Leandro wrote:
> I have 2 ISPs and I can't reach the web server in the DMZ by "ISP1".
> It seems to be a routing problem because when I change the default gateway,
> it works and then I can't reach it by "ISP2".
> How can I resolve the problem?
> (I think that shorewall 3.2.9 doesn't need an extra rule/route by iproute2)
>

Don't use "route", you can't view the multi-path gateways that might be
present; use "ip route" to view the advanced routing tables.

You need to have both gateways active, you're missing something...

>
> /etc/shorewall/zones
> fw      firewall
> lan     ipv4
> dmz     ipv4
> inet    ipv4
>
>
> /etc/shorewall/interfaces
> lan     eth0    detect  tcpflags
> dmz     eth1    detect  tcpflags
> inet    eth2    detect  tcpflags,blacklist,norfc1918,routefilter,nosmurfs
> inet    eth3    detect  tcpflags,blacklist,norfc1918,routefilter,nosmurfs
>
>
> /etc/shorewall/route_rules
> eth2    -       ISP1    1000
> eth3    -       ISP2    1000
>
>

Here it is...

> /etc/shorewall/providers
> ISP1    1    1    main    eth2    200.41.28.225     track    eth0,eth1
> ISP2    2    2    main    eth3    200.43.134.254    track    eth0,eth1
>

You need to use "balance" here, to set up the multi-path gateways.
Try "track,balance".

> /etc/shorewall/params
> INET1_IP=200.41.28.229
> INET2_IP=200.43.134.7
> DMZ_SERVER1_IP=192.168.0.2
>
>
> /etc/shorewall/rules
> DNAT    inet:eth2    dmz:$DMZ_SERVER1_IP:80    tcp    http    -    $INET1_IP
> DNAT    inet:eth3    dmz:$DMZ_SERVER1_IP:80    tcp    http    -    $INET2_IP
>
>
> # uname -a
> Linux fw 2.6.11-prep #1 Fri Jun 24 10:11:31 ART 2005 i686 athlon i386 GNU/Linux
> # cat /etc/fedora-release
> Fedora Core release 3 (Heidelberg)
> # shorewall version
> 3.2.9 (shorewall-3.2.9-4.noarch.rpm)

You rolled your own kernel, hope you didn't miss anything that may be needed.

Jerry

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
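The check Jerry is asking for with "ip route", written out as an added example (it is not from the thread nor from the Shorewall project): for each provider it confirms that the provider's own routing table carries a default route via the provider's gateway on the provider's interface, and that an "ip rule" sends packets carrying the provider's fwmark to that table. The routing-table and rule text it parses is constructed sample output embedded in the script, modelled on the ISP1/ISP2 providers entries above and with ISP2's default route deliberately missing, so it runs without the ip tool; the table names ISP1/ISP2 are assumed to have been registered in /etc/iproute2/rt_tables, as Shorewall does for providers.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Given the text that
# `ip route show table <provider>` and `ip rule show` print, confirm that each
# Shorewall provider has (a) a default route via its gateway on its interface in
# its own table and (b) an `ip rule` sending packets marked with the provider's
# mark to that table. Missing either gives the "only one ISP works" symptom.

# Constructed sample: what `ip route show table ISP1` might print for the
# providers entry "ISP1 1 1 main eth2 200.41.28.225".
ISP1_TABLE='200.41.28.224/29 dev eth2 scope link src 200.41.28.229
default via 200.41.28.225 dev eth2'

# Constructed sample for ISP2 with the default route missing (the failure mode).
ISP2_TABLE='200.43.134.0/24 dev eth3 scope link src 200.43.134.7'

# Constructed sample of `ip rule show` (table names assumed to be resolvable
# through /etc/iproute2/rt_tables).
RULES='0:      from all lookup local
1000:   from all fwmark 0x1 lookup ISP1
1000:   from all fwmark 0x2 lookup ISP2
1000:   from 200.41.28.229 lookup ISP1
1000:   from 200.43.134.7 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default'

# table_has_default TABLE_TEXT GATEWAY IFACE
# Returns 0 if TABLE_TEXT contains the line "default via GATEWAY dev IFACE".
table_has_default() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        $1 == "default" && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
        END { exit found ? 0 : 1 }'
}

# rule_for_mark RULES_TEXT MARK TABLE
# Returns 0 if RULES_TEXT contains a "from all fwmark MARK lookup TABLE" rule.
rule_for_mark() {
    printf '%s\n' "$1" | awk -v mark="$2" -v tbl="$3" '
        $2 == "from" && $3 == "all" && $4 == "fwmark" && $5 == mark && $6 == "lookup" && $7 == tbl { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_provider NAME MARK IFACE GATEWAY TABLE_TEXT RULES_TEXT
# Prints one line per problem (or "NAME: ok"); returns 0 only if both checks pass.
check_provider() {
    name=$1; mark=$2; iface=$3; gw=$4; table=$5; rules=$6
    status=0
    if ! table_has_default "$table" "$gw" "$iface"; then
        echo "$name: table $name has no 'default via $gw dev $iface'"
        status=1
    fi
    if ! rule_for_mark "$rules" "$mark" "$name"; then
        echo "$name: no 'from all fwmark $mark lookup $name' rule"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$name: ok"
    fi
    return "$status"
}

# Stand-alone run over the constructed samples. On a live firewall, replace the
# samples with e.g. ISP1_TABLE=$(ip route show table ISP1) and RULES=$(ip rule show).
overall=0
check_provider ISP1 0x1 eth2 200.41.28.225  "$ISP1_TABLE" "$RULES" || overall=1
check_provider ISP2 0x2 eth3 200.43.134.254 "$ISP2_TABLE" "$RULES" || overall=1
echo "overall: $overall (0 = both providers have a usable table and rule)"
```

Run as given, ISP1 reports ok and ISP2 reports the missing default route, which is exactly the situation in which DNAT'd connections arriving on eth3 have no way back out of eth3 regardless of what the rules file says; the point of the two separate checks is to tell a missing table entry apart from a missing fwmark rule, since both show up as "one ISP doesn't work".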
I don't want to balance outgoing traffic; I only want incoming traffic to go
out by the same interface it came in on.

I've made my own kernel (based on the default kernel) because I need to compile
specific RAID support.

Regards.

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Monday, March 19, 2007 9:16 PM
Subject: Re: [Shorewall-users] 2 ISP problem

> Don't use "route", you can't view the multi-path gateways that might be
> present; use "ip route" to view the advanced routing tables.
>
> You need to have both gateways active, you're missing something...
> [...]
> You need to use "balance" here, to set up the multi-path gateways.
> Try "track,balance".
> [...]
> You rolled your own kernel, hope you didn't miss anything that may be needed.
>
> Jerry
Sorry for the delay in responding, family issues..

Leandro wrote:
> I don't want to balance outgoing traffic; I only want incoming traffic to go
> out by the same interface it came in on.
>

From my experience, without "balance" nothing works right... Having said
that, you could then give your preferred ISP a higher priority on the
outbound with the weight= option.

> I've made my own kernel (based on the default kernel) because I need to
> compile specific RAID support.
>
> Regards.
>

Just an observation.

Jerry
Jerry Vonau wrote:
> ...
> Leandro wrote:
>> I don't want to balance outgoing traffic; I only want incoming traffic to go
>> out by the same interface it came in on.
>>
>
> From my experience, without "balance" nothing works right... Having said
> that, you could then give your preferred ISP a higher priority on the
> outbound with the weight= option.

And you can use tcrules to ensure that certain traffic goes out certain
interfaces (e.g. SMTP out one interface, HTTP out the other).

--
Paul <http://paulgear.webhop.net>
--
Did you know? OpenOffice.org has built-in PDF creation. Better yet, it's
compatible with Microsoft Office, and free! Find out more at
<http://www.openoffice.org>.
Why have you said that I need "balance"? I only need "track", so that incoming
connections go out through the same interface they came in on. With
"balance"... what happens if one ISP is down?

I tried with Fedora Core 6 and the default kernel compilation, and I've got the
same problem.

# uname -a
Linux fw.jfsecco.com.ar 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 athlon i386 GNU/Linux

I think the problem is that I use 2 ISPs and I try to reach a server in the DMZ
(DNAT) through both ISPs.

----- Original Message -----
From: "Leandro" <llattan2002@yahoo.com.ar>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, March 20, 2007 8:32 AM
Subject: Re: [Shorewall-users] 2 ISP problem

> I don't want to balance outgoing traffic; I only want incoming traffic to go
> out by the same interface it came in on.
> [...]
Leandro wrote:
> I have 2 ISPs and I can't reach the web server in the DMZ by "ISP1".
> It seems to be a routing problem because when I change the default gateway,
> it works and then I can't reach it by "ISP2".
> How can I resolve the problem?
>

This is Shorewall FAQ #57.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key