Greetings,

I have a firewall with two internet connections:

/etc/shorewall/providers
#NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose

I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
doesn't go through eth2, since the default provider is on eth3:

/etc/shorewall/route_rules:
eth1 - INFO1 26002

From my understanding, using the option "track" on eth2 should make the
connections that arrive on eth2 and are DNATted to the hosts on the LAN
return on eth2. Since that doesn't happen, my question is whether this
depends on a wrong setup, or if it shouldn't work anyway since I'm still
using route_rules instead of tcrules. Besides, the MultiISP howto recommends
shorewall 4.2, while I'm still on shorewall 4.0.

This setup worked in shorewall 3.2; now as a work-around I'm forcing every
host that receives DNAT connections to always exit through eth2.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
Gaetano Guerriero wrote:
> Greetings,
> I have a firewall with two internet connections:
> /etc/shorewall/providers
> #NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
> TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
> INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
> LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose
>
> I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
> doesn't go through eth2, since the default provider is on eth3:
> /etc/shorewall/route_rules:
> eth1 - INFO1 26002
>
> From my understanding, using the option "track" on eth2 should make the
> connections that arrive on eth2 and are DNATted to the hosts on the LAN
> return on eth2. Since that doesn't happen, my question is whether this
> depends on a wrong setup, or if it shouldn't work anyway since I'm still
> using route_rules instead of tcrules. Besides, the MultiISP howto
> recommends shorewall 4.2, while I'm still on shorewall 4.0.

It should work.

> This setup worked in shorewall 3.2; now as a work-around I'm forcing every
> host that receives DNAT connections to always exit through eth2.

Unfortunately, there isn't enough information here to really help you.
Please forward the output of "shorewall dump" collected as described at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks, here's `shorewall dump`.

On Wed, Aug 19, 2009 at 06:37:55AM -0700, Tom Eastep wrote:
> Gaetano Guerriero wrote:
> > Greetings,
> > I have a firewall with two internet connections:
> > /etc/shorewall/providers
> > #NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
> > TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
> > INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
> > LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose
> >
> > I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
> > doesn't go through eth2, since the default provider is on eth3:
> > /etc/shorewall/route_rules:
> > eth1 - INFO1 26002
> >
> > From my understanding, using the option "track" on eth2 should make the
> > connections that arrive on eth2 and are DNATted to the hosts on the LAN
> > return on eth2. Since that doesn't happen, my question is whether this
> > depends on a wrong setup, or if it shouldn't work anyway since I'm still
> > using route_rules instead of tcrules. Besides, the MultiISP howto
> > recommends shorewall 4.2, while I'm still on shorewall 4.0.
>
> It should work.
>
> > This setup worked in shorewall 3.2; now as a work-around I'm forcing every
> > host that receives DNAT connections to always exit through eth2.
>
> Unfortunately, there isn't enough information here to really help you.
> Please forward the output of "shorewall dump" collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
> -Tom
On Wed, 2009-08-19 at 16:00 +0200, Gaetano Guerriero wrote:
> Thanks, here's `shorewall dump`.
>
> On Wed, Aug 19, 2009 at 06:37:55AM -0700, Tom Eastep wrote:
> > Gaetano Guerriero wrote:
> > > Greetings,
> > > I have a firewall with two internet connections:
> > > /etc/shorewall/providers
> > > #NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
> > > TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
> > > INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
> > > LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose
> > >
> > > I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
> > > doesn't go through eth2, since the default provider is on eth3:
> > > /etc/shorewall/route_rules:
> > > eth1 - INFO1 26002
> > >
> > > From my understanding, using the option "track" on eth2 should make the
> > > connections that arrive on eth2 and are DNATted to the hosts on the LAN
> > > return on eth2. Since that doesn't happen, my question is whether this
> > > depends on a wrong setup, or if it shouldn't work anyway since I'm still
> > > using route_rules instead of tcrules. Besides, the MultiISP howto
> > > recommends shorewall 4.2, while I'm still on shorewall 4.0.
> >
> > It should work.
> >

Well, I get prompted for a password when I try the DNATed http port....
A username and password are being requested by http://217.133.234.177.
The site says: "Space Trac"

> > > This setup worked in shorewall 3.2; now as a work-around I'm forcing every
> > > host that receives DNAT connections to always exit through eth2.
> >

Where are you testing from? On the same LAN as the DNAT targets? Just a
side note, I'd use snat in the masq file... and have a re-read of the
Multi-ISP page..

Jerry
On Wed, Aug 19, 2009 at 11:01:51AM -0500, Jerry Vonau wrote:
> On Wed, 2009-08-19 at 16:00 +0200, Gaetano Guerriero wrote:
> > Thanks, here's `shorewall dump`.
> >
> > On Wed, Aug 19, 2009 at 06:37:55AM -0700, Tom Eastep wrote:
> > > Gaetano Guerriero wrote:
> > > > Greetings,
> > > > I have a firewall with two internet connections:
> > > > /etc/shorewall/providers
> > > > #NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
> > > > TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
> > > > INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
> > > > LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose
> > > >
> > > > I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
> > > > doesn't go through eth2, since the default provider is on eth3:
> > > > /etc/shorewall/route_rules:
> > > > eth1 - INFO1 26002
> > > >
> > > > From my understanding, using the option "track" on eth2 should make the
> > > > connections that arrive on eth2 and are DNATted to the hosts on the LAN
> > > > return on eth2. Since that doesn't happen, my question is whether this
> > > > depends on a wrong setup, or if it shouldn't work anyway since I'm still
> > > > using route_rules instead of tcrules. Besides, the MultiISP howto
> > > > recommends shorewall 4.2, while I'm still on shorewall 4.0.
> > >
> > > It should work.
> > >

The DNATed connections work now because I manually forced every publishing
host to exit on the internet via eth2, using route_rules and masq. I wanted
to let shorewall magically do the work and send the response through
the same provider. I think this is the sense of the "track" option.

> Well, I get prompted for a password when I try the DNATed http port....
> A username and password are being requested by http://217.133.234.177.
> The site says: "Space Trac"
>
> > > > This setup worked in shorewall 3.2; now as a work-around I'm forcing every
> > > > host that receives DNAT connections to always exit through eth2.
> > >

Thanks for the tip.
The difference between MASQ and SNAT should be only in performance, right?

> Where are you testing from? On the same LAN as the DNAT targets? Just a
> side note, I'd use snat in the masq file... and have a re-read of the
> Multi-ISP page..
>
> Jerry
On Wed, 2009-08-19 at 18:19 +0200, Gaetano Guerriero wrote:
> On Wed, Aug 19, 2009 at 11:01:51AM -0500, Jerry Vonau wrote:
> > On Wed, 2009-08-19 at 16:00 +0200, Gaetano Guerriero wrote:
> > > Thanks, here's `shorewall dump`.
> > >
> > > On Wed, Aug 19, 2009 at 06:37:55AM -0700, Tom Eastep wrote:
> > > > Gaetano Guerriero wrote:
> > > > > Greetings,
> > > > > I have a firewall with two internet connections:
> > > > > /etc/shorewall/providers
> > > > > #NAME                  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS  COPY
> > > > > TISCALI                1       256   main       eth2       217.133.234.182  track    eth0,eth1
> > > > > INFO1                  2       512   main       eth3       192.168.50.2     -        eth0,eth1
> > > > > LAN_TRANSPARENT_PROXY  14      1024  -          eth1       192.168.0.205    loose
> > > > >
> > > > > I use the IP on eth2 to do DNAT on some hosts in the LAN, but the response
> > > > > doesn't go through eth2, since the default provider is on eth3:
> > > > > /etc/shorewall/route_rules:
> > > > > eth1 - INFO1 26002
> > > > >
> > > > > From my understanding, using the option "track" on eth2 should make the
> > > > > connections that arrive on eth2 and are DNATted to the hosts on the LAN
> > > > > return on eth2. Since that doesn't happen, my question is whether this
> > > > > depends on a wrong setup, or if it shouldn't work anyway since I'm still
> > > > > using route_rules instead of tcrules. Besides, the MultiISP howto
> > > > > recommends shorewall 4.2, while I'm still on shorewall 4.0.
> > > >
> > > > It should work.
> > > >
> The DNATed connections work now because I manually forced every publishing
> host to exit on the internet via eth2, using route_rules and masq. I wanted
> to let shorewall magically do the work and send the response through
> the same provider. I think this is the sense of the "track" option.
>

You have read http://www.shorewall.net/FAQ.htm#faq57, right? You may want
to use balance here, then track might work. If you don't want to use
balance I'd suggest using something like this in tcrules for each
service that is DNATed:

256:P 192.168.0.211 0.0.0.0/0 tcp - 80

which reads: mark packets with mark 256 in prerouting from $ip going
anywhere with source port of 80

repeat with edits for each service...

Do these DNATed public IP addresses need to be available through the
VPN? If not, then the route_rules entries that point the DNATed boxes
to the main table may go away.

Jerry

> > Well, I get prompted for a password when I try the DNATed http port....
> > A username and password are being requested by http://217.133.234.177.
> > The site says: "Space Trac"
> >
> > > > > This setup worked in shorewall 3.2; now as a work-around I'm forcing every
> > > > > host that receives DNAT connections to always exit through eth2.
> > > >
> Thanks for the tip.
> The difference between MASQ and SNAT should be only in performance, right?
>

Should not make much of a difference...

Jerry
Jerry Vonau wrote:
> You have read http://www.shorewall.net/FAQ.htm#faq57, right? You may want
> to use balance here, then track might work. If you don't want to use
> balance I'd suggest using something like this in tcrules for each
> service that is DNATed:
>
> 256:P 192.168.0.211 0.0.0.0/0 tcp - 80
>
> which reads: mark packets with mark 256 in prerouting from $ip going
> anywhere with source port of 80
>
> repeat with edits for each service...
>
> Do these DNATed public IP addresses need to be available through the
> VPN? If not, then the route_rules entries that point the DNATed boxes
> to the main table may go away.

I'm unclear why this isn't working correctly to start with.
Unfortunately, I could find no DNATed connections active in the dump so
I couldn't look at their packet marks. But there are several active
connections from eth2 and they are marked correctly:

Example:

tcp 6 374597 ESTABLISHED src=201.2.226.149 dst=217.133.234.179
sport=2873 dport=25 packets=4 bytes=168 src=217.133.234.179
dst=201.2.226.149 sport=25 dport=2873 packets=1 bytes=48 [ASSURED]
mark=256 secmark=0 use=1

And the routing rules look correct:

0:      from all lookup local
1000:   from all to 192.168.1.0/24 lookup main
1001:   from all to 172.18.36.64/26 lookup main
...
<extra rules deleted>
10000:  from all fwmark 0x100 lookup TISCALI
10001:  from all fwmark 0x200 lookup INFO1
10013:  from all fwmark 0x400 lookup LAN_TRANSPARENT_PROXY
20000:  from 217.133.234.177 lookup TISCALI
20256:  from 192.168.50.1 lookup INFO1
26002:  from all iif eth1 lookup INFO1
32766:  from all lookup main
32767:  from all lookup default

Rule 10000 should send all packets marked with '256' to TISCALI which is
eth2.

And the marking rules also look correct.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
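A small checker in the spirit of Tom's diagnosis above: it reads the conntrack entries and the "ip rule" listing from a `shorewall dump` and flags connections that arrived on a provider's public address without that provider's mark, or a provider whose fwmark routing rule is missing (a reply from the DNATed host then falls through to the default table and leaves via the other ISP). This is an added example, not part of the thread or of Shorewall itself; the sample dump lines, the PROVIDERS map and the 198.51.100.7 client address are constructed.

```python
import re

# Constructed sample modelled on the conntrack entry and "ip rule" listing
# quoted in the thread. The second connection is a made-up DNATed HTTP
# session that came in on 217.133.234.177 but never received mark 256.
CONNTRACK_SAMPLE = """\
tcp 6 374597 ESTABLISHED src=201.2.226.149 dst=217.133.234.179 sport=2873 dport=25 packets=4 bytes=168 src=217.133.234.179 dst=201.2.226.149 sport=25 dport=2873 packets=1 bytes=48 [ASSURED] mark=256 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=217.133.234.177 sport=40000 dport=80 packets=3 bytes=200 src=192.168.0.211 dst=198.51.100.7 sport=80 dport=40000 packets=2 bytes=300 [ASSURED] mark=0 secmark=0 use=1
"""
RULES_SAMPLE = """\
0:      from all lookup local
10000:  from all fwmark 0x100 lookup TISCALI
10001:  from all fwmark 0x200 lookup INFO1
26002:  from all iif eth1 lookup INFO1
32766:  from all lookup main
"""
# provider name -> (MARK column of /etc/shorewall/providers, public
# addresses on its interface). Assumed values for the eth2 provider.
PROVIDERS = {"TISCALI": (256, {"217.133.234.177", "217.133.234.179"})}


def parse_conntrack(text):
    """Return original-direction dst, reply-direction src and mark per entry.

    A conntrack line carries src=/dst= twice: the first pair is the original
    direction (client -> public address); after DNAT the reply src is the
    internal host that will send the answer back out.
    """
    entries = []
    for line in text.splitlines():
        srcs = re.findall(r"\bsrc=(\S+)", line)
        dsts = re.findall(r"\bdst=(\S+)", line)
        mark = re.search(r"\bmark=(\d+)", line)  # \b excludes secmark=
        if len(srcs) < 2 or len(dsts) < 2 or mark is None:
            continue  # not a complete conntrack entry
        entries.append({"orig_dst": dsts[0], "reply_src": srcs[1],
                        "mark": int(mark.group(1))})
    return entries


def parse_fwmark_rules(text):
    """Map fwmark value -> routing table name from an 'ip rule' listing."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s+from all fwmark (0x[0-9a-fA-F]+) lookup (\S+)", line)
        if m:
            rules[int(m.group(1), 16)] = m.group(2)
    return rules


def audit(conntrack_text, rules_text, providers):
    """List reasons why replies to DNATed connections would leave the wrong way."""
    problems = []
    tables = parse_fwmark_rules(rules_text)
    for name, (mark, _addrs) in providers.items():
        if tables.get(mark) != name:
            problems.append(f"no 'fwmark {mark:#x} lookup {name}' routing rule")
    for e in parse_conntrack(conntrack_text):
        for name, (mark, addrs) in providers.items():
            if e["orig_dst"] in addrs and e["mark"] != mark:
                problems.append(
                    f"connection to {e['orig_dst']} (reply from {e['reply_src']}) "
                    f"has mark {e['mark']}, expected {mark} so it routes via {name}")
    return problems


if __name__ == "__main__":
    for p in audit(CONNTRACK_SAMPLE, RULES_SAMPLE, PROVIDERS):
        print("PROBLEM:", p)
```

On a real box, feed it the conntrack and "ip rule" sections of the dump; an empty result means the track marks and fwmark rules line up and any remaining trouble is elsewhere (as it turned out to be here, in the filter rules).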
As often happens, posing a problem to someone else gave me hints to
solve the problem myself.

In the end, my problem was only in filtering, so I do need

ACCEPT loc:$local_dnatted_ip net1

in rules, but I do not need

eth2 $local_dnatted_ip

in masq, and I do not need

$local_dnatted_ip - main 1100

in route_rules, since the "track" option works as expected.

On Wed, Aug 19, 2009 at 11:35:21AM -0700, Tom Eastep wrote:
> Jerry Vonau wrote:
>
> > You have read http://www.shorewall.net/FAQ.htm#faq57, right? You may want
> > to use balance here, then track might work. If you don't want to use
> > balance I'd suggest using something like this in tcrules for each
> > service that is DNATed:
> >
> > 256:P 192.168.0.211 0.0.0.0/0 tcp - 80
> >
> > which reads: mark packets with mark 256 in prerouting from $ip going
> > anywhere with source port of 80
> >
> > repeat with edits for each service...
> >
> > Do these DNATed public IP addresses need to be available through the
> > VPN? If not, then the route_rules entries that point the DNATed boxes
> > to the main table may go away.
>
> I'm unclear why this isn't working correctly to start with.
> Unfortunately, I could find no DNATed connections active in the dump so
> I couldn't look at their packet marks. But there are several active
> connections from eth2 and they are marked correctly:
>
> Example:
>
> tcp 6 374597 ESTABLISHED src=201.2.226.149 dst=217.133.234.179
> sport=2873 dport=25 packets=4 bytes=168 src=217.133.234.179
> dst=201.2.226.149 sport=25 dport=2873 packets=1 bytes=48 [ASSURED]
> mark=256 secmark=0 use=1
>
> And the routing rules look correct:
>
> 0:      from all lookup local
> 1000:   from all to 192.168.1.0/24 lookup main
> 1001:   from all to 172.18.36.64/26 lookup main
> ...
> <extra rules deleted>
> 10000:  from all fwmark 0x100 lookup TISCALI
> 10001:  from all fwmark 0x200 lookup INFO1
> 10013:  from all fwmark 0x400 lookup LAN_TRANSPARENT_PROXY
> 20000:  from 217.133.234.177 lookup TISCALI
> 20256:  from 192.168.50.1 lookup INFO1
> 26002:  from all iif eth1 lookup INFO1
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> Rule 10000 should send all packets marked with '256' to TISCALI which is
> eth2.
>
> And the marking rules also look correct.
>
> -Tom
Gaetano Guerriero wrote:
> As often happens, posing a problem to someone else gave me hints to
> solve the problem myself.
> In the end, my problem was only in filtering, so I do need
> ACCEPT loc:$local_dnatted_ip net1
> in rules, but I do not need
> eth2 $local_dnatted_ip
> in masq, and I do not need
> $local_dnatted_ip - main 1100
> in route_rules, since the "track" option works as expected.

Excellent. Thanks for the update.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________