Shorewall users - Jun 2005 - Is it that difficult?

Hello,

  You will find in attachment the layout of my
  current physical configuration.

  For now, the Cable ISP is not used.  Since it
  is a dynamic ISP, my mailserver is rejected and
  my domain name registers on blacklists like ORDB
  and al.

  I want it to be used as a default gateway except
  for my mail server that would be seen as coming
  from my "honest" ADSL ISP.

  Here is what I want:

     + Cable ISP

       - default gateway to use for fast communi-
         cations

     + ADSL ISP

       - used to receive and send mail

  I tried to enable EVERY network options in my
  kernel but it doesn''t work.

  I tried tcrules, providers, masq configuration but
  nothing works.

  patch-o-matic tells me "missing files" and many
  other errors when I try to patch both my iptables
  and kernel for CONNTRACK support.

  Is there someone out there who succeeded to use
  2 ISP with selective default route by port use?

  It''s been 2 weeks I try everyday to make it work
  and I''m desparate!!!

  Please please please!!!

  Thank you.


Yves

On Friday 24 June 2005 23:26, Yves Bélanger wrote:
>   Hello,
>
>   You will find in attachment the layout of my
>   current physical configuration.
>
>   For now, the Cable ISP is not used.  Since it
>   is a dynamic ISP, my mailserver is rejected and
>   my domain name registers on blacklists like ORDB
>   and al.
>
>   I want it to be used as a default gateway except
>   for my mail server that would be seen as coming
>   from my "honest" ADSL ISP.
>
>   Here is what I want:
>
>      + Cable ISP
>
>        - default gateway to use for fast communi-
>          cations
>
>      + ADSL ISP
>
>        - used to receive and send mail
>
>   I tried to enable EVERY network options in my
>   kernel but it doesn''t work.
What shows the output of ''shorewall check'' after
"Shorewall has detected the
following iptables/netfilter capabilities:" ?
>
>   I tried tcrules, providers, masq configuration but
>   nothing works.
Did you read http://www.shorewall.net/Shorewall_and_Routing.html#id2452708 ?
>
>   patch-o-matic tells me "missing files" and many
>   other errors when I try to patch both my iptables
>   and kernel for CONNTRACK support.
Are you sure that you don''t have CONNTRACK support?
Did you use the correct path for patch-o-matic-ng?
>
>   Is there someone out there who succeeded to use
>   2 ISP with selective default route by port use?
Yep :-)
>
>   It''s been 2 weeks I try everyday to make it work
>   and I''m desparate!!!
>
>   Please please please!!!
>
>   Thank you.
>
>
> Yves
HTH, Alex

Here is my /lib/iptables directory:

total 468
-rwxr-xr-x  1 root root 3660 Feb 21 17:43 libipt_ah.so
-rwxr-xr-x  1 root root 2836 Feb 21 17:43 libipt_CLASSIFY.so
-rwxr-xr-x  1 root root 3204 Feb 21 17:43 libipt_connlimit.so
-rwxr-xr-x  1 root root 3844 Feb 21 17:43 libipt_CONNMARK.so
-rwxr-xr-x  1 root root 3124 Feb 21 17:43 libipt_connmark.so
-rwxr-xr-x  1 root root 8100 Feb 21 17:43 libipt_conntrack.so
-rwxr-xr-x  1 root root 4080 Feb 21 17:43 libipt_DNAT.so
-rwxr-xr-x  1 root root 3872 Feb 21 17:43 libipt_DSCP.so
-rwxr-xr-x  1 root root 4192 Feb 21 17:43 libipt_dscp.so
-rwxr-xr-x  1 root root 3452 Feb 21 17:43 libipt_ECN.so
-rwxr-xr-x  1 root root 3692 Feb 21 17:43 libipt_ecn.so
-rwxr-xr-x  1 root root 3660 Feb 21 17:43 libipt_esp.so
-rwxr-xr-x  1 root root 2704 Feb 21 17:43 libipt_helper.so
-rwxr-xr-x  1 root root 5604 Feb 21 17:43 libipt_icmp.so
-rwxr-xr-x  1 root root 3872 Feb 21 17:43 libipt_iprange.so
-rwxr-xr-x  1 root root 3440 Feb 21 17:43 libipt_length.so
-rwxr-xr-x  1 root root 3952 Feb 21 17:43 libipt_limit.so
-rwxr-xr-x  1 root root 4756 Feb 21 17:43 libipt_LOG.so
-rwxr-xr-x  1 root root 3084 Feb 21 17:43 libipt_mac.so
-rwxr-xr-x  1 root root 2640 Feb 21 17:43 libipt_MARK.so
-rwxr-xr-x  1 root root 3088 Feb 21 17:43 libipt_mark.so
-rwxr-xr-x  1 root root 3220 Feb 21 17:43 libipt_MASQUERADE.so
-rwxr-xr-x  1 root root 1824 Feb 21 17:43 libipt_MIRROR.so
-rwxr-xr-x  1 root root 4404 Feb 21 17:43 libipt_multiport.so
-rwxr-xr-x  1 root root 3344 Feb 21 17:43 libipt_NETMAP.so
-rwxr-xr-x  1 root root 1824 Feb 21 17:43 libipt_NOTRACK.so
-rwxr-xr-x  1 root root 4848 Feb 21 17:43 libipt_owner.so
-rwxr-xr-x  1 root root 4688 Feb 21 17:43 libipt_physdev.so
-rwxr-xr-x  1 root root 3460 Feb 21 17:43 libipt_pkttype.so
-rwxr-xr-x  1 root root 3088 Feb 21 17:43 libipt_realm.so
-rwxr-xr-x  1 root root 6208 Feb 21 17:43 libipt_recent.so
-rwxr-xr-x  1 root root 3220 Feb 21 17:43 libipt_REDIRECT.so
-rwxr-xr-x  1 root root 4452 Feb 21 17:43 libipt_REJECT.so
-rwxr-xr-x  1 root root 5404 Feb 21 17:43 libipt_rpc.so
-rwxr-xr-x  1 root root 3680 Feb 21 17:43 libipt_SAME.so
-rwxr-xr-x  1 root root 8412 Feb 21 17:43 libipt_sctp.so
-rwxr-xr-x  1 root root 4048 Feb 21 17:43 libipt_SNAT.so
-rwxr-xr-x  1 root root 1892 Feb 21 17:43 libipt_standard.so
-rwxr-xr-x  1 root root 3440 Feb 21 17:43 libipt_state.so
-rwxr-xr-x  1 root root 1964 Feb 21 17:43 libipt_TARPIT.so
-rwxr-xr-x  1 root root 2912 Feb 21 17:43 libipt_TCPMSS.so
-rwxr-xr-x  1 root root 3344 Feb 21 17:43 libipt_tcpmss.so
-rwxr-xr-x  1 root root 6604 Feb 21 17:43 libipt_tcp.so
-rwxr-xr-x  1 root root 3380 Feb 21 17:43 libipt_TOS.so
-rwxr-xr-x  1 root root 3636 Feb 21 17:43 libipt_tos.so
-rwxr-xr-x  1 root root 1824 Feb 21 17:43 libipt_TRACE.so
-rwxr-xr-x  1 root root 3244 Feb 21 17:43 libipt_TTL.so
-rwxr-xr-x  1 root root 3324 Feb 21 17:43 libipt_ttl.so
-rwxr-xr-x  1 root root 4476 Feb 21 17:43 libipt_udp.so
-rwxr-xr-x  1 root root 4320 Feb 21 17:43 libipt_ULOG.so
-rwxr-xr-x  1 root root 1820 Feb 21 17:43 libipt_unclean.so


  Here is my netfilter kernel modules directory:

total 876
-rwxr--r--  1 root root   4864 Jun  8 20:38 arptable_filter.ko
-rwxr--r--  1 root root  17100 Jun  8 20:38 arp_tables.ko
-rwxr--r--  1 root root   3996 Jun  8 20:38 arpt_mangle.ko
-rwxr--r--  1 root root   6860 Jun  8 20:38 ip_conntrack_amanda.ko
-rwxr--r--  1 root root   9356 Jun  8 20:38 ip_conntrack_ftp.ko
-rwxr--r--  1 root root   8752 Jun  8 20:38 ip_conntrack_irc.ko
-rwxr--r--  1 root root  48160 Jun  8 20:38 ip_conntrack.ko
-rwxr--r--  1 root root   9492 Jun  8 20:38 ip_conntrack_proto_sctp.ko
-rwxr--r--  1 root root   5780 Jun  8 20:38 ip_conntrack_tftp.ko
-rwxr--r--  1 root root   4368 Jun  8 20:38 ip_nat_amanda.ko
-rwxr--r--  1 root root   6508 Jun  8 20:38 ip_nat_ftp.ko
-rwxr--r--  1 root root   5896 Jun  8 20:38 ip_nat_irc.ko
-rwxr--r--  1 root root  14204 Jun  8 20:38 ip_nat_snmp_basic.ko
-rwxr--r--  1 root root   5372 Jun  8 20:38 ip_nat_tftp.ko
-rwxr--r--  1 root root  12840 Jun  8 20:38 ip_queue.ko
-rwxr--r--  1 root root   5680 Jun  8 20:38 iptable_filter.ko
-rwxr--r--  1 root root   5880 Jun  8 20:38 iptable_mangle.ko
-rwxr--r--  1 root root  28248 Jun  8 20:38 iptable_nat.ko
-rwxr--r--  1 root root   4124 Jun  8 20:38 iptable_raw.ko
-rwxr--r--  1 root root  21784 Jun  8 20:38 ip_tables.ko
-rwxr--r--  1 root root   3532 Jun  8 20:38 ipt_addrtype.ko
-rwxr--r--  1 root root   3404 Jun  8 20:38 ipt_ah.ko
-rwxr--r--  1 root root   3660 Jun  8 20:38 ipt_CLASSIFY.ko
-rwxr--r--  1 root root   3068 Jun  8 20:38 ipt_comment.ko
-rwxr--r--  1 root root   4008 Jun  8 20:38 ipt_conntrack.ko
-rwxr--r--  1 root root   3980 Jun  8 20:38 ipt_DSCP.ko
-rwxr--r--  1 root root   3064 Jun  8 20:38 ipt_dscp.ko
-rwxr--r--  1 root root   4908 Jun  8 20:38 ipt_ECN.ko
-rwxr--r--  1 root root   3644 Jun  8 20:38 ipt_ecn.ko
-rwxr--r--  1 root root   3412 Jun  8 20:38 ipt_esp.ko
-rw-r--r--  1 root root 145503 Jun 24 16:43 ipt_hashlimit.ko
-rwxr--r--  1 root root   3448 Jun  8 20:38 ipt_helper.ko
-rwxr--r--  1 root root   3448 Jun  8 20:38 ipt_iprange.ko
-rwxr--r--  1 root root   3064 Jun  8 20:38 ipt_length.ko
-rwxr--r--  1 root root   4772 Jun  8 20:38 ipt_limit.ko
-rwxr--r--  1 root root   9612 Jun  8 20:38 ipt_LOG.ko
-rwxr--r--  1 root root   3516 Jun  8 20:38 ipt_mac.ko
-rwxr--r--  1 root root   3508 Jun  8 20:38 ipt_MARK.ko
-rwxr--r--  1 root root   3064 Jun  8 20:38 ipt_mark.ko
-rwxr--r--  1 root root   5564 Jun  8 20:38 ipt_MASQUERADE.ko
-rwxr--r--  1 root root   3544 Jun  8 20:38 ipt_multiport.ko
-rwxr--r--  1 root root   3656 Jun  8 20:38 ipt_NETMAP.ko
-rwxr--r--  1 root root   3484 Jun  8 20:38 ipt_NOTRACK.ko
-rwxr--r--  1 root root   6400 Jun  8 20:38 ipt_owner.ko
-rwxr--r--  1 root root   3552 Jun  8 20:38 ipt_physdev.ko
-rwxr--r--  1 root root   3068 Jun  8 20:38 ipt_pkttype.ko
-rwxr--r--  1 root root   3488 Jun  8 20:38 ipt_realm.ko
-rwxr--r--  1 root root  18340 Jun  8 20:38 ipt_recent.ko
-rwxr--r--  1 root root   3676 Jun  8 20:38 ipt_REDIRECT.ko
-rwxr--r--  1 root root   9076 Jun  8 20:38 ipt_REJECT.ko
-rwxr--r--  1 root root   4404 Jun  8 20:38 ipt_SAME.ko
-rwxr--r--  1 root root   4244 Jun  8 20:38 ipt_sctp.ko
-rwxr--r--  1 root root   3456 Jun  8 20:38 ipt_state.ko
-rwxr--r--  1 root root   5704 Jun  8 20:38 ipt_TCPMSS.ko
-rwxr--r--  1 root root   3780 Jun  8 20:38 ipt_tcpmss.ko
-rwxr--r--  1 root root   3980 Jun  8 20:38 ipt_TOS.ko
-rwxr--r--  1 root root   3032 Jun  8 20:38 ipt_tos.ko
-rwxr--r--  1 root root   3476 Jun  8 20:38 ipt_ttl.ko
-rwxr--r--  1 root root  10064 Jun  8 20:38 ipt_ULOG.ko


  As you see not CONNMARK module!  patch-o-matic
  can''t patch the kernel to produce it!  Always
  the same error.  Here is the output of Patch-
  o-matic-ng (last version) with the source of
  the current kernel (2.6.9.11.EL) and iptables
  (1.3.1) source directory:

Script started on Sun 26 Jun 2005 01:10:44 AM EDT
]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
patch-o-matic-ng-20050622]# ./runme
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] 
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] 
Loading patchlet
definitions.......................................................................................
done

[H[2JWelcome to Patch-o-matic ($Revision: 3733 $)!

Kernel:   2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don''t apply what you don''t need!
-------------------------------------------------------
Already applied: 

Testing CLASSIFY... applied
[H[2JWelcome to Patch-o-matic ($Revision: 3733 $)!

Kernel:   2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don''t apply what you don''t need!
-------------------------------------------------------
Already applied: CLASSIFY

Testing CLUSTERIP... not applied
The CLUSTERIP patch:
   Author: Harald Welte <laforge@netfilter.org>
   Status: Part of 2.6.x mainline

-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n
[H[2JWelcome to Patch-o-matic ($Revision: 3733 $)!

Kernel:   2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don''t apply what you don''t need!
-------------------------------------------------------
Already applied: CLASSIFY

Testing CONNMARK... not applied
The CONNMARK patch:
   Author: Henrik Nordstrom <hno@marasystems.com>
   Status: Part of 2.6.x mainline


This patch adds per connection marks, and a target (CONNMARK)
respective a match (connmark) for using these.

Usage:

   connmark
       This  module  matches  the netfilter mark field associated
       with a connection (which can be  set  using  the  CONNMARK
       target below).

       --mark value[/mask]
              Matches  packets  in  connections  with  the  given
              unsigned mark value (if a mask is  specified,  this
              is logically ANDed with the mark before the comparison).


   CONNMARK
       This  is  used  to set the netfilter mark value associated
       with the connection

       --set-mark mark
              Set connection mark

       --save-mark
              Set connection mark to the same as the one  on  the
              packet

       --restore-mark
              Set  the  netfilter  packet  mark  value to the one
              associated with the connection. This is only  valid
              in the mangle table.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
cannot apply (1 rejects out of 2 hunks)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n q

Excellent! Source trees are ready for compilation.

]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
patch-o-matic-ng-20050622]# exit

Script done on Sun 26 Jun 2005 01:11:16 AM EDT

  Error message not very clear!!

  In attachements the tar.gz of /etc/shorewall
  working (only one ISP -> ADSL) and not working
  (trying with providers, tcrules and masq).

  Here are the output of "shorewall restart"
  when I''m usinf the "nor working" config:

[root@rubicon shorewall]# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
Determining Zones...
   Zones: adsl cable loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   ADSL Zone: eth1:0.0.0.0/0
   Cable Zone: eth2:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Processing /etc/shorewall/providers...
   Provider ADSL 1 1 main eth1 72.0.207.1 track Added
   Provider CABLE 2 2 main eth2 24.200.170.1 track Added
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
--mark 0 -j CONNMARK --restore-mark" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated


  Normal restarting with only one ISP configuration:

[root@rubicon shorewall]# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall Not Currently Running
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
Determining Zones...
   Zones: adsl cable loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   ADSL Zone: eth1:0.0.0.0/0
   Cable Zone: eth2:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw adsl tcp 53" added.
   Rule "ACCEPT fw adsl udp 53" added.
   Rule "ACCEPT fw cable tcp 53" added.
   Rule "ACCEPT fw cable udp 53" added.
   Rule "ACCEPT fw loc tcp 53" added.
   Rule "ACCEPT fw loc udp 53" added.
   Rule "ACCEPT fw loc icmp -" added.
   Rule "ACCEPT loc fw icmp -" added.
   Rule "ACCEPT loc fw udp 514" added.
   Rule "ACCEPT loc fw tcp 514" added.
   Rule "ACCEPT fw loc udp 123" added.
   Rule "DNAT adsl loc:192.168.100.200 udp 123" added.
   Rule "DNAT cable loc:192.168.100.200 udp 123" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT adsl fw tcp 80" added.
   Rule "ACCEPT adsl fw tcp 443" added.
   Rule "ACCEPT cable fw tcp 80" added.
   Rule "ACCEPT cable fw tcp 443" added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 443" added.
   Rule "ACCEPT fw loc tcp 80" added.
   Rule "ACCEPT fw loc tcp 443" added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 443" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 30080" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 30443" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 25" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 21" added.
   Rule "DNAT adsl loc:192.168.100.200 udp 53" added.
   Rule "DNAT cable loc:192.168.100.200 udp 53" added.
   Rule "DNAT adsl:65.93.231.51 loc:192.168.100.200 tcp 53" added.
   Rule "DNAT cable:65.93.231.51 loc:192.168.100.200 tcp 53" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 21" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 21" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 143" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 993" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 143" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 993" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 25" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30025" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30025" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 465" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 465" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30080" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30443" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30080" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30443" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30389" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30636" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30389" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30636" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30200" added.
   Rule "DNAT adsl loc:192.168.100.10 tcp 30010" added.
   Rule "DNAT adsl loc:192.168.100.30 tcp 30030" added.
   Rule "DNAT adsl loc:192.168.100.35 tcp 30035" added.
   Rule "DNAT adsl loc:192.168.100.15 tcp 30015" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30200" added.
   Rule "DNAT cable loc:192.168.100.10 tcp 30010" added.
   Rule "DNAT cable loc:192.168.100.30 tcp 30030" added.
   Rule "DNAT cable loc:192.168.100.35 tcp 30035" added.
   Rule "DNAT cable loc:192.168.100.15 tcp 30015" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 1723" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 1723" added.
   Rule "DNAT adsl loc:192.168.100.200 47" added.
   Rule "DNAT cable loc:192.168.100.200 47" added.
   Rule "ACCEPT loc adsl 47" added.
   Rule "ACCEPT loc cable 47" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed" added.
   Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to adsl using chain fw2adsl
   Policy ACCEPT for fw to cable using chain fw2cable
   Policy ACCEPT for fw to loc using chain all2all
   Policy ACCEPT for adsl to fw using chain adsl2all
   Policy ACCEPT for adsl to loc using chain adsl2all
   Policy ACCEPT for cable to fw using chain cable2all
   Policy ACCEPT for cable to loc using chain cable2all
   Policy ACCEPT for loc to fw using chain all2all
   Policy ACCEPT for loc to adsl using chain loc2adsl
   Policy ACCEPT for loc to cable using chain loc2cable
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth1
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth1
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth2
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...
 added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 443" added.
   Rule "ACCEPT fw loc tcp 80" added.
   Rule "ACCEPT fw loc tcp 443" added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 443" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 30080" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 30443" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 25" added.
   Rule "ACCEPT fw loc:192.168.100.200 tcp 21" added.
   Rule "DNAT adsl loc:192.168.100.200 udp 53" added.
   Rule "DNAT cable loc:192.168.100.200 udp 53" added.
   Rule "DNAT adsl:65.93.231.51 loc:192.168.100.200 tcp 53" added.
   Rule "DNAT cable:65.93.231.51 loc:192.168.100.200 tcp 53" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 21" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 21" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 143" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 993" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 143" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 993" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 25" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30025" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30025" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 465" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 465" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30080" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30443" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30080" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30443" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30389" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30636" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30389" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30636" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 30200" added.
   Rule "DNAT adsl loc:192.168.100.10 tcp 30010" added.
   Rule "DNAT adsl loc:192.168.100.30 tcp 30030" added.
   Rule "DNAT adsl loc:192.168.100.35 tcp 30035" added.
   Rule "DNAT adsl loc:192.168.100.15 tcp 30015" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 30200" added.
   Rule "DNAT cable loc:192.168.100.10 tcp 30010" added.
   Rule "DNAT cable loc:192.168.100.30 tcp 30030" added.
   Rule "DNAT cable loc:192.168.100.35 tcp 30035" added.
   Rule "DNAT cable loc:192.168.100.15 tcp 30015" added.
   Rule "DNAT adsl loc:192.168.100.200 tcp 1723" added.
   Rule "DNAT cable loc:192.168.100.200 tcp 1723" added.
   Rule "DNAT adsl loc:192.168.100.200 47" added.
   Rule "DNAT cable loc:192.168.100.200 47" added.
   Rule "ACCEPT loc adsl 47" added.
   Rule "ACCEPT loc cable 47" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed" added.
   Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to adsl using chain fw2adsl
   Policy ACCEPT for fw to cable using chain fw2cable
   Policy ACCEPT for fw to loc using chain all2all
   Policy ACCEPT for adsl to fw using chain adsl2all
   Policy ACCEPT for adsl to loc using chain adsl2all
   Policy ACCEPT for cable to fw using chain cable2all
   Policy ACCEPT for cable to loc using chain cable2all
   Policy ACCEPT for loc to fw using chain all2all
   Policy ACCEPT for loc to adsl using chain loc2adsl
   Policy ACCEPT for loc to cable using chain loc2cable
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth1
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth1
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth2
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...
ion.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to adsl using chain fw2adsl
   Policy ACCEPT for fw to cable using chain fw2cable
   Policy ACCEPT for fw to loc using chain all2all
   Policy ACCEPT for adsl to fw using chain adsl2all
   Policy ACCEPT for adsl to loc using chain adsl2all
   Policy ACCEPT for cable to fw using chain cable2all
   Policy ACCEPT for cable to loc using chain cable2all
   Policy ACCEPT for loc to fw using chain all2all
   Policy ACCEPT for loc to adsl using chain loc2adsl
   Policy ACCEPT for loc to cable using chain loc2cable
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth1
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth1
   To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth2
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...

  Not read your refered Web Page yet.

  If it works for you, can you tell me the
  flavor of Linux, the kernel and iptables
  versions and your shorewall configuration?
  PLEASE!!

  Thank you.


----- Original Message ----- 
From: "Alexander Wilms" <alex.wilms@adminguru.org>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Saturday, June 25, 2005 5:40 AM
Subject: Re: [Shorewall-users] Is it that difficult?


On Friday 24 June 2005 23:26, Yves Bélanger wrote:
>   Hello,
>
>   You will find in attachment the layout of my
>   current physical configuration.
>
>   For now, the Cable ISP is not used.  Since it
>   is a dynamic ISP, my mailserver is rejected and
>   my domain name registers on blacklists like ORDB
>   and al.
>
>   I want it to be used as a default gateway except
>   for my mail server that would be seen as coming
>   from my "honest" ADSL ISP.
>
>   Here is what I want:
>
>      + Cable ISP
>
>        - default gateway to use for fast communi-
>          cations
>
>      + ADSL ISP
>
>        - used to receive and send mail
>
>   I tried to enable EVERY network options in my
>   kernel but it doesn''t work.
What shows the output of ''shorewall check'' after
"Shorewall has detected the
following iptables/netfilter capabilities:" ?
>
>   I tried tcrules, providers, masq configuration but
>   nothing works.
Did you read http://www.shorewall.net/Shorewall_and_Routing.html#id2452708 ?
>
>   patch-o-matic tells me "missing files" and many
>   other errors when I try to patch both my iptables
>   and kernel for CONNTRACK support.
Are you sure that you don''t have CONNTRACK support?
Did you use the correct path for patch-o-matic-ng?
>
>   Is there someone out there who succeeded to use
>   2 ISP with selective default route by port use?
Yep :-)
>
>   It''s been 2 weeks I try everyday to make it work
>   and I''m desparate!!!
>
>   Please please please!!!
>
>   Thank you.
>
>
> Yves
HTH, Alex
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

Kernel 2.6.8.11.EL is the CentOS 4.1 standard kernel.

  I think it is also the standard kernel of the last
  update of Fedora Core.  In this one it is RHEL instead
  of EL, I think...

  I''d tried Kernel-2.6.12 (I think - the last stable
  kernel) but it lacks graphical boot and even if Shorewall
  was working, the FW was not able to communicate will any
  other machine outside my network with the same rules in
  Shorewall that ACCEPTed it...  So I reverted to the last
  available from CentOS site.

  What is you kernel version?  Can you send me the missing
  modules?


----- Original Message ----- 
From: "Alexander Wilms" <alex.wilms@adminguru.org>
To: "Yves Bélanger" <belanger@dariustech.qc.ca>
Sent: Sunday, June 26, 2005 7:03 AM
Subject: Re: [Shorewall-users] Is it that difficult?

> On Sunday 26 June 2005 07:24, you wrote:
>>   Here is my /lib/iptables directory:
> 
> <snip>
> 
>>   As you see not CONNMARK module!  patch-o-matic
>>   can''t patch the kernel to produce it!  Always
>>   the same error.  Here is the output of Patch-
>>   o-matic-ng (last version) with the source of
>>   the current kernel (2.6.9.11.EL) and iptables
>>   (1.3.1) source directory:
> 
> Is this 2.6.9.11.EL a patched distribution kernel? Which one? If yes I
guess
> it has incompatible patches already applied. Just try patch-o-matic on a 
> vanilla kernel instead. I guess it will work directly.
> 
> I have no clue to which distro this "EL" kernel belongs to, so I
can''t tell
> you how to build this distro kernel without the incompatible patch(es).
> 
>>
>> Script started on Sun 26 Jun 2005 01:10:44 AM EDT
>> ]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
>> patch-o-matic-ng-20050622]# ./runme Hey! KERNEL_DIR is not set.
>> Where is your kernel source directory? [/usr/src/linux]
>> Hey! IPTABLES_DIR is not set.
>> Where is your iptables source code directory? [/usr/src/iptables]
>> Loading patchlet
>>
definitions................................................................
>>....................... done
> 
> <snip>
> 
> 
>> -----------------------------------------------------------------
>> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
>> cannot apply (1 rejects out of 2 hunks)
>> -----------------------------------------------------------------
>> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n q
>>
>> Excellent! Source trees are ready for compilation.
> 
> 
> AFAIK there should be a .reject file (or something similar) in the 
> patch-o-matic folder. I don''t have the time now to reproduce such
an error
> now, but from this rejected hunk you should understand what''s
going wrong.
> 
> 
>>
>> ]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
>> patch-o-matic-ng-20050622]# exit
>>
>> Script done on Sun 26 Jun 2005 01:11:16 AM EDT
>>
>>   Error message not very clear!!
> 
> See above.
> 
>>
>>   In attachements the tar.gz of /etc/shorewall
>>   working (only one ISP -> ADSL) and not working
>>   (trying with providers, tcrules and masq).
>>
>>   Here are the output of "shorewall restart"
>>   when I''m usinf the "nor working" config:
>>
>> [root@rubicon shorewall]# shorewall restart
>> Loading /usr/share/shorewall/functions...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> Restarting Shorewall...
>> Initializing...
>> Shorewall has detected the following iptables/netfilter capabilities:
>>    NAT: Available
>>    Packet Mangling: Available
>>    Multi-port Match: Available
>>    Extended Multi-port Match: Not available
>>    Connection Tracking Match: Available
>>    Packet Type Match: Available
>>    Policy Match: Not available
>>    Physdev Match: Available
>>    IP range Match: Available
>>    Recent Match: Available
>>    Owner Match: Available
>>    Ipset Match: Not available
>>    ROUTE Target: Not available
>>    Extended MARK Target: Not available
>>    CONNMARK Target: Not available
>>    Connmark Match: Not available
> 
> Yep, those last 2 modules are definitely needed for Multi ISP support.
> 
> Conclusion:
> You will have to find out how to build your preferred distro kernel without
> the interfering patches so that you can apply the patch-o-matic instead.
> 
> 
> HTH,
> Alex
>

Oupsss...  It''s kernel 2.6.9-11.EL

----- Original Message ----- 
From: "Yves Bélanger" <belanger@dariustech.qc.ca>
To: "Alexander Wilms" <alex.wilms@adminguru.org>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Sunday, June 26, 2005 6:15 PM
Subject: Re: [Shorewall-users] Is it that difficult?



  Kernel 2.6.8.11.EL is the CentOS 4.1 standard kernel.

  I think it is also the standard kernel of the last
  update of Fedora Core.  In this one it is RHEL instead
  of EL, I think...

  I''d tried Kernel-2.6.12 (I think - the last stable
  kernel) but it lacks graphical boot and even if Shorewall
  was working, the FW was not able to communicate will any
  other machine outside my network with the same rules in
  Shorewall that ACCEPTed it...  So I reverted to the last
  available from CentOS site.

  What is you kernel version?  Can you send me the missing
  modules?


----- Original Message ----- 
From: "Alexander Wilms" <alex.wilms@adminguru.org>
To: "Yves Bélanger" <belanger@dariustech.qc.ca>
Sent: Sunday, June 26, 2005 7:03 AM
Subject: Re: [Shorewall-users] Is it that difficult?

> On Sunday 26 June 2005 07:24, you wrote:
>>   Here is my /lib/iptables directory:
>
> <snip>
>
>>   As you see not CONNMARK module!  patch-o-matic
>>   can''t patch the kernel to produce it!  Always
>>   the same error.  Here is the output of Patch-
>>   o-matic-ng (last version) with the source of
>>   the current kernel (2.6.9.11.EL) and iptables
>>   (1.3.1) source directory:
>
> Is this 2.6.9.11.EL a patched distribution kernel? Which one? If yes I 
> guess
> it has incompatible patches already applied. Just try patch-o-matic on a
> vanilla kernel instead. I guess it will work directly.
>
> I have no clue to which distro this "EL" kernel belongs to, so I
can''t
> tell
> you how to build this distro kernel without the incompatible patch(es).
>
>>
>> Script started on Sun 26 Jun 2005 01:10:44 AM EDT
>> ]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
>> patch-o-matic-ng-20050622]# ./runme Hey! KERNEL_DIR is not set.
>> Where is your kernel source directory? [/usr/src/linux]
>> Hey! IPTABLES_DIR is not set.
>> Where is your iptables source code directory? [/usr/src/iptables]
>> Loading patchlet
>>
definitions................................................................
>>....................... done
>
> <snip>
>
>
>> -----------------------------------------------------------------
>> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
>> cannot apply (1 rejects out of 2 hunks)
>> -----------------------------------------------------------------
>> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n q
>>
>> Excellent! Source trees are ready for compilation.
>
>
> AFAIK there should be a .reject file (or something similar) in the
> patch-o-matic folder. I don''t have the time now to reproduce such
an error
> now, but from this rejected hunk you should understand what''s
going wrong.
>
>
>>
>> ]0;root@rubicon:/usr/src/patch-o-matic-ng-20050622[root@rubicon
>> patch-o-matic-ng-20050622]# exit
>>
>> Script done on Sun 26 Jun 2005 01:11:16 AM EDT
>>
>>   Error message not very clear!!
>
> See above.
>
>>
>>   In attachements the tar.gz of /etc/shorewall
>>   working (only one ISP -> ADSL) and not working
>>   (trying with providers, tcrules and masq).
>>
>>   Here are the output of "shorewall restart"
>>   when I''m usinf the "nor working" config:
>>
>> [root@rubicon shorewall]# shorewall restart
>> Loading /usr/share/shorewall/functions...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> Restarting Shorewall...
>> Initializing...
>> Shorewall has detected the following iptables/netfilter capabilities:
>>    NAT: Available
>>    Packet Mangling: Available
>>    Multi-port Match: Available
>>    Extended Multi-port Match: Not available
>>    Connection Tracking Match: Available
>>    Packet Type Match: Available
>>    Policy Match: Not available
>>    Physdev Match: Available
>>    IP range Match: Available
>>    Recent Match: Available
>>    Owner Match: Available
>>    Ipset Match: Not available
>>    ROUTE Target: Not available
>>    Extended MARK Target: Not available
>>    CONNMARK Target: Not available
>>    Connmark Match: Not available
>
> Yep, those last 2 modules are definitely needed for Multi ISP support.
>
> Conclusion:
> You will have to find out how to build your preferred distro kernel 
> without
> the interfering patches so that you can apply the patch-o-matic instead.
>
>
> HTH,
> Alex
>
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: 
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

2005/6/26, Yves Bélanger <belanger@dariustech.qc.ca>:
>   If it works for you, can you tell me the
>   flavor of Linux, the kernel and iptables
>   versions and your shorewall configuration?
>   PLEASE!!
> 
Flavor : SUSE Linux 9.2

kernel and iptables : Default kernel,no additional compiling,no mess,
just works(tm)

> >   Is there someone out there who succeeded to use
> >   2 ISP with selective default route by port use?
working here, nothing strange, just the Tom''s instructions.

Thanks to everyone who help me getting the result I wanted!

  Here is the winning configuration:

    SuSE 9.3
      + the kernel already contain the CONNMARK modules!
      + iptables-1.3.1 is already installed but need a
        patch provided by the FTP site of Shorewall to
        get --restore-mark and --save-mark working with
        many providers, so I needed to recompile from
        iptables sources.

    Shorewall 2.4.0

  Thanks again.

  

----- Original Message ----- 
From: "Alexander Wilms" <alex.wilms@adminguru.org>
To: "Yves Bélanger" <belanger@dariustech.qc.ca>
Sent: Monday, June 27, 2005 4:25 AM
Subject: Re: [Shorewall-users] Is it that difficult?

> 
> 
> Yves Bélanger wrote:
> 
>>
>> Oupsss...  It''s kernel 2.6.9-11.EL
>>
>> ----- Original Message ----- From: "Yves Bélanger" 
>> <belanger@dariustech.qc.ca>
>> To: "Alexander Wilms" <alex.wilms@adminguru.org>
>> Cc: <shorewall-users@lists.shorewall.net>
>> Sent: Sunday, June 26, 2005 6:15 PM
>> Subject: Re: [Shorewall-users] Is it that difficult?
>>
>>
>>
>>  Kernel 2.6.8.11.EL is the CentOS 4.1 standard kernel.
>>
>>  I think it is also the standard kernel of the last
>>  update of Fedora Core.  In this one it is RHEL instead
>>  of EL, I think...
>>
>>  I''d tried Kernel-2.6.12 (I think - the last stable
>>  kernel) but it lacks graphical boot and even if Shorewall
>>  was working, the FW was not able to communicate will any
>>  other machine outside my network with the same rules in
>>  Shorewall that ACCEPTed it...  
> 
> This sounds like a shorewall misconfiguration, not like a kernel problem.
> 
> 
>> So I reverted to the last
>>  available from CentOS site.
>>
>>  What is you kernel version?  Can you send me the missing
>>  modules?
> 
> I use various SuSE 9.x versions. In the SuSE kernels the needed CONNMARK 
> module is already built-in. Of course I could send you the module, but 
> it won''t fit your kernel.
> So you still have to find out how to compile your CentOS/RH Kernel 
> without the interferring (already aplied) patches. I have no clue how 
> CentOS is doing the patch handling during their kernel build process.
> Maybe somebody else on the list can give some hints?
> 
>