Hi, my firewall has 2 providers (eth0 and eth5) with private IPs.

Providers file:

ISP1 1 1 main eth0 192.168.2.1 track
ISP2 2 2 main eth5 192.168.0.1 track

I am using tcrules for marking packets in forwarding and all is right. But I want to mark the packets starting from the firewall in this mode: if the user is dansguardian, mark with 2; otherwise use the default gateway (via eth0).

I tried adding this rule to tcrules:

2 $FW - - - - dansguardian

but it doesn't work: the user dansguardian is not passed by any of the 2 providers.

I solved it by deleting the rule just entered and inserting in the file start:

/sbin/iptables -t mangle -I OUTPUT -m owner --uid-owner 107 -j MARK --set-mark 2
/sbin/iptables -t nat -I POSTROUTING -m owner --uid-owner 107 -j SNAT --to-source 192.168.0.254
echo 0 >/proc/sys/net/ipv4/conf/eth5/rp_filter

How can I do to get the same result directly without using the rules of iptables?

Thank you

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
skz@quipo.it wrote:
> How can I do to get the same result directly without using the rules
> of iptables?

Which Shorewall version? Shorewall-shell or Shorewall-perl?

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Tom Eastep wrote:
> skz@quipo.it wrote:
>> How can I do to get the same result directly without using the rules
>> of iptables?
>
> Which Shorewall version?
> Shorewall-shell or Shorewall-perl?

It would also be good to include the output of 'shorewall show mangle' (as an attachment) when the non-working entry in /etc/shorewall/tcrules is present.

-Tom
Quoting Tom Eastep <teastep@shorewall.net>:
>> Which Shorewall version?
>> Shorewall-shell or Shorewall-perl?
>
> It would also be good to include the output of 'shorewall show mangle'
> (as an attachment) when the non-working entry in /etc/shorewall/tcrules
> is present.

Shorewall is shorewall-perl 4.2.9.

Attached 2 files:
with_tcrules.gz, when using /etc/shorewall/tcrules,
and
without_tcrules.gz, when using the 2 iptables lines in /etc/shorewall/start.

Thanks
Alessio
skz@quipo.it wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
>>> Which Shorewall version?
>>> Shorewall-shell or Shorewall-perl?
>>
>> It would also be good to include the output of 'shorewall show mangle'
>> (as an attachment) when the non-working entry in /etc/shorewall/tcrules
>> is present.
>
> Shorewall is shorewall-perl 4.2.9.
>
> Attached 2 files:
> with_tcrules.gz, when using /etc/shorewall/tcrules,
> and
> without_tcrules.gz, when using the 2 iptables lines in /etc/shorewall/start.

I see no reason why the entry in tcrules should not work just like your manually-added rule. They are exactly the same rule at the iptables level -- in the case of the tcrules entry, the rule is only traversed on the first output packet in a connection while your rule is traversed by every packet originating from the firewall.

Given that there is no USER/GROUP column in the masq file, there is currently no way to replace the second iptables rule exactly using standard Shorewall file entries. Is the purpose of the rule to give proxy traffic a different SOURCE IP address?

-Tom
Quoting Tom Eastep <teastep@shorewall.net>:
> I see no reason why the entry in tcrules should not work just like your
> manually-added rule. They are exactly the same rule at the iptables
> level -- in the case of the tcrules entry, the rule is only traversed on
> the first output packet in a connection while your rule is traversed by
> every packet originating from the firewall.

Exact, this is true. The two rules have the same behavior...

With the tcrules and only the second line (nat) it works ok.

> Given that there is no USER/GROUP column in the masq file, there is
> currently no way to replace the second iptables rule exactly using
> standard Shorewall file entries. Is the purpose of the rule to give
> proxy traffic a different SOURCE IP address?

Yes, this is the real question.

Just a proposal: you have no USER/GROUP column in the masq file, but it could be a good solution to have the possibility to write the USER/GROUP name in the SOURCE column. In this manner the functionality of the masq file stays the same, but if the SOURCE column is not an address or an eth/tun* it would be a good solution to analyze the SOURCE like so:

tcrules as seen before

normal masq:

eth0 eth1 89.44.55.21
eth2 192.168.10.0/24

with user/group:

eth0 USER:dansguardian,squid 89.44.55.22
eth0 GROUP:www-data 89.44.55.23
eth0 eth1 89.44.55.21
eth2 192.168.10.0/24

What do you think about this?

Thanks for the answer.
Alessio
Another additional piece of information: the tcrules insertion does not work out of the box with the normal masq....

If you use the masq, avoiding the additional iptables line as shown in another mail, you can even insert into the masq file a line like this:

tcrules:

2 $FW - - - - dansguardian

and masq:

eth0 eth1
eth5 - 99.33.46.25 - - - 2
eth5 eth2 99.33.46.24

but this involves the problem that all the marked packets (with 2) are masqueraded with the first address.

Thanks
Alessio
skz@quipo.it wrote:
> Another additional piece of information:
>
> the tcrules insertion does not work out of the box
> with the normal masq....
>
> If you use the masq, avoiding the additional
> iptables line as shown in another mail, you can even insert
> into the masq file a line like this:
>
> tcrules:
>
> 2 $FW - - - - dansguardian
>
> and masq:
>
> eth0 eth1
> eth5 - 99.33.46.25 - - - 2
> eth5 eth2 99.33.46.24
>
> but this involves the problem that all the marked packets (with 2)
> are masqueraded with the first address.

I thought of that solution when I posted my original reply. But, as you say, the masq rule is too general if you only want to rewrite the source IP of traffic generated by a particular user.

Is it Dansguardian or Squid that is making the outgoing connections? Because Squid has the tcp_outgoing_address option which allows you to specify the IP address that squid uses for outgoing connections. If it is Dansguardian that is making the connections, does it support a similar option?

-Tom
skz@quipo.it wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
>
>> I see no reason why the entry in tcrules should not work just like your
>> manually-added rule. They are exactly the same rule at the iptables
>> level -- in the case of the tcrules entry, the rule is only traversed on
>> the first output packet in a connection while your rule is traversed by
>> every packet originating from the firewall.
>
> Exact, this is true.
> The two rules have the same behavior...
>
> With the tcrules and only the second line (nat) it works ok.

You mentioned that it doesn't work at all without that rule. That suggests to me that you are missing the masq rules described at http://www.shorewall.net/MultiISP.html#id541360

-Tom
Quoting Tom Eastep <teastep@shorewall.net>:
> Is it Dansguardian or Squid that is making the outgoing connections?
> Because Squid has the tcp_outgoing_address option which allows you to
> specify the IP address that squid uses for outgoing connections. If it
> is Dansguardian that is making the connections, does it support a
> similar option?

No, sorry, this solution is too restrictive! I prefer to use my nat line in start instead of searching for strange configurations of squid or whatever. The iptables solution is defined at a level that is better than the application level, in my opinion.

Anyway thanks, resolved with the tcrules (native) and nat (iptables insertion into the start file).

Alessio
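The arrangement Alessio settled on (the native tcrules mark plus the owner-match SNAT kept in /etc/shorewall/start) as an added example; this is editor-written code, not from the thread, from Shorewall or from its author. Three things differ from the lines posted in the first message and are assumptions made here: the uid is looked up by name instead of being hard-coded as 107 (uids differ between hosts, and Tom notes the tcrules entry and the uid rule are the same rule at the iptables level); the SNAT carries "-o eth5" so only traffic actually leaving on ISP2 is rewritten (the posted rule had no -o, and Tom's objection to the masq variant was that it is too general); and a check parses iptables-save text to confirm the owner-match MARK rule landed in mangle/OUTPUT, which is what 'shorewall show mangle' would have shown in the attachments. The iptables-save sample is constructed, not captured. Mark 2 = ISP2 on eth5 and SNAT source 192.168.0.254 are taken from the thread. The rp_filter line is printed as Alessio had it; note that 0 switches off reverse-path spoofing checks on eth5 entirely, and kernels from 2.6.31 on accept 2 (loose mode) as a less drastic setting.

```shell
#!/bin/sh
# Added example (editor-written, not from the Shorewall thread): the two
# iptables rules kept in /etc/shorewall/start, with the uid resolved by name,
# the SNAT limited to the ISP2 interface, and a check against iptables-save.
# Assumed values: mark 2 = ISP2 on eth5, SNAT source 192.168.0.254.
set -eu

# Resolve an account name to a uid; fall back to the given uid when the
# account does not exist on this host, so the script runs anywhere.
resolve_uid() {
    id -u "$1" 2>/dev/null || echo "$2"
}

# Print the two rules for one uid: mark locally generated packets owned by
# that uid, then rewrite their source address only when they leave on $iface.
# The "-o $iface" restriction is an addition; the thread's rule had none.
owner_snat_rules() {
    uid=$1; mark=$2; iface=$3; snat_ip=$4
    printf '%s\n' \
      "iptables -t mangle -I OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $mark" \
      "iptables -t nat -I POSTROUTING -o $iface -m owner --uid-owner $uid -j SNAT --to-source $snat_ip"
}

# Return 0 if iptables-save text (argument 2) has an owner-match MARK rule for
# the uid in the mangle table's OUTPUT chain, 1 otherwise. Newer iptables
# prints the target as --set-xmark, older as --set-mark, so only "-j MARK"
# is matched. Chains named OUTPUT also exist in nat and filter, hence the
# table tracking.
has_owner_mark() {
    uid=$1; save=$2
    printf '%s\n' "$save" | awk -v uid="$uid" '
        /^\*/ { table = substr($0, 2) }
        table == "mangle" && /^-A OUTPUT / && index($0, "--uid-owner " uid " ") && /-j MARK/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of iptables-save output once the rules are loaded;
# not captured from a real firewall.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 107 -j MARK --set-xmark 0x2/0xffffffff
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth5 -m owner --uid-owner 107 -j SNAT --to-source 192.168.0.254
COMMIT'

# What goes into /etc/shorewall/start. Printed rather than executed; pipe
# into sh on the firewall once the output looks right. 107 is only the
# fallback uid for hosts without a dansguardian account.
print_start_rules() {
    uid=$(resolve_uid dansguardian 107)
    owner_snat_rules "$uid" 2 eth5 192.168.0.254
    # 0 disables reverse-path filtering on eth5; 2 (loose mode, kernel
    # 2.6.31+) still rejects source addresses with no route at all.
    echo 'echo 0 >/proc/sys/net/ipv4/conf/eth5/rp_filter'
}

print_start_rules
if has_owner_mark 107 "$SAMPLE_SAVE"; then
    echo '# sample iptables-save: owner MARK rule present in mangle/OUTPUT'
fi
```

On a live firewall the check would be run as `has_owner_mark "$(id -u dansguardian)" "$(iptables-save)"` after `shorewall restart`, which is the quick way to tell whether the mark rule survived the restart or whether Shorewall's own chains were rebuilt without it.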