Displaying 20 results from an estimated 28 matches for "ctorigdst".
2004 Nov 30
5
Problem with 2.4.28 kernel config
I just recompiled a plain vanilla 2.4.28 kernel, and used the Shorewall.net
kernel config as a guideline. For some reason, I get this:
Nov 30 12:05:34 fw shorewall: Shorewall has detected the following
iptables/netfilter capabilities:
Nov 30 12:05:34 fw shorewall: NAT: Available
Nov 30 12:05:34 fw shorewall: Packet Mangling: Available
Nov 30 12:05:34 fw shorewall: Multi-port Match:
2005 Jul 28
3
Routing for multiple uplinks/providers problem.
Been running this for quite a while and noticed that I have intermittent
problems getting out.
Find that if I ping the same site from 2 computers it may work on one
and fail on the other.
Also was surprised that some time they are going out different
interfaces at the same time.
Seems to work all the time from the firewall.
Running 2.6.10 kernel with the multipath routing patches on a debian
2004 Mar 16
4
split route questions
I am working on a split route and ShoreWall system. I reviewed the
lartc documentation but have a few areas that I still need help on.
Here is my network:
64.xxx.xxx.1/25 66.xxx.xxx.129/26
| |
#################################################
# Eth2 64.xxx.xxx.2 eth0 66.xxx.xxx.130 #
#
2007 Apr 18
1
[Bridge] Multilink + bridge + nat problem
...00
-o wan0 -s 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000
-o wan0 -m conntrack --ctorigsrc 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000
-o wan0 -m conntrack --ctorigdst 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i
wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark
0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000
-o wan0 -m conntrack --ctreplsr...
2005 Feb 28
1
Mail server on DMZ
...state NEW tcp flags:!0x16/0x02
205 10020 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:25
1199 57624 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:25 ctorigdst 213.58.230.27
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:110 ctorigdst 213.58.230.27
7 336 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:389 ctorigdst 213.58.230.27
3 144 ACCEPT tcp -- * * 0.0.0.0/0
1...
2005 Mar 07
10
DNS Name problem with mail server on LAN
...state NEW tcp flags:!0x16/0x02
205 10020 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:25
1199 57624 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:25 ctorigdst 213.58.230.27
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:110 ctorigdst 213.58.230.27
7 336 ACCEPT tcp -- * * 0.0.0.0/0
10.0.0.152 tcp dpt:389 ctorigdst 213.58.230.27
3 144 ACCEPT tcp -- * * 0.0.0.0/0
1...
2007 Jul 09
1
Help with traffic control (HTB ESFQ RED)
...tc class add dev $DEV parent 1:1 classid $HTTP htb rate 10kbps ceil
$MAX_RATE burst 15k prio 0 quantum 1600
tc class add dev $DEV parent 1:1 classid $DEF htb rate 5kbps ceil
$MAX_RATE burst 0 prio 1 quantum 1600
### ESFQ LEAFS ###
tc qdisc add dev $DEV parent $SSH handle 10: esfq perturb 10 hash ctorigdst
tc qdisc add dev $DEV parent $DEF handle 30: esfq perturb 10 hash classic
tc qdisc add dev $DEV parent $P2P handle 20: esfq perturb 10 hash
ctorigdst depth 256
tc qdisc add dev $DEV parent $HTTP handle 40: esfq perturb 10 hash classic
## RED rule used instead of ESFQ one for $P2P class ##
#tc qd...
2005 Nov 28
0
conntrack match failed, packets not FWMarked
...ything I read
tell me this should work.
Here are my rules (from iptables-save):
*mangle
:PREROUTING ACCEPT [529944:316988323]
:INPUT ACCEPT [374208:35129218]
:FORWARD ACCEPT [4225914:2972153716]
:OUTPUT ACCEPT [147094:14149367]
:POSTROUTING ACCEPT [4855993:3030201798]
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP0 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP1 -j MARK --set-mark 0x2
-A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"
COMMIT
# Completed on Mon Nov 28 09:53:06 2005
# Generated by iptables-save v1.2.11 on Mon Nov 28 09:53:06 2005
*na...
2005 Jun 20
0
routing for multiple uplinks + DNAT (LVS in my case)
...DNAT [1].
The proposed solution [1] is to use these rules to mark packages with the
conntrack module ... so I guess you mark all the packages that belong to
the connection when it's established (and every package before they
get DNATted).
# iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j
MARK --set-mark=1
# iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j
MARK --set-mark=2
And then use the mark to route the outgoing packages correctly.
# ip rule add fwmark 1 table T1
# ip rule add fwmark 2 table T2
[1] (Spanish) http://bulma.net/body.phtml?nIdNoticia=214...
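The two posts above ("conntrack match failed, packets not FWMarked" and this one) both mark connections by `--ctorigdst` and then route on the mark. One detail the first ruleset leaves out: the `MARK` target writes the packet mark only, while `-m connmark --mark` tests the mark stored in the conntrack entry, which nothing writes unless `CONNMARK --save-mark` runs; and without `CONNMARK --restore-mark` the reply packets of a DNATed connection never receive the mark at all. The script below is an added example, not code from either post or from Shorewall; the two uplink addresses, the ppp interface names, the routing-table ids and the `run`/`DRY_RUN` wrapper are assumptions chosen so the generated rule set can be reviewed without touching the kernel.

```sh
#!/bin/sh
# Added example: mark each connection with the uplink its first packet arrived
# on, copy the mark into the conntrack entry, and route replies by that mark.
# IP1/IP2, the ppp interface names and table ids are assumptions (arguments).
set -eu

IPT=${IPT:-iptables}
IP=${IP:-ip}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it verbatim when DRY_RUN=1, so the
# generated rule set can be reviewed before it is loaded into the kernel.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# uplink_mark_rules IP1 IP2 WAN1 WAN2 TABLE1 TABLE2
#   IPn    : public address of uplink n (what --ctorigdst is compared with)
#   WANn   : point-to-point interface of uplink n (e.g. ppp0)
#   TABLEn : routing table id whose default route leaves via WANn
uplink_mark_rules() {
    ip1=$1 ip2=$2 wan1=$3 wan2=$4 t1=$5 t2=$6

    # 1. Put the connection mark (if any) on the packet first. Reply packets
    #    and DNATed forward traffic therefore inherit the mark chosen for the
    #    connection's first packet.
    run "$IPT" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Connections already classified need no further work in this table.
    run "$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. Classify by the destination the connection was originally opened to;
    #    that is the uplink address even after DNAT has rewritten the packet.
    run "$IPT" -t mangle -A PREROUTING -m conntrack --ctorigdst "$ip1" -j MARK --set-mark 1
    run "$IPT" -t mangle -A PREROUTING -m conntrack --ctorigdst "$ip2" -j MARK --set-mark 2
    # 4. MARK only sets the packet mark. Save it into the conntrack entry so
    #    that '-m connmark --mark N' matches and step 1 works for later packets.
    run "$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark

    # 5. Policy routing: packets marked 1 use TABLE1, whose default route is
    #    the point-to-point link WAN1 (no gateway address is needed on ppp).
    run "$IP" route add default dev "$wan1" table "$t1"
    run "$IP" route add default dev "$wan2" table "$t2"
    run "$IP" rule add fwmark 1 table "$t1"
    run "$IP" rule add fwmark 2 table "$t2"
}
```

Usage: source the file and call `DRY_RUN=1 uplink_mark_rules <ip1> <ip2> ppp0 ppp1 101 102` to print the rules, then run it again without `DRY_RUN` as root. The `ip rule add` lines are not idempotent, so check `ip rule` before re-running; on a kernel with connection-mark support the conntrack entries (`/proc/net/ip_conntrack` on kernels of that era) show a `mark=` field once `--save-mark` has run, which is the quickest way to confirm the marks are actually being stored.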
2013 Nov 05
8
Forwarding external traffic to another external server?
I'm trying to use my VPS server (single interface of course) as
somewhat of a VPN gateway to my other location (which is not
accessible directly from some places) where the openvpn server is
running, and am kind of lost as to what to try next.
I tried a redirect rule, but apparently shorewall didn't like that (it
just failed to start).
I tried adding the rules via
2004 Feb 10
22
Re: [Shorewall-newbies] specific log-prefix ... patch
Let's move this to the Shorewall Development list....
On Tuesday 10 February 2004 03:14 pm, xavier wrote:
> here is a patch to allow this :
> |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp
>
> a problem with the patch is that now the logprefix is mandatory.
> I'm trying to debug it, but I can't find the flaw.
Also, with
2004 Nov 29
2
SFTP
...Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0...
2005 May 25
9
Newbie going through a probably stupid thing
...918 (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 RETURN all -- * * 192.168.174.240/29 0.0.0.0/0
> 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.174.240/29
> 0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
> 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
> 0 0 rfc1918 all -- * * 192.168.0.0/16...
2007 Jan 30
2
dev IFB, few questions
I've made some tests...
eth2 is my internal interface, LAN is connected here.
Before I had IMQ device in AB mode...
PREROUTING [A]fter NAT, POSTROUTING [B]efore NAT.
I want the same situation on ifb.
I do this in this way:
---
# incoming traffic here from LAN is before NAT
tc qdisc add dev eth2 handle ffff: ingress
# outcoming traffic here from WAN is after NAT
tc qdisc add dev eth2
2005 Nov 25
1
2 WAN links and DNAT
Hi
Here is a short description of my network:
ppp0 (adsl) ppp1 (adsl)
| |
| |
---------------------
| Router |
| Firewall |
| MASQUERAD |
| DNAT |
| |
| eth0 |
---------------------
|
|
|
----------------------
|
2004 Dec 04
7
vpn-zone wide open
Hello!
I am using shorewall shorewall-2.0.11-1 on fedora core2
(iptables-1.2.9-95.7). My box has 2 physical nic's plus one virt. ipsec
interface for a freeswan-vpn connection.
A few days ago, portsentry spit out a lot of connections from windows
clients (port 135, 445). Ooops.
I review my shorewall settings but could not find a mistake. So I took a
win-client and established a second
2004 Dec 29
18
No response on port 80 with Shorewall
...net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source
destination
0 0 rfc1918 all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8
0.0.0.0/0
0 0 rfc1918 all -- * *...
2007 Aug 20
6
have to restart shorewall after a dynamic IP change
Hi,
I've to restart shorewall when my dynamic IP was changed by my ISP.
Of course i can with a shell script do it automatically, but the
question is still there.. why ?
mess-mate
--
"I understand this is your first dead client," Sabian was saying. The
absurdity of the statement made me want to laugh but they don't call me
Deadpan
2005 Jan 09
19
Shorewall and CUPS printing interference
I'm having a problem with the Shorewall firewall and CUPS printing
interfering with each other. My Linux firewall machine is acting as both
a CUPS server and client for all of my tests.
Shorewall 2.0.13
CUPS 1.1.22-2
Linux kernel 2.6.9
CUPS was working fine to print to my Epson C84 (network connected via a
Netgear PS101 print server using lpd://PS101.IP.address/raw ) until I
2005 May 29
17
Plans for 2.4.0
Hi folks,
Has anyone tested the changes to multiple ISPs/load balancing or
routestopped in 2.4.0-RC1 yet? We need to talk about what criteria we
will use for determining whether 2.4.0 is ready for release.
I've started configuring a firewall at work with the multiple ISPs
support, but its kernel doesn't have connection marking support, so it's
going to be a couple of