thr3ads.net - Shorewall users - [Shorewall-users] Multiple ISP with shorewall [May 2003]

If this information is useful, please help other people find it:
Share via:

Matthieu Turpault

2003-May-06 05:16 UTC

[Shorewall-users] Multiple ISP with shorewall

Hi list,


        I have a firewall running Mandrake 8.2 (kernel 2.4.18) and 3 nic. 2
of them are connect to a router provided by ISP. All incoming request coming
from an ISP must be answered by the interface which were used for the
request.

	I have not found any configuration of shorewall which make this
configuration worked properly.
	I have to install a Mandrake 9.1 (kernel 2.4.21) on the firewall, use the
conntrack match of iptables and configure iproute2.


------------------- Configuration ---------------------------

	ISP 1					ISP2
	|					 |
  Router ISP1                      Router ISP2
      | 10.0.1.2                     | 10.0.2.2
	|					 |
	\_____________      ___________/
    (10.0.1.1) eth1 |    | eth0 ( 10.0.2.1)
		--------------------
			firewall
		--------------------
			   |eth2 (10.1.0.1)
			my network

File /etc/iproute2/rt_tables:
	253	default
	201	toISP1
	202	toISP2

To launched the firewall, I launch the following commands :

     	1) shorewall start

 	2) iptables -t MANGLE -I FORWARD -m conntrack --ctorigdst 10.0.2.1 \
		-j MARK --set-mark 2
 	3) iptables -t MANGLE -I FORWARD -m conntrack --ctorigdst 10.0.1.1 \
		-j MARK --set-mark 1

	4) ip route add to 10.1.0.0/24 dev eth2 table toISP1
	5) ip route add via 10.0.1.2 dev eth1 table toISP1
	6) ip route add to 10.1.0.0/24 dev eth2 table toISP2
	7) ip route add via 10.0.2.2 dev eth0 table toISP2

	8) ip rule add fwmark 1 lookup toISP1
	9) ip rule add fwmark 2 lookup toISP2

------------------- END - Configuration ---------------------------



	Can shorewall manage this situation or is it planned for future release ?


Thanks in advance

Tom Eastep

2003-May-06 06:40 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

On Tue, 6 May 2003 14:15:40 +0200, Matthieu Turpault 
<mt.shorewall@comelis.fr> wrote:
> Hi list,
>
>
> I have a firewall running Mandrake 8.2 (kernel 2.4.18) and 3 nic. 2
> of them are connect to a router provided by ISP. All incoming request 
> coming
> from an ISP must be answered by the interface which were used for the
> request.
>
> 	I have not found any configuration of shorewall which make this
> configuration worked properly.
<Lots of detail NOT INCLUDING ONE WORD ABOUT YOUR SHOREWALL CONFIGURATION 
deleted>
>
>
> 	Can shorewall manage this situation or is it planned for future release 
> ?
Shorewall can manage this fine today. The basic notions are that you define 
two interfaces to the ''net'' zone (eth1 and eth2) then
duplicate your ''masq''
and/or ''nat'' entries for the two interfaces. As always, toss
your Mandrake-
generated configuration and install a standard Shorewall distribution.

And by the way -- the LARTC describes a way to set up your routing (Section 
4.2.1) without having to resort to bleeding-edge kernels...

-Tom
--
-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Matthieu Turpault

2003-May-06 07:20 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

Thanks for the reply.

Sorry for the missing configuration. I attached the status.txt file, result
of "shorewall status" command.
This config file does not include all command of my first mail.

IP adress are not the same as I was written in my first mail.
I use a test platform. Here is the configuration of this platform:
	ISP 1					ISP2
	|					 |
  Router ISP1                      Router ISP2
      | 10.2.6.1                     | 10.2.2.1
	|					 |
	\_____________      ___________/
   (10.2.3.10) eth1 |    | eth0 ( 10.2.2.10)
		--------------------
			firewall
		--------------------
			   |eth2 (10.2.4.10)
			my network


My shorewall version is 1.4.2, installed with the Mandrake rpm.
I have tried to implement the lartc configuration but it does not work.


Here is my /etc/shorewall/masq file:
#INTERFACE              SUBNET          ADDRESS
eth0            eth2
eth1            eth2


A detail: Router ISP1 and Router ISP2 do address translation.
Consequently, all incoming request coming by router ISP1 *must* be answered
on eth1.
When I try to connect to ISP1 with FTP, the answer packet is route to eth0
(default route)

Matthieu Turpault
> -----Message d''origine-----
> De : Tom Eastep [mailto:teastep@shorewall.net]
> Envoy? : mardi 6 mai 2003 15:41
> ? : Matthieu Turpault; shorewall-users@lists.shorewall.net
> Objet : Re: [Shorewall-users] Multiple ISP with shorewall
>
>
> On Tue, 6 May 2003 14:15:40 +0200, Matthieu Turpault
> <mt.shorewall@comelis.fr> wrote:
>
> > Hi list,
> >
> >
> > I have a firewall running Mandrake 8.2 (kernel 2.4.18) and 3 nic. 2
> > of them are connect to a router provided by ISP. All incoming request
> > coming
> > from an ISP must be answered by the interface which were used for the
> > request.
> >
> > 	I have not found any configuration of shorewall which make this
> > configuration worked properly.
>
> <Lots of detail NOT INCLUDING ONE WORD ABOUT YOUR SHOREWALL
CONFIGURATION
> deleted>
>
> >
> >
> > 	Can shorewall manage this situation or is it planned for
> future release
> > ?
>
> Shorewall can manage this fine today. The basic notions are that
> you define
> two interfaces to the ''net'' zone (eth1 and eth2) then
duplicate
> your ''masq''
> and/or ''nat'' entries for the two interfaces. As always,
toss your
> Mandrake-
> generated configuration and install a standard Shorewall distribution.
>
> And by the way -- the LARTC describes a way to set up your
> routing (Section
> 4.2.1) without having to resort to bleeding-edge kernels...
>
> -Tom
> --
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>-------------- next part --------------
Shorewall-1.4.2 Status at rosy.test02.test.com - mar mai  6 18:11:20 CEST 2003

Counters reset Tue May  6 18:11:14 CEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   18   880 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   11  1084 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.2.3.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.2.2.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.2.4.255

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2loc    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18   880 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   18   880 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2loc    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
   11  1084 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    1    60 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    1    60 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination
   18   880 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    1    60 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.2.4.12   
state NEW tcp dpt:21
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

May  6 18:06:54 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=48655 DF PROTO=TCP SPT=4470 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:06:57 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=48656 DF PROTO=TCP SPT=4470 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:07:03 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=48657 DF PROTO=TCP SPT=4470 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:07:15 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=48658 DF PROTO=TCP SPT=4470 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:07:54 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=6087 DF PROTO=TCP SPT=4472 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:07:57 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=6088 DF PROTO=TCP SPT=4472 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:08:03 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=6089 DF PROTO=TCP SPT=4472 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:08:15 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=6090 DF PROTO=TCP SPT=4472 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:08:54 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=46600 DF PROTO=TCP SPT=4476 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:08:57 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=46601 DF PROTO=TCP SPT=4476 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:09:03 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=46602 DF PROTO=TCP SPT=4476 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:09:15 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=46603 DF PROTO=TCP SPT=4476 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:09:54 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=16830 DF PROTO=TCP SPT=4478 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:09:56 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=16831 DF PROTO=TCP SPT=4478 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:10:02 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=16832 DF PROTO=TCP SPT=4478 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:10:14 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=16833 DF PROTO=TCP SPT=4478 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:10:54 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=18860 DF PROTO=TCP SPT=4480 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:10:57 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=18861 DF PROTO=TCP SPT=4480 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:11:03 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=18862 DF PROTO=TCP SPT=4480 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0
May  6 18:11:15 net2all:DROP:IN=eth1 OUT= SRC=10.2.3.11 DST=10.2.3.10 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=18863 DF PROTO=TCP SPT=4480 DPT=389 WINDOW=5840
RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 10298 packets, 839K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 135 packets, 7495 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 128 packets, 8672 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.2.4.0/24          0.0.0.0/0

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.2.4.0/24          0.0.0.0/0

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 to:10.2.4.12

Mangle Table

Chain PREROUTING (policy ACCEPT 116K packets, 78M bytes)
 pkts bytes target     prot opt in     out     source               destination
   20   980 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 113K packets, 78M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 589 packets, 29204 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 85790 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1200 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 86195 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
   12  1200 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
   19   920 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

tcp      6 429131 ESTABLISHED src=10.1.0.191 dst=10.2.2.10 sport=3384 dport=22
src=10.2.2.10 dst=10.1.0.191 sport=22 dport=3384 [ASSURED] use=1
tcp      6 431996 ESTABLISHED src=10.1.0.200 dst=10.2.2.10 sport=2684 dport=22
src=10.2.2.10 dst=10.1.0.200 sport=22 dport=2684 [ASSURED] use=1

Tom Eastep

2003-May-06 07:28 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

On Tue, 6 May 2003 16:19:09 +0200, Matthieu Turpault 
<mt.shorewall@comelis.fr> wrote:
>
>
>
> A detail: Router ISP1 and Router ISP2 do address translation.
> Consequently, all incoming request coming by router ISP1 *must* be 
> answered
> on eth1.
> When I try to connect to ISP1 with FTP, the answer packet is route to 
> eth0
> (default route)
>
Then you have a routing problem which has nothing to do with Shorewall. 
Again, see the LARTC, section 4.2.1.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Matthieu Turpault

2003-May-06 07:32 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

I have already tried the configuration of the LARTC, section 4.2.1
(http://www.lartc.org) but it does not work.

With the LARTC configuration, the routing is made with the ip source.
When DNAT is enabled, the routing decision is done *after* the DNAT
operation (for an answering packet). The routing table which is used is not
the good one as we can expected accorting to lartc.

That''s why packets are marked before the routing decision and this mark
is
used for routing.

Matthieu
> >
> >
> > A detail: Router ISP1 and Router ISP2 do address translation.
> > Consequently, all incoming request coming by router ISP1 *must* be
> > answered
> > on eth1.
> > When I try to connect to ISP1 with FTP, the answer packet is route to
> > eth0
> > (default route)
> >
>
> Then you have a routing problem which has nothing to do with Shorewall.
> Again, see the LARTC, section 4.2.1.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>

Tom Eastep

2003-May-06 07:50 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

On Tue, 6 May 2003 16:31:51 +0200, Matthieu Turpault 
<mt.shorewall@comelis.fr> wrote:
> I have already tried the configuration of the LARTC, section 4.2.1
> (http://www.lartc.org) but it does not work.
>
> With the LARTC configuration, the routing is made with the ip source.
> When DNAT is enabled, the routing decision is done *after* the DNAT
> operation (for an answering packet). The routing table which is used is 
> not
> the good one as we can expected accorting to lartc.
>
> That''s why packets are marked before the routing decision and this
mark
> is
> used for routing.
>
Nevertheless, routing is not something that Shorewall is responsible for 
and no amount of changing of your Shorewall configuration will have any 
effect on your problem. Shorewall does set up routes for Proxy ARP but I 
consider that feature to be a mistake; routing should be established when 
the network devices are brought up and not when the firewall is started.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Matthieu Turpault

2003-May-06 08:51 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

It depends on what is understood with "firewall".

A firewall can be seen as a packet filtering manager.
One of its feature should be the management of connexion.
Consequently, it should manage routing.


Matthieu Turpault
> -----Message d''origine-----
> De : Tom Eastep [mailto:teastep@shorewall.net]
> Envoy? : mardi 6 mai 2003 16:50
> ? : Matthieu Turpault; shorewall-users@lists.shorewall.net
> Objet : Re: [Shorewall-users] Multiple ISP with shorewall
>
>
> On Tue, 6 May 2003 16:31:51 +0200, Matthieu Turpault
> <mt.shorewall@comelis.fr> wrote:
>
> > I have already tried the configuration of the LARTC, section 4.2.1
> > (http://www.lartc.org) but it does not work.
> >
> > With the LARTC configuration, the routing is made with the ip source.
> > When DNAT is enabled, the routing decision is done *after* the DNAT
> > operation (for an answering packet). The routing table which is used
is
> > not
> > the good one as we can expected accorting to lartc.
> >
> > That''s why packets are marked before the routing decision and
this mark
> > is
> > used for routing.
> >
>
> Nevertheless, routing is not something that Shorewall is responsible for
> and no amount of changing of your Shorewall configuration will have any
> effect on your problem. Shorewall does set up routes for Proxy ARP but I
> consider that feature to be a mistake; routing should be established when
> the network devices are brought up and not when the firewall is started.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>

Tom Eastep

2003-May-06 10:30 UTC

head link

[Shorewall-users] Multiple ISP with shorewall

On Tue, 6 May 2003 17:50:50 +0200, Matthieu Turpault 
<matthieu.turpault@comelis.fr> wrote:
> It depends on what is understood with "firewall".
>
> A firewall can be seen as a packet filtering manager.
> One of its feature should be the management of connexion.
> Consequently, it should manage routing.
A firewall should also:

- scan email for viruses
- block spam
- provide proxy services for http, ftp, etc.
- implement content HTTP filtering by time-of-day, user, etc.

Shorewall doesn''t do any of those things either.

There are already existing solutions for those things and there are also 
existing solutions for routing (every distribution contains code to set up 
routing when the network is brought up). There may be a place for an add-on 
routing manager for Linux but I think that it should be a separate product.

-Tom -- Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - May 2003 - Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall

[Shorewall-users] Multiple ISP with shorewall