Jens:

This doesn't sound like a shorewall issue, can't really tell for sure without the config files.. please post them, along with the packet marking, ip info requested below.

----- Original Message -----
From: "Jens" <jens@pacificsun.ca>
To: <shorewall-users@lists.shorewall.net>
Sent: Sunday, July 25, 2004 22:58
Subject: [Shorewall-users] Routing to two isp's

> I have studied the various faq's but I am having a bit of trouble applying it
> to my situation.
> I have a shorewall box with two outside interfaces. Eth0 is for a cable line
> with dynamic ip, eth1 is for an adsl line with static ip, eth2 is the local
> zone and eth3 is the dmz.
> All traffic currently uses eth0 with your typical 3 interface setup examples.
> I would like the mail server in the DMZ to use eth1 for outgoing mail.
> Although at this point I am not concerned with failover protection, I don't
> want to hamper later efforts by assigning a fixed route from the mail server
> to eth1.
> I currently have no entries in the nat or proxyarp files.
> I have followed FAQ 32 on two connections to the internet and have added eth1
> to the interfaces and to the masq files.

Ok, let's assume that is correct, can't see the files.

> Outside of shorewall I mark traffic on port 25 from my mail server and tell it
> to go via a different route which is eth1 (this is along the lines of the
> LARTC how-to).

Mind sharing the marking that you're using? Did you cover traffic back from the internet?

> What I see happening (with tcpdump) is that the mail server tries to establish
> a connection with a remote mail server and this connection is routed
> correctly via the alternate route (eth1). I then see the remote mail server
> talking back to my shorewall box via eth1 but the packet disappears at this
> point. No connection can be established.

Is there any shorewall logging showing any drops for this traffic? If not then the routing might be off a bit.

Would need to see an "ip rule ls", "ip route ls" and an "ip route ls table XXX" for each of the defined tables.

> It would seem to me that I need to establish a way for that packet to get to
> my mail server but doesn't the fact that I have eth1 listed in the masq file
> (to masquerade to both eth2 and eth3) do this already? I am obviously
> missing something here and could use a suggestion as to which way to head.
>

Sounds like you're just missing some "ip rule" rule from the mix, but that is just a guess without seeing some more info posted.

Jerry Vonau
Warning, before coffee...

> On Sunday 25 July 2004 22:46, you wrote:
>
> > This doesn't sound like a shorewall issue, can't really tell for sure
> > without the config files.. please post them, along with the
> > packet marking, ip info requested below.
>
> > > Outside of shorewall I mark traffic on port 25 from my mail server
> > > and tell it
> > > to go via a different route which is eth1 (this is along the lines
> > > of the LARTC how-to).
> >
> > Mind sharing the marking that you're using?
> > Did you cover traffic back from the internet?
>
> See routing1.table attached below. Note that I didn't cover routing back with
> any changes to shorewall rules. I have a line in rules that says:
> DNAT net dmz:192.168.1.2 tcp www,ftp,pop3,smtp,ntp,imap2
> This arrangement has worked before when there was just a single interface to
> the net (eth0) and since eth1 is also specified as 'net', I am thinking that
> the route back should be covered.
>

You don't have any entries in the tables for the dmz, like the local lan, so there is no route back to the dmz in the defined routing tables.

ip route add $NET_DMZ dev $NAME_DMZ table shaw
ip route add $NET_DMZ dev $NAME_DMZ table adsl

> > Is there any shorewall logging showing any drops for this traffic?
> > If not then the routing might be off a bit.
>
> Shorewall does not report any drops to the standard output when I send an
> email routed over either eth0 or eth1
>
> > Would need to see an "ip rule ls", "ip route ls" and an
> > "ip route ls table XXX" for each of the defined tables.
>
> see attached route.ls, rule.ls, table.adsl.ls and table.shaw.ls
>
> > Sounds like you're just missing some "ip rule" rule from the mix, but that is
> > just a guess
> > without seeing some more info posted.
>
> Thanks for your help Jerry!
> Jens

Hope it's just that.

Jerry
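The gap Jerry points out above (alternate routing tables that know the way out via each ISP but have no route back to the DMZ) is easy to miss by eye across several "ip route ls table X" listings. The following is an added example, not code from this thread or from Shorewall: a small Python checker that takes the text of "ip rule ls", the main "ip route ls", and the per-table "ip route ls table X" output, works out which networks are directly connected on the internal interfaces, and reports, for every table referenced by a policy rule, the internal networks that table cannot reach, printing the "ip route add" lines that would close each gap (the same shape as the two lines Jerry gives). The interface and table names follow Jens's description (eth0 cable, eth1 adsl, eth2 local, eth3 dmz; tables "shaw" and "adsl"); the addresses and all command output are constructed for the example.

```python
"""Audit policy-routing tables on a two-ISP box for missing return routes.

Added example for this thread; not Shorewall code. All `ip` output below is
constructed sample data shaped like the real commands' output.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed `ip rule ls`: mark 0x1 (set outside Shorewall on the mail
# server's port 25 traffic) is sent to table "adsl"; replies sourced from the
# cable address use table "shaw".
RULE_LS = """\
0:      from all lookup local
32764:  from all fwmark 0x1 lookup adsl
32765:  from 203.0.113.10 lookup shaw
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed `ip route ls` (main table). The documentation prefixes
# 203.0.113.0/24 and 198.51.100.0/24 stand in for the two ISP subnets.
ROUTE_LS = """\
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
198.51.100.0/24 dev eth1  proto kernel  scope link  src 198.51.100.2
192.168.0.0/24 dev eth2  proto kernel  scope link  src 192.168.0.1
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.1
default via 203.0.113.1 dev eth0
"""

# Constructed per-table output: both tables carry the local LAN (eth2) but
# neither carries the DMZ network (eth3), so a reply arriving on eth1 for
# the mail server is looked up in "adsl" and has nowhere to go.
TABLES: Dict[str, str] = {
    "shaw": """\
203.0.113.0/24 dev eth0  scope link  src 203.0.113.10
192.168.0.0/24 dev eth2  scope link
default via 203.0.113.1 dev eth0
""",
    "adsl": """\
198.51.100.0/24 dev eth1  scope link  src 198.51.100.2
192.168.0.0/24 dev eth2  scope link
default via 198.51.100.1 dev eth1
""",
}

# "<dst> [via <gw>] dev <ifname> ..." is the only shape we need here.
_ROUTE_RE = re.compile(r"^(\S+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)")


def parse_routes(text: str) -> List[Tuple[str, str]]:
    """Return (destination, device) pairs from `ip route ls` output."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group(1), m.group(2)))
    return routes


def tables_in_use(rule_text: str) -> List[str]:
    """Custom tables that `ip rule` can select, in rule-priority order."""
    found = []
    for line in rule_text.splitlines():
        m = re.search(r"lookup\s+(\S+)", line)
        if m and m.group(1) not in ("local", "main", "default"):
            found.append(m.group(1))
    return found


def connected_nets(main_text: str, external_devs: Set[str]) -> List[Tuple[str, str]]:
    """Directly connected prefixes on the non-ISP interfaces (local, dmz)."""
    return [(dst, dev) for dst, dev in parse_routes(main_text)
            if dst != "default" and dev not in external_devs]


def audit_tables(rule_text: str, main_text: str, tables: Dict[str, str],
                 external_devs: Set[str]) -> List[str]:
    """Return one line per problem found in the alternate tables.

    A table with no default route cannot carry marked traffic out; a table
    missing an internal network cannot deliver replies back in. For the
    latter the line is the `ip route add` command that would fix it.
    """
    internal = connected_nets(main_text, external_devs)
    problems = []
    for table in tables_in_use(rule_text):
        routes = parse_routes(tables.get(table, ""))
        present = {dst for dst, _ in routes}
        if "default" not in present:
            problems.append(f"table {table} has no default route")
        for net, dev in internal:
            if net not in present:
                problems.append(f"ip route add {net} dev {dev} table {table}")
    return problems


if __name__ == "__main__":
    for line in audit_tables(RULE_LS, ROUTE_LS, TABLES, {"eth0", "eth1"}):
        print(line)
```

On a live box the three inputs would come from `ip rule ls`, `ip route ls` and `ip route ls table <name>` for each name the first command mentions; the set of ISP-facing interfaces is passed in explicitly so that the checker never mistakes an external subnet for an internal one.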
Jens wrote:

>> What I see happening (with tcpdump) is that the mail server tries to
>> establish a connection with a remote mail server and this connection is
>> routed correctly via the alternate route (eth1). I then see the remote mail
>> server talking back to my shorewall box via eth1 but the packet disappears
>> at this point. No connection can be established.
>
> I am still struggling with this .....
> I ran into something curious - in FAQ 32, we are instructed to insert another
> line into /etc/shorewall/interfaces for the second internet interface (net
> eth1). We are also reminded to upgrade the masq file if this applies.
> Going thru the configuration files, I notice that /etc/shorewall/params
> contains a line NET_IF=eth0 .... but there is no mention of updating the
> params file.

If there is something in /etc/shorewall/params then you put it there. As I release the file, it's empty.

> I am not exactly sure where the variables in the params file come into the
> picture but could this be a reason why my second internet connection is going
> to the outside without any trouble but return traffic can't get back in?

Jens,

The key points of FAQ 32 are:

a) There are only a couple of Shorewall changes that you need to make but those are trivial and are associated with setting up two interfaces to a zone. They are *completely* described in FAQ 32. Beyond those simple changes, THIS ISN'T A SHOREWALL PROBLEM and until you understand that you are going to just beat your head against the wall.

b) I reproduced the information from the LARTC as a courtesy. FAQ 32 clearly states that I haven't tried *any* part of what is described there and that if you have problems, the LARTC mailing list is much more likely to be of help since presumably the people who wrote that information have at least tried it.

c) You are trying to use port forwarding and hence you need to take the additional routing measures contributed to FAQ 32 by Martin Brown.

Have you implemented those measures?

Folks, I'm not going to pay for another ISP connection so that I can give better free support for my free product, especially since the problem only marginally involves Shorewall; my own internet connection has been down for less than an hour in the last five years. So unless those of you who have set up two internet interfaces with Shorewall are willing to help the others, this list isn't going to be of any assistance in that area.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi

I had that same problem. Thanks for FAQ32, but it didn't help. After having played with shorewall and packet marking etc. I gave up and threw more hardware at it.

Now I have one linux box (with shorewall) for each of the three external interfaces; these boxes act as gateways for the adsl lines. The internal boxes (in the dmz and other zones) each have one of them as default gw, so that packets generated inside find their way out as I like them to.

For packets coming in from the internet, I masquerade the internet, that is, for all incoming packets my gws do a snat to the gw internal ip, so that the services inside seem to get the traffic from the gw, and return the traffic there, where it gets unmasqed and returns to the original source the way it came in.

Yes I know this is not how it all was invented, but it works.

--
Titus Green
Titus Green wrote:

> Yes I know this is not how it all was invented, but it works.

Maybe someone who has made this work will be willing to write a better HOWTO....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Jens wrote:

>
> I am holding my breath to see when this gremlin will come out of hiding and
> bite me in the behind .....
>

Did you ever have your mail server connected directly to your 2nd ISP's line?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net