Hi,
I'm happily working with Shorewall for a single ISP for about one year -
BTW: thanks for this great utility!
Now I'm trying to use the multi-ISP feature, which is working so far,
but I get lost and confused at some points.
The Shorewall configs shown below are working for each ISP in the
corresponding single-ISP setup.
The problem is now that, when testing this setup, everything is working
(so far), but when studying logs on the "test-destination-server", I see
that "shorewall" connects with the wrong outgoing IP (as configured in
tcrules) - sometimes with the IP from ADSL, sometimes with the IP from
SDSL. Looks like balancing is working but ignoring tcrules... At
this point I'm really helpless ;)
Any clues are welcome; thanks in advance...
-
Oliver
Kernel: 2.6.11
iptables: 1.3.2
iproute2: 2.6.11
Netfilter is all in the kernel
Network setup is as follows:
eth0 - 192.168.xxx.2 (as gateway for the local subnet), connected to switch
eth1 - is "up" only for ppp0, connected to DSL-Modem
eth2 - 2xx.1xx.2xx.203 SDSL leased line, connected to Cisco-Router
ppp0 - dynamic IP, dialup-ADSL
No default route set, as I think that shorewall will decide which route
to set and use.
After starting shorewall, shorewall sets the following routes:
- route -n:
195.14.247.95 0.0.0.0 255.255.255.255 UH 0 0 0 0 ppp0
2xx.1xx.2xx.200 0.0.0.0 255.255.255.248 U 0 0 0 0 eth2
192.168.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 195.14.247.95 0.0.0.0 UG 0 0 0 ppp0
- ip route ls:
195.14.247.95 dev ppp0 proto kernel scope link src 2xx.1xx.2xx.46
2xx.1xx.2xx.200/29 dev eth2 proto kernel scope link src 2xx.1xx.2xx.203
192.168.xxx.0/24 dev eth0 proto kernel scope link src 192.168.xxx.2
127.0.0.0/8 dev lo scope link
default
nexthop via 195.14.247.95 dev ppp0 weight 1
nexthop via 2xx.1xx.2xx.201 dev eth2 weight 1
Shorewall-configs:
- interfaces:
net ppp0 detect dhcp,routefilter,norfc1918,tcpflags
net eth2 2xx.1xx.2xx.207 routefilter,norfc1918,tcpflags
loc eth0 detect tcpflags
- masq:
ppp0 eth0
eth2 eth0
- modules:
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
- policy:
net net DROP
loc net DROP info
fw net ACCEPT
net all DROP warning
all all REJECT warning
- providers:
ppp 1 1 main ppp0 detect track,balance eth0
fix 2 2 main eth2 2xx.1xx.2xx.201 track,balance eth0
- rules:
(too long to list ;) I left them as they are in single-ISP)
- tcrules:
2:P eth0 0.0.0.0/0 tcp 143,993
1 fw 0.0.0.0/0 tcp 80,443,123
1:P eth0 0.0.0.0/0 tcp 80,443,123
2 fw 0.0.0.0/0 tcp 20,21,22
2:P eth0 0.0.0.0/0 tcp 20,21,22
2:P eth0 0.0.0.0/0 tcp 873,2401,5999
2:P eth0 0.0.0.0/0 udp 1194
1:P eth0 0.0.0.0/0 tcp 5900:5950
1 fw 0.0.0.0/0 tcp 110
1:P eth0 0.0.0.0/0 tcp 110
- zones:
net Net Internet
loc Local Local Networks
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
----- Original Message -----
> The problem is now that, when testing this setup, everything is working
> (so far), but when studying logs on the "test-destination-server", I see
> that "shorewall" connects with the wrong outgoing IP (as configured in
> tcrules) - sometimes with the IP from ADSL, sometimes with the IP from
> SDSL. Looks like that balancing is working but ignoring tcrules... At
> this point I'm really helpless ;)
>
> Any clues are welcome; thanks in advance...
>

TC_ENABLED=yes is set in the shorewall.conf?

Just to clear things up, the lan clients are obeying the tcrules? and the firewall is not? or both?

<snip>
> - masq:
> ppp0 eth0
> eth2 eth0

I'd use snat here:

ppp0 192.168.xxx.0/24 2xx.1xx.2xx.46
eth2 192.168.xxx.0/24 2xx.1xx.2xx.203

But that is just me.

<snip>
> - tcrules:
> 2:P eth0 0.0.0.0/0 tcp 143,993
> 1 fw 0.0.0.0/0 tcp 80,443,123
> 1:P eth0 0.0.0.0/0 tcp 80,443,123
> 2 fw 0.0.0.0/0 tcp 20,21,22
> 2:P eth0 0.0.0.0/0 tcp 20,21,22
> 2:P eth0 0.0.0.0/0 tcp 873,2401,5999
> 2:P eth0 0.0.0.0/0 udp 1194
> 1:P eth0 0.0.0.0/0 tcp 5900:5950
> 1 fw 0.0.0.0/0 tcp 110
> 1:P eth0 0.0.0.0/0 tcp 110

I don't use the same routing table for the firewall's outbound; I use tcrules to mark the packet with a different mark than what is used for the 'providers'. The routing table for that mark has just a gateway to use, like the squid example.

my providers:

shaw2 5 5 - eth2 detect
test2 4 4 - eth1 10.50.0.254
shaw 1 1 main eth2 detect track,balance eth0
test 2 2 main eth1 10.50.0.254 track,balance eth0

tcrules:

5 $FW 0.0.0.0/0 tcp 21 - -
5 $FW 0.0.0.0/0 tcp 80 - -
5 $FW 0.0.0.0/0 tcp 53 - -
5 $FW 0.0.0.0/0 udp 53 - -
5 $FW:24.78.220.109 0.0.0.0/0 tcp 25 - -
5 $FW:10.50.0.1 0.0.0.0/0 tcp 25 - -
4:P 10.3.0.0/24 0.0.0.0/0 tcp 80 - -
1:P 10.3.0.0/24 0.0.0.0/0 tcp 25 - -
1:P 10.3.0.0/24 !10.5.0.0/24 tcp 110 - -
1:P 10.3.0.0/24 !10.5.0.0/24 tcp 443 - -

Please submit a shorewall status, as you need to capture the correct chains in order to see if the tcout and tcpre chains are being marked as needed.

Thanks
Jerry
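A quick diagnostic along the lines of Jerry's advice, added here as an example and not part of the thread: it cross-checks the marks a tcrules file assigns against the `ip rule` entries the kernel actually has, because a mark with no `fwmark ... lookup` rule is routed by the main table (here the balanced default route), which is exactly the symptom described. The tcrules text and the `ip rule show` output below are constructed samples; on a live box they would come from `/etc/shorewall/tcrules` and `ip rule show`.

```shell
#!/bin/sh
# Added example (not from the thread): find marks set in tcrules that no
# "ip rule ... fwmark" entry maps to a routing table.  Such marks are silently
# ignored by policy routing and traffic falls back to the main table.

# Constructed tcrules excerpt in the thread's column layout (mark source dest proto ports).
TCRULES='2:P eth0 0.0.0.0/0 tcp 143,993
1 fw 0.0.0.0/0 tcp 80,443,123
1:P eth0 0.0.0.0/0 tcp 80,443,123
2 fw 0.0.0.0/0 tcp 20,21,22'

# Constructed "ip rule show" output: only mark 0x1 has a lookup rule.
IP_RULES='0:      from all lookup local
10000:  from all fwmark 0x1 lookup ppp
32766:  from all lookup main
32767:  from all lookup default'

# marks_in_tcrules TEXT -> distinct numeric marks (":P"/":F" suffixes dropped)
marks_in_tcrules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { split($1, m, ":"); if (m[1] ~ /^[0-9]+$/) print m[1] }' | sort -un
}

# marks_with_rules TEXT -> decimal marks that have a fwmark lookup rule
marks_with_rules() {
    printf '%s\n' "$1" | sed -n 's/.*fwmark \([0-9a-fx]*\).*/\1/p' | sed 's|/.*||' |
        while read -r hex; do echo "$(( $hex ))"; done | sort -un   # 0x1 -> 1
}

# unrouted_marks TCRULES IPRULES -> marks used by tcrules but lacking a rule
unrouted_marks() {
    used=$(marks_in_tcrules "$1")
    routed=$(marks_with_rules "$2")
    for m in $used; do
        case " $(printf '%s ' $routed)" in
            *" $m "*) ;;                         # mark is routed, fine
            *) echo "$m" ;;                      # mark falls through to main table
        esac
    done
}

for m in $(unrouted_marks "$TCRULES" "$IP_RULES"); do
    echo "mark $m is set by tcrules but has no 'ip rule ... fwmark' entry"
done
```

With the constructed input it reports mark 2, matching the thread's complaint that connections sometimes leave via the "wrong" provider.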
...very interesting, thank you! Will be checked; unfortunately I'm out for business now 'till monday *grrr* ;)

So: ...will be continued...

-
Oliver