Hi there. Currently, our network design has two ISP lines and 3 subnets for LAN. Below are some details:

eth0 - isp1
eth1 - isp2
eth2 - subnet1
eth3 - subnet2
eth4 - subnet3

What I wanted to do is to assign incoming port 80 to our local squid server running on the firewall itself and assign it to eth0 (ISP1). I think it shouldn't be a problem as /etc/shorewall/rules provides a sample of the rule. For ISP2, I wanted to assign yahoo msgr, msn msgr and ftp to it. What should the rule look like? I have an example here -->

REDIRECT subnet1 isp2 tcp 1863,5190,21 - -

Or any other suggestions are welcome. Thanks for your time.
> Hi there. Currently, our network design has two ISP
> lines and 3 subnets for LAN. Below are some details:
>
> eth0 - isp1
> eth1 - isp2
> eth2 - subnet1
> eth3 - subnet2
> eth4 - subnet3
>
> What I wanted to do is to assign incoming port 80 to
> our local squid server running on the firewall itself
> and assign it to eth0 (ISP1). I think it shouldn't be
> a problem as /etc/shorewall/rules provides a sample of
> the rule. For ISP2, I wanted to assign yahoo msgr, msn
> msgr and ftp to it. What should the rule look
> like? I have an example here -->
>
> REDIRECT subnet1 isp2 tcp 1863,5190,21 - -
>
> Or any other suggestions are welcome. Thanks for your
> time.

Not in rules, use tcrules, just state the posts that you want marked for each provider.

Jerry
> Not in rules, use tcrules, just state the posts that you want marked
> for each provider.
>
> Jerry

make posts > ports

coffee time...

Jerry
Okay. I'm still quite new to tcrules and don't really understand the "marked" packets. What does that really mean? Does that mean if the packets are marked, they will be redirected to the designated ISP provider?

--- Jerry Vonau <jvonau@shaw.ca> wrote:

> Not in rules, use tcrules, just state the posts that
> you want marked for each provider.
>
> Jerry
The tcrules file sets up the marking of the packets, all they do is tag the packet, based on what parameters you provide. The howto for squid shows a redirect to a second machine using this file.

These marks can also be for the "policy routing" portion of a 2 ISP config. These marks, along with the providers file, set the groundwork for the multiple routing tables, and the policy routing that is involved.

Depending on what the loc to net policy is, you may not even need a rule for it. "Redirect" is not quite the term I would use, "policy routed" maybe, and yes it would. At this point, do you have the 2-ISPs working?

Jerry

> Okay. I'm still quite new to tcrules and don't really
> understand the "marked" packets. What does that
> really mean? Does that mean if the packets are
> marked, they will be redirected to the designated ISP
> provider?
No..Not really. The other ISP line is ready and I'm still figuring out how to do it. Either I designate one ISP for subnet1 and ISP2 for the other subnets, or I should stick with this tcrules. Do I need to provide a user-supplied file in tcstart before it all can work?

--- Jerry Vonau <jvonau@shaw.ca> wrote:

> The tcrules file sets up the marking of the packets,
> all they do is tag the packet, based on what parameters
> you provide. The howto for squid shows a redirect to a
> second machine using this file.
>
> These marks can also be for the "policy routing"
> portion of a 2 ISP config. These marks, along with the
> providers file, set the groundwork for the multiple
> routing tables, and the policy routing that is involved.
>
> Depending on what the loc to net policy is, you may
> not even need a rule for it. "Redirect" is not quite
> the term I would use, "policy routed" maybe, and yes
> it would. At this point, do you have the 2-ISPs working?
>
> Jerry
> No..Not really. The other ISP line is ready and I'm
> still figuring out how to do it. Either I designate
> one ISP for subnet1 and ISP2 for the other subnets, or I
> should stick with this tcrules. Do I need to
> provide a user-supplied file in tcstart before it all
> can work?

Tcstart, no, only if you want to play with tos stuff. The providers file sets up the "routing tables", while the tcrules file marks the packets, for which isp table to use. Note the port entry in the tcrule file, that is where you can state a destination port of the traffic, tagging such traffic for one isp only.

Jerry
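The split described in the reply above, sketched as an added example (not part of the original thread and not the Shorewall project's own configuration): the providers file defines one routing table and mark value per ISP, and tcrules tags traffic by destination port so it uses that ISP's table. The column layout follows the Shorewall multi-ISP documentation and may differ between versions; the gateway addresses are constructed placeholders, and the choice of mark values 1 and 2 is an assumption.

```conf
# --- /etc/shorewall/providers ---
# One routing table per ISP. MARK is the value that tcrules refers to.
# GATEWAY addresses below are constructed placeholders, not real values.
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS
ISP1    1       1     main       eth0       192.0.2.1     track,balance
ISP2    2       2     main       eth1       198.51.100.1  track,balance

# --- /etc/shorewall/tcrules ---
#MARK   SOURCE  DEST        PROTO  PORT(S)
# Squid runs on the firewall itself, so its outbound web requests
# originate from $FW (marked in the OUTPUT chain, so no :P suffix).
1       $FW     0.0.0.0/0   tcp    80
# MSN (1863), Yahoo/AIM (5190) and FTP control (21) from subnet1,
# marked in PREROUTING (:P) so the routing decision sees the mark.
2:P     eth2    0.0.0.0/0   tcp    1863,5190,21
# Repeat the previous line with eth3 and eth4 as SOURCE to cover
# subnet2 and subnet3.
```

The marks only select which provider's routing table a packet uses; whether the traffic is permitted at all is still decided by the policy and rules files, which is why a separate entry in rules may not be needed.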
Alright. I'll try my best to solve this problem. Thanks anyway...

--- Jerry Vonau <jvonau@shaw.ca> wrote:

> Tcstart, no, only if you want to play with tos
> stuff. The providers file sets up the "routing tables",
> while the tcrules file marks the packets, for which isp
> table to use. Note the port entry in the tcrule file,
> that is where you can state a destination port of the
> traffic, tagging such traffic for one isp only.
>
> Jerry