I've been using Shorewall on an older box for 3 years and it has worked fabulously. But we've expanded to having 2 ISPs, so I'm building a new Fedora 6 firewall with Shorewall 3.4.2 and 4 NICs.

I'm having a problem with outgoing connections when I add the track option to my providers file. Here's my providers file:

# Shorewall version 3.4 - Providers File
#
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS        COPY
ISP1    1       1     main       eth2       216.x.y.33   track,balance  ETH0
ISP2    2       2     main       eth3       136.x.y.1    balance        ETH0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My interfaces are configured like this:
LAN  = ETH0 (10.0.0.0/24)
DMZ  = ETH1 (not used yet)
ISP1 = ETH2 (216.x.y.34/28)
ISP2 = ETH3 (136.x.y.2/25)

I have the following in my rules file
ACCEPT:info all all icmp
to allow all pings and log them.

I have nothing in my tcrules file.

The problem seems to be that if I use the track option in the providers file, I can't make any outgoing connections using that ISP. If I try to ping an external address that I know exists and the ping goes out ISP2 (ETH3), I get a reply back. If the ping goes out ISP1 (ETH2), the reply is stopped on its way back in and looks like it has been redirected back out ETH2 where it came from.

Here are the entries from syslog showing this:
May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296

I suspect I have missed something in my configuration. I've studied http://www.shorewall.net/MultiISP.html pretty hard and have not found the answer.
Any suggestions would be appreciated.

Thanks,
Grant Scheffert
Pantheon Computer Systems
507-835-2212

If all the human potential that's being directed towards creating and fighting spam went to science instead, we'd have a cure for cancer.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Grant Scheffert wrote:
> I'm having a problem with outgoing connections when I add the track
> option to my providers file.
<snip>
> If I try to ping an external address that I know exists and the ping
> goes out ISP2 (ETH3), I get a reply back. If the ping goes out ISP1 (ETH2),
> the reply is stopped on its way back in and looks like it has been
> redirected back out ETH2 where it came from.
<snip>

Where is your gateway pointing to? This is a routing problem, when testing with ICMP packets, I think. My tcrules has some entries to decide which line should get which traffic.

-- 
Kind regards,
Philipp Rusch
Grant Scheffert wrote:
> I'm having a problem with outgoing connections when I add the track
> option to my providers file.
<snip>
> I suspect I have missed something in my configuration. I've studied
> http://www.shorewall.net/MultiISP.html pretty hard and have not found
> the answer. Any suggestions would be appreciated.

Please submit a shorewall dump.

Jerry
Sorry, I should have done the dump the first time. You can see it here:
http://www.pantheon1.com/grant/shorewalldump.txt

Thanks,
Grant

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Thursday, May 24, 2007 7:56 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] MultiISP problems with the track option

> Please submit a shorewall dump.
>
> Jerry
Jerry Vonau wrote:
> Grant Scheffert wrote:
<snip>
>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS        COPY
>> ISP1    1       1     main       eth2       216.x.y.33   track,balance  ETH0
>> ISP2    2       2     main       eth3       136.x.y.1    balance        ETH0
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>> My interfaces are configured like this:
>> LAN  = ETH0 (10.0.0.0/24)
>> DMZ  = ETH1 (not used yet)
>> ISP1 = ETH2 (216.x.y.34/28)
>> ISP2 = ETH3 (136.x.y.2/25)
<snip>
> Please submit a shorewall dump.

The only thing that jumps out from your dump, other than eth3 differing from the above info:

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       10.0.0.0/24          0.0.0.0/0
    0     0 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain eth3_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       10.0.0.0/24          0.0.0.0/0
    0     0 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0

Past experience tells me you should be using SNAT here. Have another look at the example on the MultiISP page; your masq file entries need to use the third column to set a SNAT entry here.

Jerry
I adjusted the masq file as Jerry suggested, but I'm still getting the same symptoms.

The last thing I have tried was to restart shorewall, then immediately send a single ping that failed (as described in the original post below) through the firewall, and then ran the dump. This way I believe that the only packet counts are from the 1 failed packet. I tried to extract what's going on with the counters, but haven't been able to draw any conclusions except that I think it's in the MANGLE table. Does this help anyone more?

Sorry, the addresses changed a bit on ETH2 and ETH3 because I removed the box from the live connections and have created a mock setup with slightly different addresses.

Thanks,
Grant

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Thursday, May 24, 2007 10:08 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] MultiISP problems with the track option

<snip>
> Past experience tells me you should be using SNAT here. Have another
> look at the example on the MultiISP page; your masq file entries need
> to use the third column to set a SNAT entry here.
>
> Jerry

------------------------------------------------------------------------
Original Post
<snip>
Grant Scheffert wrote:
> I adjusted the masq file as Jerry suggested, but I'm still getting the
> same symptoms.
<snip>
>>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS        COPY
>>> ISP1    1       1     main       eth2       216.x.y.33   track,balance  ETH0
>>> ISP2    2       2     main       eth3       136.x.y.1    balance        ETH0
>>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I overlooked this.... ETH0 needs to be in lower case here; the providers' routing tables (Table ISP1, Table ISP2) don't have a route to eth0!!

Hope that is the fix.....

Jerry
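A check for the two things this thread turned on, as an added example that is not from the thread or from Shorewall itself: a lint of the providers file that flags an INTERFACE or COPY name whose case does not match a kernel interface (the ETH0 versus eth0 mistake Jerry spotted), and a scan of the three posted syslog lines for the reply-hairpin symptom (a DROP whose IN and OUT are the same provider interface). The interface set and the providers text are constructed from the thread; the column layout assumed is the Shorewall 3.4 one quoted above, and the claim that the names are matched as-is against kernel device names is the assumption the lint rests on.

```python
import re

# Interfaces the kernel has (`ip link` on a real box); constructed for the thread's 4-NIC box.
KERNEL_IFACES = {"eth0", "eth1", "eth2", "eth3"}

# Constructed copy of the providers file as posted (COPY column reads ETH0).
PROVIDERS_AS_POSTED = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY    OPTIONS       COPY
ISP1  1      1    main      eth2      216.x.y.33 track,balance ETH0
ISP2  2      2    main      eth3      136.x.y.1  balance       ETH0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# The three syslog lines from the original post, verbatim.
SYSLOG = [
    "May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040",
    "May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296",
    "May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296",
]

def parse_providers(text):
    """One dict per provider line; '#' comments (including the header) are skipped."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 7:
            raise ValueError(f"short providers line: {raw!r}")
        rows.append({"name": fields[0], "iface": fields[4], "gateway": fields[5],
                     "options": set(fields[6].split(",")),
                     "copy": fields[7].split(",") if len(fields) > 7 else []})
    return rows

def lint_interfaces(rows, ifaces):
    """Flag INTERFACE/COPY names that are not kernel interfaces: 'ETH0' is a
    different name from 'eth0', so the provider tables get no route to the LAN."""
    problems = []
    for r in rows:
        for col, names in (("INTERFACE", [r["iface"]]), ("COPY", r["copy"])):
            for n in names:
                if n in ifaces:
                    continue
                hint = f", did you mean {n.lower()!r}?" if n.lower() in ifaces else ""
                problems.append(f"{r['name']}: {col} {n!r} is not a kernel interface{hint}")
    return problems

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

def hairpin_drops(lines, provider_ifaces):
    """(chain, iface, src, dst) for each DROP whose IN and OUT are the same provider
    interface: a reply routed straight back out, the thread's third log line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["disp"] != "DROP":
            continue
        kv = dict(re.findall(r"(\w+)=(\S*)", m["rest"]))
        if kv.get("IN") == kv.get("OUT") and kv.get("IN") in provider_ifaces:
            hits.append((m["chain"], kv["IN"], kv.get("SRC"), kv.get("DST")))
    return hits
```

Running lint_interfaces on the posted file reports both ETH0 entries with the eth0 hint, and the same text with ETH0 replaced by eth0 reports nothing; hairpin_drops picks out only the FORWARD:DROP line with IN=eth2 OUT=eth2.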
That solved it. Thanks a million, Jerry!

Thanks,
Grant

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Friday, May 25, 2007 7:08 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] MultiISP problems with the track option

<snip>
> I overlooked this.... ETH0 needs to be in lower case here; the providers'
> routing tables (Table ISP1, Table ISP2) don't have a route to eth0!!
>
> Hope that is the fix.....
>
> Jerry

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users