Mark Pavlichuk wrote:
> I've installed Shorewall 3.0.5 on a Debian Sarge box, and I'm
> attempting to route internet traffic through a couple of ISPs, and
> I've come up against some problems.
>
> The first is that one of my links is a pppoe connection to a wireless
> modem, and I can't configure it to have a static IP address...
> therefore I can't see how I can set up the two additional masq entries
> as per Tom Eastep's how-to on multiple internet connections.
Hello,
I have the same setup here so here is my config:
- File providers:
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
nerim   200     200   main       ppp0       detect   track,balance  eth2,eth3,eth4
n9uf    201     201   main       ppp1       detect   track,balance  eth2,eth3,eth4
- Masq file:
#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
$IFISP1     eth2    $IPISP1
$IFISP2     eth2    $IPISP2
$IFISP1     eth3    $IPISP1
$IFISP2     eth3    $IPISP2
$IFISP1     eth4    $IPISP1
$IFISP2     eth4    $IPISP2
- Interfaces file:
#ZONE  INTERFACE  BROADCAST  OPTIONS              GATEWAY
#
net    ppp0       detect     norfc1918,blacklist
net    ppp1       detect     norfc1918,blacklist
I use ppp interfaces as I connect via pppoe
- params file:
IFISP1=ppp0
IFISP2=ppp1
IPISP1=`find_interface_addresses ppp0 `
IPISP2=`find_interface_addresses ppp1 `
I guess this should be enough, if you need more info just ask.
Manuel
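An added example, not part of Manuel's post or of Shorewall itself: a small POSIX sh stand-in showing how the params-file approach above works, resolving the current address of a PPP link from "ip -4 addr" style text (Shorewall's own find_interface_addresses does the equivalent) and emitting masq entries for each LAN interface. The sample interface output and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the address of a PPPoE
# interface at start time, the way the params file above needs to, then
# emit the masq lines for every LAN interface.

# Constructed sample of "ip -4 addr show" output for two PPPoE links.
SAMPLE_IP_ADDR='2: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492
    inet 192.0.2.10 peer 192.0.2.1/32 scope global ppp0
3: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492
    inet 198.51.100.20 peer 198.51.100.1/32 scope global ppp1'

# iface_addr IFACE [TEXT]: print the IPv4 address bound to IFACE.
# With TEXT omitted it queries the live system via "ip -4 addr show".
iface_addr() {
    iface=$1
    text=${2:-$(ip -4 addr show dev "$iface" 2>/dev/null)}
    printf '%s\n' "$text" |
        awk -v dev="$iface" '$1 == "inet" && $NF == dev { sub("/.*", "", $2); print $2; exit }'
}

# masq_lines ISP_IFACE ISP_ADDR LAN_IFACES...: one masq entry per LAN
# interface, in the column order the masq file uses (INTERFACE SUBNET ADDRESS).
masq_lines() {
    isp=$1; addr=$2; shift 2
    for lan in "$@"; do
        printf '%-10s %-7s %s\n' "$isp" "$lan" "$addr"
    done
}

# Build the same six entries as the masq file above from the sample.
for isp in ppp0 ppp1; do
    masq_lines "$isp" "$(iface_addr "$isp" "$SAMPLE_IP_ADDR")" eth2 eth3 eth4
done
```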
> The second problem relates to CONNMARK (or something) and the 2.6.8
> kernel that ships with Sarge... The firewall config checked OK, but
> failed to build because of a problem with CONNMARK support (I think).
> Apologies for a vague description... the shorewall start log is
> overwritten, and the firewall machine is being used right now so I
> can't experiment with it anymore.
I just posted a HOWTO on updating the kernel to accommodate Multi-ISP,
repeated below.
I promised to post my summary of setting up a Centos 4.2 server kernel
to be able to use the Multi ISP features. I never got the IPSEC patches
in place so it is not complete but I don't need IPSEC anyway so I don't
care.
I installed Centos 4.2 Single Server disk. I don't see any reason to
bother with the multi disk setup since yum will add groups as needed.
Then I ran yum update and brought the server up to date.
I downloaded Shorewall 3.05 rpm and installed.
Since the object is to be able to use the Multi-ISP features, the stock
kernel is not adequate as it does not include the routing policy patch.
We download the 2.6.12 kernel to get the features we need.
# wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/kernel-2.6.12-1.1381_FC3.src.rpm
rpm -i kernel-2.6.12-1.1381_FC3.src.rpm
cd /usr/src/redhat/SPECS/
vi kernel.spec
%define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3%{rhbsys}
And change to
%define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3CM%{rhbsys}
So the kernel version is marked as yours.
# rpmbuild -bp --target=i686 kernel-2.6.spec
Copy the correct config file to .config
# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
# cp configs/kernel-2.6.12-i686-smp.config .config
Get iptables rpm
wget ftp://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/iptables-1.3.5-1.2.src.rpm
Get patch-o-matic
browse ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ , find and
download the tarball
tar -C /var/tmp -jxvf patch-o-matic-ng-20060224.tar.bz2
cd /var/tmp/patch-o-matic-ng-20060224/
Setup the patch-o-matic-ng environment
# KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12 \
IPTABLES_DIR=/usr/src/redhat/BUILD/iptables-1.3.5 \
./runme extra
Apply patch policy
This should have the necessary patches to the kernel source.
Copy the correct config file to .config
# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
# cp configs/kernel-2.6.12-i686-smp.config .config # or the right file for your config
# make oldconfig
(answer "m" to any changes)
build the kernel and modules
make all
install the modules into place /lib/modules
# make modules_install
install kernel
# make install
ll
Edit /boot/grub/grub.conf, you'll find that the kernel has already been
added, but the default=1 points to your previous kernel. Set default=0.
After the reboot, providing it does reboot, you should see the required
option:
# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
Note that you won't have ipsec without some additional patches.
After that, follow the Multi ISP tutorial at
http://www.shorewall.net/MultiISP.html
I find it wonderful for controlling which service uses which interface,
i.e., sending web browsing traffic out the cheaper ADSL connection and
saving dedicated links for voice.
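An added example, not from the HOWTO above or from Shorewall: a POSIX sh check that parses "shorewall show capabilities" output for the netfilter features the Multi-ISP setup depends on, so a kernel that still lacks CONNMARK support (the second problem in the thread) is caught before the firewall fails to compile. The required-capability list and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the kernel/iptables
# combination reports the capabilities Multi-ISP relies on.

# Capabilities assumed to be required, named as shorewall prints them.
REQUIRED='Packet Mangling
Connection Tracking Match
CONNMARK Target
Connmark Match'

# Constructed sample: a stock 2.6.8-style kernel without the connmark patches.
SAMPLE_CAPS='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Connection Tracking Match: Available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available'

# cap_state TEXT NAME: print the state reported for capability NAME.
cap_state() {
    printf '%s\n' "$1" |
        awk -F': ' -v n="$2" '{ sub(/^[ \t]+/, "", $1) } $1 == n { print $2; exit }'
}

# missing_caps [TEXT]: list required capabilities not reported as Available.
# Without TEXT it reads the live "shorewall show capabilities" output.
missing_caps() {
    text=${1:-$(shorewall show capabilities 2>/dev/null)}
    printf '%s\n' "$REQUIRED" | while IFS= read -r name; do
        [ "$(cap_state "$text" "$name")" = "Available" ] || printf '%s\n' "$name"
    done
}

# multiisp_ready [TEXT]: succeed only when nothing is missing.
multiisp_ready() {
    [ -z "$(missing_caps "$1")" ]
}

if multiisp_ready "$SAMPLE_CAPS"; then
    echo "Multi-ISP capabilities present"
else
    echo "Missing for Multi-ISP:"; missing_caps "$SAMPLE_CAPS"
fi
```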