OK so I've read all the docs possible I can find, and I still can't get things working :-(
shorewall 3.4.1
CentOS Linux 2.6.20.3
iptables 1.3.7
Quick summary:
eth0 : internal interface for various 192.168 networks
       firewall host IPs on the 192 nets (default gateways for client subnets)
eth1 : admin interface, 10.x traffic
eth2 : ISP1, with both a /25 and a /24 routed here (trying setup so far just with the single /25)
       firewall host IP of 204.13.166.253
eth3 : ISP2, with a /25
       firewall host IP of 69.90.133.125
The problem:
- as soon as I add entries in the providers and either route_rules or tcrules files, I get log messages like this:
Mar 25 22:19:02 fw kernel: SW:FORWARD:1:REJECT:IN=eth2 OUT=eth2 SRC=204.13.165.37 DST=192.168.1.50 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=44337 DF PROTO=TCP SPT=36649 DPT=22 WINDOW=49640 RES=0x00 SYN URGP=0
If I remove the 2nd ISP, and comment out the providers/etc entries, all
works wonderfully. Quick check of iptables rules shows the rules are
identical in both situations, so I assume there must be something wonky
with the routing table entries, which look like this:
ip route :
192.168.1.48/28 dev eth1 proto kernel scope link src 192.168.1.49
192.168.1.64/28 dev eth1 proto kernel scope link src 192.168.1.65
69.90.133.0/25 dev eth3 proto kernel scope link src 69.90.133.125
204.13.166.128/25 dev eth2 proto kernel scope link src 204.13.166.253
192.168.168.0/24 dev eth1 scope link
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.7
default
        nexthop via 204.13.166.129 dev eth2 weight 1
        nexthop via 69.90.133.1 dev eth3 weight 1
ip rule :
0: from all lookup local
1000: from 204.13.166.128/25 iif eth2 lookup ISP1
1000: from 69.90.133.0/24 iif eth3 lookup ISP2
10001: from all fwmark 0x1 lookup ISP1
10003: from all fwmark 0x3 lookup ISP2
20000: from 204.13.166.253 lookup ISP1
20001: from 204.13.166.251 lookup ISP1
20002: from 204.13.166.252 lookup ISP1
20512: from 69.90.133.125 lookup ISP2
20513: from 69.90.133.120 lookup ISP2
32766: from all lookup main
32767: from all lookup default
Or more likely I am just totally lost and confused....!
capabilities :
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Not available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Not available
Address Type Match: Available
params:
ADMIN=eth0
INT=eth1
ISP1=eth2
ISP2=eth3
hosts:
#ZONE HOST(S) OPTIONS
net $ISP1:0.0.0.0/0 tcpflags
net $ISP2:0.0.0.0/0 tcpflags
int $INT:0.0.0.0/0
c148 $INT:192.168.1.48/28 tcpflags,routeback
c164 $INT:192.168.1.64/28 tcpflags,routeback
admin $ADMIN:10.0.0.0/8 tcpflags
interfaces :
#ZONE INTERFACE BROADCAST OPTIONS
- $ISP1 detect tcpflags,routefilter,nosmurfs,logmartians
- $ISP2 detect tcpflags,routefilter,nosmurfs,logmartians
- $INT detect tcpflags,detectnets,nosmurfs
- $ADMIN 10.255.255.255
nat:
#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
204.13.166.252 $ISP1 192.168.1.50 Yes No
69.90.133.120 $ISP2 192.168.1.66 Yes No
policy:
all net ACCEPT
int admin REJECT info
int $FW REJECT info
int all REJECT info
# Policies for traffic originating from the firewall ($FW)
$FW net ACCEPT
$FW admin ACCEPT
$FW int ACCEPT
$FW all ACCEPT
# Policies for traffic originating from the admin Zone
admin net ACCEPT
admin $FW ACCEPT
admin int ACCEPT
admin all ACCEPT
# Policies for traffic originating from the Internet zone (net)
net admin DROP info
net $FW DROP info
net int DROP info
net all DROP info
all all REJECT info
rules:
DNS/ACCEPT $FW net
DNS/ACCEPT int net
DNS/ACCEPT admin net
SSH/ACCEPT net $FW
SSH/ACCEPT $FW int
SSH/ACCEPT admin $FW
SSH/ACCEPT admin int
# allow temporarily for testing purposes
ACCEPT net $FW icmp 8 - - 1/sec
ACCEPT net int icmp 8 - - 1/sec
ACCEPT int $FW icmp 8 - - 1/sec
Ping/ACCEPT int net
#
ACCEPT $FW net icmp
ACCEPT $FW int icmp
ACCEPT $FW admin icmp
#
ACCEPT admin int icmp
ACCEPT admin net icmp
ACCEPT admin $FW icmp
#
#------------------------------------------------------------------------------
# ISP1
DNAT all+- c148:192.168.1.50 tcp 80 - 204.13.166.252
DNAT all+- c148:192.168.1.50 tcp 22 - 204.13.166.252
DNAT all+- c148:192.168.1.50 icmp 8 - 204.13.166.252
#------------------------------------------------------------------------------
# ISP2
DNAT all+- c164:192.168.1.66 tcp 80 - 69.90.133.120
DNAT all+- c164:192.168.1.66 tcp 22 - 69.90.133.120
DNAT all+- c164:192.168.1.66 icmp 8 - 69.90.133.120
#------------------------------------------------------------------------------
providers:
ISP1 1 1 main $ISP1 204.13.166.129 track,balance none
ISP2 3 3 main $ISP2 69.90.133.1 track,balance none
route_rules:
$ISP1:204.13.166.128/25 - ISP1 1000
#$ISP1:216.18.236.0/24 - ISP1 1000
$ISP2:69.90.133.0/24 - ISP2 1000
tcrules (tried with both this and route_rules, no diff):
#1:P $INT:192.168.1.48/28 0.0.0.0/0 all
#3:P $INT:192.168.1.64/28 0.0.0.0/0 all
Pointers to the obvious most appreciated...!!
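An added example, not part of the original post and not Shorewall's own code: a small Python parser for netfilter LOG lines of the kind quoted above, which pulls the IN/OUT interfaces, addresses, protocol and port out of each entry and flags forwarded packets that were about to leave on the same interface they arrived on (IN == OUT), which is the symptom shown in the post. It assumes the log prefix is laid out as tag:chain:rulenum:disposition, as in "SW:FORWARD:1:REJECT:"; the first sample line is the one quoted in the post, the remaining sample lines are constructed for illustration.

```python
"""Parse netfilter LOG lines as emitted via Shorewall and flag hairpin forwards.

Added example, not from the original post. Assumption: the log prefix is
tag:chain:rulenum:disposition (matches the posted "SW:FORWARD:1:REJECT:").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample. Line 1 is the line quoted in the post; lines 2-4 are made
# up to show a normal forward, an INPUT-side drop and an unrelated kernel line.
SAMPLE_LOG = """\
Mar 25 22:19:02 fw kernel: SW:FORWARD:1:REJECT:IN=eth2 OUT=eth2 SRC=204.13.165.37 DST=192.168.1.50 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=44337 DF PROTO=TCP SPT=36649 DPT=22 WINDOW=49640 RES=0x00 SYN URGP=0
Mar 25 22:19:05 fw kernel: SW:net2int:4:DROP:IN=eth2 OUT=eth1 SRC=204.13.165.37 DST=192.168.1.50 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=44338 DF PROTO=TCP SPT=36650 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
Mar 25 22:19:09 fw kernel: SW:net2fw:2:DROP:IN=eth3 OUT= SRC=198.51.100.7 DST=69.90.133.125 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=40000 DPT=161 LEN=40
Mar 25 22:19:10 fw kernel: unrelated message that is not a netfilter log
"""

# Everything between "kernel: " and the first "IN=" is the LOG prefix.
_KERNEL_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<fields>.*)$")


@dataclass
class NetfilterLogEntry:
    raw: str
    tag: Optional[str]
    chain: Optional[str]
    rulenum: Optional[int]
    disposition: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: Set[str] = field(default_factory=set)          # bare tokens: DF, SYN, ...

    @property
    def in_iface(self) -> str:
        return self.fields.get("IN", "")

    @property
    def out_iface(self) -> str:
        return self.fields.get("OUT", "")  # empty for INPUT-side (local) traffic

    def is_hairpin(self) -> bool:
        """Forwarded packet whose chosen egress is the interface it arrived on.

        That combination means the routing lookup for DST selected the ingress
        interface, so the routing tables (not the filter rules) need a look."""
        return bool(self.in_iface) and self.in_iface == self.out_iface


def parse_line(line: str) -> Optional[NetfilterLogEntry]:
    """Return a parsed entry, or None if the line is not a netfilter LOG line."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    prefix_parts = m.group("prefix").strip().rstrip(":").split(":")
    tag = chain = disposition = None
    rulenum: Optional[int] = None
    if len(prefix_parts) == 4 and prefix_parts[2].isdigit():
        tag, chain, disposition = prefix_parts[0], prefix_parts[1], prefix_parts[3]
        rulenum = int(prefix_parts[2])
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in ("IN=" + m.group("fields")).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value  # a repeated key (e.g. UDP's second LEN) keeps the last value
        else:
            flags.add(tok)
    return NetfilterLogEntry(line, tag, chain, rulenum, disposition, fields, flags)


def parse_log(text: str) -> List[NetfilterLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def hairpin_forwards(entries: List[NetfilterLogEntry]) -> List[NetfilterLogEntry]:
    return [e for e in entries if e.is_hairpin()]


def summarize(entries: List[NetfilterLogEntry]) -> Dict[str, int]:
    """Count entries by chain, disposition, interface pair and protocol/port."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = (f"{e.chain}:{e.disposition}:{e.in_iface}->{e.out_iface or '(local)'}:"
               f"{e.fields.get('PROTO')}/{e.fields.get('DPT')}")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{n:4d}  {key}")
    for e in hairpin_forwards(parsed):
        print("hairpin:", e.fields["SRC"], "->", e.fields["DST"], "via", e.in_iface)
```

Run against a real /var/log/messages the summary groups rejects by chain and interface pair, so an IN=eth2 OUT=eth2 bucket stands out immediately from ordinary policy drops; the hairpin list then gives the exact SRC/DST pairs to feed into `ip route get` while checking the per-provider tables.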