I have squid running on the firewall. Traffic from the lan to port 80 is
redirected to port 8080 where squid deals with it. I want to send that
out provider 2:

    #MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
    #                                                       PORT(S)
    2       $FW             0.0.0.0/0       tcp     80

Is this the correct way to achieve this?

Chris
Chris Mason wrote:
> I have squid running on the firewall. Traffic from the lan to port 80 is
> redirected to port 8080 where squid deals with it. I want to send that
> out provider 2:
>
>     #MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
>     #                                                       PORT(S)
>     2       $FW             0.0.0.0/0       tcp     80
>
> Is this the correct way to achieve this?

I'm no expert in tc, but that looks right. Possible issues:

- any traffic not destined for port 80, which happens all too frequently.
- what you're doing with traffic marked 2 in your tcclasses

Paul
Paul Gear wrote:
> I'm no expert in tc, but that looks right.

It seems to be working. When I measure the traffic in iptraf, I see port 80
traffic on that interface.

> Possible issues:
> - any traffic not destined for port 80, which happens all too frequently.
> - what you're doing with traffic marked 2 in your tcclasses

I don't have any. I have not done anything with traffic shaping as I need
all port 80 to go eth1, at which point I don't care about priority, and all
VOIP to go eth0. I _would_ like to prioritize IAX2 (4569) over any other
traffic on eth0, but I have no idea how to do that.

Thanks for the input.

--
Chris Mason
NetConcepts
(264) 497-5670  Fax: (264) 497-8463
Int: (305) 704-7249  Fax: (815) 301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com
Paul Gear wrote:
> Chris Mason wrote:
>> I have squid running on the firewall. Traffic from the lan to port 80 is
>> redirected to port 8080 where squid deals with it. I want to send that
>> out provider 2:
>>
>>     #MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
>>     #                                                       PORT(S)
>>     2       $FW             0.0.0.0/0       tcp     80
>>
>> Is this the correct way to achieve this?

While this seems very successful, I am also trying to route ftp traffic
from the lan to external hosts using the second rule in tcrules:

    #MARK   SOURCE            DEST            PROTO   PORT(S) CLIENT  USER    TEST
    #                                                         PORT(S)
    2       $FW               0.0.0.0/0       tcp     80      # http goes out eth1
    2:P     192.168.200.0/24  0.0.0.0/0       tcp     21      # ftp

Connections are failing but there are no log entries. There is a connection
shown with shorewall show connections:

    tcp 6 3 SYN_SENT src=192.168.200.8 dst=207.22.194.3 sport=4117 dport=21 packets=3 bytes=144 [UNREPLIED] src=207.44.194.3 dst=69.57.237.118 sport=21 dport=4117 packets=0 bytes=0 mark=0 use=1

Any suggestions?

--
Chris Mason
NetConcepts
Chris Mason (Lists) wrote:
>
> Connections are failing but there are no log entries. There is a
> connection shown with shorewall show connections:
>
>     tcp 6 3 SYN_SENT src=192.168.200.8 dst=207.22.194.3 sport=4117
>     dport=21 packets=3 bytes=144 [UNREPLIED] src=207.44.194.3
>     dst=69.57.237.118 sport=21 dport=4117 packets=0 bytes=0 mark=0 use=1
>
> Any suggestions?

The above conntrack looks normal for an SNATed connection out of eth1 that
hasn't yet been replied to. Have you looked at this with Ethereal or
tcpdump?

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
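The conntrack entry above carries a mark field (here mark=0) and an [UNREPLIED] flag, which is exactly what you want to cross-check against the tcrules entries when a marked flow is not coming back. The script below is an added example, not part of this thread or of Shorewall: it parses tcrules lines in the MARK/SOURCE/DEST/PROTO/PORT(S) layout used above and lines in the format of `shorewall show connections`, then reports, per connection, the mark a matching tcrules entry would assign versus the mark conntrack actually recorded. The tcrules text, the second conntrack line and the firewall's public address list are constructed sample data; the FTP line is the one quoted in the thread.

```python
"""Cross-check Shorewall tcrules entries against conntrack output.

Added example (not from the thread or the Shorewall project).  Assumes the
tcrules columns MARK SOURCE DEST PROTO PORT(S) and conntrack lines in the
`shorewall show connections` format quoted in the thread.
"""
import ipaddress
import re

# Constructed sample tcrules, mirroring the two rules discussed in the thread.
TCRULES = """\
#MARK   SOURCE            DEST        PROTO   PORT(S)
2       $FW               0.0.0.0/0   tcp     80      # http goes out eth1
2:P     192.168.200.0/24  0.0.0.0/0   tcp     21      # ftp
"""

# Constructed sample conntrack output.  The first line is the FTP connection
# quoted in the thread; the second is a made-up, healthy proxied HTTP flow.
CONNTRACK = """\
tcp 6 3 SYN_SENT src=192.168.200.8 dst=207.22.194.3 sport=4117 dport=21 packets=3 bytes=144 [UNREPLIED] src=207.44.194.3 dst=69.57.237.118 sport=21 dport=4117 packets=0 bytes=0 mark=0 use=1
tcp 6 431999 ESTABLISHED src=69.57.237.118 dst=198.51.100.10 sport=33000 dport=80 packets=12 bytes=1500 src=198.51.100.10 dst=69.57.237.118 sport=80 dport=33000 packets=10 bytes=9000 [ASSURED] mark=2 use=1
"""

# Assumption: addresses that count as $FW (the firewall's own public address).
FW_ADDRESSES = ["69.57.237.118"]

KV = re.compile(r"(\w+)=(\S+)")


def parse_tcrules(text):
    """Return a list of rule dicts; comments and the header line are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments / header
        if not line:
            continue
        mark, src, dst, proto, port = line.split()[:5]
        rules.append({
            "mark": int(mark.split(":")[0]),     # "2:P" -> 2 (chain suffix ignored)
            "src": src, "dst": dst, "proto": proto, "port": int(port),
        })
    return rules


def parse_conntrack(text):
    """Return one dict per connection, using the original-direction tuple."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pairs = KV.findall(line)
        orig = {}
        for key, val in pairs:                   # first src/dst/… is original direction
            if key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = val
        mark = int(next((v for k, v in pairs if k == "mark"), "0"))
        conns.append({
            "proto": line.split()[0],
            "src": orig["src"], "dst": orig["dst"], "dport": int(orig["dport"]),
            "unreplied": "[UNREPLIED]" in line,
            "mark": mark,
        })
    return conns


def _addr_matches(spec, addr):
    if spec == "$FW":
        return addr in FW_ADDRESSES
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def expected_mark(rules, conn):
    """Mark the first matching tcrules entry would assign, or None."""
    for r in rules:
        if (r["proto"] == conn["proto"] and r["port"] == conn["dport"]
                and _addr_matches(r["src"], conn["src"])
                and _addr_matches(r["dst"], conn["dst"])):
            return r["mark"]
    return None


def audit(rules_text, conntrack_text):
    """Compare expected vs. recorded marks for every connection."""
    rules = parse_tcrules(rules_text)
    findings = []
    for c in parse_conntrack(conntrack_text):
        exp = expected_mark(rules, c)
        findings.append({
            "flow": f"{c['src']}->{c['dst']}:{c['dport']}/{c['proto']}",
            "expected": exp, "observed": c["mark"],
            "unreplied": c["unreplied"],
            "ok": exp is None or exp == c["mark"],
        })
    return findings


if __name__ == "__main__":
    for f in audit(TCRULES, CONNTRACK):
        status = "OK      " if f["ok"] else "MISMATCH"
        print(f"{status} {f['flow']} expected={f['expected']} "
              f"observed={f['observed']} unreplied={f['unreplied']}")
```

Run against the sample data it flags the FTP flow (expected mark 2, recorded mark 0, still unreplied) and passes the HTTP flow. One caveat when reading the output: the mark conntrack shows is the connection mark, which Shorewall only writes when it is told to save marks to the connection (for example a tracked provider, or SAVE in tcrules); a packet-only mark never appears there, so a recorded 0 narrows the search but does not by itself prove the tcrules entry never matched.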
Tom Eastep wrote:
> The above conntrack looks normal for an SNATed connection out of eth1
> that hasn't yet been replied to. Have you looked at this with Ethereal
> or tcpdump?
>
> -Tom

# shorewall show connections.

--
Chris Mason
NetConcepts