Hello,

I have a two-interface Linux box with Shorewall connecting a private network to the Internet. It works well. Now I have got a second public IP address from our ISP (located in a different segment). This new channel is faster but data on it are counted. I am able to assign the second IP address to the outgoing interface (eth0) with the "ip addr add" command and set another routing table with a different default gateway via policy routing. Ping from and to the external interface from outside works fine for both IP addresses.

My question is: is it possible to masquerade to both external IP addresses depending on protocol (TCP port)? For example, I want to let FTP connections masquerade (SNAT) through the first external IP address (slow, unlimited line) and HTTP connections masquerade through the second one (fast, counted line). I can mark packets in /etc/shorewall/tcrules, but how can I use this mark to choose the outgoing IP address for masquerade? Is there another way to do it?

Thanks,
Radek Zavicak
Vsetin, Czech Republic
On Wed, 23 Apr 2003, Radek Zavicak wrote:

> I can mark packets in /etc/shorewall/tcrules, but how can I use this mark to
> choose the outgoing IP address for masquerade? Is there another way to do it?

Use ip 'rule's to assign the packets to one routing table or the other based on their mark value. There's an example in the Shorewall Squid documentation.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
I think it would work if I had public addresses in my LAN, but for addresses from private IP space I need to do SNAT to one of my external IP addresses. Is there any way to use /etc/shorewall/masq for this?

Radek Zavicak

Quoting Tom Eastep <teastep@shorewall.net>:

> On Wed, 23 Apr 2003, Radek Zavicak wrote:
>
> > I can mark packets in /etc/shorewall/tcrules, but how can I use this mark to
> > choose the outgoing IP address for masquerade? Is there another way to do it?
>
> Use ip 'rule's to assign the packets to one routing table or the other
> based on their mark value. There's an example in the Shorewall Squid
> documentation.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
On Wed, 23 Apr 2003 zavicak@gsl.cz wrote:

> I think it would work if I had public addresses in my LAN, but for addresses
> from private IP space I need to do SNAT to one of my external IP addresses. Is
> there any way to use /etc/shorewall/masq for this?

No -- if you need to masq selectively based on fwmark, you will have to do it yourself in an Extension Script. Or -- add another NIC to your firewall so that each external IP has its own NIC.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
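The "do it yourself in an Extension Script" route Tom describes, written out as an added example that is not part of the thread and not Shorewall's own code. It is a POSIX shell script of the kind that would be dropped into a Shorewall extension script: the mark values (1 and 2), routing table numbers (100 and 101), interface name eth0, the LAN prefix, and the two public addresses and gateways (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are all assumptions. The mangle MARK rules duplicate what the two /etc/shorewall/tcrules entries would generate, so the script is self-contained; a DRY_RUN mode prints the commands instead of executing them, so the rule set can be reviewed on a box without iptables.

```shell
#!/bin/sh
# Added example (not from the thread): selective SNAT by fwmark.
# All names and numbers below are assumptions for illustration.

IFACE=eth0
LAN=10.0.0.0/24
SLOW_IP=192.0.2.10          # first public address, unmetered line (assumed)
SLOW_GW=192.0.2.1
FAST_IP=198.51.100.10       # second public address, metered line (assumed)
FAST_GW=198.51.100.1

MARK_SLOW=1                 # mark for traffic that should leave via SLOW_IP
MARK_FAST=2                 # mark for traffic that should leave via FAST_IP
TABLE_SLOW=100              # routing table whose default goes via SLOW_GW
TABLE_FAST=101              # routing table whose default goes via FAST_GW

# With DRY_RUN set, print each command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Marks must be set before the routing decision (mangle PREROUTING) so the
# ip rules below can see them; in Shorewall this is what tcrules does.
mark_traffic() {
    run iptables -t mangle -A PREROUTING -s "$LAN" -p tcp --dport 21 -j MARK --set-mark "$MARK_SLOW"
    run iptables -t mangle -A PREROUTING -s "$LAN" -p tcp --dport 80 -j MARK --set-mark "$MARK_FAST"
}

# One routing table per uplink, selected by fwmark.
policy_routing() {
    run ip route add default via "$SLOW_GW" dev "$IFACE" table "$TABLE_SLOW"
    run ip route add default via "$FAST_GW" dev "$IFACE" table "$TABLE_FAST"
    run ip rule add fwmark "$MARK_SLOW" table "$TABLE_SLOW"
    run ip rule add fwmark "$MARK_FAST" table "$TABLE_FAST"
    run ip route flush cache
}

# SNAT happens in nat POSTROUTING, after routing; the mark is still on the
# packet there, so the source address can follow the same decision.
# Order matters: the marked rules must precede the catch-all, because the
# first SNAT match terminates nat processing for the connection.
selective_snat() {
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$LAN" -m mark --mark "$MARK_SLOW" -j SNAT --to-source "$SLOW_IP"
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$LAN" -m mark --mark "$MARK_FAST" -j SNAT --to-source "$FAST_IP"
    # Unmarked traffic keeps the main table's default route and the first address.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$LAN" -j SNAT --to-source "$SLOW_IP"
}

setup_dual_snat() {
    mark_traffic
    policy_routing
    selective_snat
}

# Usage:  DRY_RUN=1 sh dual-snat.sh apply   (review the rules)
#         sh dual-snat.sh apply              (install them, as root)
case "${1:-}" in
    apply) setup_dual_snat ;;
esac
```

Two caveats a practitioner would want. First, the catch-all SNAT line takes the place of the /etc/shorewall/masq entry for eth0; if that entry stays, Shorewall's own masquerade rule can match first and the mark-specific rules never fire, so either drop the masq entry or insert the marked rules ahead of it with -I rather than -A. Second, marking on --dport 21 catches only the FTP control connection: passive-mode data connections go to an arbitrary server port, will not match that rule, and will therefore leave unmarked via the first address, so FTP needs the mark applied per connection rather than per port if both directions of the transfer are to use the slow line.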