Hi List,

I am new at this and trying to set up shorewall. I was using mnf-en to do it but it was using an old version of shorewall (shorewall-2.0.8-2mdk) and didn't have the features I wanted. So I've installed shorewall-2.4.0-1mdk.

Other bits of interest:

    iproute2-2.6.10-1mdk
    iptables-1.2.9-8mdk

I'm trying to get the providers feature working.

show capabilities:

    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Not available
    Connection Tracking Match: Available
    Packet Type Match: Available
    Policy Match: Not available
    Physdev Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Not available
    ROUTE Target: Not available
    Extended MARK Target: Not available
    CONNMARK Target: Available
    Connmark Match: Available

I have been following
http://www.shorewall.net/Shorewall_and_Routing.html#id2452708

my providers looks like this:

    #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
    INT1    1       1       main            eth1            172.16.0.1      track,balance
    IP1     2       2       main            eth2            172.16.0.2      track,balance

shorewall debug start log looks like this:

    + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
    + eval ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
    ++ ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
    + echo ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
    + read net route
    + case $net in
    + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
    + eval ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
    ++ ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
    RTNETLINK answers: File exists

IP route looks like this:

    172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
    172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
    192.168.1.0/24 dev eth0.3 proto kernel scope link src 192.168.1.254
    192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.254

Shorewall fails to start with "Terminated" as the result.

Any ideas?

Ben
On Monday 27 June 2005 10:59, Benji Booble wrote:
> Hi List,

Hi Ben,

> I have been following
> http://www.shorewall.net/Shorewall_and_Routing.html#id2452708
>
> my providers looks like this:
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
> INT1    1       1       main            eth1            172.16.0.1      track,balance
> IP1     2       2       main            eth2            172.16.0.2      track,balance
>
> shorewall debug start log looks like this:
> + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> + eval ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> ++ ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> + echo ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> + read net route
> + case $net in
> + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> + eval ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> ++ ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> RTNETLINK answers: File exists
>
> IP route looks like this:
> 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> 192.168.1.0/24 dev eth0.3 proto kernel scope link src 192.168.1.254
> 192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.254
>
> Shorewall fails to start with "Terminated" as the result.
>
> Any ideas?

Yup, but only ideas, because I don't really understand your setup yet. What shorewall does is to create routing entries for BOTH provider entries into routing table 1! But the route for the second provider should go into table "2" as written in the provider config file. Result: duplicated routing entries for network 172.16.0.0/25 in table 1 => rtnetlink: File exists.

But: Your provider file seems to be illogical to me. In this file you should specify 2 different providers (default gateways/default routes to the internet or another network).

But you seem to try to route your traffic via the same network, means both "gateways" are in the same 172.16.0.0/25 network, also eth1 and eth2 are connected to the SAME network, but they should be connected to 2 separate ISPs/networks.

HTH,
Alex
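A pre-flight check for the condition diagnosed in the reply above, added here as an illustration (it is not code from the thread's participants or from Shorewall): it flags a connected prefix that sits on more than one interface, and providers whose gateways fall inside the same connected network. The sample input is constructed from the providers file and route listing quoted in the thread; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input, built from the values quoted in the thread.
PROVIDERS = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
INT1 1 1 main eth1 172.16.0.1 track,balance
IP1 2 2 main eth2 172.16.0.2 track,balance
"""
MAIN_ROUTES = """\
172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
192.168.1.0/24 dev eth0.3 proto kernel scope link src 192.168.1.254
192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.254
"""

def parse_providers(text):
    """One dict per non-comment line of a providers file."""
    cols = ("name", "number", "mark", "duplicate", "interface", "gateway", "options")
    lines = (l.split("#", 1)[0].split() for l in text.splitlines())
    return [dict(zip(cols, f)) for f in lines if f]

def parse_routes(text):
    """(network, device) pairs from `ip route` lines; lines without 'dev' second are skipped."""
    rows = [l.split() for l in text.splitlines()]
    return [(ipaddress.ip_network(f[0]), f[2]) for f in rows if len(f) >= 3 and f[1] == "dev"]

def duplicate_prefixes(routes):
    """Prefixes bound to several devices: adding both to one table gives 'File exists'."""
    devs = defaultdict(list)
    for net, dev in routes:
        devs[net].append(dev)
    return {str(n): d for n, d in devs.items() if len(d) > 1}

def shared_gateway_networks(providers, routes):
    """Connected networks that contain the gateway of more than one provider."""
    hits = defaultdict(list)
    for p in providers:
        gw = ipaddress.ip_address(p["gateway"])
        for net in {n for n, _ in routes}:
            if gw in net:
                hits[str(net)].append(p["name"])
    return {n: names for n, names in hits.items() if len(names) > 1}

if __name__ == "__main__":
    routes = parse_routes(MAIN_ROUTES)
    print("prefix on several devices:", duplicate_prefixes(routes))
    print("providers sharing a network:", shared_gateway_networks(parse_providers(PROVIDERS), routes))
```

Both results come back empty once each provider interface and gateway is on its own network.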
Ah, thanks Alex,

my firewall is behind two modems (billion router/fw) and they are both interfacing internally to 172.16.0.0/128.

I will change that to two separate networks then.

Cheers,
Ben

>From: Alexander Wilms <alex.wilms@adminguru.org>
>Reply-To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
>To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
>Subject: Re: [Shorewall-users] RTNETLINK answers: File exists
>Date: Mon, 27 Jun 2005 11:34:44 +0200
>
>On Monday 27 June 2005 10:59, Benji Booble wrote:
> > Hi List,
>Hi Ben,
>
> > I have been following
> > http://www.shorewall.net/Shorewall_and_Routing.html#id2452708
> >
> > my providers looks like this:
> > #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
> > INT1    1       1       main            eth1            172.16.0.1      track,balance
> > IP1     2       2       main            eth2            172.16.0.2      track,balance
> >
> > shorewall debug start log looks like this:
> > + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> > + eval ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> > ++ ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> > + echo ip route add table 1 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> > + read net route
> > + case $net in
> > + ensure_and_save_command ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> > + eval ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> > ++ ip route add table 1 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> > RTNETLINK answers: File exists
> >
> > IP route looks like this:
> > 172.16.0.0/25 dev eth1 proto kernel scope link src 172.16.0.3
> > 172.16.0.0/25 dev eth2 proto kernel scope link src 172.16.0.4
> > 192.168.1.0/24 dev eth0.3 proto kernel scope link src 192.168.1.254
> > 192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.254
> >
> > Shorewall fails to start with "Terminated" as the result.
> >
> > Any ideas?
>Yup, but only ideas, because I don't really understand your setup yet.
>What shorewall does is to create routing entries for BOTH provider entries into routing table 1! But the route for the second provider should go into table "2" as written in the provider config file. Result: duplicated routing entries for network 172.16.0.0/25 in table 1 => rtnetlink: File exists.
>
>But: Your provider file seems to be illogical to me. In this file you should specify 2 different providers (default gateways/default routes to the internet or another network).
>
>But you seem to try to route your traffic via the same network, means both "gateways" are in the same 172.16.0.0/25 network, also eth1 and eth2 are connected to the SAME network, but they should be connected to 2 separate ISPs/networks.
>
>HTH,
>Alex