "IP address spoofing" measures that your distribution
> provides).

FYI: The option is 'routefilter', not 'route_filter'.

-Tom

-------------------------------------------------------------------------
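The rule given in this thread (no 'routefilter' on a provider's interface unless that provider sets 'balance') can be checked mechanically. The following is an added example, not part of the original messages or of Shorewall itself: a shell function that cross-checks an interfaces file against a providers file. The column layouts, the eth2 interface for isp1, and the gateway addresses in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example. Assumed column layouts:
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS
#   providers:  NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY

# Usage: check_routefilter <interfaces-file> <providers-file>
# Prints each provider interface that sets routefilter although its
# providers entry lacks balance.
check_routefilter() {
    awk '
        { sub(/#.*/, "") }            # drop comments
        NF == 0 { next }              # skip blank lines
        FNR == NR {                   # first file: providers
            balanced[$5] = 0
            n = split($7, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^balance(=.*)?$/) balanced[$5] = 1
            next
        }
        ($2 in balanced) && !balanced[$2] {   # second file: interfaces
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^routefilter(=[12])?$/) { print $2; break }
        }
    ' "$2" "$1"
}

# Constructed sample: eth2 for isp1 and both gateway addresses are made up.
write_sample() {
    cat > "$1/interfaces" <<'EOF'
#ZONE INTERFACE BROADCAST OPTIONS
wan   eth2      detect    routefilter,tcpflags
wan   eth3      detect    routefilter,tcpflags
lan   eth0      detect    -
EOF
    cat > "$1/providers" <<'EOF'
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY      OPTIONS        COPY
isp1  1      1    main      eth2      192.0.2.1    track,balance  eth0
isp2  2      2    main      eth3      198.51.100.1 track          eth0
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
check_routefilter "$sample/interfaces" "$sample/providers"
rm -rf "$sample"
```

An interface reported here needs either 'routefilter' removed from its interfaces entry or 'balance' added to its provider, which are the two ways of satisfying the rule stated above.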