At my gateway I'm doing policy based routing (all outbound http-traffic goes through another DSL-Line attached to the internal net). The gateway is running kernel 2.4.19 and shorewall, the internal Interface has the 'multi'-attribute. And it works!!

First question is: can I use shorewall for mangling packets? As far as I've seen, there's only the tos-configuration doing mangling (but no custom marks allowed). Is it perhaps possible to tweak the tos-module? Or where would it be best to integrate custom iptables-commands (my case: 'iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 80 -j MARK --set-mark 2')?

Second: not really shorewall-related, but perhaps it's hidden somewhere. Is there a possibility to even integrate the routing (based on routing policy table) with shorewall (my case: '/sbin/ip route add default via <IP_of_second_DSL_line> dev eth1 table www.out')?

Of course every time I restart shorewall, my custom mangling is no more, therefore it would be nice to integrate it with shorewall.

My routing policy database:

gate:~ # ip rule ls
0: from all lookup local
32765: from all fwmark 2 lookup www.out
32766: from all lookup main
32767: from all lookup default

Andreas
> At my gateway I'm doing policy based routing (all outbound http-traffic
> goes through another DSL-Line attached to the internal net). The gateway
> is running kernel 2.4.19 and shorewall, the internal Interface has the
> 'multi'-attribute. And it works!!
>
> First question is: can I use shorewall for mangling packets? As far as
> I've seen, there's only the tos-configuration doing mangling (but no
> custom marks allowed). Is it perhaps possible to tweak the tos-module?
> Or where would it be best to integrate custom iptables-commands (my
> case: 'iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 80 -j
> MARK --set-mark 2')?

Set TC_ENABLED in /etc/shorewall/shorewall.conf and use the /etc/shorewall/tcrules file.

> Second: not really shorewall-related, but perhaps it's hidden somewhere.
> Is there a possibility to even integrate the routing (based on routing
> policy table) with shorewall (my case: '/sbin/ip route add default via
> <IP_of_second_DSL_line> dev eth1 table www.out')?
>
> Of course every time I restart shorewall, my custom mangling is no more,
> therefore it would be nice to integrate it with shorewall.

See http://shorewall.sf.net/shorewall_extension_scripts.htm.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
Thank you for the reply.
Can somebody have a short look at my 'translations' of Tom's advice? It's a production system, I'd like to have as little downtime as possible.

> From: Tom Eastep [mailto:teastep@shorewall.net]
>
> > Or where would it be best to integrate custom iptables-commands (my
> > case: 'iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 80 -j
> > MARK --set-mark 2')?
>
> Set TC_ENABLED in /etc/shorewall/shorewall.conf and use the
> /etc/shorewall/tcrules file.

/etc/shorewall/tcrules:

#MARK   SOURCE  DEST            PROTO   PORT(S) CLIENT PORT(S)
2       eth1    !internal_net   tcp     80

Do I have to add zone names in front of DEST (e.g. loc)? Is it allowed to use the '!'-syntax? I know that it's not necessary to exclude the internal net here, but it could be important to know in other cases.

> > Is there a possibility to even integrate the routing (based on routing
> > policy table) with shorewall (my case: '/sbin/ip route add default via
> > <IP_of_second_DSL_line> dev eth1 table www.out')?
>
> See http://shorewall.sf.net/shorewall_extension_scripts.htm.

That looks great. Every time I come across a problem with configuring shorewall there's already a solution. Somebody must have thought a lot when writing shorewall :)

Is it better to put the routing command in /etc/shorewall/init or /etc/shorewall/start? In my opinion, it doesn't matter. Correct?

Thank you for your assistance,
Andreas
--On Tuesday, November 19, 2002 5:57 PM +0100 Andreas Marbet <andreas.marbet@bluefire.ch> wrote:

> Thank you for the reply.
> Can somebody have a short look at my 'translations' of Tom's advice?
> It's a production system, I'd like to have as little downtime as possible.

You can always make your changes in a copy of the modified files in another directory and use the 'try' command (see http://shorewall.sf.net/starting_and_stopping_shorewall.htm).

>> From: Tom Eastep [mailto:teastep@shorewall.net]
>>
>> > Or where would it be best to integrate custom iptables-commands (my
>> > case: 'iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 80 -j
>> > MARK --set-mark 2')?
>>
>> Set TC_ENABLED in /etc/shorewall/shorewall.conf and use the
>> /etc/shorewall/tcrules file.
>
> /etc/shorewall/tcrules:
>
> #MARK   SOURCE  DEST            PROTO   PORT(S) CLIENT PORT(S)
> 2       eth1    !internal_net   tcp     80
>
> Do I have to add zone names in front of DEST (e.g. loc)?

No.

> Is it allowed to use the '!'-syntax?

Yes.

> Is it better to put the routing command in /etc/shorewall/init or
> /etc/shorewall/start? In my opinion, it doesn't matter. Correct?

Correct.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
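As an added example (not from the thread and not Shorewall's own code): shell helpers for the set-up discussed above. ensure_policy_route is a candidate body for the /etc/shorewall/start extension script Tom points to, written so that it can be re-run on every restart; check_rule_order verifies, against the 'ip rule ls' output Andreas posted (embedded as a constructed sample), that the fwmark rule is consulted before the main table. Table www.out, mark 2 and eth1 come from the thread; the gateway address is a placeholder and an rt_tables entry for www.out is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Policy-routing helpers for the set-up Andreas
# describes: HTTP marked 2 by /etc/shorewall/tcrules, fwmark 2 looked up in table
# www.out (assumes an entry for it in /etc/iproute2/rt_tables), default route out eth1.

WWW_TABLE="www.out"
WWW_MARK=2
WWW_DEV="eth1"
WWW_GW="<IP_of_second_DSL_line>"   # placeholder as in the thread; substitute the real gateway

# Candidate body for /etc/shorewall/start: re-runnable, so a 'shorewall restart'
# neither errors on an already-present rule nor leaves the table without its route.
ensure_policy_route() {
    ip rule ls | grep -q "lookup ${WWW_TABLE}" \
        || ip rule add fwmark "${WWW_MARK}" table "${WWW_TABLE}"
    ip route replace default via "${WWW_GW}" dev "${WWW_DEV}" table "${WWW_TABLE}"
    ip route flush cache
}

# Check an 'ip rule ls' listing: the 'fwmark MARK lookup TABLE' rule must exist and
# carry a lower priority number than 'lookup main', otherwise main wins and the marked
# packets never reach the second line. Returns 0 if OK, 1 with a diagnostic if not.
check_rule_order() {
    listing="$1" mark="$2" table="$3"
    mark_hex=$(printf '0x%x' "$mark")   # newer iproute2 prints the mark in hex
    mark_prio=$(printf '%s\n' "$listing" | awk -v m="$mark" -v mh="$mark_hex" -v t="$table" \
        '$4 == "fwmark" && ($5 == m || $5 == mh) && $6 == "lookup" && $7 == t {
            sub(":", "", $1); print $1; exit }')
    main_prio=$(printf '%s\n' "$listing" | awk \
        '$4 == "lookup" && $5 == "main" { sub(":", "", $1); print $1; exit }')
    [ -n "$mark_prio" ] || { echo "missing: fwmark $mark lookup $table" >&2; return 1; }
    [ -n "$main_prio" ] || { echo "missing: lookup main" >&2; return 1; }
    [ "$mark_prio" -lt "$main_prio" ] \
        || { echo "fwmark rule ($mark_prio) consulted after main ($main_prio)" >&2; return 1; }
}

# Constructed listings: the first is the one posted in the thread, the second has the
# fwmark rule mistakenly added after main (e.g. with 'prio 32767').
GOOD_RULES='0: from all lookup local
32765: from all fwmark 2 lookup www.out
32766: from all lookup main
32767: from all lookup default'
BAD_RULES='0: from all lookup local
32766: from all lookup main
32767: from all fwmark 2 lookup www.out
32767: from all lookup default'

check_rule_order "$GOOD_RULES" "$WWW_MARK" "$WWW_TABLE" && echo "rule order OK"
```

Run check_rule_order on the live output ("$(ip rule ls)") after 'shorewall restart' to confirm the rule survived; ensure_policy_route is only defined here, not invoked, since it changes the gateway's routing.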