Hi!
I have three NICs on my PC (Fedora Core 4 + Shorewall version 3.1.2).
eth0 = connected to another box (masqueraded = ISP1)
eth1 = to switch with another LAN
and eth2 = I have another cable directly from ISP2 (another)
How do I use internet from ISP1 and ISP2 for my LAN (eth1)?
1: ISP2
2: Internet from masquerading system (ISP1)
for my LAN + firewall machine
thanks and regards
Anuj
--
===========Linux Rocks

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
On Wednesday 18 January 2006 09:21, anuj singh wrote:
> Hi!
> I have three NICs on my PC (Fedora Core 4 + Shorewall version 3.1.2).
> eth0 = connected to another box (masqueraded = ISP1)
> eth1 = to switch with another LAN
> and eth2 = I have another cable directly from ISP2 (another)
> how to use internet from ISP1 and ISP2 for my LAN (eth1)
> 1: ISP2
> 2: Internet from masquerading system (ISP1)
> for my LAN + firewall machine

You really need to start reading the documentation BEFORE you post.

See http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hello!
Sorry for my incomplete question.
My providers list has this entry:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
ISP1  1      1    main      eth0      DETECT  -
ISP2  2      2    main      eth2      DETECT  -

My eth0 is connected to a server with masquerading enabled.
(eth0= 192.192.192.10)
and my eth2 is connected to another ISP
(eth2=172.16.6.49)
my eth1 is connected to another LAN
(eth1=192.168.1.1)

Shorewall starts without any error when I have my:
default gateway=192.192.192.10
#route -n

On 1/18/06, Tom Eastep <teastep@shorewall.net> wrote:
> [quote of the previous message snipped]
Hello!
Sorry for my incomplete question.
My providers list has this entry:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
ISP1  1      1    main      eth0      DETECT  -
ISP2  2      2    main      eth2      DETECT  -

My eth0 is connected to a server with masquerading enabled.
(eth0= 192.192.192.10)
and my eth2 is connected to another ISP
(eth2=172.16.6.49)
my eth1 is connected to another LAN
(eth1=192.168.1.1)

Shorewall starts without any error when I have my:
default gateway=192.192.192.10

#ip rule show
0:      from all lookup local
10001:  from all fwmark 0x1 lookup ISP1
10002:  from all fwmark 0x2 lookup ISP2
20001:  from 192.192.192.15 lookup ISP1
20002:  from 172.16.6.50 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.192.192.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.192.192.10  0.0.0.0         UG    0      0        0 eth0

Now when my default gw is (connection directly from ISP to eth2):
#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.192.192.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         172.16.6.49     0.0.0.0         UG    0      0        0 eth2

Now shorewall restart shows

Processing /etc/shorewall/providers...
   ERROR: Unable to detect the gateway through interface eth0
Processing /etc/shorewall/stop ...

At this moment I can ping my masquerading (eth0) server and its nameserver, as well as my ISP's gateway and nameserver (on eth2).
Thanks and regards
Anuj

On 1/18/06, Tom Eastep <teastep@shorewall.net> wrote:
> [quote of the previous message snipped]
anuj singh wrote:
> Hello!
> Sorry for my incomplete question.
> my providers list has this entry
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
> ISP1  1      1    main      eth0      DETECT  -
> ISP2  2      2    main      eth2      DETECT  -
>
> My eth0 is connected to a server with masquerading enabled.
> (eth0= 192.192.192.10)
> and my eth2 is connected to another ISP
> (eth2=172.16.6.49)
> my eth1 is connected to another LAN
> (eth1=192.168.1.1)
>
> Shorewall starts without any error when I have my:
> default gateway=192.192.192.10
>

If you know what the gateway is and the gateway is not assigned by dhcp or pppd, USE THAT GATEWAY ADDRESS.

> #ip rule show
> 0:      from all lookup local
> 10001:  from all fwmark 0x1 lookup ISP1
> 10002:  from all fwmark 0x2 lookup ISP2
> 20001:  from 192.192.192.15 lookup ISP1
> 20002:  from 172.16.6.50 lookup ISP2
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> #route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.16.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.192.192.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         192.192.192.10  0.0.0.0         UG    0      0        0 eth0
>
> Now when my default gw is (connection directly from ISP to eth2):
> #route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.16.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.192.192.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         172.16.6.49     0.0.0.0         UG    0      0        0 eth2
>
> Now shorewall restart shows
>
> Processing /etc/shorewall/providers...
>    ERROR: Unable to detect the gateway through interface eth0
> Processing /etc/shorewall/stop ...
>
> At this moment I can ping my masquerading (eth0) server and its
> nameserver, as well as my ISP's gateway and nameserver (on eth2).
>

The problem is, out of the box, most distros don't handle 2 gateways very well; most will replace one gateway with the other gateway. This will not change until the network init scripts handle 2 gateways in a better manner. If you have 2 dhcp providers, all bets are off unless you hack the dhcp client scripts.

Jerry
One of my gateways (from masquerading server on LAN and ISP1):
eth0
gw=192.192.192.10
nameserver=4.2.2.2

eth2
Second ISP's
gw=172.16.6.49
nameserver=172.16.0.1

My shorewall works fine if my default gateway is 192.192.192.10 (on my local network).
If I change my default gateway to 172.16.6.49
it gives me the error
Processing /etc/shorewall/providers...
   ERROR: Unable to detect the gateway through interface eth0
Processing /etc/shorewall/stop ...

On 1/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> [quote of the previous message snipped]
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
anuj singh wrote:
> One of my gateways (from masquerading server on LAN and ISP1):
> eth0
> gw=192.192.192.10
> nameserver=4.2.2.2
>
> eth2
> Second ISP's
> gw=172.16.6.49
> nameserver=172.16.0.1
>
> My shorewall works fine if my default gateway is 192.192.192.10 (on my
> local network).
> If I change my default gateway to 172.16.6.49
> it gives me the error
> Processing /etc/shorewall/providers...
>    ERROR: Unable to detect the gateway through interface eth0
> Processing /etc/shorewall/stop ...
>

If shorewall starts, I'll bet that the multi-hop gateways don't get created.

> On 1/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
>
>> anuj singh wrote:
>>
>>> Hello!
>>> Sorry for my incomplete question.
>>> my providers list has this entry
>>> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
>>> ISP1  1      1    main      eth0      DETECT  -
>>> ISP2  2      2    main      eth2      DETECT  -
>>>

You really should be using track and balance as options here. There should be a copy column for the later versions of shorewall. What version of shorewall is this?

>>> My eth0 is connected to a server with masquerading enabled.
>>> (eth0= 192.192.192.10)
>>> and my eth2 is connected to another ISP
>>> (eth2=172.16.6.49)
>>> my eth1 is connected to another LAN
>>> (eth1=192.168.1.1)
>>>
>>> Shorewall starts without any error when I have my:
>>> default gateway=192.192.192.10
>>>
>>
>> If you know what the gateway is and the gateway is not assigned by dhcp
>> or pppd, USE THAT GATEWAY ADDRESS.
>>

I guess that I should have expanded that a little bit further: don't use DETECT, use the gateway address. Only use DETECT if your interface uses dhcp, pppd or pppoe.

Jerry
Hello!
I am using Shorewall version 3.1.2 on Fedora Core 4.
Now it is running without any error!
I need some more help ....
I have 4 zones (including the default fw):

zones
fw    firewall
loc   ipv4
net   ipv4
inet  ipv4

interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   eth0      detect
loc   eth1      detect
inet  eth2      detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

providers
ISP1  1  1  main  eth2  192.168.1.2     track,balance  eth1
ISP2  2  2  main  eth0  192.192.192.10  track,balance  eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

masq
eth0  eth1
eth2  192.192.192.221

My rules file
ACCEPT     fw                   net
ACCEPT     fw                   loc
ACCEPT     fw                   inet
ACCEPT     loc                  net
ACCEPT     loc                  fw
REDIRECT   net                  8080             tcp   80
REDIRECT   net:192.192.192.11   8080             tcp   80
REDIRECT   net:192.192.192.118  8080             tcp   80
ACCEPT     net:192.192.192.118  fw               tcp   443
ACCEPT     net:192.192.192.11   fw               tcp   443
ACCEPT     net:192.192.192.221  inet
ACCEPT     loc                  fw               icmp  8
DNAT:info  net                  loc:192.168.1.2  tcp   80
DNAT:info  net                  loc:192.168.1.2  tcp   22
DROP:info  all                  all

My policy file
fw    net   ACCEPT
fw    inet  ACCEPT
fw    loc   ACCEPT
loc   net   ACCEPT
loc   inet  ACCEPT
inet  fw    DROP
inet  loc   DROP
inet  net   DROP    info
all   all   REJECT  info

I connected my firewall to
1: another system on the zone net (the network simulating my ISP1) where 192.192.192.10 is ISP1 and this system (test system with IP address 192.192.192.221 + its gateway is my firewall (192.192.192.15) + nameserver = MY ISP2 (zone=inet)
2: I connected another PC (zone loc, ip= 192.168.0.2, eth1)
3: My third NIC is connected to eth2 = (ISP2, IP=172.16.x.x)

From my firewall I can use both the ISPs (checked it after successful shorewall startup and disabling eth0 (ISP1) + traceroute command > it goes from ISP2, vice versa).

I set my default gw of fw to ISP2 = (172.16.x.x)
traceroute gives me the path of ISP2
while my local machine (on eth1), which I gave the ISP1's nameserver, goes as I wanted, i.e. through ISP1.

On the other hand my second machine is on the zone net with a different IP (192.192.192.221) + gateway = my fw (192.192.192.15) and nameserver = ISP2 gives me Unknown Host.

My tcdevices file
#INTERFACE IN-BANDWITH OUT-BANDWIDTH
eth1       5000kbit    500kbit
eth2       6000kbit    500kbit
eth0       7000kbit    700kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses file
#INTERFACE MARK RATE     CEIL     PRIORITY OPTIONS
eth0       1    100kbit  full     1        tcp-ack,tos-minimize-delay
eth0       2    100kbit  200kbit  2
eth0       3    full/3   full     3        default
eth1       1    100kbit  full     1        tcp-ack,tos-minimize-delay
eth1       2    100kbit  200kbit  2
eth1       3    full/3   full     3        default
eth2       1    100kbit  full     1        tcp-ack,tos-minimize-delay
eth2       2    100kbit  200kbit  2
eth2       3    full/3   full     3        default

tcrules file
#MARK  SOURCE           DEST         PROTO  PORT(S)  CLIENT   USER  TEST
#                                                     PORT(S)
225:P  192.192.192.221  192.168.1.2  -      -        -        -     -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

thanks and regards
Anuj

On 1/21/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> [quote of the previous message snipped]
anuj singh wrote:
> Hello!
> I am using Shorewall version 3.1.2 on Fedora Core 4.
>

You're now running the testing branch.

> Now it is running without any error!
> I need some more help ....

You need to slow down and apply some of the examples.

> I have 4 zones (including the default fw):
> zones
> fw    firewall
> loc   ipv4
> net   ipv4
> inet  ipv4
>
> interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net   eth0      detect
> loc   eth1      detect
> inet  eth2      detect

explanation below, change:
inet eth2 detect,routeback

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> providers
> ISP1  1  1  main  eth2  192.168.1.2     track,balance  eth1
> ISP2  2  2  main  eth0  192.192.192.10  track,balance  eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> masq
> eth0  eth1
> eth2  192.192.192.221
>

add:
eth2:192.192.192.221 192.192.192.15

> My rules file
> ACCEPT     fw                   net
> ACCEPT     fw                   loc
> ACCEPT     fw                   inet
> ACCEPT     loc                  net
> ACCEPT     loc                  fw
> REDIRECT   net                  8080             tcp   80
> REDIRECT   net:192.192.192.11   8080             tcp   80
> REDIRECT   net:192.192.192.118  8080             tcp   80
> ACCEPT     net:192.192.192.118  fw               tcp   443
> ACCEPT     net:192.192.192.11   fw               tcp   443
> ACCEPT     net:192.192.192.221  inet

That should cover the eth0 -> eth2, you may need eth0 -> eth0
ACCEPT net:192.192.192.221 net

> ACCEPT     loc                  fw               icmp  8
> DNAT:info  net                  loc:192.168.1.2  tcp   80
> DNAT:info  net                  loc:192.168.1.2  tcp   22
> DROP:info  all                  all
>
> My policy file
> fw    net   ACCEPT
> fw    inet  ACCEPT
> fw    loc   ACCEPT
> loc   net   ACCEPT
> loc   inet  ACCEPT
> inet  fw    DROP
> inet  loc   DROP
> inet  net   DROP    info
> all   all   REJECT  info
>
> I connected my firewall to
> 1: another system on the zone net (the network simulating my ISP1)
> where 192.192.192.10 is ISP1 and this system (test system with IP
> address 192.192.192.221 + its gateway is my firewall (192.192.192.15)
> + nameserver = MY ISP2 (zone=inet)

hold it, "where 192.192.192.10 is ISP1" "MY ISP2" = ISP2 in the providers file? Don't flip the names around like that....

> 2: I connected another PC (zone loc, ip= 192.168.0.2, eth1)
> 3: My third NIC is connected to eth2 = (ISP2, IP=172.16.x.x)
>

and eth2 is now what? that is not what is in the providers....

> From my firewall I can use both the ISPs (checked it after successful
> shorewall startup and disabling eth0 (ISP1) + traceroute command > it
> goes from ISP2, vice versa).
>
> I set my default gw of fw to ISP2 = (172.16.x.x)
> traceroute gives me the path of ISP2
> while my local machine (on eth1), which I gave the ISP1's nameserver,
> goes as I wanted, i.e. through ISP1.

What command are you using to change the gateway? That could really mess things up if you don't get that right; you're not using "route" are you?

> On the other hand my second machine is on the zone net with a
> different IP (192.192.192.221) + gateway = my fw (192.192.192.15) and
> nameserver = ISP2 gives me Unknown Host.

At this point I have no clue what ISP2 is referring to.. "nameserver=ISP2" is available through eth0 or eth2?

If the route to this server passes through 192.192.192.10, then you'll need what I posted above. As soon as you stop mixing up the files that you post and their examples, the clearer it becomes to the rest of us. Please use the support guidelines for your version as found on http://www.shorewall.net/support.html

Jerry
Hello Jerry!
I am testing with two internet providers:

Machine = Fedora Core 4
Shorewall version = 3.1.3

interfaces = eth0, eth1, eth2

zones
net (eth0, with IP = 192.192.192.15)
  Connects to another machine (already masqueraded, with local address = 192.192.192.10). I am using it as my ISP1.

loc (eth1, with IP = 192.168.0.1)
  I connected this ethernet to another PC (as my local zone, with IP = 192.168.0.2).
  Target: I want this machine to get routed (ONLY) through ISP1.

inet (eth2, with IP = 192.168.1.102)
  I connected this ethernet to another machine with IP = 192.168.1.2
  (This is my monowall machine, connected directly to another ISP and configured to allow all traffic from 192.168.1.102 (my Shorewall eth2, IP = 192.168.1.102) to WAN (nameserver = 172.16.6.49, gw = 172.16.6.49).
  Note: I am using it as my ISP2.

NOW I configured another test machine on the LAN (in my net zone, with IP address = 192.192.192.221).

I configured this test machine's default gateway by editing my /etc/sysconfig/network-scripts/ifcfg-eth0
I added one line:
GATEWAY=192.192.192.15

route -n gives me default gw = 192.192.192.15 (machine running shorewall), and I gave its /etc/resolv.conf
nameserver 172.16.6.49
nameserver 192.192.192.15
Target: I want this machine to use ONLY ISP2 via my Shorewall machine (192.192.192.15).

My local machine is getting routed via (on local zone machine with IP 192.168.0.2):
#traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  0.248 ms  0.192 ms  0.179 ms
 2  medmgmt-10.tajen.edu.tw (192.192.192.10)  0.265 ms  0.342 ms  0.276 ms
 3. My ISP1 and so on

But the other test machine, which resides in the net zone with IP (192.192.192.221), gives me "no route to host" though I configured it to use my shorewall machine (192.192.192.15) as its default gw and gave nameserver = 172.16.6.49, which is my ISP2 via the monowall machine!

thanks and regards
Anuj

On 1/24/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> [quote of the previous message snipped]
anuj singh wrote:
> Hello Jerry!
> I am testing with two internet providers:
>
> Machine = Fedora Core 4
> Shorewall version = 3.1.3
>
> interfaces = eth0, eth1, eth2
>
> zones
> net (eth0, with IP = 192.192.192.15)
>   Connects to another machine (already masqueraded, with
>   local address = 192.192.192.10). I am using it as my ISP1.
>
> loc (eth1, with IP = 192.168.0.1)
>   I connected this ethernet to another PC (as my local zone, with IP = 192.168.0.2).
>   Target: I want this machine to get routed (ONLY) through ISP1.
>
> inet (eth2, with IP = 192.168.1.102)
>   I connected this ethernet to another machine with IP = 192.168.1.2
>   (This is my monowall machine, connected directly to another ISP and
>   configured to allow all traffic from 192.168.1.102 (my Shorewall
>   eth2, IP = 192.168.1.102) to WAN (nameserver = 172.16.6.49,
>   gw = 172.16.6.49).
>   Note: I am using it as my ISP2.
>
> NOW I configured another test machine on the LAN (in my net zone, with
> IP address = 192.192.192.221).
>
> I configured this test machine's default gateway by editing my
> /etc/sysconfig/network-scripts/ifcfg-eth0
> I added one line:
> GATEWAY=192.192.192.15
>
> route -n gives me default gw = 192.192.192.15 (machine running
> shorewall), and I gave its /etc/resolv.conf
> nameserver 172.16.6.49
> nameserver 192.192.192.15
> Target: I want this machine to use ONLY ISP2 via my Shorewall machine
> (192.192.192.15).
>

OK, that cleared things up.

> My local machine is getting routed via (on local zone machine with IP
> 192.168.0.2):
> #traceroute tldp.org
> traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
>  1  192.168.0.1 (192.168.0.1)  0.248 ms  0.192 ms  0.179 ms
>  2  medmgmt-10.tajen.edu.tw (192.192.192.10)  0.265 ms  0.342 ms  0.276 ms
>  3. My ISP1 and so on
>
> But the other test machine, which resides in the net zone with IP
> (192.192.192.221), gives me "no route to host" though I configured it to
> use my shorewall machine (192.192.192.15) as its default gw and gave
> nameserver = 172.16.6.49,
> which is my ISP2 via the monowall machine!
>

Just a question: looks like you want to run a proxy for the 192.192.192.0/? network, do you want/need to have this proxy open to the rest of the internet? There is also a dnat entry for net2loc for port 80. What do you want to have work, squid (for just 192.192.192.0/? or the rest of the internet?) or the webserver that has the dnat rule?

Think you're trying to use shorewall's 2 isp support a little outside of its intended use. By default when you use track as an option, all inbound traffic is marked with the provider's mark from the providers file. There wouldn't be a routing table created to handle that type of isp1 <-> isp2 traffic. Try doing a "ip route ls table ISP1" and "ip route ls table ISP2" to see what I mean. I may be able to get this to work, but not without lots of trial and error, but I have no wish to spend all my time chasing other people's wants.

I think what you may need is another entry in the providers file to create a routing table for that traffic to use, and then use the tcrules file to mark the packets for use in that table, overwriting what would have been marked by the track option. In providers something like:

test 5 5 main eth2 192.168.1.2 - eth0

and in tcrules:

5:P 192.192.192.221 0.0.0.0/0 all

Are you checking your logs? If shorewall is blocking the traffic, the dropped traffic will get logged. This is where we need to see a shorewall dump. I'd prefer to see all the config files also. No dump, no more help.

Jerry
Hello Jerry!
First of all thanks a lot for your support!
I reinstalled shorewall and started everything from scratch:

OS=Fedora Core4
Shorewall Version=3.1.3
ethernet cards= 3

eth0 = net zone, with ip =192.192.192.15, Connected to another machine (via switch) "192.192.192.10" (this machine is a masquerading machine connected to my first ISP). I am using this machine (192.192.192.10) as my ISP1

eth1= zone loc, with ip 192.168.0.1. I connected my eth1 to my test machine2 (192.168.0.2) (directly with a cross cable).

eth2=zone inet, with ip 192.168.1.102. This eth2 is connected to test machine 2 (ip=192.168.1.2) with cross over cable (This machine is running monowall + Connected to ISP2, gw 172.16.0.1 + nameserver 172.16.6.49)
_________________________________________________________
At the moment my Firewall Machine is using both the ISPs:
I checked it with (after successful shorewall startup):
when all the ethernet cards are up.
#traceroute tldp.org
traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.301 ms 0.419 ms 0.220 ms
 2 :My ISP1 and so on

a: Disabled my ISP1 i.e. No connection to 192.192.192.15
#ifdown eth0
traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1 192.168.1.2 (192.168.1.2) 0.248 ms 0.363 ms 0.218 ms
 2 172.16.6.49 (172.16.6.49) 0.557 ms 0.566 ms 0.500 ms
 3 My ISP2 and so on.

b: Enabled my eth0 (connection is up for 192.192.192.15) and disabled my eth2 (connection to ISP2 (via 192.168.1.2) is down)
traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.447 ms 0.392 ms 0.373 ms
 2 ISP1 and so on
____________________________________________________
Question : When both ISPs are up i.e. eth0 and eth2 are up, sometimes my traceroute command shows me the routing path via ISP1 and sometimes via ISP2....while I have my default gw set to 192.168.1.2 (monowall machine)...why?
______________________________________________________
Now on my loc zone i.e. the machine (with ip 192.168.0.2) connected to eth1 (192.168.0.1). I gave it the gateway = my fw machine 192.168.0.1 and #/etc/resolv.conf has
nameserver= 4.2.2.2
nameserver=192.192.192.10
On this machine traceroute gives me the same routing path as I configured it to (via ISP1).
Output of traceroute on this machine (loc zone)
# traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1 192.168.0.1 (192.168.0.1) 0.233 ms 0.197 ms 0.142 ms
 2 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.339 ms 0.364 ms 0.302 ms
 3 MY ISP1 and so on
________________________________________________________
Now I configured another machine in the same way to use ONLY ISP2. This machine is with ip = 192.192.192.221
Point to note: This machine is from the net zone.
I gave it the default gw = my firewall machine i.e. 192.192.192.15 and nameserver = ISP2 (172.16.6.49)
a) I can ping the monowall machine (192.168.1.2)
b) I am able to get in to the login page of monowall from this machine.
#traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 30 hops max, 38 byte packets
 1 ws015.ltsp (192.192.192.15) 0.339 ms 0.267 ms 0.225 ms
 2 192.168.1.2 (192.168.1.2) 0.435 ms 0.295 ms 0.302 ms
 3 172.16.6.49 (172.16.6.49) 0.691 ms 0.648 ms 0.630 ms
 4 ISP2 and so on.
________________________________________________________
Ok cool now this is what I was trying to do .... currently both the machines are getting routed: the local zone machine (192.168.0.2) via ISP1 (192.192.192.10) and the second machine (192.192.192.221) via ISP2
_________________________________________________________
I need to fine-tune my tcrules and tcclasses files....frankly it will be a lot more helpful for me if you can provide me some basics..I have confusion in tcclasses and tcrules (mainly traffic shaping). My confusion is what is causing the control? Have to read the provided documentation with more concentration.
________________________________________________________
Now My configuration files (minimum)

zones:
    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4
    inet    ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

interfaces:
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0
    loc     eth1
    inet    eth2
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

providers:
    ############################################################################################
    #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
    ISP1    1       1       main        eth2        192.168.1.2     track,balance
    ISP2    2       2       main        eth0        192.192.192.10  track,balance
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy:
    ###############################################################################
    #SOURCE DEST    POLICY  LOG     LIMIT:BURST
    #                       LEVEL
    fw      all     ACCEPT
    loc     net     ACCEPT
    net     inet    ACCEPT
    inet    all     DROP    info
    all     all     DROP    info
    #LAST LINE -- DO NOT REMOVE

rules:
    #############################################################################################################
    #ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
    #                                   PORT    PORT(S) DEST        LIMIT   GROUP
    #SECTION ESTABLISHED
    #SECTION RELATED
    #SECTION NEW
    ACCEPT      fw      all
    REDIRECT    net     8080    tcp     80
    ACCEPT      fw      net     tcp     443
    ACCEPT      net     inet
    ACCEPT:info loc     net
    ACCEPT      loc     fw      tcp     22
    ACCEPT      loc     fw      icmp    8
    DROP        all     all
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcdevices:
    ###############################################################################
    #INTERFACE  IN-BANDWITH     OUT-BANDWIDTH
    eth0        6000kbit        500kbit
    eth2        6000kbit        500kbit
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses:
    ###############################################################################
    #INTERFACE  MARK    RATE    CEIL    PRIORITY    OPTIONS
    eth2        1       100kbit full    1           tcp-ack,tos-minimize-delay
    eth2        2       100kbit 200kbit 2
    eth2        3       full/3  full    3           default
    eth0        1       100kbit full    1           tcp-ack,tos-minimize-delay
    eth0        2       100kbit 200kbit 2
    eth0        3       full/3  full    3           default
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcrules:
    ###############################################################################
    #MARK   SOURCE              DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH
    #                                                           PORT(S)
    1:P     192.192.192.221     192.168.1.2     -       -       -       -       -       -
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

On 1/24/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> OK, that cleared things up.
>
> Just a question, looks like you want to run a proxy for the
> 192.192.192.0/? network, do you want/need to have this proxy open to the
> rest of the internet? There is also a dnat entry for net2loc for port
> 80. What do you want to have work, squid (for just 192.192.192.0/? or
> the rest of the internet?) or the webserver that has the dnat rule?
>
> I think you're trying to use shorewall's 2 ISP support a little outside of
> its intended use. By default when you use track as an option, all
> inbound traffic is marked with the providers mark from the providers file.
>
> There wouldn't be a routing table created to handle that type of isp1
> <-> isp2 traffic. Try doing a "ip route ls table ISP1" and "ip route ls
> table ISP2" to see what I mean.
>
> I may be able to get this to work, but not without lots of trial and
> error, but I have no wish to spend all my time chasing other people's
> wants.
>
> I think what you may need is another entry in the providers file to
> create a routing table for that traffic to use and then use the tcrules
> file to mark the packets for use in that table, overwriting what
> would have been marked by the track option, in providers something like:
>
> test 5 5 main eth2 192.168.1.2 - eth0
>
> and in tcrules:
> 5:P 192.192.192.221 0.0.0.0/0 all
>
> Are you checking your logs? If shorewall is blocking the traffic, the
> dropped traffic will get logged. This is where we need to see a
> shorewall dump. I'd prefer to see all the config files also. No dump, no
> more help.
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
===========Linux Rocks
Think you need to do some homework on policy routing.

> At the moment my Firewall Machine is using both the ISPs:
> I checked it with (after successful shorewall startup):
> when all the ethernet cards are up.
> #traceroute tldp.org
> traceroute tldp.org
> traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
>  1 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.301 ms 0.419 ms 0.220 ms
>  2 :My ISP1 and so on
>
> a: Disabled my ISP1 i.e. No connection to 192.192.192.15
> #ifdown eth0
> traceroute tldp.org
> traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
>  1 192.168.1.2 (192.168.1.2) 0.248 ms 0.363 ms 0.218 ms
>  2 172.16.6.49 (172.16.6.49) 0.557 ms 0.566 ms 0.500 ms
>  3 My ISP2 and so on.
>

Don't use ifup/ifdown here to test. When an interface is brought up or down, the stock network initscripts for your distro will tend to reset the advanced routing that shorewall has set up for you. When I was testing this, I'd pull the cable to the nic instead.

> b: Enabled my eth0 (connection is up for 192.192.192.15) and disabled
> my eth2 (connection to ISP2 (via 192.168.1.2) is down)
> traceroute tldp.org
> traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
>  1 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.447 ms 0.392 ms 0.373 ms
>  2 ISP1 and so on
> ____________________________________________________
> Question : When both ISPs are up i.e. eth0 and eth2 are up,
> sometimes my traceroute command shows me the routing path via ISP1 and
> sometimes via ISP2....while I have my default gw set to 192.168.1.2
> (monowall machine)...why?
> ______________________________________________________
>

You're playing around with advanced routing; don't use "route" here, you need to use "ip route ls" to check the gateways. When you have 2 gateways showing with "ip route ls" any client connections are free to use either interface as a source address.

> Now on my loc zone i.e. the machine (with ip 192.168.0.2) connected
> to eth1 (192.168.0.1).
> I gave it the gateway = my fw machine 192.168.0.1 and
> #/etc/resolv.conf has
> nameserver= 4.2.2.2
> nameserver=192.192.192.10
> On this machine traceroute gives me the same routing path as I
> configured it to (via ISP1).
> Output of traceroute on this machine (loc zone)
> # traceroute tldp.org
> traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
>  1 192.168.0.1 (192.168.0.1) 0.233 ms 0.197 ms 0.142 ms
>  2 medmgmt-10.tajen.edu.tw (192.192.192.10) 0.339 ms 0.364 ms 0.302 ms
>  3 MY ISP1 and so on
>
> ________________________________________________________
>
> Now I configured another machine in the same way to use ONLY ISP2.
> This machine is with ip = 192.192.192.221
> Point to note: This machine is from the net zone.
> I gave it the default gw = my firewall machine i.e. 192.192.192.15
> and nameserver = ISP2 (172.16.6.49)
> a) I can ping the monowall machine (192.168.1.2)
> b) I am able to get in to the login page of monowall from this machine.
>
> #traceroute google.com
> traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
> traceroute to google.com (72.14.207.99), 30 hops max, 38 byte packets
>  1 ws015.ltsp (192.192.192.15) 0.339 ms 0.267 ms 0.225 ms
>  2 192.168.1.2 (192.168.1.2) 0.435 ms 0.295 ms 0.302 ms
>  3 172.16.6.49 (172.16.6.49) 0.691 ms 0.648 ms 0.630 ms
>  4 ISP2 and so on.
>
> ________________________________________________________
> Ok cool now this is what I was trying to do .... currently both the machines
> are getting routed: the local zone machine (192.168.0.2) via ISP1 (192.192.192.10)
> and the second machine (192.192.192.221) via ISP2
> _________________________________________________________
> I need to fine-tune my tcrules and tcclasses
> files....frankly it will be a lot more helpful for me if you can
> provide me some basics..I have confusion in tcclasses and
> tcrules (mainly traffic shaping). My confusion is what is causing the
> control? Have to read the provided documentation with more
> concentration.
>

The tcrules file forms the basis of traffic control; read the notes in the file, and the docs.

> ________________________________________________________
> Now My configuration files (minimum)
> zones:
>     #ZONE   TYPE        OPTIONS     IN          OUT
>     #                               OPTIONS     OPTIONS
>     fw      firewall
>     net     ipv4
>     loc     ipv4
>     inet    ipv4
>     #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> interfaces:
>     #ZONE   INTERFACE   BROADCAST   OPTIONS
>     net     eth0
>     loc     eth1
>     inet    eth2
>     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> providers:
>     ############################################################################################
>     #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
>     ISP1    1       1       main        eth2        192.168.1.2     track,balance
>     ISP2    2       2       main        eth0        192.192.192.10  track,balance
>     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>

You're going to shoot yourself in the foot without using the COPY column here when you try to shape traffic originating from the firewall: you have one ISP in the other ISP's table. That is why I suggested that third entry in the providers file, to create a routing table for that traffic.

Jerry
It's not working again..... I am attaching the dump file

On 1/25/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> Think you need to do some homework on policy routing.
>
> Don't use ifup/ifdown here to test. When an interface is brought up or
> down, the stock network initscripts for your distro will tend to reset
> the advanced routing that shorewall has set up for you. When I was
> testing this, I'd pull the cable to the nic instead.
>
> You're playing around with advanced routing; don't use "route" here, you
> need to use "ip route ls" to check the gateways. When you have 2 gateways
> showing with "ip route ls" any client connections are free to use either
> interface as a source address.
>
> The tcrules file forms the basis of traffic control; read the notes in
> the file, and the docs.
>
> You're going to shoot yourself in the foot without using the COPY column
> here when you try to shape traffic originating from the firewall: you
> have one ISP in the other ISP's table. That is why I suggested that
> third entry in the providers file, to create a routing table for that
> traffic.
>
> Jerry
--
===========Linux Rocks
anuj singh wrote:
> It's not working again..... I am attaching the dump file
>

From the dump:

> Jan 25 23:57:40 FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.192.192.221 DST=72.14.207.99 LEN=38 TOS=0x00 PREC=0x00 TTL=14 ID=51584 PROTO=UDP SPT=32838 DPT=33479 LEN=18

> Chain tcpre (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MARK       all  --  *      *       192.192.192.221      192.168.1.2         MARK set 0x1
>

You're marking the packets for a destination of 192.168.1.2 only, while your target is 72.14.207.99. Change 192.168.1.2 to 0.0.0.0/0

Jerry
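Jerry's diagnosis came from one dropped-packet line in the dump: a packet from 192.192.192.221 that entered on eth0 and was about to leave on eth0 again, because the tcpre MARK rule only matched DST=192.168.1.2 and everything else fell through to the main table. As an added example, not part of the thread and not Shorewall code, here is a small Python checker that parses netfilter log lines of that shape and flags forwarded packets that did not leave on the interface the multi-ISP policy intends. The ROUTING_INTENT table and the second and third sample log lines are this example's own assumptions (constructed here); the first sample line is the DROP quoted from the dump.

```python
"""Audit Shorewall/netfilter log lines against a multi-ISP routing intent.

Added example for the thread above; not Shorewall's code and it does not read
Shorewall's own config files.  It answers one question per FORWARD log line:
did the packet leave on the interface the policy says its source should use?
"""
import ipaddress
import re

# Routing intent as stated in the thread, in this example's own form (an
# assumption, not a Shorewall file): 192.192.192.221 must go out eth2 towards
# the monowall box (ISP2); the loc network on eth1 must go out eth0 (ISP1).
ROUTING_INTENT = {
    "192.192.192.221/32": "eth2",
    "192.168.0.0/24": "eth0",
}

# Constructed sample log.  Line 1 is the DROP quoted from the dump in the thread;
# lines 2 and 3 are made up here: a compliant loc-zone packet, and an INPUT-chain
# line that the audit must ignore because it is not forwarded traffic.
SAMPLE_LOG = """\
Jan 25 23:57:40 FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.192.192.221 DST=72.14.207.99 LEN=38 TOS=0x00 PREC=0x00 TTL=14 ID=51584 PROTO=UDP SPT=32838 DPT=33479 LEN=18
Jan 25 23:58:02 FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=152.2.210.81 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=TCP SPT=41234 DPT=80
Jan 25 23:58:05 INPUT:DROP:IN=eth2 OUT= SRC=192.168.1.2 DST=192.168.1.102 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=1234 DPT=23
"""

# "CHAIN:DISPOSITION:IN=..." as Shorewall's log prefix lays it out; an optional
# "Shorewall:" in front is skipped because the search starts at the chain name.
LOG_RE = re.compile(r"(?P<chain>[A-Za-z0-9_]+):(?P<disposition>[A-Z]+):(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return {'chain', 'disposition', 'fields'} for a netfilter log line, else None.

    LEN appears twice (IP header, then UDP/ICMP payload); the first one is kept.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields.setdefault(key, value)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), "fields": fields}


def expected_out_iface(src_ip, intent=ROUTING_INTENT):
    """Interface assigned to src_ip by the most specific intent entry, or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for cidr, iface in intent.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def audit_forwarded(log_text, intent=ROUTING_INTENT):
    """One finding per FORWARD line whose OUT interface violates the intent.

    IN == OUT is called out separately: the packet is being sent back out the
    interface it arrived on, which means no mark steered it into the other
    provider's routing table and the main table picked its own default route.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["chain"] != "FORWARD":
            continue
        f = rec["fields"]
        want = expected_out_iface(f["SRC"], intent)
        if want is None or f.get("OUT") == want:
            continue
        if f.get("IN") == f.get("OUT"):
            reason = ("hairpin: left on the interface it arrived on, so the mark "
                      "did not steer it into the other provider's routing table")
        else:
            reason = "left via %s instead of %s" % (f.get("OUT"), want)
        findings.append({"src": f["SRC"], "dst": f["DST"], "in_if": f.get("IN"),
                         "out_if": f.get("OUT"), "disposition": rec["disposition"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_forwarded(SAMPLE_LOG):
        print("%(disposition)s %(src)s -> %(dst)s in=%(in_if)s out=%(out_if)s: %(reason)s"
              % finding)
```

Point it at /var/log/messages (or the log section of a shorewall dump) after a test from the client. A hairpin finding with IN and OUT equal is the signature of a MARK rule that never matched, which is exactly what the tcpre counter of 0 packets and the DST=192.168.1.2 restriction showed here.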