Joshua Penix
2002-Sep-23 21:14 UTC
[Shorewall-users] Re: [Shorewall-users] FOUR (was) three legged router
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Sunday, September 22, 2002 3:51 PM
> To: Dirk Koopman
> Cc: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Re: [Shorewall-users] FOUR (was) three legged router
>
> > I would like the packets thus redirected to go back out of the interface
> > they respectively came in on. I.e. stuff coming in on 62.6.149.0 gets
> > replies and accs going back out that interface and the same for
> > 212.240.163.96/28 addresses (which go out on their interface).
> >
> > This is for a switch over period only (although it appears this is
> > getting less and less needed, but it would be nice to do).
>
> See the Linux Advanced Routing and Traffic Control HOWTO -- Link on the
> "Useful Links" page on my site.

I have a setup similar to Dirk's, where the Shorewall box has two outside connections, and I want traffic to go back out via the original path. I read section 4.2.1 of the LARTC which addresses exactly this, and it makes good sense. But the question still in my mind is, what's involved in integrating that setup with Shorewall? Does Shorewall even care if such changes are made?

Where's the best place to add the LARTC-suggested 'ip route' and 'ip rule' lines? Would these go in 'tcstart'? Or /etc/shorewall/init? Or in 'common' with a run_ip?

Guidance is appreciated :^)

--Josh
Tom Eastep
2002-Sep-23 21:29 UTC
[Shorewall-users] Re: [Shorewall-users] FOUR (was) three legged router
Joshua Penix wrote:

> > -----Original Message-----
> > From: Tom Eastep [mailto:teastep@shorewall.net]
> > Sent: Sunday, September 22, 2002 3:51 PM
> > To: Dirk Koopman
> > Cc: shorewall-users@shorewall.net
> > Subject: [Shorewall-users] Re: [Shorewall-users] FOUR (was) three legged router
> >
> > > I would like the packets thus redirected to go back out of the interface
> > > they respectively came in on. I.e. stuff coming in on 62.6.149.0 gets
> > > replies and accs going back out that interface and the same for
> > > 212.240.163.96/28 addresses (which go out on their interface).
> > >
> > > This is for a switch over period only (although it appears this is
> > > getting less and less needed, but it would be nice to do).
> >
> > See the Linux Advanced Routing and Traffic Control HOWTO -- Link on the
> > "Useful Links" page on my site.
>
> I have a setup similar to Dirk's, where the Shorewall box has two outside
> connections, and I want traffic to go back out via the original path. I
> read section 4.2.1 of the LARTC which addresses exactly this, and it makes
> good sense. But the question still in my mind is, what's involved in
> integrating that setup with Shorewall? Does Shorewall even care if such
> changes are made?

Only in the sense that you will have two interfaces to the 'net' zone and if you are masquerading to the net, then you need to masq to both interfaces.

> Where's the best place to add the LARTC-suggested 'ip route' and 'ip rule'
> lines? Would these go in 'tcstart'? Or /etc/shorewall/init? Or in
> 'common' with a run_ip?

I wouldn't add them to Shorewall at all -- they don't change when Shorewall starts and stops and really have nothing to do with Shorewall. They should instead go where your distribution puts "ifup" extensions. In RedHat, that's /sbin/ifup-local (invoked with one argument - the if name).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
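One way to carry out the approach discussed in this thread, as an added example that is not code from the list or from Shorewall: a hook in the style of RedHat's /sbin/ifup-local (called with the interface name as its one argument) that builds the LARTC section 4.2.1 per-uplink routing table and source rule for that interface, so replies leave through the uplink they arrived on. The interface names, gateways, table numbers and the two local addresses are assumed placeholders, chosen inside the ranges Dirk mentioned; a DRY_RUN mode prints the ip(8) commands instead of running them.

```shell
#!/bin/sh
# Hypothetical /sbin/ifup-local: sets up "routing for multiple uplinks"
# (LARTC 4.2.1) for the interface given as $1. Not Shorewall code.

# Per-uplink parameters, one per line: iface|local_addr|network|gateway|table
# Interface names, addresses, gateways and table numbers are ASSUMED placeholders.
UPLINKS="eth1|62.6.149.2|62.6.149.0/24|62.6.149.1|100
eth2|212.240.163.98|212.240.163.96/28|212.240.163.97|200"

# With DRY_RUN=1 print the command instead of executing it, so the rules can
# be reviewed before they touch the live routing tables.
emit() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Build table <table> for the uplink named in $1 and point traffic sourced
# from that uplink's own address at it. Unknown interfaces emit nothing.
policy_route_iface() {
    iface=$1
    echo "$UPLINKS" | while IFS='|' read -r dev addr net gw table; do
        [ "$dev" = "$iface" ] || continue
        # Link route and default route of this uplink, in its own table
        emit ip route replace "$net" dev "$dev" src "$addr" table "$table"
        emit ip route replace default via "$gw" dev "$dev" table "$table"
        # Replace (not duplicate) the source rule if the hook runs again
        emit ip rule del from "$addr" table "$table" 2>/dev/null
        emit ip rule add from "$addr" table "$table"
        emit ip route flush cache
    done
}

if [ -n "$1" ]; then
    policy_route_iface "$1"
fi
```

Shorewall itself is untouched by these rules; as Tom notes, the only Shorewall-side change is to masquerade to both outside interfaces in the masq configuration.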