Hi all,

I've set up an Ubuntu box with Shorewall and three NICs: one local (eth0), one to my first ISP (eth1) and another to my second ISP (eth2). My goal is to control which type of connection goes out through which ISP (i.e. SMTP through ISP1 and HTTP through ISP2).

So I've tried with tcrules, but I didn't manage to, so I've put some routes in route_rules to force all connections to ISP1 except the ones from my SMTP server, which go through ISP2; that works. But I'd like to be more fine-grained and apply rules on protocol or port used or whatever is possible if I want to :)

So, I have to use tcrules and need help... Here are my settings:

    root@fw:/etc/shorewall# cat providers
    Numericable 1 1 main eth2 x.x.x.x track,balance eth0
    Free        2 2 main eth1 y.y.y.y track,balance eth0

    root@fw:/etc/shorewall# cat interfaces
    #ZONE INTERFACE BROADCAST OPTIONS
    net   eth1      detect    dhcp,routefilter,tcpflags,logmartians,nosmurfs
    net   eth2      detect    dhcp,routefilter,tcpflags,logmartians,nosmurfs
    loc   eth0      detect    routefilter,tcpflags,logmartians,nosmurfs

    root@fw:/etc/shorewall# cat route_rules
    #SOURCE     DEST PROVIDER PRIORITY
    lo          -    1        1000
    10.0.0.2/32 -    2        1000
    eth0        -    1        1000

    root@fw:/etc/shorewall# cat tcrules
    1:F 10.0.0.0/24 0.0.0.0/0 tcp 21

Did I miss something? You can find Shorewall's dump attached.

Thanks all.
David

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
Hey, guess what... I've removed my route_rules and reset my tcrules, and it works! :)

    root@fw:/etc/shorewall# cat tcrules
    #MARK SOURCE      DEST PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
    #                            PORT(S) PORT(S)
    1:P   10.0.0.0/24 -
    2:P   10.0.0.2/32 -    tcp   25
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Thanks ;)
Oh yes, thanks for the fw rule, forgot this one....

On 21/02/2011 13:28, shorewall listmail wrote:
> This is what I have and it is working well; there is also a rule for
> connections from the firewall:
>
> #MARK SOURCE           DEST      PROTO DEST                            SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
> #                                      PORT(S)                         PORT(S)
> 5:P   192.168.140.0/24 0.0.0.0/0 tcp   465,995,443,3306,10019,10020
> 5     $FW              0.0.0.0/0 tcp   465,995,443,3306,10019,10020
>
> From: David Leroux <elhijo@0lim.net>
> Sent: Monday, February 21, 2011 8:55 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] multi ISP and tcrules
>
> Hey, guess what... I've removed my route_rules and reset my tcrules, and it works! :)
>
>     root@fw:/etc/shorewall# cat tcrules
>     #MARK SOURCE      DEST PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
>     #                            PORT(S) PORT(S)
>     1:P   10.0.0.0/24 -
>     2:P   10.0.0.2/32 -    tcp   25
>     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Thanks ;)
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 2/21/11 3:32 AM, David Leroux wrote:
> root@fw:/etc/shorewall# cat tcrules
> 1:F 10.0.0.0/24 0.0.0.0/0 tcp 21

This rule is in the FORWARD chain; to affect routing, the rule must be in the pre-routing chain.

-Tom
-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
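As an added illustration of Tom's point (example code written for this thread, not Shorewall's own rule generator): a small Python translator that parses tcrules lines like the ones posted above, renders the iptables mangle command each corresponds to, and flags marks that are set after the routing decision and so cannot select a provider. It assumes a simplified reading of Shorewall semantics (a :P/:F/:T suffix on MARK picks PREROUTING/FORWARD/POSTROUTING, $FW sources go to OUTPUT, default chain PREROUTING) and that SOURCE is an address or $FW rather than an interface name.

```python
import re

# Assumed (simplified) Shorewall semantics, not the project's own generator:
# a :P/:F/:T suffix on MARK selects PREROUTING/FORWARD/POSTROUTING, rules
# whose SOURCE is $FW go to OUTPUT, and the default chain is PREROUTING.
CHAIN_SUFFIX = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}
# Chains traversed after the routing decision: a mark set there cannot steer
# the packet into a provider's routing table (the 1:F problem in the thread).
AFTER_ROUTING_DECISION = {"FORWARD", "POSTROUTING"}


def parse_tcrule(line):
    """Parse one tcrules line; returns None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    cols = line.split()
    mark, source = cols[0], cols[1]
    dest, proto, dport = (cols + ["-"] * 3)[2:5]  # missing columns -> "-"
    m = re.fullmatch(r"(\d+)(?::([PFT]))?", mark)
    if not m:
        raise ValueError(f"unsupported MARK column: {mark!r}")
    if source == "$FW":
        chain = "OUTPUT"
    else:
        chain = CHAIN_SUFFIX[m.group(2)] if m.group(2) else "PREROUTING"
    return {"mark": int(m.group(1)), "chain": chain, "source": source,
            "dest": dest, "proto": proto, "dport": dport}


def to_iptables(rule):
    """Render a parsed rule as the equivalent iptables mangle command.
    SOURCE is assumed to be an address/CIDR or $FW, not an interface."""
    parts = ["iptables", "-t", "mangle", "-A", rule["chain"]]
    if rule["source"] not in ("-", "$FW"):
        parts += ["-s", rule["source"]]
    if rule["dest"] not in ("-", "0.0.0.0/0"):
        parts += ["-d", rule["dest"]]
    if rule["proto"] != "-":
        parts += ["-p", rule["proto"]]
        if "," in rule["dport"]:  # port lists need the multiport match
            parts += ["-m", "multiport", "--dports", rule["dport"]]
        elif rule["dport"] != "-":
            parts += ["--dport", rule["dport"]]
    parts += ["-j", "MARK", "--set-mark", str(rule["mark"])]
    return " ".join(parts)


def routing_effective(rule):
    """True only if the mark is applied before the routing decision."""
    return rule["chain"] not in AFTER_ROUTING_DECISION
```

Running the original `1:F` line through `routing_effective` returns False, while the later `1:P`/`2:P` lines return True, which is exactly the difference between the two tcrules files in this thread.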