Tom Eastep wrote:
> The Shorewall2/ project in CVS contains my initial attempt to establish
> correct routing for traffic forwarded from two different ISPs to
> internal servers.
> 
I had an inspiration today and have been able to implement a similar
feature that doesn't require anything that is wildly non-standard in
iptables and/or the kernel.
   Shorewall 2.3.2 includes support for multiple Internet interfaces to
   different ISPs.
   The file /etc/shorewall/providers may be used to define the
   different providers. It can actually be used to define alternate
   routing tables so uses like transparent proxy can use the file as
   well.
   Columns are:
       NAME            The provider name.
       NUMBER          The provider number -- a number between 1 and 15
       MARK            A FWMARK value used in your
                       /etc/shorewall/tcrules file to direct packets to
                       this provider.
       DUPLICATE       The name of an existing table to duplicate. May
                       be 'main' or the name of a previous provider.
       INTERFACE       The name of the network interface to the
                       provider. Must be listed in
                       /etc/shorewall/interfaces.
       GATEWAY         The IP address of the provider's gateway router.
       OPTIONS         A comma-separated list selected from the
                       following:
               track   If specified, connections FROM this interface are
                       to be tracked so that responses may be routed
                       back out this same interface.
                       You want to specify 'track' if Internet hosts
                       will be connecting to local servers through this
                       provider.
                       Because of limitations in the 'ip' utility and
                       policy routing, you may not use the SAVE or
                       RESTORE tcrules options or use connection
                       marking on any traffic to or from this
                       interface. For traffic control purposes, you
                       must mark packets in the FORWARD chain (or
                       better yet, use the CLASSIFY target).
               default The providers that have 'default' specified will
                       get outbound connections load-balanced among
                       them.
       Example:  You run squid in your DMZ on IP address
                 192.168.2.99. Your DMZ interface is eth2
       #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY       OPTIONS
       Squid   1       1    -          eth2      192.168.2.99  -
   Use of this feature requires that your kernel and iptables
   support CONNTRACK target and conntrack match as well as extended
   MARK support. It does NOT require the ROUTE target extension.
I have tested this about as much as I can until I do a rather massive
reorganization of my network (I'll have to use two IP addresses from my
single ISP to simulate multiple providers) and I have to add an old ISA
NIC to my firewall to have enough interfaces (I'm out of PCI slots).
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
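An added example, not code from the post or from the Shorewall project: a Python validator for the /etc/shorewall/providers layout described above, enforcing the column rules the post states (NUMBER between 1 and 15, DUPLICATE is 'main' or an earlier provider, INTERFACE listed in /etc/shorewall/interfaces, OPTIONS drawn from track/default). The provider rows and the interface set are constructed sample input; the gateway-address and NUMBER-uniqueness checks are assumptions beyond what the post says.

```python
import re

COLUMNS = ("NAME", "NUMBER", "MARK", "DUPLICATE", "INTERFACE", "GATEWAY", "OPTIONS")
KNOWN_OPTIONS = {"track", "default"}
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

# Constructed sample (not a real config): two ISPs with inbound tracking and
# load-balanced outbound traffic, plus a separate table for a DMZ proxy.
PROVIDERS = """\
#NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY       OPTIONS
ISP1    1       1    main       eth0      192.0.2.1     track,default
ISP2    2       2    main       eth1      198.51.100.1  track,default
Squid   3       3    -          eth2      192.168.2.99  -
"""
INTERFACES = {"eth0", "eth1", "eth2"}  # constructed: names assumed in /etc/shorewall/interfaces

def parse_providers(text, interfaces):
    """Parse providers text into dicts; returns (providers, errors). Bad rows are skipped."""
    providers, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            errors.append(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(fields)}")
            continue
        name, number, mark, dup, iface, gateway, opts = fields
        problems, seen = [], {p["name"] for p in providers}  # providers defined so far
        if not (number.isdigit() and 1 <= int(number) <= 15):
            problems.append(f"NUMBER {number!r} must be between 1 and 15")
        elif any(p["number"] == int(number) for p in providers):  # assumption: unique
            problems.append(f"NUMBER {number} already used")
        if not mark.isdigit():
            problems.append(f"MARK {mark!r} is not a numeric fwmark")
        if dup not in ("-", "main") and dup not in seen:
            problems.append(f"DUPLICATE {dup!r} is neither 'main' nor a previous provider")
        if iface not in interfaces:
            problems.append(f"INTERFACE {iface!r} is not in /etc/shorewall/interfaces")
        if not IPV4.match(gateway):  # assumption: gateway is a dotted-quad IPv4 address
            problems.append(f"GATEWAY {gateway!r} is not an IPv4 address")
        options = set() if opts == "-" else set(opts.split(","))
        if options - KNOWN_OPTIONS:
            problems.append(f"unknown OPTIONS {sorted(options - KNOWN_OPTIONS)}")
        if problems:
            errors.extend(f"line {lineno} ({name}): {p}" for p in problems)
            continue
        providers.append({"name": name, "number": int(number), "mark": int(mark), "duplicate": dup,
                          "interface": iface, "gateway": gateway, "options": options})
    return providers, errors
```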