Ken D'Ambrosio
2006-Nov-06 21:55 UTC
Sending replies back to the IP from whence they came.
Sorry for the somewhat contorted subject heading -- but it describes what I'd like to do. I've got a T1 coming in, and a cable modem as backup in case the T1 flakes out. The host I'm interested in tweaking sits on a 10.x.x.x network -- it sees the T1 as 10.20.1.1 and the cable modem as 10.20.1.133. I'd like it such that, when it receives a packet from the NAT box on 10.20.1.1 or 10.20.1.133, it's smart enough to reply to the same box that the packet came from. (That way, the external host doesn't get pissed off.) After perusing iproute2 docs and Shorewall docs, I *think* it's possible. Maybe.

So, is it? If so, any pointers on where to start looking more closely? I admit I'm currently pretty stumped.

Thanks,

-Ken D'Ambrosio
Jerry Vonau
2006-Nov-07 01:40 UTC
Re: Sending replies back to the IP from whence they came.
Ken D'Ambrosio wrote:
> Sorry for the somewhat contorted subject heading -- but it describes what
> I'd like to do. I've got a T1 coming in, and a cable modem as backup in
> case the T1 flakes out. The host I'm interested in tweaking sits on a
> 10.x.x.x network -- it sees the T1 as 10.20.1.1 and the cable modem as
> 10.20.1.133. I'd like it such that, when it receives a packet from the
> NAT box on 10.20.1.1 or 10.20.1.133, it's smart enough to reply to the
> same box that the packet came from. (That way, the external host doesn't
> get pissed off.) After perusing iproute2 docs and Shorewall docs, I
> *think* it's possible. Maybe.
>
> So, is it? If so, any pointers on where to start looking more closely? I
> admit I'm currently pretty stumped.
>
> Thanks,
>
> -Ken D'Ambrosio

Yes, it is possible, you'll need to have 2 gateways installed on the server. Check the email archives at sourceforge, there is a good thread with the subject "Please help with dnat issues" - April 14, 2006.

Hope it helps,

Jerry
Will Murnane
2006-Nov-07 15:54 UTC
Re: Sending replies back to the IP from whence they came.
On 11/6/06, Ken D'Ambrosio <ken@jots.org> wrote:
> Sorry for the somewhat contorted subject heading -- but it describes what
> I'd like to do. I've got a T1 coming in, and a cable modem as backup in
> case the T1 flakes out. The host I'm interested in tweaking sits on a
> 10.x.x.x network -- it sees the T1 as 10.20.1.1 and the cable modem as
> 10.20.1.133. I'd like it such that, when it receives a packet from the
> NAT box on 10.20.1.1 or 10.20.1.133, it's smart enough to reply to the
> same box that the packet came from. (That way, the external host doesn't
> get pissed off.) After perusing iproute2 docs and Shorewall docs, I
> *think* it's possible. Maybe.

Add the "track" option to your /etc/shorewall/providers file:

    ISP1    1    1    main    eth0    detect    track,balance
    ISP2    2    2    main    eth1    detect    track,balance

and you can add rules in /etc/tcrules to force traffic out one particular interface. Sites that keep track of your IP to keep you logged in get confused otherwise.

HTH, and that it's accurate >.>

Will
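The behaviour asked for in this thread can also be written directly as iproute2 policy routing plus iptables connection marks. The script below is an added example, not part of the thread and not Shorewall's generated ruleset. The interface name eth0, the two gateway MAC addresses, and the mark/table numbers 1 and 2 are assumptions, and it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread): reply via the gateway a connection
# arrived through, using connection marks plus policy routing.
# Assumed/constructed values: interface eth0, the two gateway MAC addresses,
# and mark/table numbers 1 and 2. Real runs (DRY_RUN=0) need root.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# reply_via GW_IP GW_MAC ID IFACE
reply_via() {
    gw_ip=$1; gw_mac=$2; id=$3; iface=$4
    # Table ID holds only a default route through this gateway.
    run ip route replace default via "$gw_ip" dev "$iface" table "$id"
    # Packets carrying firewall mark ID are routed with that table.
    run ip rule add fwmark "$id" table "$id"
    # Both gateways sit on one LAN and (assumed) forward with the external
    # source IP intact, so the source MAC identifies the forwarding gateway.
    run iptables -t mangle -A PREROUTING -i "$iface" \
        -m mac --mac-source "$gw_mac" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$id"
}

setup() {
    reply_via 10.20.1.1   02:00:00:00:00:01 1 eth0   # T1 NAT box
    reply_via 10.20.1.133 02:00:00:00:00:85 2 eth0   # cable modem NAT box
    # Copy the saved connection mark onto locally generated reply packets;
    # changing the mark in mangle OUTPUT makes the kernel re-route them.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

setup
```

Connections the host opens itself carry no mark and keep using the main routing table's default route.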