Alain Degreffe
2002-Feb-25 16:01 UTC
[Shorewall-users] Rép. : RE: [Shorewall-users] Aliases problem
In my case, I have 2 ISP accesses via two Ethernet cards.

I try to redirect any SMTP traffic through one ISP access.

When my firewall opens a new socket to the Internet on port 25 (SMTP), it always uses the same IP address.
There is a policy routing to mark this kind of packet and a rule to look up an alternate routing table.
I use /etc/shorewall/tcrule to mark packets and a custom script to initialize the new routing table.

Everything works well, but the src IP address of a locally generated packet always uses the IP address attached to the default gateway of the main routing table (and not the gateway of my new routing table), and finally the firewall sends this packet through the right interface but with the wrong source IP.

To avoid this problem, I just try to NAT every packet sent through this alternate routing table.

It works, but your script does an "ip addr del" when NAT is set up or stopped by the shorewall script on my ISP interface !!!

eth0 = isp1
eth1 = isp2
eth3 = localnet

In the nat file:

    <realip>   eth1   no   no

where realip is the eth1 real IP.

Why? Because any locally generated packet uses the eth0 src address and my isp2 doesn't like to see isp1 packets ...

You said: don't use the real IP in the first column, but what can I place there then?

If I disable AUTOIPALIAS in shorewall.conf, the script continues to do an ip addr del in the delete_nat() function..., doesn't it?

Alain

>>> "Tom Eastep" <teastep@shorewall.net> 25/02/2002 14:58:21 >>>
Alain,

Please tell me what the problem is that you are seeing -- from your description, it is not at all clear.

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of eczema@ecze.com
> Sent: Monday, February 25, 2002 2:26 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Aliases problem
>
> The shorewall script doesn't care about the real interface when the
> AUTO ADD ALIASES feature is enabled.
>
> I think the problem comes from the script. There isn't any checking in
> delete_nat() and not enough in the set_nat() function when the script
> does an ip addr del.... (the existence of <shorewall home>/nat is checked
> in the delete_nat() function)
>
> Any idea about a bug fix in a short time?
>
> Alain Degreffe
>
> eczema@ecze.com
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2002-Feb-25 16:52 UTC
[Shorewall-users] RE: [Shorewall-users] Rép. : RE: [Shorewall-users] Aliases problem
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Alain Degreffe
> Sent: Monday, February 25, 2002 8:02 AM
> To: eczema@ecze.com; shorewall-users@shorewall.net; teastep@shorewall.net
> Subject: [Shorewall-users] Rép. : RE: [Shorewall-users] Aliases problem
>
> In my case, I have 2 ISP accesses via two Ethernet cards.
>
> I try to redirect any SMTP traffic through one ISP access.
>
> When my firewall opens a new socket to the Internet on port 25 (SMTP),
> it always uses the same IP address.
> There is a policy routing to mark this kind of packet and a rule to
> look up an alternate routing table.
> I use /etc/shorewall/tcrule to mark packets and a custom script to
> initialize the new routing table.
>
> Everything works well, but the src IP address of a locally generated
> packet always uses the IP address attached to the default gateway of
> the main routing table (and not the gateway of my new routing table),
> and finally the firewall sends this packet through the right interface
> but with the wrong source IP.
>
> To avoid this problem, I just try to NAT every packet sent through this
> alternate routing table.
>
> It works, but your script does an "ip addr del" when NAT is set up or
> stopped by the shorewall script on my ISP interface !!!

Several things:

a) Shorewall NAT is designed to do SNAT and DNAT for forwarded connections. It is not designed to do SNAT only.

b) When you say "locally generated", do you mean generated in your local network or on the firewall itself?

c) I haven't heard of other people with a setup like yours having problems with packet source addresses -- perhaps there's something else you are overlooking. Unfortunately, I haven't set up a two-ISP system so I can't speak authoritatively.

If you simply want to get the SNAT part of what Shorewall does with entries in the /etc/shorewall/nat file, then create /etc/shorewall/start and add the following to it:

    run_iptables -t nat -A POSTROUTING -o <first interface> -j SNAT --to-source <first ip>
    run_iptables -t nat -A POSTROUTING -o <second interface> -j SNAT --to-source <second ip>

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Feb-25 17:37 UTC
[Shorewall-users] RE: [Shorewall-users] RE: [Shorewall-users] Rép. : RE: [Shorewall-users] Aliases problem
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Monday, February 25, 2002 8:53 AM
> To: 'Alain Degreffe'; eczema@ecze.com; shorewall-users@shorewall.net
> Subject: [Shorewall-users] RE: [Shorewall-users] Rép. : RE: [Shorewall-users] Aliases problem
>
> If you simply want to get the SNAT part of what Shorewall does with
> entries in the /etc/shorewall/nat file, then create /etc/shorewall/start
> and add the following to it:
>
>     run_iptables -t nat -A POSTROUTING -o <first interface> -j SNAT --to-source <first ip>
>     run_iptables -t nat -A POSTROUTING -o <second interface> -j SNAT --to-source <second ip>

Note that you can also do this with entries in the /etc/shorewall/masq file.

Your choice,

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
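The two-ISP setup discussed in this thread, as an added shell example that is not part of the original messages or of Shorewall itself. It generates the ip rule / ip route commands for the alternate table, the mangle rules that mark new outbound tcp/25 connections (both the OUTPUT chain for packets the firewall generates itself and PREROUTING for forwarded ones), and the two per-interface SNAT rules Tom gives above, written as plain iptables commands rather than Shorewall's run_iptables helper (entries in the masq file would produce equivalent SNAT rules). Interface names, addresses, the fwmark value and the table number are assumptions chosen for illustration.

```shell
#!/bin/sh
# Two-ISP policy routing for outbound SMTP with per-interface SNAT.
# Added example, not Shorewall's own code. Interfaces, addresses, the
# fwmark and the table number below are assumptions for illustration.

ISP1_IF=eth0; ISP1_IP=198.51.100.10; ISP1_GW=198.51.100.1   # default route lives here
ISP2_IF=eth1; ISP2_IP=203.0.113.10;  ISP2_GW=203.0.113.1    # SMTP should leave here
SMTP_MARK=1          # fwmark applied to tcp/25 traffic
SMTP_TABLE=100       # alternate routing table number

# Commands that build the alternate table and the rule that selects it by mark.
routing_cmds() {
    printf '%s\n' \
      "ip route add default via $ISP2_GW dev $ISP2_IF table $SMTP_TABLE" \
      "ip rule add fwmark $SMTP_MARK table $SMTP_TABLE" \
      "ip route flush cache"
}

# Mangle rules that mark outbound SMTP. OUTPUT covers packets generated on
# the firewall itself (Alain's case); PREROUTING covers packets forwarded
# from the local network.
mark_cmds() {
    for chain in OUTPUT PREROUTING; do
        echo "iptables -t mangle -A $chain -p tcp --dport 25 -j MARK --set-mark $SMTP_MARK"
    done
}

# One SNAT rule for an (interface, address) pair: everything leaving that
# interface gets its source rewritten to that interface's own address.
snat_cmd() {
    echo "iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $2"
}

# The full command list, for review or for piping into sh as root.
all_cmds() {
    routing_cmds
    mark_cmds
    snat_cmd "$ISP1_IF" "$ISP1_IP"
    snat_cmd "$ISP2_IF" "$ISP2_IP"
}

# Number of commands emitted; lets the generator be checked without root.
cmd_count() { all_cmds | wc -l | tr -d ' '; }

# Usage:  sh two-isp-smtp.sh            (print the commands)
#         sh two-isp-smtp.sh | sudo sh  (apply them)
all_cmds
```

The SNAT rule on the second interface is what addresses the symptom Alain describes: for a packet the firewall generates itself, the kernel chooses the source address during the first route lookup, which consults the main table and so yields eth0's address; the mark set in the OUTPUT chain only reroutes the packet afterwards and leaves that source address untouched, so a POSTROUTING SNAT is needed to rewrite it to eth1's address before it leaves. If the rules are meant to be permanent they belong in a startup hook such as /etc/shorewall/start, as Tom suggests, since a Shorewall restart flushes the tables.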