Dario Lesca
2006-Jan-17 18:02 UTC
Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Hi! I have resumed trying to resolve this problem, suspended since 17 Dec 2005.

I have tried to apply Jerry's suggestion (see below). The problem still exists.

See the attached shorewall config, dump and tcpdump taken when I try to exit with SSH from the firewall...

In the masq file is my last attempt at resolving my problem; however I have also tested the example in MultiISP.html, but nothing changed.

Many thanks to all

> From: Jerry Vonau <jvonau@shaw.ca>
> Reply-to: shorewall-users@lists.sourceforge.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Multiple ISPs: How to force traffic generated from FW to a specific ISP
> Date: Sat, 17 Dec 2005 11:26:25 -0600 (18:26 CET)
>
> ----- Original Message -----
> > All config files and debug files are in the attached tar file.
> >
> > Thanks,
> > Thank you Tom!
>
> From the dump that you posted:
>
> Chain tcout (1 references)
>  pkts bytes target prot opt in out source         destination
>     1    60 MARK   tcp  --  *  *   0.0.0.0/0      !192.168.0.0/16  tcp dpt:22 MARK set 0x5
>     7   420 MARK   tcp  --  *  *   0.0.0.0/0      !192.168.0.0/16  tcp dpt:25 MARK set 0x5
>
> Chain eth1_masq (1 references)
>  pkts bytes target prot opt in out source         destination
>     7   420 SNAT   all  --  *  *   192.168.0.2    0.0.0.0/0       to:80.18.151.125
>    10   677 SNAT   all  --  *  *   0.0.0.0/0      0.0.0.0/0       to:80.18.151.125
>     0     0 SNAT   all  --  *  *   0.0.0.0/0      0.0.0.0/0       to:80.18.151.125
>
> Note the 7 pkts, 420 bytes that are common to both chains, there should be 8 pkts, 480 bytes for
> the eth1_masq chain if the ssh client used 192.168.0.2 as a source address, and leaves me
> wondering what the source address the ssh client is actually using.
>
> With tcrules the last match gets to mark the packet, so to help debug this could you try these tcrules:
>
> 5 $FW: !192.168.0.0/16 tcp 22
> 5 $FW:192.168.1.254 !192.168.0.0/16 tcp 22
> 5 $FW:172.16.1.1 !192.168.0.0/16 tcp 22
> 5 $FW:80.18.151.125 !192.168.0.0/16 tcp 22
> 5 $FW:192.168.0.2 !192.168.0.0/16 tcp 22
>
> 5 $FW: !192.168.0.0/16 tcp 25
> 5 $FW:192.168.1.254 !192.168.0.0/16 tcp 25
> 5 $FW:172.16.1.1 !192.168.0.0/16 tcp 25
> 5 $FW:80.18.151.125 !192.168.0.0/16 tcp 25
> 5 $FW:192.168.0.2 !192.168.0.0/16 tcp 25
>
> The first rule should catch anything not below it, the second/third rules should catch
> anything that comes from the loc/dmz interfaces, and the fourth/fifth rules should catch
> anything from your isp's interfaces.
>
> "shorewall restart", then "shorewall reset" and retest, then submit a "shorewall dump" again.
>
> Jerry

-- 
Dario Lesca <d.lesca@solinos.it>
Jerry Vonau
2006-Jan-18 02:57 UTC
Re: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> Hi! I have resumed trying to resolve this problem, suspended since 17 Dec 2005.
>
> I have tried to apply Jerry's suggestion (see below).
>
> The problem still exists.
>
> See the attached shorewall config, dump and tcpdump taken when I try to exit with
> SSH from the firewall...
>
> In the masq file is my last attempt at resolving my problem; however I have also
> tested the example in MultiISP.html, but nothing changed.
>
In the prior dump that was submitted there was a masq rule:

$NET_IF 192.168.0.2 80.18.151.125

It's not in your config anymore?

Why bother with this workaround for ssh, just use the -b flag with the source address to be used. From man ssh:

     -b bind_address
             Use bind_address on the local machine as the source address of
             the connection.  Only useful on systems with more than one
             address.

This has been referred to as "binding the client application to a single source address" on this list. Your mail client *might* (should?) have a similar option.

Jerry

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
Dario Lesca
2006-Jan-19 18:57 UTC
Re: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Tue, 17/01/2006 at 20.57 -0600, Jerry Vonau wrote:
> In the prior dump that was submitted there was a masq rule:
> $NET_IF 192.168.0.2 80.18.151.125
> It's not in your config anymore?

Is this not the same thing?
$NET_IT 0.0.0.0/0 80.18.151.125

> Why bother with this workaround for ssh, just use the -b flag with the
> source address to be used.

If I use -b 80.18.151.125 the ssh works.
If I use -b 192.168.0.2 it does not work, and not for all applications is it possible to specify a bind IP.

> This has been referred to as "binding the client application to a single
> source address" on this list. Your mail client *might* (should?) have a
> similar option.

I use a mail server (qmail) and I do not bind it to a specific IP ... should I?

This is my IP configuration:

[root@payprox ~]# ip a
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:46:46:76:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::20c:46ff:fe46:761d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:d8:0c:d6:43 brd ff:ff:ff:ff:ff:ff
    inet 80.18.151.125/29 brd 80.18.151.127 scope global eth1
    inet 80.18.151.122/29 brd 80.18.151.127 scope global secondary eth1:1
    inet 80.18.151.123/29 brd 80.18.151.127 scope global secondary eth1:2
    inet6 fe80::211:d8ff:fe0c:d643/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:2e:20:35:6e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
    inet6 fe80::20e:2eff:fe20:356e/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:48:54:01:18:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth3
    inet6 fe80::248:54ff:fe01:1860/64 scope link
       valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
13: tun3: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1255 qdisc pfifo_fast qlen 500
    link/[65534]
    inet 192.168.1.253 peer 192.168.3.250/32 scope global tun3
14: tun2: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 500
    link/[65534]
    inet 192.168.1.249 peer 192.168.1.250/32 scope global tun2

[root@payprox ~]# ip r
80.18.151.121 dev eth2  scope link
192.168.1.250 dev tun2  proto kernel  scope link  src 192.168.1.249
192.168.3.250 dev tun3  proto kernel  scope link  src 192.168.1.253
80.18.151.124 dev eth2  scope link
80.18.151.120/29 dev eth1  proto kernel  scope link  src 80.18.151.125
192.168.3.0/24 via 192.168.3.250 dev tun3
192.168.2.0/24 via 192.168.1.250 dev tun2
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.2
172.16.1.0/24 dev eth2  proto kernel  scope link  src 172.16.1.1
default
        nexthop via 80.18.151.126  dev eth1 weight 1
        nexthop via 192.168.0.1  dev eth3 weight 10

Other useful information: FC3

[root@payprox tmp]# tc -V
tc utility, iproute2-ss040831
[root@payprox tmp]# iptables -V
iptables v1.2.11
[root@payprox tmp]# uname -rv
2.6.12-1.1378_FC3smp #1 SMP Wed Sep 14 04:52:36 EDT 2005

And this is my last shorewall config: (see attachment)

I have also tested the "Child from KoRn" suggestion, but nothing changed.

Please, can someone help me?

Many thanks to all.
-- 
Dario Lesca <d.lesca@solinos.it>
Jerry Vonau
2006-Jan-20 01:54 UTC
Re: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> On Tue, 17/01/2006 at 20.57 -0600, Jerry Vonau wrote:
>
>> In the prior dump that was submitted there was a masq rule:
>> $NET_IF 192.168.0.2 80.18.151.125
>> It's not in your config anymore?
>
> Is this not the same thing?
> $NET_IT 0.0.0.0/0 80.18.151.125
>
You'd think that it was, but it's not really... In your current masq file you're using this:

$NET_IF $DMZ_IF 80.18.151.125

that results in these rules:

    0     0 SNAT  all  --  *  *  80.18.151.121  0.0.0.0/0  to:80.18.151.125
    0     0 SNAT  all  --  *  *  80.18.151.124  0.0.0.0/0  to:80.18.151.125

That really defeats the purpose of proxyarp, you could be changing a public ip address, to the firewall's ip address.

>> Why bother with this workaround for ssh, just use the -b flag with the
>> source address to be used.
>
> If I use -b 80.18.151.125 the ssh works.
> If I use -b 192.168.0.2 it does not work
>
Was that with the masq rule below in place?

$NET_IF 192.168.0.2 80.18.151.125

> and not for all applications is it possible to specify a bind IP.
>
Then you better get this working... ;)

<snip>
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:d8:0c:d6:43 brd ff:ff:ff:ff:ff:ff
>     inet 80.18.151.125/29 brd 80.18.151.127 scope global eth1
>     inet 80.18.151.122/29 brd 80.18.151.127 scope global secondary eth1:1
>     inet 80.18.151.123/29 brd 80.18.151.127 scope global secondary eth1:2
>     inet6 fe80::211:d8ff:fe0c:d643/64 scope link
>        valid_lft forever preferred_lft forever

$DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is not in the params file, copy & paste error again? .122 above shows up in the dump that you posted, so I'll assume that both of the variables above are .122.

From your current dump:

Chain tcout (1 references)
 pkts bytes target prot opt in out source         destination
    1    60 MARK  tcp  --  *  *  0.0.0.0/0      !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  192.168.1.254  !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  172.16.1.1     !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  80.18.151.125  !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    1    60 MARK  tcp  --  *  *  192.168.0.2    !192.168.0.0/16  tcp dpt:22 MARK set 0x5

The first rule marked a packet that didn't have a source address that was defined below it. To help debug this further could you add these to tcrules:

5 $FW:80.18.151.122 !192.168.0.0/16 tcp 22,25
5 $FW:80.18.151.123 !192.168.0.0/16 tcp 22,25
5 $FW:192.168.1.249 !192.168.0.0/16 tcp 22,25
5 $FW:192.168.1.253 !192.168.0.0/16 tcp 22,25

That should cover every src address that is shown in "ip route ls"

reset, restart, retest. Just trying to get a handle on what source address is being used without the -b flag.

Jerry
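The per-source tcrules Jerry asks for above are a counter-reading technique: after "shorewall reset" and a retest, the rule whose packet counter moved tells you which address the firewall's own client bound to. The following shell script (an added example, not code from the thread or from Shorewall) automates that reading. The function names, and the SAMPLE_TCOUT text constructed to mirror the counters quoted in the thread, are this example's own; in practice you would feed it the "Chain tcout" section of a "shorewall dump" or of "iptables -t mangle -nvxL tcout" (-x keeps counters exact rather than abbreviated as 12K).

```shell
#!/bin/sh
# Added example, not from the thread: report which source address the
# firewall's own connections used, from the counters of one-tcrule-per-source
# MARK rules.  Input is the "Chain tcout" section of a shorewall dump.
# SAMPLE_TCOUT is constructed to match the counters quoted in the thread.

SAMPLE_TCOUT='Chain tcout (1 references)
 pkts bytes target prot opt in out source         destination
    1    60 MARK  tcp  --  *  *  0.0.0.0/0      !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  192.168.1.254  !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  172.16.1.1     !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    0     0 MARK  tcp  --  *  *  80.18.151.125  !192.168.0.0/16  tcp dpt:22 MARK set 0x5
    1    60 MARK  tcp  --  *  *  192.168.0.2    !192.168.0.0/16  tcp dpt:22 MARK set 0x5'

# Print "source dport pkts" for every MARK rule whose packet counter is
# non-zero.  Reads the chain text on stdin.
matched_sources() {
    awk '
        /^Chain / || $1 == "pkts" { next }
        # columns: pkts bytes target prot opt in out source destination ...
        $3 == "MARK" && $1 + 0 > 0 {
            dport = "any"
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) dport = substr($i, 5)
            print $8, dport, $1
        }
    '
}

# MARK is a non-terminating target, so one packet from 192.168.0.2 is counted
# by the 0.0.0.0/0 catch-all rule *and* by the specific rule below it.  The
# catch-all therefore gives the total; whatever the specific rules do not
# account for came from an address that was not listed.
source_accounting() {
    matched_sources | awk '
        $1 == "0.0.0.0/0" { total[$2] += $3; seen[$2] = 1 }
        $1 != "0.0.0.0/0" { ident[$2] += $3; seen[$2] = 1 }
        END {
            for (p in seen)
                printf "dport %s: total=%d identified=%d unidentified=%d\n",
                       p, total[p], ident[p], total[p] - ident[p]
        }
    '
}

printf '%s\n' "$SAMPLE_TCOUT" | matched_sources
printf '%s\n' "$SAMPLE_TCOUT" | source_accounting
```

On the constructed sample the specific rule for 192.168.0.2 and the catch-all both show one packet, and the accounting line reports nothing unidentified: a single packet from 192.168.0.2 explains both counters. An "unidentified" value greater than zero is the case worth chasing, because it means some packets left with a source address that none of the listed rules covered.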
Dario Lesca
2006-Feb-01 15:22 UTC
R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Thu, 19/01/2006 at 19.54 -0600, Jerry Vonau wrote:
> $DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is not
> in the params file, copy & paste error again?

Yes, sorry.

> The first rule marked a packet that didn't have a source address that
> was defined below it. To help debug this further could you add these to
> tcrules:
> 5 $FW:80.18.151.122 !192.168.0.0/16 tcp 22,25
> 5 $FW:80.18.151.123 !192.168.0.0/16 tcp 22,25
> 5 $FW:192.168.1.249 !192.168.0.0/16 tcp 22,25
> 5 $FW:192.168.1.253 !192.168.0.0/16 tcp 22,25
>
> That should cover every src address that is shown in "ip route ls"
>
> reset, restart, retest. Just trying to get a handle on what source
> address is being used without the -b flag.

It does not work. :-(

If I telnet out on port 25

[root@payprox ~]# telnet 82.186.161.26 25 &

I exit on eth1 (80.18.151.125) and connect to 82.186.161.26, then the external host connects to me on 80.18.151.125, but the telnet is bound to 192.168.0.2:

[root@payprox ~]# netstat -natp|grep telnet
tcp        0      1 192.168.0.2:48129       82.186.161.26:25        SYN_SENT    27960/telnet

and the connection does not work.

Attached are the last config files and dump....
Please help me.

Many thanks
-- 
Dario Lesca <d.lesca@solinos.it>
Jerry Vonau
2006-Feb-01 16:03 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> On Thu, 19/01/2006 at 19.54 -0600, Jerry Vonau wrote:
>
>> $DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is not
>> in the params file, copy & paste error again?
>
> Yes, sorry.
>
>> The first rule marked a packet that didn't have a source address that
>> was defined below it. To help debug this further could you add these to
>> tcrules:
>> 5 $FW:80.18.151.122 !192.168.0.0/16 tcp 22,25
>> 5 $FW:80.18.151.123 !192.168.0.0/16 tcp 22,25
>> 5 $FW:192.168.1.249 !192.168.0.0/16 tcp 22,25
>> 5 $FW:192.168.1.253 !192.168.0.0/16 tcp 22,25
>>
>> That should cover every src address that is shown in "ip route ls"
>>
>> reset, restart, retest. Just trying to get a handle on what source
>> address is being used without the -b flag.
>
> It does not work. :-(
>
> If I telnet out on port 25
> [root@payprox ~]# telnet 82.186.161.26 25 &
> I exit on eth1 (80.18.151.125) and connect to 82.186.161.26,
> then the external host connects to me on 80.18.151.125, but the telnet is
> bound to 192.168.0.2
>
> [root@payprox ~]# netstat -natp|grep telnet
> tcp        0      1 192.168.0.2:48129       82.186.161.26:25        SYN_SENT    27960/telnet
>
> and the connection does not work.
>
> Attached are the last config files and dump....
> Please help me.

Could you humor me, in your policy file add to the top of the list:

fw net ACCEPT info

thanks

Jerry
Jerry Vonau
2006-Feb-01 22:47 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> On Thu, 19/01/2006 at 19.54 -0600, Jerry Vonau wrote:
>
>> $DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is not
>> in the params file, copy & paste error again?
>
> Yes, sorry.
>
>> The first rule marked a packet that didn't have a source address that
>> was defined below it. To help debug this further could you add these to
>> tcrules:
>> 5 $FW:80.18.151.122 !192.168.0.0/16 tcp 22,25
>> 5 $FW:80.18.151.123 !192.168.0.0/16 tcp 22,25
>> 5 $FW:192.168.1.249 !192.168.0.0/16 tcp 22,25
>> 5 $FW:192.168.1.253 !192.168.0.0/16 tcp 22,25
>>
>> That should cover every src address that is shown in "ip route ls"
>>
>> reset, restart, retest. Just trying to get a handle on what source
>> address is being used without the -b flag.
>
> It does not work. :-(
>
> If I telnet out on port 25
> [root@payprox ~]# telnet 82.186.161.26 25 &
> I exit on eth1 (80.18.151.125) and connect to 82.186.161.26,
> then the external host connects to me on 80.18.151.125, but the telnet is
> bound to 192.168.0.2
>
> [root@payprox ~]# netstat -natp|grep telnet
> tcp        0      1 192.168.0.2:48129       82.186.161.26:25        SYN_SENT    27960/telnet
>
> and the connection does not work.
>
----
    1    60 MARK  tcp  --  *  *  192.168.0.2     !192.168.0.0/16  tcp dpt:22 MARK set 0x5
----
Chain eth1_masq (1 references)
 pkts bytes target prot opt in out source          destination
    2   147 SNAT  all  --  *  *  192.168.1.0/24  0.0.0.0/0        to:80.18.151.125
<snip>
    1    60 SNAT  all  --  *  *  192.168.0.2     0.0.0.0/0        to:80.18.151.125
----
So the outbound is tagged, and masq'd. Shoot, from your dump:
----
tcp 6 15 SYN_RECV src=192.168.0.2 dst=82.186.161.26 sport=52183 dport=22 packets=1 bytes=60 src=82.186.161.26 dst=80.18.151.125 sport=22 dport=52183 packets=6 bytes=360 mark=1 use=1
----
and the config files:

FASTACCEPT=No
----
guess you didn't read the warning from the webpage:

---quote---
RESTRICTION: If you specify FASTACCEPT=Yes in /etc/shorewall/shorewall.conf then the ESTABLISHED and RELATED sections must be empty.

Caution
Unless you understand Netfilter well enough to be comfortable with the difference between ESTABLISHED, RELATED, INVALID and NEW connection tracking states, you should omit the ESTABLISHED and RELATED sections and place all of your rules in the NEW section.
---/quote---

I'll invert the meaning for you, if you have fastaccept=no then you must have entries in the ESTABLISHED and RELATED sections. To put things in perspective, *I* have not played with those features yet.... Go ahead, you can tell me how it works, OK?

Let's try setting that to yes and try again.

Jerry
Dario Lesca
2006-Feb-12 22:10 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Wed, 01/02/2006 at 10.03 -0600, Jerry Vonau wrote:
> Could you humor me, in your policy file add to the top of the list:
> fw net ACCEPT info

kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2 DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10101 DF PROTO=TCP SPT=35691 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

If the traffic is generated from a local IP (192.168.0.2) of the local eth3 interface, is it possible to redirect it onto another interface (eth1) and masquerade it with another IP (80.18.151.125)?? How do I do this?

I still have my initial problem.

-- 
Dario Lesca <d.lesca@solinos.it>
Dario Lesca
2006-Feb-12 22:24 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Wed, 01/02/2006 at 16.47 -0600, Jerry Vonau wrote:
> I'll invert the meaning for you, if you have fastaccept=no then you must
> have entries in the ESTABLISHED and RELATED sections. To put things in
> perspective, *I* have not played with those features yet.... Go ahead,
> you can tell me how it works, OK?
>
> Let's try setting that to yes and try again.
>
It does not work, the problem is still the same: the local traffic generated from a local application bound to a local IP of eth3 is not sent and masqueraded out another interface (eth1).

Attached is a new dump and new shorewall config (I have simplified some things in tcrules).

Any other suggestion?

Many thanks!
-- 
Dario Lesca <d.lesca@solinos.it>
Tom Eastep
2006-Feb-12 23:29 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Sunday 12 February 2006 14:10, Dario Lesca wrote:
> On Wed, 01/02/2006 at 10.03 -0600, Jerry Vonau wrote:
> > Could you humor me, in your policy file add to the top of the list:
> > fw net ACCEPT info
>
> kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2
> DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10101 DF PROTO=TCP
> SPT=35691 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
You can't use Shorewall logging to determine which interface this traffic actually goes out of. You must use tcpdump.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jerry Vonau
2006-Feb-13 00:21 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> On Wed, 01/02/2006 at 16.47 -0600, Jerry Vonau wrote:
>
>> I'll invert the meaning for you, if you have fastaccept=no then you must
>> have entries in the ESTABLISHED and RELATED sections. To put things in
>> perspective, *I* have not played with those features yet.... Go ahead,
>> you can tell me how it works, OK?
>>
>> Let's try setting that to yes and try again.
>>
>
> It does not work, the problem is still the same: the local traffic generated from
> a local application bound to a local IP of eth3 is not sent and masqueraded out
> another interface (eth1).
>
> Attached is a new dump and new shorewall config (I have simplified some
> things in tcrules).
>
> Any other suggestion?
>
> Many thanks!
>
Well let's think out loud a bit here... You have:

> 1 60 MARK tcp -- * * 192.168.0.0/24 82.186.161.24/29 tcp dpt:22 MARK set 0x5

> 1 60 SNAT all -- * * 192.168.0.0/24 0.0.0.0/0 to:80.18.151.125

> Feb 12 23:14:23 fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2 DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3449 DF PROTO=TCP SPT=50564 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

This all looks fine but this:

> tcp 6 37 SYN_RECV src=192.168.0.2 dst=82.186.161.26 sport=50564 dport=22 packets=1 bytes=60 src=82.186.161.26 dst=80.18.151.125 sport=22 dport=50564 packets=5 bytes=300 mark=1 use=1

Judging from the source port the connection looks to be masq'd, and the replies are there, but using "mark 1" and no "assured". Let's not fight with it and try using "1" as the mark in tcrules. IF that works for you, then you can remove the "FwOut" from the providers file. I'm not using the "routefilter" or "tcpflags" in the interfaces file, that is the only other thing I can think of at this time.

Jerry
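The conntrack entry Jerry reads above packs several answers into one line: the reply tuple's dst shows whether the original source was SNATed, the per-direction packets= counters show whether replies arrived and whether the local side ever answered them, and [ASSURED] and mark= are separate flags. The following shell script (an added example, not code from the thread or from Shorewall) extracts those fields from /proc/net/ip_conntrack-style lines as they appear in a "shorewall dump". It assumes the entries carry packets= counters, as the one quoted in the thread does; the function names and the SAMPLE_CT lines (the thread's stalled entry plus a constructed healthy connection for contrast) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise ip_conntrack entries from a
# shorewall dump.  Assumes conntrack accounting (packets= fields) is present.
# SAMPLE_CT is constructed: the entry quoted in the thread, plus a healthy
# ESTABLISHED connection from a LAN host for contrast.

SAMPLE_CT='tcp 6 37 SYN_RECV src=192.168.0.2 dst=82.186.161.26 sport=50564 dport=22 packets=1 bytes=60 src=82.186.161.26 dst=80.18.151.125 sport=22 dport=50564 packets=5 bytes=300 mark=1 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=82.186.161.26 sport=40001 dport=22 packets=12 bytes=1500 src=82.186.161.26 dst=80.18.151.125 sport=22 dport=40001 packets=10 bytes=2000 [ASSURED] mark=0 use=1'

# One line per TCP entry:
#   STATE orig_src->orig_dst snat=<addr|none> assured=yes|no mark=N orig_pkts=N reply_pkts=N
ct_summary() {
    awk '
        $1 != "tcp" { next }
        {
            split("", v); n = 0; assured = "no"; mark = "0"
            for (i = 5; i <= NF; i++) {
                if ($i == "[ASSURED]") assured = "yes"
                else if ($i ~ /^mark=/) mark = substr($i, 6)
                else if ($i ~ /^(src|dst|packets)=/) v[++n] = substr($i, index($i, "=") + 1)
            }
            # v[1..3]: original src, dst, packets; v[4..6]: reply src, dst, packets.
            # If the reply is addressed to something other than the original
            # source, the original source was SNATed to that address.
            nat = (v[5] == v[1]) ? "none" : v[5]
            printf "%s %s->%s snat=%s assured=%s mark=%s orig_pkts=%s reply_pkts=%s\n",
                   $4, v[1], v[2], nat, assured, mark, v[3], v[6]
        }
    '
}

# A SYN_RECV entry with one original packet and several replies is a SYN-ACK
# being retransmitted to a client that never answers: the reply reached
# conntrack but never reached the local socket, so the de-NATed reply is being
# dropped somewhere between PREROUTING and local delivery (routing and
# rp_filter on a multi-ISP box are the usual suspects).
ct_diagnosis() {
    ct_summary | awk '
        { o = substr($6, 11) + 0; r = substr($7, 12) + 0 }
        $1 == "SYN_RECV" && o == 1 && r > 1 {
            print $2 ": handshake stalled, SYN-ACK seen " r " times and never ACKed"; next
        }
        { print $2 ": ok" }
    '
}

printf '%s\n' "$SAMPLE_CT" | ct_summary
printf '%s\n' "$SAMPLE_CT" | ct_diagnosis
```

Feed it the conntrack section of a dump with "ct_summary < dump.txt". The stalled entry shows snat=80.18.151.125 with five reply packets against one original packet, which is exactly the "replies are there" observation above combined with a client that never completes the handshake; an ESTABLISHED entry that has gone [ASSURED] is what a working masqueraded connection looks like.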
Dario Lesca
2006-Feb-17 20:28 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
On Sun, 12/02/2006 at 18.21 -0600, Jerry Vonau wrote:
> Judging from the source port the connection looks to be masq'd, and the
> replies are there, but using "mark 1" and no "assured". Let's not fight
> with it and try using "1" as the mark in tcrules. IF that works for you,
> then you can remove the "FwOut" from the providers file. I'm not using
> the "routefilter" or "tcpflags" in the interfaces file, that is the only
> other thing I can think of at this time.

Still does not work.

I have removed routefilter and tcpflags, I have removed FwOut and used mark 1, but nothing changed:

If I use "ssh -b so.me.fw.ip -v remote" it works for all IPs except 192.168.0.2! This is the only fw-ip which does not work.

Can someone explain to me why?

I do not know what I can try to resolve this problem.

Please give me some suggestion...

Attached there are the last fwconf and fwdump log.

Many thanks
-- 
Dario Lesca <d.lesca@solinos.it>
Jerry Vonau
2006-Feb-17 23:13 UTC
Re: R: Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)
Dario Lesca wrote:
> On Sun, 12/02/2006 at 18.21 -0600, Jerry Vonau wrote:
>
>> Judging from the source port the connection looks to be masq'd, and the
>> replies are there, but using "mark 1" and no "assured". Let's not fight
>> with it and try using "1" as the mark in tcrules. IF that works for you,
>> then you can remove the "FwOut" from the providers file. I'm not using
>> the "routefilter" or "tcpflags" in the interfaces file, that is the only
>> other thing I can think of at this time.
>
> Still does not work.
>
> I have removed routefilter and tcpflags, I have removed FwOut and used
> mark 1, but nothing changed:
>
> If I use "ssh -b so.me.fw.ip -v remote" it works for all IPs except
> 192.168.0.2! This is the only fw-ip which does not work.
>
> Can someone explain to me why?
>
> I do not know what I can try to resolve this problem.
>
> Please give me some suggestion...
>
> Attached there are the last fwconf and fwdump log.
>
> Many thanks
>
Looks like just removing "routefilter" is not enough by itself, you need to reset the /proc entries by hand, or a network restart might fix it. Can you try:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter

Hope this works, I'm out of ideas.

Jerry
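Removing "routefilter" from the interfaces file only stops Shorewall from setting rp_filter at the next start; the /proc values already written stay in force until something rewrites them, which is why Jerry asks for the echo commands above. The shell script below (an added example, not code from the thread or from Shorewall) audits the reverse-path filter state so you can confirm what is actually in effect before and after such a change. Its function names are this example's own, and SYSCTL_ROOT is an assumed variable that defaults to /proc/sys but is pointed at a constructed temporary tree here so the script runs anywhere; make_demo_tree builds that tree with the interface names from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the reverse-path filter setting
# per interface.  With rp_filter=1 the kernel drops a packet whose source
# address would not be routed back out the interface it arrived on.  On this
# multi-ISP box a reply de-NATed back to 192.168.0.2 arrives on eth1 while the
# routing table reaches 192.168.0.0/24 through eth3, so strict rp_filter on
# eth1 drops it.  The effective value for an interface is the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter.
# SYSCTL_ROOT is an assumed knob for dry runs against a constructed tree.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print "<iface> <value>" for every interface directory under conf/.
rp_filter_table() {
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        i=$(basename "$d")
        [ -r "$d/rp_filter" ] && printf '%s %s\n' "$i" "$(cat "$d/rp_filter")"
    done
}

# List the named interfaces whose effective rp_filter is strict (1); exit 0
# if there are none, 1 otherwise.
strict_rp_filter_on() {
    all=$(cat "$SYSCTL_ROOT/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    rc=0
    for i in "$@"; do
        v=$(cat "$SYSCTL_ROOT/net/ipv4/conf/$i/rp_filter" 2>/dev/null || echo 0)
        if [ "$all" = 1 ] || [ "$v" = 1 ]; then
            echo "$i"
            rc=1
        fi
    done
    return $rc
}

# Constructed sysctl tree for the dry run: eth1 strict, eth3 loose, "all" off.
make_demo_tree() {
    root=$1
    for i in all default eth1 eth3; do
        mkdir -p "$root/net/ipv4/conf/$i"
    done
    echo 0 > "$root/net/ipv4/conf/all/rp_filter"
    echo 1 > "$root/net/ipv4/conf/default/rp_filter"
    echo 1 > "$root/net/ipv4/conf/eth1/rp_filter"
    echo 0 > "$root/net/ipv4/conf/eth3/rp_filter"
}

DEMO=$(mktemp -d)
make_demo_tree "$DEMO"
SYSCTL_ROOT=$DEMO
rp_filter_table
strict_rp_filter_on eth1 eth3 || echo "strict rp_filter is set on the interface(s) above"
rm -rf "$DEMO"
```

Run it with SYSCTL_ROOT left at its default on the firewall itself to see the live values. Note that conf/all/rp_filter=1 overrides a per-interface 0, so setting only the per-interface entries is not enough, and that turning rp_filter off removes the kernel's source-address sanity check on that interface; if the box is later moved to a kernel that supports it (2.6.31 and newer), the loose mode rp_filter=2 keeps a weaker check while tolerating asymmetric routes like this one.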