Hi all,

I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway setup for my office. Routing is enabled only for a few hosts and all users access the internet thru squid, which is running on the shorewall box. I have a few other services on this box and some others on another server, but they don't matter for what I need.

Quick and dirty schematics to illustrate (and let's hope gmail doesn't screw it up). Probably not needed, but it won't hurt:

wan (eth1) -------- shorewall (eth0) -------- lan
(fixed ip)          10.0.0.1                  10.0.0.0/24

I currently have a 600/600 kbps "corporate" internet connection (a fancy name for a cable modem with fixed ip) and my bandwidth needs are becoming bigger and bigger, so I signed up for another internet link (another cable modem, now a "residential" one with dynamic ip, essentially the same as the other) which is 2000/300 kbps, which I plan to use for the users' internet usage (Squid) only. This 2nd internet link, however, won't be connected to shorewall but to a simple wifi soho router (a linksys one running dd-wrt). So, I need to route all traffic from squid to this linksys router.

Another schematics try for the new scenario:

wan -------- shorewall -------- lan
(fixed ip)   10.0.0.1           10.0.0.0/24
                \ squid only      |
                 \----------\     |
                             \    |
wan2 ------------------------- linksys
(dyn ip)                       10.0.0.2

I have googled for a while and found out that I need to use packet marking to achieve what I need; basically mark each squid packet with an identifier and route them accordingly. I found the following instructions with iptables commands which happen to do the job:

    I would use another approach in 'marking' squid packets, it could be done with a single rule:

    iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1

    Now just add these two commands to define the new routing table.

    /sbin/ip rule add fwmark 0x1 table 101 pref 101
    /sbin/ip route add default via 10.0.0.2 dev eth0 table 101

    To make changes permanent (after everything is tested and working ok):

    iptables-save > /etc/sysconfig/iptables

    edit /etc/iproute2/rt_tables and add a line:

    101 squid

    then create 2 files 'route-eth0' and 'rule-eth0' (that's a RedHat approach to handle complex routing, that should also work on CentOS):

    /etc/sysconfig/network-scripts/rule-eth0:
    fwmark 0x1 table 101 pref 1000

    /etc/sysconfig/network-scripts/route-eth0:
    default via 10.0.0.2 dev eth0 table 101

So, my problem is how do I translate those commands into shorewall configuration? I tried looking at the Multi ISP doc but it mentions having both ISPs on the same box, which is not my case, so I'm not sure if I need to mess with /etc/shorewall/providers and such.

I hope I made myself clear enough but if anyone has doubts, please ask. All replies are greatly appreciated.

Thanks!

Gustavo

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Gustavo Michels wrote:
> Hi all,
>
> I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway
> setup for my office. Routing is enabled only for a few hosts and all
> users access the internet thru squid, which is running on the shorewall
> box. I have a few other services on this box and some others on another
> server, but they don't matter for what I need.
>
> Quick and dirty schematics to illustrate (and let's hope gmail doesn't
> screw it up). Probably not needed, but it won't hurt:
>
> wan (eth1) -------- shorewall (eth0) -------- lan
> (fixed ip)          10.0.0.1                  10.0.0.0/24
>
> I currently have a 600/600 kbps "corporate" internet connection (a fancy
> name for a cable modem with fixed ip) and my bandwidth needs are
> becoming bigger and bigger, so I signed up for another internet link
> (another cable modem, now a "residential" one with dynamic ip,
> essentially the same as the other) which is 2000/300 kbps, which I plan
> to use for the users' internet usage (Squid) only. This 2nd internet
> link, however, won't be connected to shorewall but to a simple wifi soho
> router (a linksys one running dd-wrt). So, I need to route all traffic
> from squid to this linksys router.
>
> Another schematics try for the new scenario:
>
> wan -------- shorewall -------- lan
> (fixed ip)   10.0.0.1           10.0.0.0/24
>                 \ squid only      |
>                  \----------\     |
>                              \    |
> wan2 ------------------------- linksys
> (dyn ip)                       10.0.0.2
>
> I have googled for a while and found out that I need to use packet
> marking to achieve what I need; basically mark each squid packet with an
> identifier and route them accordingly. I found the following
> instructions with iptables commands which happen to do the job:
>
>     I would use another approach in 'marking' squid packets, it could be
>     done with a single rule:
>
>     iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1
>
>     Now just add these two commands to define the new routing table.
>
>     /sbin/ip rule add fwmark 0x1 table 101 pref 101
>     /sbin/ip route add default via 10.0.0.2 dev eth0 table 101
>
>     To make changes permanent (after everything is tested and working ok):
>
>     iptables-save > /etc/sysconfig/iptables
>
>     edit /etc/iproute2/rt_tables and add a line:
>
>     101 squid
>
>     then create 2 files 'route-eth0' and 'rule-eth0' (that's a RedHat
>     approach to handle complex routing, that should also work on CentOS):
>
>     /etc/sysconfig/network-scripts/rule-eth0:
>     fwmark 0x1 table 101 pref 1000
>
>     /etc/sysconfig/network-scripts/route-eth0:
>     default via 10.0.0.2 dev eth0 table 101
>
> So, my problem is how do I translate those commands into shorewall
> configuration? I tried looking at the Multi ISP doc but it mentions
> having both ISPs on the same box, which is not my case, so I'm not sure
> if I need to mess with /etc/shorewall/providers and such.
>
> I hope I made myself clear enough but if anyone has doubts, please
> ask. All replies are greatly appreciated.

A couple of points:

a) Why the Linksys router? Why don't you just add a third NIC to the Shorewall box and use Shorewall's multi-ISP capability? http://www.shorewall.net/MultiISP.html

b) Even with your proposed topology, you could use Shorewall's MultiISP capability but you would need to understand a lot more about how it works (no one is likely to write a HOWTO for anything like what you propose).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> A couple of points:
>
> a) Why the Linksys router? Why don't you just add a third NIC to the
> Shorewall box and use Shorewall's multi-ISP capability?
> http://www.shorewall.net/MultiISP.html
>
> b) Even with your proposed topology, you could use Shorewall's MultiISP
> capability but you would need to understand a lot more about how it
> works (no one is likely to write a HOWTO for anything like what you
> propose).

And if you feel like you must use the Linksys, I would _still_ add a third NIC to the Shorewall box and connect that box to the Linksys with a crossover cable. And use Shorewall's MultiISP feature.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, May 30, 2008 at 5:22 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> A couple of points:
>>
>> a) Why the Linksys router? Why don't you just add a third NIC to the
>> Shorewall box and use Shorewall's multi-ISP capability?
>> http://www.shorewall.net/MultiISP.html

Mainly because I could use the router's wireless functions. I already have a wireless network, however it's only a wireless nic connected to an external antenna on the same shorewall router, bridged to eth0, running hostapd, which is not very used. This is changing though, as a few users are switching to notebooks, and using the linksys router I would have a boost in signal, range and throughput for these new clients. Of course I could still add the 3rd nic to the shorewall box and use the router as a plain access point, however it would be "cleaner" for me to get things working as I planned.

>> b) Even with your proposed topology, you could use Shorewall's MultiISP
>> capability but you would need to understand a lot more about how it works
>> (no one is likely to write a HOWTO for anything like what you propose).
>
> And if you feel like you must use the Linksys, I would _still_ add a third
> NIC to the Shorewall box and connect that box to the Linksys with a
> crossover cable. And use Shorewall's MultiISP feature.

Well, it _is_ possible then. I haven't dug thru the documentation enough, so I'm going to try my topology first, and if I don't succeed, I'll go your way.

Just another thing, do you think shorewall 4 has any advantages over 3.x on this particular matter?

Thanks for your reply.

Gustavo
Gustavo Michels wrote:
> Hi all,
> I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway
> setup for my office. Routing is enabled only for a few hosts and all users
> access the internet thru squid, which is running on the shorewall box. I
> have a few other services on this box and some others on another server, but
> they don't matter for what I need.
>
> Quick and dirty schematics to illustrate (and let's hope gmail doesn't screw
> it up). Probably not needed, but it won't hurt:
>
> wan (eth1) -------- shorewall (eth0) -------- lan
> (fixed ip)          10.0.0.1                  10.0.0.0/24
>
> I currently have a 600/600 kbps "corporate" internet connection (a fancy
> name for a cable modem with fixed ip) and my bandwidth needs are becoming
> bigger and bigger, so I signed up for another internet link (another cable
> modem, now a "residential" one with dynamic ip, essentially the same as the
> other) which is 2000/300 kbps, which I plan to use for the users' internet
> usage (Squid) only. This 2nd internet link, however, won't be connected to
> shorewall but to a simple wifi soho router (a linksys one running dd-wrt).
> So, I need to route all traffic from squid to this linksys router.
>
> Another schematics try for the new scenario:
>
> wan -------- shorewall -------- lan
> (fixed ip)   10.0.0.1           10.0.0.0/24
>                 \ squid only      |
>                  \----------\     |
>                              \    |
> wan2 ------------------------- linksys
> (dyn ip)                       10.0.0.2
>
> I have googled for a while and found out that I need to use packet marking
> to achieve what I need; basically mark each squid packet with an identifier
> and route them accordingly. I found the following instructions with iptables
> commands which happen to do the job:
>
>     I would use another approach in 'marking' squid packets, it could be done
>     with a single rule:
>
>     iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1

You would need to have this run on the squid box to get the --uid-owner.

>     Now just add these two commands to define the new routing table.
>
>     /sbin/ip rule add fwmark 0x1 table 101 pref 101
>     /sbin/ip route add default via 10.0.0.2 dev eth0 table 101
>
>     To make changes permanent (after everything is tested and working ok):
>
>     iptables-save > /etc/sysconfig/iptables
>
>     edit /etc/iproute2/rt_tables and add a line:
>
>     101 squid
>
>     then create 2 files 'route-eth0' and 'rule-eth0' (that's a RedHat approach
>     to handle complex routing, that should also work on CentOS):
>
>     /etc/sysconfig/network-scripts/rule-eth0:
>     fwmark 0x1 table 101 pref 1000
>
>     /etc/sysconfig/network-scripts/route-eth0:
>     default via 10.0.0.2 dev eth0 table 101
>
> So, my problem is how do I translate those commands into shorewall
> configuration? I tried looking at the Multi ISP doc but it mentions
> having both ISPs on the same box, which is not my case, so I'm not sure if I
> need to mess with /etc/shorewall/providers and such.

Add the above commands to the squid box, it's the one that needs to deal with the second gateway, leaving the firewall box as is with no changes. Or is the squid box running shorewall also?

> I hope I made myself clear enough but if anyone has doubts, please ask. All
> replies are greatly appreciated.

You could plug the linksys directly into the squid box with a second nic. Either way, you would need to use something like the above on the squid box only.

Another option, as Tom stated, is to set up the full multi-isp on the firewall, using the linksys as the second gateway and then use packet-marking based on source address/port destination to direct the web traffic from the squid box to the linksys. You can do multi-isp with the second gateway in the loc zone, but I don't recommend that approach, it's a PITA to set up. Much easier just to add a third nic to the mix and go with Tom's suggestion. I'd be running the 4.0 series of shorewall if I were you.

So the question becomes, which do you want to modify, the squid box or the shorewall box?

Jerry
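The commands Gustavo quoted in his first message, which Jerry says belong on the box where squid runs, as an added example script. This is the editor's code, not something posted to the list or shipped with Shorewall, and it assumes the thread's setup: squid running on the Shorewall box (10.0.0.1), the Linksys at 10.0.0.2 on eth0, mark 0x1, table 101, user squid. The function names, the DRY_RUN switch and the rp_filter step are this example's own. It also handles two things the quoted commands leave out. Table 101 holds only a default route, and a match in it does not fall back to the main table, so squid's replies to its own LAN clients would be sent to the Linksys too unless they are excluded from the mark. And the second ISP's replies arrive on eth0 while the main table says those sources live behind eth1, so strict rp_filter on eth0 would drop them.

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted iptables/ip commands,
# wrapped so they can be re-applied safely, plus two fixes:
#  - squid's packets to the LAN are NOT marked; table 101 holds only a
#    default route and a hit in it does not fall through to main, so marked
#    LAN-bound packets would otherwise go to the Linksys as well;
#  - rp_filter is relaxed on eth0, because the second ISP's replies arrive
#    on eth0 while the main table routes those sources via eth1.
# Addresses, interfaces, user and table number come from the thread; the
# function names, the DRY_RUN switch and the sysctl step are assumptions.

set -e

SQUID_USER=${SQUID_USER:-squid}
MARK=${MARK:-0x1}
TABLE=${TABLE:-101}
TABLE_NAME=${TABLE_NAME:-squid}
GATEWAY=${GATEWAY:-10.0.0.2}        # LAN address of the Linksys
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# run CMD...: execute CMD, or only print it when DRY_RUN is set, so the
# generated commands can be reviewed (or tested) without root.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rt_tables_add FILE NUMBER NAME: name the routing table, idempotently.
# Returns 1 when NUMBER is already mapped to a different name.
rt_tables_add() {
  file=$1 num=$2 name=$3
  existing=$(awk -v n="$num" '$1 == n { print $2; exit }' "$file" 2>/dev/null || true)
  if [ -n "$existing" ]; then
    [ "$existing" = "$name" ] || return 1
    return 0
  fi
  printf '%s\t%s\n' "$num" "$name" >> "$file"
}

# apply_squid_routing: install the mark rule, the policy rule and the
# route. Each step removes any earlier copy first, so re-running (for
# example from a Shorewall extension script) does not stack duplicates.
apply_squid_routing() {
  # 1. Mark locally generated packets owned by the squid user, except
  #    those addressed to the LAN (squid's answers to its own clients).
  run iptables -t mangle -D OUTPUT -m owner --uid-owner "$SQUID_USER" \
      ! -d "$LAN_NET" -j MARK --set-mark "$MARK" 2>/dev/null || true
  run iptables -t mangle -I OUTPUT -m owner --uid-owner "$SQUID_USER" \
      ! -d "$LAN_NET" -j MARK --set-mark "$MARK"
  # 2. Send marked packets through a table whose default is the Linksys.
  run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
  run ip rule add fwmark "$MARK" table "$TABLE" pref "$TABLE"
  run ip route replace default via "$GATEWAY" dev "$LAN_IF" table "$TABLE"
  # 3. Accept the second ISP's replies on the LAN interface.
  run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
  # 4. Older kernels cache routing decisions; drop the cache.
  run ip route flush cache
}

case "${1:-}" in
  preview) (DRY_RUN=1; apply_squid_routing) ;;
  apply)   rt_tables_add "$RT_TABLES" "$TABLE" "$TABLE_NAME" && apply_squid_routing ;;
esac
```

`sh squid-route.sh preview` prints what would be done; `sh squid-route.sh apply` installs it. As Jerry notes, the --uid-owner match only works on the host where squid itself runs. Since a `shorewall restart` rebuilds the mangle table, the mark rule is gone after every restart; calling the script from /etc/shorewall/started re-installs it each time, whereas the providers-based setup Tom suggests makes Shorewall own the rules outright. To check the result, compare `ip rule show` and `ip route show table 101` with the preview output, then fetch a page as the squid user (for example via `su -s /bin/sh squid -c ...`) and confirm the remote side sees the Linksys' WAN address while the rest of the box still leaves via eth1.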
Gustavo Michels wrote:
>
> Just another thing, do you think shorewall 4 has any advantages over
> 3.x on this particular matter?

There is nothing specific to Multi-ISP that is new in 4.0.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, May 30, 2008 at 5:52 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> You would need to have this run on the squid box to get the --uid-owner.
>
> Add the above commands to the squid box, it's the one that needs to deal
> with the second gateway, leaving the firewall box as is with no changes.
> Or is the squid box running shorewall also?
>
> So the question becomes, which do you want to modify, the squid box or
> the shorewall box?

They're both on the same box. I could, however, move squid to another server... that would be the easiest solution of all, since I use WPAD and a canonical name for my proxy, the change would be completely transparent for all users.

Thanks for showing another option.

Gustavo