----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, August 19, 2004 08:06
Subject: Re: [Shorewall-users] Two Links and DNAT

> > Btw, by "shorewall show nat" I just noticed that I was doing snat only
> > for packets coming from eth1 (intranet). So now I added the following line
> > to /etc/shorewall/start
> >
> > iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source 192.168.200.1
> >
> > I'm not sure if this is the correct/best solution... but it worked. Now
> > locally generated smtp packets go out only through eth0 (slowlink).
> >
> > Marcelo
> >
> > Tom Eastep wrote:
> > > Marcelo Mercio Dandrea wrote:
> > >
> > >> ip route add default via $P2
> > >> ip rule add from $IP1 table slow
> > >> ip rule add from $IP2 table fast
> > >> ip route add $P0_NET dev $IF0 table slow
> > >> ip route add $P2_NET dev $IF2 table slow
> > >> ip route add 127.0.0.0/8 dev lo table slow
> > >> ip route add $P0_NET dev $IF0 table fast
> > >> ip route add $P1_NET dev $IF1 table fast
> > >> ip route add 127.0.0.0/8 dev lo table fast
> > >> ip rule add fwmark 0x5 table slow prio 0
> > >
> > > I wonder if reordering your rules to place this one first would correct
> > > the "from the firewall" problem...
> > >
> > > -Tom
>
> Sorry for being slow on the reply but I think
> you're missing some routing rules.
>
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> Jerry

change T1 and T2 to your table names

Jerry
Jerry Vonau wrote:

|>>>>ip rule add from $IP1 table slow
|>>>>ip rule add from $IP2 table fast

Haven't had your coffee yet this morning Jerry? :-)

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> |>>>>ip rule add from $IP1 table slow
> |>>>>ip rule add from $IP2 table fast
>
> Haven't had your coffee yet this morning Jerry? :-)
>
> -Tom

No, I was a bit rushed... :(
My doctor said I should cut down, and I was trying...

That was based on the post listing the output of 'ip rule'
---snip--
[root@magyar root]# ip rule
0:      from all lookup local
0:      from all fwmark 0x5 lookup slow
1:      from 0.0.0.0 fwmark 0xca lookup www.out
--------
Where is the rule? or is some missing?

[jerry@sarg3 jerry]$ ip rule
0:      from all lookup local
32630:  from all to 139.xxx.212.xx lookup T1
32631:  from all fwmark 0x1 lookup T2
32764:  from 205.yyy.1.zzz lookup T2
32765:  from 64.yyy.140.yyy lookup T1
32766:  from all lookup main
32767:  from all lookup 253

Jerry
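
An added example, not part of any poster's message: the comparison made by eye in the message above, scripted as a shell function that reads `ip rule` output and prints each named table that no `from <address>` rule points to. The function and helper names are hypothetical; the two listings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: ip rule | missing_source_rules slow fast
# Prints every table named on the command line that has no source-address rule.
missing_source_rules() {
    awk -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    {
        src = ""; tbl = ""
        for (i = 1; i < NF; i++) {
            if ($i == "from")   src = $(i + 1)
            if ($i == "lookup") tbl = $(i + 1)
        }
        # "from all" matches every packet, so it is not a source-based rule.
        if (src != "" && src != "all" && tbl != "") has_src[tbl] = 1
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(names[i] in has_src)) print names[i]
    }'
}

# Listing posted for host magyar, as quoted in the thread.
sample_magyar() {
    cat <<'EOF'
0:      from all lookup local
0:      from all fwmark 0x5 lookup slow
1:      from 0.0.0.0 fwmark 0xca lookup www.out
EOF
}

# Listing from host sarg3, as quoted in the thread (addresses masked there).
sample_sarg3() {
    cat <<'EOF'
0:      from all lookup local
32630:  from all to 139.xxx.212.xx lookup T1
32631:  from all fwmark 0x1 lookup T2
32764:  from 205.yyy.1.zzz lookup T2
32765:  from 64.yyy.140.yyy lookup T1
32766:  from all lookup main
32767:  from all lookup 253
EOF
}

# Both tables are reported for the first listing; none for the second.
sample_magyar | missing_source_rules slow fast
sample_sarg3 | missing_source_rules T1 T2
```
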
Jerry Vonau wrote:

|>|>>>>ip rule add from $IP1 table slow
|>|>>>>ip rule add from $IP2 table fast
|>
|>Haven't had your coffee yet this morning Jerry? :-)
|>
|>-Tom
|
| No, I was a bit rushed... :(
| My doctor said I should cut down, and I was trying...
|
| That was based on the post listing the output of 'ip rule'
| ---snip--
| [root@magyar root]# ip rule
| 0:      from all lookup local
| 0:      from all fwmark 0x5 lookup slow
| 1:      from 0.0.0.0 fwmark 0xca lookup www.out
| --------
| Where is the rule? or is some missing?

I was confused about that too -- what was posted looked a whole lot like
a Squid transparent proxy setup rather than a two internet interface
config. But the commands that the OP says he was running to set up the
routing were posted and contained the commands you mentioned.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> Jerry Vonau wrote:
> |>|>>>>ip rule add from $IP1 table slow
> |>|>>>>ip rule add from $IP2 table fast
> |>
> |>Haven't had your coffee yet this morning Jerry? :-)
> |>
> |>-Tom
> |
> | No, I was a bit rushed... :(
> | My doctor said I should cut down, and I was trying...
> |
> | That was based on the post listing the output of 'ip rule'
> | ---snip--
> | [root@magyar root]# ip rule
> | 0:      from all lookup local
> | 0:      from all fwmark 0x5 lookup slow
> | 1:      from 0.0.0.0 fwmark 0xca lookup www.out
> | --------
> | Where is the rule? or is some missing?
>
> I was confused about that too -- what was posted looked a whole lot like
> a Squid transparent proxy setup rather than a two internet interface
> config. But the commands that the OP says he was running to set up the
> routing were posted and contained the commands you mentioned.
>
> -Tom
> --

I hear you... Reacting on what is shown.
The other thought I had was I run my setup with the load balancing in place.

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1

Perhaps, that has an effect on whether the other gateway is even considered
in the outbound routing choice. The packet is said to have the correct ip,
but leaving on the wrong interface, the one with the only default gateway.
Just some thoughts.

Just a quick question on posting, what do you prefer top or bottom? I want to
be a good poster ;)

Jerry
Jerry Vonau wrote:
|
| Just a quick question on posting, what do you prefer top or bottom? I want to
| be a good post

I read from left to right, top to bottom -- hence I prefer bottom posting.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Jerry Vonau wrote:
> ...
> Just a quick question on posting, what do you prefer top or bottom? I want to
> be a good poster ;)

A helpful resource is:
http://www.netmeister.org/news/learn2quote.html

There is more to good posting than where you put your replies...

Paul