Greetings,

I have a Shorewall configuration with 2 WAN subnets bound to eth0 and eth1 and 2 LAN interfaces bound to eth2 and eth3. We have a web/e-mail server on eth3 in the 192.168.30.0/24 subnet at 192.168.30.10. I have 2 rules to DNAT TCP traffic on ports 80 and 110 arriving on specific IPs (eth0:70.143.10.135 and eth1:12.22.105.135) to be forwarded to eth3:192.168.30.10.

/etc/shorewall/providers
    ISP1    1    1    main    eth0    70.143.10.129    track,balance    eth2,eth3
    ISP2    2    2    main    eth1    12.22.105.129    track,balance    eth2,eth3

/etc/shorewall/interfaces
    net     eth0    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
    net     eth1    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
    loc     eth2    10.15.3.255       detectnets,routeback
    dmz     eth3    192.168.30.255    detectnets

/etc/shorewall/rules
    DNAT    net    dmz:192.168.30.10    TCP    80     -    12.22.105.135,70.143.10.135
    DNAT    net    dmz:192.168.30.10    TCP    110    -    12.22.105.135,70.143.10.135

Only traffic arriving on eth1:12.22.105.135 works. Traffic arriving on eth0:70.143.10.135 is being forwarded to 192.168.30.10 as witnessed by 'tcpdump' but is not sent back out; the return packet stops at eth3 and does not appear at eth0. I have attached a 'shorewall dump' for your reference.

Any assistance would be greatly appreciated. Please let me know if there is additional information or clarification I should provide.

Best regards,
Mark.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Mark wrote:
> Greetings,
>
> I have a Shorewall configuration with 2 WAN subnets bound to eth0 and eth1
> and 2 LAN interfaces bound to eth2 and eth3. We have a web/e-mail server on
> eth3 in the 192.168.30.0/24 subnet at 192.168.30.10. I have 2 rules to DNAT
> TCP traffic on ports 80 and 110 arriving on specific IPs
> (eth0:70.143.10.135 and eth1:12.22.105.135) to be forwarded to
> eth3:192.168.30.10.
>
> /etc/shorewall/providers
> ISP1    1    1    main    eth0    70.143.10.129    track,balance    eth2,eth3
> ISP2    2    2    main    eth1    12.22.105.129    track,balance    eth2,eth3

Think this might be an issue here, from your dump:

Chain tcpre (3 references)
 pkts bytes target prot opt in   out source    destination
  160 14771 MARK   all  --  eth2 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK   tcp  --  eth2 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
   31  2069 MARK   all  --  eth3 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2      <<<<
    0     0 MARK   tcp  --  eth3 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1

> /etc/shorewall/interfaces
> net     eth0    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
> net     eth1    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
> loc     eth2    10.15.3.255       detectnets,routeback
> dmz     eth3    192.168.30.255    detectnets
>
> /etc/shorewall/rules
> DNAT    net    dmz:192.168.30.10    TCP    80     -    12.22.105.135,70.143.10.135
> DNAT    net    dmz:192.168.30.10    TCP    110    -    12.22.105.135,70.143.10.135
>
> Only traffic arriving on eth1:12.22.105.135 works. Traffic arriving on
> eth0:70.143.10.135 is being forwarded to 192.168.30.10 as witnessed by
> 'tcpdump' but is not sent back out; the return packet stops at eth3 and does
> not appear at eth0. I have attached a 'shorewall dump' for your reference.
> Any assistance would be greatly appreciated. Please let me know if there is
> additional information or clarification I should provide.

Did you really want to mark all outbound traffic from the dmz (eth3) to use only ISP2 (MARK set 0x2)?

Jerry
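Jerry's diagnosis above comes from reading the tcpre chain for a MARK rule whose only match is the input interface. The script below is an added example, not code from this thread or from Shorewall: it parses an `iptables -t mangle -L tcpre -v -n` listing (the sample is constructed from the chain quoted above), lists the catch-all mark rules, and, using the provider marks from Mark's providers file (ISP1 = mark 1 via eth0, ISP2 = mark 2 via eth1), reports which DNAT ingress interfaces would get their replies pushed out the other ISP. The provider table and the assumption that a catch-all tcpre mark overrides the tracked connection mark are modelled on what the thread reports, not on Shorewall's source.

```python
"""Spot catch-all provider marks in a Shorewall 'tcpre' chain listing.

Added example for the thread above; not code from the thread or from
Shorewall.  Input is the text of `iptables -t mangle -L tcpre -v -n`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample listing constructed from the chain quoted in the thread
# (columns re-aligned, annotation arrows dropped).
SAMPLE_TCPRE = """\
Chain tcpre (3 references)
 pkts bytes target prot opt in   out source    destination
  160 14771 MARK   all  --  eth2 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK   tcp  --  eth2 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
   31  2069 MARK   all  --  eth3 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK   tcp  --  eth3 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
"""

# Provider marks taken from the /etc/shorewall/providers quoted in the
# thread: ISP1 is mark 1 via eth0, ISP2 is mark 2 via eth1 (assumption:
# the thread shows no other providers).
PROVIDER_BY_MARK: Dict[int, Tuple[str, str]] = {
    0x1: ("ISP1", "eth0"),
    0x2: ("ISP2", "eth1"),
}


@dataclass
class MarkRule:
    proto: str      # 'all', 'tcp', ...
    in_iface: str   # input interface column
    source: str
    dest: str
    extra: str      # any match text between destination and 'MARK set'
    mark: int       # mark value the rule sets


# One rule line: counters, MARK target, proto, opt, in, out, src, dst,
# optional extra matches, then the 'MARK set 0x..' target description.
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+MARK\s+(?P<proto>\S+)\s+\S+\s+(?P<in>\S+)\s+(?P<out>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*MARK set 0x(?P<mark>[0-9a-fA-F]+)\s*$"
)


def parse_mark_rules(listing: str) -> List[MarkRule]:
    """Return every MARK rule in the listing; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(MarkRule(m["proto"], m["in"], m["src"], m["dst"],
                                  m["extra"].strip(), int(m["mark"], 16)))
    return rules


def catch_all_marks(rules: List[MarkRule]) -> List[MarkRule]:
    """Rules whose only match is the input interface: proto 'all', any
    source, any destination, no further match.  Such a rule marks every
    packet entering on that interface, replies to DNATed connections
    included."""
    return [r for r in rules
            if r.proto == "all" and r.source == "0.0.0.0/0"
            and r.dest == "0.0.0.0/0" and not r.extra]


def forced_egress(rules: List[MarkRule], server_iface: str) -> Optional[Tuple[str, str]]:
    """Provider (name, WAN interface) that a catch-all mark forces on all
    packets from server_iface, or None if no such rule exists."""
    for r in catch_all_marks(rules):
        if r.in_iface == server_iface and r.mark in PROVIDER_BY_MARK:
            return PROVIDER_BY_MARK[r.mark]
    return None


def asymmetric_replies(rules: List[MarkRule], server_iface: str,
                       ingress_ifaces: List[str]) -> List[str]:
    """Ingress WAN interfaces whose DNATed connections get their replies
    pushed out a different WAN interface by a catch-all mark.  Modelling
    assumption from the thread's symptom: the tcpre mark wins over the
    tracked connection mark.  With no catch-all rule, 'track' returns the
    reply via the interface the connection arrived on, so nothing is listed."""
    forced = forced_egress(rules, server_iface)
    if forced is None:
        return []
    _, egress = forced
    return [ifc for ifc in ingress_ifaces if ifc != egress]


if __name__ == "__main__":
    rules = parse_mark_rules(SAMPLE_TCPRE)
    for r in catch_all_marks(rules):
        print(f"catch-all mark 0x{r.mark:x} on packets entering {r.in_iface}")
    print("DNAT ingress interfaces with asymmetric replies from eth3:",
          asymmetric_replies(rules, "eth3", ["eth0", "eth1"]))
```

Run against the sample, it reports catch-all marks on eth2 and eth3 and lists eth0 as the ingress interface whose replies from the DMZ are forced out eth1, which is exactly the symptom in the first message: connections arriving on eth1 work, connections arriving on eth0 never see their replies. The same check works on any tcpre listing; a hit means a per-interface provider mark is overriding connection tracking for forwarded services on that interface.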
That was it! Thank you for your help Jerry.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Friday, June 15, 2007 4:00 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT problem with MultiISP

Mark wrote:
> Greetings,
>
> I have a Shorewall configuration with 2 WAN subnets bound to eth0 and eth1
> and 2 LAN interfaces bound to eth2 and eth3. We have a web/e-mail server on
> eth3 in the 192.168.30.0/24 subnet at 192.168.30.10. I have 2 rules to DNAT
> TCP traffic on ports 80 and 110 arriving on specific IPs
> (eth0:70.143.10.135 and eth1:12.22.105.135) to be forwarded to
> eth3:192.168.30.10.
>
> /etc/shorewall/providers
> ISP1    1    1    main    eth0    70.143.10.129    track,balance    eth2,eth3
> ISP2    2    2    main    eth1    12.22.105.129    track,balance    eth2,eth3

Think this might be an issue here, from your dump:

Chain tcpre (3 references)
 pkts bytes target prot opt in   out source    destination
  160 14771 MARK   all  --  eth2 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK   tcp  --  eth2 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
   31  2069 MARK   all  --  eth3 *   0.0.0.0/0 0.0.0.0/0 MARK set 0x2      <<<<
    0     0 MARK   tcp  --  eth3 *   0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1

> /etc/shorewall/interfaces
> net     eth0    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
> net     eth1    detect            tcpflags,blacklist,routefilter,nosmurfs,logmartians
> loc     eth2    10.15.3.255       detectnets,routeback
> dmz     eth3    192.168.30.255    detectnets
>
> /etc/shorewall/rules
> DNAT    net    dmz:192.168.30.10    TCP    80     -    12.22.105.135,70.143.10.135
> DNAT    net    dmz:192.168.30.10    TCP    110    -    12.22.105.135,70.143.10.135
>
> Only traffic arriving on eth1:12.22.105.135 works. Traffic arriving on
> eth0:70.143.10.135 is being forwarded to 192.168.30.10 as witnessed by
> 'tcpdump' but is not sent back out; the return packet stops at eth3 and does
> not appear at eth0. I have attached a 'shorewall dump' for your reference.
> Any assistance would be greatly appreciated. Please let me know if there is
> additional information or clarification I should provide.

Did you really want to mark all outbound traffic from the dmz (eth3) to use only ISP2 (MARK set 0x2)?

Jerry

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Mark wrote:
> That was it! Thank you for your help Jerry.
>

That problem was exacerbated by a Shorewall bug which will be fixed in 3.4.4. When HIGH_ROUTE_MARKS=Yes, TC_EXPERT=Yes is also being effectively set.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key