Here is my /lib/iptables directory:
total 468
-rwxr-xr-x 1 root root 3660 Feb 21 17:43 libipt_ah.so
-rwxr-xr-x 1 root root 2836 Feb 21 17:43 libipt_CLASSIFY.so
-rwxr-xr-x 1 root root 3204 Feb 21 17:43 libipt_connlimit.so
-rwxr-xr-x 1 root root 3844 Feb 21 17:43 libipt_CONNMARK.so
-rwxr-xr-x 1 root root 3124 Feb 21 17:43 libipt_connmark.so
-rwxr-xr-x 1 root root 8100 Feb 21 17:43 libipt_conntrack.so
-rwxr-xr-x 1 root root 4080 Feb 21 17:43 libipt_DNAT.so
-rwxr-xr-x 1 root root 3872 Feb 21 17:43 libipt_DSCP.so
-rwxr-xr-x 1 root root 4192 Feb 21 17:43 libipt_dscp.so
-rwxr-xr-x 1 root root 3452 Feb 21 17:43 libipt_ECN.so
-rwxr-xr-x 1 root root 3692 Feb 21 17:43 libipt_ecn.so
-rwxr-xr-x 1 root root 3660 Feb 21 17:43 libipt_esp.so
-rwxr-xr-x 1 root root 2704 Feb 21 17:43 libipt_helper.so
-rwxr-xr-x 1 root root 5604 Feb 21 17:43 libipt_icmp.so
-rwxr-xr-x 1 root root 3872 Feb 21 17:43 libipt_iprange.so
-rwxr-xr-x 1 root root 3440 Feb 21 17:43 libipt_length.so
-rwxr-xr-x 1 root root 3952 Feb 21 17:43 libipt_limit.so
-rwxr-xr-x 1 root root 4756 Feb 21 17:43 libipt_LOG.so
-rwxr-xr-x 1 root root 3084 Feb 21 17:43 libipt_mac.so
-rwxr-xr-x 1 root root 2640 Feb 21 17:43 libipt_MARK.so
-rwxr-xr-x 1 root root 3088 Feb 21 17:43 libipt_mark.so
-rwxr-xr-x 1 root root 3220 Feb 21 17:43 libipt_MASQUERADE.so
-rwxr-xr-x 1 root root 1824 Feb 21 17:43 libipt_MIRROR.so
-rwxr-xr-x 1 root root 4404 Feb 21 17:43 libipt_multiport.so
-rwxr-xr-x 1 root root 3344 Feb 21 17:43 libipt_NETMAP.so
-rwxr-xr-x 1 root root 1824 Feb 21 17:43 libipt_NOTRACK.so
-rwxr-xr-x 1 root root 4848 Feb 21 17:43 libipt_owner.so
-rwxr-xr-x 1 root root 4688 Feb 21 17:43 libipt_physdev.so
-rwxr-xr-x 1 root root 3460 Feb 21 17:43 libipt_pkttype.so
-rwxr-xr-x 1 root root 3088 Feb 21 17:43 libipt_realm.so
-rwxr-xr-x 1 root root 6208 Feb 21 17:43 libipt_recent.so
-rwxr-xr-x 1 root root 3220 Feb 21 17:43 libipt_REDIRECT.so
-rwxr-xr-x 1 root root 4452 Feb 21 17:43 libipt_REJECT.so
-rwxr-xr-x 1 root root 5404 Feb 21 17:43 libipt_rpc.so
-rwxr-xr-x 1 root root 3680 Feb 21 17:43 libipt_SAME.so
-rwxr-xr-x 1 root root 8412 Feb 21 17:43 libipt_sctp.so
-rwxr-xr-x 1 root root 4048 Feb 21 17:43 libipt_SNAT.so
-rwxr-xr-x 1 root root 1892 Feb 21 17:43 libipt_standard.so
-rwxr-xr-x 1 root root 3440 Feb 21 17:43 libipt_state.so
-rwxr-xr-x 1 root root 1964 Feb 21 17:43 libipt_TARPIT.so
-rwxr-xr-x 1 root root 2912 Feb 21 17:43 libipt_TCPMSS.so
-rwxr-xr-x 1 root root 3344 Feb 21 17:43 libipt_tcpmss.so
-rwxr-xr-x 1 root root 6604 Feb 21 17:43 libipt_tcp.so
-rwxr-xr-x 1 root root 3380 Feb 21 17:43 libipt_TOS.so
-rwxr-xr-x 1 root root 3636 Feb 21 17:43 libipt_tos.so
-rwxr-xr-x 1 root root 1824 Feb 21 17:43 libipt_TRACE.so
-rwxr-xr-x 1 root root 3244 Feb 21 17:43 libipt_TTL.so
-rwxr-xr-x 1 root root 3324 Feb 21 17:43 libipt_ttl.so
-rwxr-xr-x 1 root root 4476 Feb 21 17:43 libipt_udp.so
-rwxr-xr-x 1 root root 4320 Feb 21 17:43 libipt_ULOG.so
-rwxr-xr-x 1 root root 1820 Feb 21 17:43 libipt_unclean.so
Here is my netfilter kernel modules directory:
total 876
-rwxr--r-- 1 root root 4864 Jun 8 20:38 arptable_filter.ko
-rwxr--r-- 1 root root 17100 Jun 8 20:38 arp_tables.ko
-rwxr--r-- 1 root root 3996 Jun 8 20:38 arpt_mangle.ko
-rwxr--r-- 1 root root 6860 Jun 8 20:38 ip_conntrack_amanda.ko
-rwxr--r-- 1 root root 9356 Jun 8 20:38 ip_conntrack_ftp.ko
-rwxr--r-- 1 root root 8752 Jun 8 20:38 ip_conntrack_irc.ko
-rwxr--r-- 1 root root 48160 Jun 8 20:38 ip_conntrack.ko
-rwxr--r-- 1 root root 9492 Jun 8 20:38 ip_conntrack_proto_sctp.ko
-rwxr--r-- 1 root root 5780 Jun 8 20:38 ip_conntrack_tftp.ko
-rwxr--r-- 1 root root 4368 Jun 8 20:38 ip_nat_amanda.ko
-rwxr--r-- 1 root root 6508 Jun 8 20:38 ip_nat_ftp.ko
-rwxr--r-- 1 root root 5896 Jun 8 20:38 ip_nat_irc.ko
-rwxr--r-- 1 root root 14204 Jun 8 20:38 ip_nat_snmp_basic.ko
-rwxr--r-- 1 root root 5372 Jun 8 20:38 ip_nat_tftp.ko
-rwxr--r-- 1 root root 12840 Jun 8 20:38 ip_queue.ko
-rwxr--r-- 1 root root 5680 Jun 8 20:38 iptable_filter.ko
-rwxr--r-- 1 root root 5880 Jun 8 20:38 iptable_mangle.ko
-rwxr--r-- 1 root root 28248 Jun 8 20:38 iptable_nat.ko
-rwxr--r-- 1 root root 4124 Jun 8 20:38 iptable_raw.ko
-rwxr--r-- 1 root root 21784 Jun 8 20:38 ip_tables.ko
-rwxr--r-- 1 root root 3532 Jun 8 20:38 ipt_addrtype.ko
-rwxr--r-- 1 root root 3404 Jun 8 20:38 ipt_ah.ko
-rwxr--r-- 1 root root 3660 Jun 8 20:38 ipt_CLASSIFY.ko
-rwxr--r-- 1 root root 3068 Jun 8 20:38 ipt_comment.ko
-rwxr--r-- 1 root root 4008 Jun 8 20:38 ipt_conntrack.ko
-rwxr--r-- 1 root root 3980 Jun 8 20:38 ipt_DSCP.ko
-rwxr--r-- 1 root root 3064 Jun 8 20:38 ipt_dscp.ko
-rwxr--r-- 1 root root 4908 Jun 8 20:38 ipt_ECN.ko
-rwxr--r-- 1 root root 3644 Jun 8 20:38 ipt_ecn.ko
-rwxr--r-- 1 root root 3412 Jun 8 20:38 ipt_esp.ko
-rw-r--r-- 1 root root 145503 Jun 24 16:43 ipt_hashlimit.ko
-rwxr--r-- 1 root root 3448 Jun 8 20:38 ipt_helper.ko
-rwxr--r-- 1 root root 3448 Jun 8 20:38 ipt_iprange.ko
-rwxr--r-- 1 root root 3064 Jun 8 20:38 ipt_length.ko
-rwxr--r-- 1 root root 4772 Jun 8 20:38 ipt_limit.ko
-rwxr--r-- 1 root root 9612 Jun 8 20:38 ipt_LOG.ko
-rwxr--r-- 1 root root 3516 Jun 8 20:38 ipt_mac.ko
-rwxr--r-- 1 root root 3508 Jun 8 20:38 ipt_MARK.ko
-rwxr--r-- 1 root root 3064 Jun 8 20:38 ipt_mark.ko
-rwxr--r-- 1 root root 5564 Jun 8 20:38 ipt_MASQUERADE.ko
-rwxr--r-- 1 root root 3544 Jun 8 20:38 ipt_multiport.ko
-rwxr--r-- 1 root root 3656 Jun 8 20:38 ipt_NETMAP.ko
-rwxr--r-- 1 root root 3484 Jun 8 20:38 ipt_NOTRACK.ko
-rwxr--r-- 1 root root 6400 Jun 8 20:38 ipt_owner.ko
-rwxr--r-- 1 root root 3552 Jun 8 20:38 ipt_physdev.ko
-rwxr--r-- 1 root root 3068 Jun 8 20:38 ipt_pkttype.ko
-rwxr--r-- 1 root root 3488 Jun 8 20:38 ipt_realm.ko
-rwxr--r-- 1 root root 18340 Jun 8 20:38 ipt_recent.ko
-rwxr--r-- 1 root root 3676 Jun 8 20:38 ipt_REDIRECT.ko
-rwxr--r-- 1 root root 9076 Jun 8 20:38 ipt_REJECT.ko
-rwxr--r-- 1 root root 4404 Jun 8 20:38 ipt_SAME.ko
-rwxr--r-- 1 root root 4244 Jun 8 20:38 ipt_sctp.ko
-rwxr--r-- 1 root root 3456 Jun 8 20:38 ipt_state.ko
-rwxr--r-- 1 root root 5704 Jun 8 20:38 ipt_TCPMSS.ko
-rwxr--r-- 1 root root 3780 Jun 8 20:38 ipt_tcpmss.ko
-rwxr--r-- 1 root root 3980 Jun 8 20:38 ipt_TOS.ko
-rwxr--r-- 1 root root 3032 Jun 8 20:38 ipt_tos.ko
-rwxr--r-- 1 root root 3476 Jun 8 20:38 ipt_ttl.ko
-rwxr--r-- 1 root root 10064 Jun 8 20:38 ipt_ULOG.ko
As you can see, no CONNMARK module! patch-o-matic
can't patch the kernel to produce it! Always
the same error. Here is the output of
Patch-o-matic-ng (latest version) with the source of
the current kernel (2.6.9.11.EL) and the iptables
(1.3.1) source directory:
Script started on Sun 26 Jun 2005 01:10:44 AM EDT
[root@rubicon patch-o-matic-ng-20050622]# ./runme
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux]
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]
Loading patchlet
definitions.......................................................................................
done
Welcome to Patch-o-matic ($Revision: 3733 $)!
Kernel: 2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing CLASSIFY... applied
Welcome to Patch-o-matic ($Revision: 3733 $)!
Kernel: 2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied: CLASSIFY
Testing CLUSTERIP... not applied
The CLUSTERIP patch:
Author: Harald Welte <laforge@netfilter.org>
Status: Part of 2.6.x mainline
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n
Welcome to Patch-o-matic ($Revision: 3733 $)!
Kernel: 2.6.9, /usr/src/linux
Iptables: 1.3.1, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied: CLASSIFY
Testing CONNMARK... not applied
The CONNMARK patch:
Author: Henrik Nordstrom <hno@marasystems.com>
Status: Part of 2.6.x mainline
This patch adds per connection marks, and a target (CONNMARK)
respective a match (connmark) for using these.
Usage:
connmark
This module matches the netfilter mark field associated
with a connection (which can be set using the CONNMARK
target below).
--mark value[/mask]
Matches packets in connections with the given
unsigned mark value (if a mask is specified, this
is logically ANDed with the mark before the comparison).
CONNMARK
This is used to set the netfilter mark value associated
with the connection
--set-mark mark
Set connection mark
--save-mark
Set connection mark to the same as the one on the
packet
--restore-mark
Set the netfilter packet mark value to the one
associated with the connection. This is only valid
in the mangle table.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
cannot apply (1 rejects out of 2 hunks)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] n q
Excellent! Source trees are ready for compilation.
[root@rubicon patch-o-matic-ng-20050622]# exit
Script done on Sun 26 Jun 2005 01:11:16 AM EDT
Error message not very clear!!
In attachments: the tar.gz of /etc/shorewall,
working (only one ISP -> ADSL) and not working
(trying with providers, tcrules and masq).
Here is the output of "shorewall restart"
when I'm using the "not working" config:
[root@rubicon shorewall]# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
ROUTE Target: Not available
Extended MARK Target: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Determining Zones...
Zones: adsl cable loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
ADSL Zone: eth1:0.0.0.0/0
Cable Zone: eth2:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.DropSMB...
Pre-processing /usr/share/shorewall/action.RejectSMB...
Pre-processing /usr/share/shorewall/action.DropUPnP...
Pre-processing /usr/share/shorewall/action.RejectAuth...
Pre-processing /usr/share/shorewall/action.DropPing...
Pre-processing /usr/share/shorewall/action.DropDNSrep...
Pre-processing /usr/share/shorewall/action.AllowPing...
Pre-processing /usr/share/shorewall/action.AllowFTP...
Pre-processing /usr/share/shorewall/action.AllowDNS...
Pre-processing /usr/share/shorewall/action.AllowSSH...
Pre-processing /usr/share/shorewall/action.AllowWeb...
Pre-processing /usr/share/shorewall/action.AllowSMB...
Pre-processing /usr/share/shorewall/action.AllowAuth...
Pre-processing /usr/share/shorewall/action.AllowSMTP...
Pre-processing /usr/share/shorewall/action.AllowPOP3...
Pre-processing /usr/share/shorewall/action.AllowICMPs...
Pre-processing /usr/share/shorewall/action.AllowIMAP...
Pre-processing /usr/share/shorewall/action.AllowTelnet...
Pre-processing /usr/share/shorewall/action.AllowVNC...
Pre-processing /usr/share/shorewall/action.AllowVNCL...
Pre-processing /usr/share/shorewall/action.AllowNTP...
Pre-processing /usr/share/shorewall/action.AllowRdate...
Pre-processing /usr/share/shorewall/action.AllowNNTP...
Pre-processing /usr/share/shorewall/action.AllowTrcrt...
Pre-processing /usr/share/shorewall/action.AllowSNMP...
Pre-processing /usr/share/shorewall/action.AllowPCA...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Processing /etc/shorewall/providers...
Provider ADSL 1 1 main eth1 72.0.207.1 track Added
Provider CABLE 2 2 main eth2 24.200.170.1 track Added
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
--mark 0 -j CONNMARK --restore-mark" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
Normal restart with the single-ISP configuration:
[root@rubicon shorewall]# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall Not Currently Running
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
ROUTE Target: Not available
Extended MARK Target: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Determining Zones...
Zones: adsl cable loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
ADSL Zone: eth1:0.0.0.0/0
Cable Zone: eth2:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.DropSMB...
Pre-processing /usr/share/shorewall/action.RejectSMB...
Pre-processing /usr/share/shorewall/action.DropUPnP...
Pre-processing /usr/share/shorewall/action.RejectAuth...
Pre-processing /usr/share/shorewall/action.DropPing...
Pre-processing /usr/share/shorewall/action.DropDNSrep...
Pre-processing /usr/share/shorewall/action.AllowPing...
Pre-processing /usr/share/shorewall/action.AllowFTP...
Pre-processing /usr/share/shorewall/action.AllowDNS...
Pre-processing /usr/share/shorewall/action.AllowSSH...
Pre-processing /usr/share/shorewall/action.AllowWeb...
Pre-processing /usr/share/shorewall/action.AllowSMB...
Pre-processing /usr/share/shorewall/action.AllowAuth...
Pre-processing /usr/share/shorewall/action.AllowSMTP...
Pre-processing /usr/share/shorewall/action.AllowPOP3...
Pre-processing /usr/share/shorewall/action.AllowICMPs...
Pre-processing /usr/share/shorewall/action.AllowIMAP...
Pre-processing /usr/share/shorewall/action.AllowTelnet...
Pre-processing /usr/share/shorewall/action.AllowVNC...
Pre-processing /usr/share/shorewall/action.AllowVNCL...
Pre-processing /usr/share/shorewall/action.AllowNTP...
Pre-processing /usr/share/shorewall/action.AllowRdate...
Pre-processing /usr/share/shorewall/action.AllowNNTP...
Pre-processing /usr/share/shorewall/action.AllowTrcrt...
Pre-processing /usr/share/shorewall/action.AllowSNMP...
Pre-processing /usr/share/shorewall/action.AllowPCA...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw adsl tcp 53" added.
Rule "ACCEPT fw adsl udp 53" added.
Rule "ACCEPT fw cable tcp 53" added.
Rule "ACCEPT fw cable udp 53" added.
Rule "ACCEPT fw loc tcp 53" added.
Rule "ACCEPT fw loc udp 53" added.
Rule "ACCEPT fw loc icmp -" added.
Rule "ACCEPT loc fw icmp -" added.
Rule "ACCEPT loc fw udp 514" added.
Rule "ACCEPT loc fw tcp 514" added.
Rule "ACCEPT fw loc udp 123" added.
Rule "DNAT adsl loc:192.168.100.200 udp 123" added.
Rule "DNAT cable loc:192.168.100.200 udp 123" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT adsl fw tcp 80" added.
Rule "ACCEPT adsl fw tcp 443" added.
Rule "ACCEPT cable fw tcp 80" added.
Rule "ACCEPT cable fw tcp 443" added.
Rule "ACCEPT loc fw tcp 80" added.
Rule "ACCEPT loc fw tcp 443" added.
Rule "ACCEPT fw loc tcp 80" added.
Rule "ACCEPT fw loc tcp 443" added.
Rule "ACCEPT loc fw tcp 80" added.
Rule "ACCEPT loc fw tcp 443" added.
Rule "ACCEPT fw loc:192.168.100.200 tcp 30080" added.
Rule "ACCEPT fw loc:192.168.100.200 tcp 30443" added.
Rule "ACCEPT fw loc:192.168.100.200 tcp 25" added.
Rule "ACCEPT fw loc:192.168.100.200 tcp 21" added.
Rule "DNAT adsl loc:192.168.100.200 udp 53" added.
Rule "DNAT cable loc:192.168.100.200 udp 53" added.
Rule "DNAT adsl:65.93.231.51 loc:192.168.100.200 tcp 53" added.
Rule "DNAT cable:65.93.231.51 loc:192.168.100.200 tcp 53" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 21" added.
Rule "DNAT cable loc:192.168.100.200 tcp 21" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 143" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 993" added.
Rule "DNAT cable loc:192.168.100.200 tcp 143" added.
Rule "DNAT cable loc:192.168.100.200 tcp 993" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 25" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30025" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30025" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 465" added.
Rule "DNAT cable loc:192.168.100.200 tcp 465" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30080" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30443" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30080" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30443" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30389" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30636" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30389" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30636" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 30200" added.
Rule "DNAT adsl loc:192.168.100.10 tcp 30010" added.
Rule "DNAT adsl loc:192.168.100.30 tcp 30030" added.
Rule "DNAT adsl loc:192.168.100.35 tcp 30035" added.
Rule "DNAT adsl loc:192.168.100.15 tcp 30015" added.
Rule "DNAT cable loc:192.168.100.200 tcp 30200" added.
Rule "DNAT cable loc:192.168.100.10 tcp 30010" added.
Rule "DNAT cable loc:192.168.100.30 tcp 30030" added.
Rule "DNAT cable loc:192.168.100.35 tcp 30035" added.
Rule "DNAT cable loc:192.168.100.15 tcp 30015" added.
Rule "DNAT adsl loc:192.168.100.200 tcp 1723" added.
Rule "DNAT cable loc:192.168.100.200 tcp 1723" added.
Rule "DNAT adsl loc:192.168.100.200 47" added.
Rule "DNAT cable loc:192.168.100.200 47" added.
Rule "ACCEPT loc adsl 47" added.
Rule "ACCEPT loc cable 47" added.
Processing Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "AllowICMPs - - icmp" added.
Rule "dropInvalid" added.
Rule "DropSMB" added.
Rule "DropUPnP" added.
Rule "dropNotSyn - - tcp" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "AllowICMPs - - icmp" added.
Rule "dropInvalid" added.
Rule "RejectSMB" added.
Rule "DropUPnP" added.
Rule "dropNotSyn - - tcp" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed" added.
Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
Rule "DROP - - udp 135" added.
Rule "DROP - - udp 137:139" added.
Rule "DROP - - udp 445" added.
Rule "DROP - - tcp 135" added.
Rule "DROP - - tcp 139" added.
Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
Rule "REJECT - - udp 135" added.
Rule "REJECT - - udp 137:139" added.
Rule "REJECT - - udp 445" added.
Rule "REJECT - - tcp 135" added.
Rule "REJECT - - tcp 139" added.
Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to adsl using chain fw2adsl
Policy ACCEPT for fw to cable using chain fw2cable
Policy ACCEPT for fw to loc using chain all2all
Policy ACCEPT for adsl to fw using chain adsl2all
Policy ACCEPT for adsl to loc using chain adsl2all
Policy ACCEPT for cable to fw using chain cable2all
Policy ACCEPT for cable to loc using chain cable2all
Policy ACCEPT for loc to fw using chain all2all
Policy ACCEPT for loc to adsl using chain loc2adsl
Policy ACCEPT for loc to cable using chain loc2cable
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth1
To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth1
To 0.0.0.0/0 (all) from 192.168.100.0/24 through eth2
To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...
I have not read the Web page you referred to yet.
If it works for you, can you tell me the
flavor of Linux, the kernel and iptables
versions and your shorewall configuration?
PLEASE!!
Thank you.
----- Original Message -----
From: "Alexander Wilms" <alex.wilms@adminguru.org>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Saturday, June 25, 2005 5:40 AM
Subject: Re: [Shorewall-users] Is it that difficult?
On Friday 24 June 2005 23:26, Yves Bélanger wrote:
> Hello,
>
> You will find in attachment the layout of my
> current physical configuration.
>
> For now, the Cable ISP is not used. Since it
> is a dynamic ISP, my mailserver is rejected and
> my domain name registers on blacklists like ORDB
> and al.
>
> I want it to be used as a default gateway except
> for my mail server that would be seen as coming
> from my "honest" ADSL ISP.
>
> Here is what I want:
>
> + Cable ISP
>
> - default gateway to use for fast communications
>
> + ADSL ISP
>
> - used to receive and send mail
>
> I tried to enable EVERY network option in my
> kernel but it doesn't work.
What does the output of 'shorewall check' show after
"Shorewall has detected the
following iptables/netfilter capabilities:" ?
>
> I tried tcrules, providers, masq configuration but
> nothing works.
Did you read http://www.shorewall.net/Shorewall_and_Routing.html#id2452708 ?
>
> patch-o-matic tells me "missing files" and many
> other errors when I try to patch both my iptables
> and kernel for CONNTRACK support.
Are you sure that you don't have CONNTRACK support?
Did you use the correct path for patch-o-matic-ng?
>
> Is there someone out there who succeeded to use
> 2 ISP with selective default route by port use?
Yep :-)
>
> It's been 2 weeks that I have been trying every day to make it work
> and I'm desperate!!!
>
> Please please please!!!
>
> Thank you.
>
>
> Yves
HTH, Alex
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
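The two directory listings at the top of this thread already contain the answer to "why does Shorewall say CONNMARK Target: Not available": libipt_CONNMARK.so and libipt_connmark.so exist in /lib/iptables, but the kernel module directory has no ipt_CONNMARK.ko or ipt_connmark.ko, and iptables answers "No chain/target/match by that name" whenever the userspace plugin is loaded but the kernel side is absent. The following POSIX shell script is an added example, not code from this thread, from Shorewall or from the netfilter project; it performs that cross-check mechanically. It assumes the conventional file layout (libipt_NAME.so in the iptables library directory, ipt_NAME.ko in the kernel's net/ipv4/netfilter module directory), and the list of extensions treated as built into ip_tables.ko itself (standard, tcp, udp, icmp) is my assumption.

```sh
#!/bin/sh
# Added example; not code from the mailing-list thread, Shorewall or netfilter.
# A netfilter extension is usable only when BOTH halves are installed:
#   userspace plugin : <iptables lib dir>/libipt_NAME.so   (e.g. /lib/iptables)
#   kernel side      : <netfilter module dir>/ipt_NAME.ko
#                      (typically /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter)
# When the plugin exists but the kernel side does not, iptables reports
# "No chain/target/match by that name" and Shorewall lists the feature as
# "Not available". Names are case-sensitive: CONNMARK is the target,
# connmark is the match, and each needs its own kernel module.

# Assumption: these extensions live inside ip_tables.ko itself, so no
# separate ipt_NAME.ko is expected for them.
BUILTIN_EXTS="standard tcp udp icmp"

is_builtin() {
    for b in $BUILTIN_EXTS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# check_ext LIBDIR MODDIR NAME
# Prints one status line per half; returns 0 only if both halves are present.
check_ext() {
    libdir=$1
    moddir=$2
    name=$3
    rc=0
    if [ -f "$libdir/libipt_$name.so" ]; then
        echo "$name: userspace plugin present"
    else
        echo "$name: userspace plugin libipt_$name.so MISSING in $libdir"
        rc=1
    fi
    if is_builtin "$name" || [ -f "$moddir/ipt_$name.ko" ]; then
        echo "$name: kernel side present"
    else
        echo "$name: kernel module ipt_$name.ko MISSING in $moddir"
        rc=1
    fi
    return $rc
}

# missing_kernel_side LIBDIR MODDIR
# Lists every userspace plugin that has no matching kernel module, one name
# per line: the set Shorewall will report as "Not available".
missing_kernel_side() {
    libdir=$1
    moddir=$2
    for lib in "$libdir"/libipt_*.so; do
        [ -e "$lib" ] || continue          # glob matched nothing
        name=${lib##*/libipt_}             # strip directory and "libipt_" prefix
        name=${name%.so}                   # strip ".so" suffix
        is_builtin "$name" && continue
        [ -f "$moddir/ipt_$name.ko" ] || echo "$name"
    done
    return 0
}

# Stand-alone use:
#   sh netfilter_check.sh /lib/iptables /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
if [ $# -eq 2 ]; then
    missing_kernel_side "$1" "$2"
fi
```

One caveat the file check cannot see: an extension compiled into the kernel (=y rather than =m) has no .ko yet works fine. On a 2.6 kernel the authoritative list of what the running kernel actually registered is /proc/net/ip_tables_matches and /proc/net/ip_tables_targets (present once ip_tables is loaded), so an entry missing from this script's output but absent from those files, or vice versa, tells you which side to rebuild.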