Shorewall users - Feb 2012 - Forcing a source thru one provider

Dear list,
my box is a Debian Lenny (4.0) with the stock Shorewall (3.2.6-2). I cannot
upgrade right now so please don''t tell me "first upgrade!" :)

I managed to have Muliple-ISP working, and I''m driving web traffic
(HTTP
and HTTPS) thru one provider and mail traffic (GMail IMAPS/SMTPS) to the
other one. My LAN (eth1) is masquerade behind two NIC, eth0 (first
provider) and eth4 (second one).

I would like to force all traffic generating from my pc (one IP in the eth1
network) to go thru one ISP only. My tcrules looks like this:

2       eth1:<my_IP>
#
# GMAIL
2:P     eth1            0.0.0.0/0       tcp     993
2:P     eth1            0.0.0.0/0       tcp     465
# WEB
1:P     eth1            0.0.0.0/0       tcp     80
1:P     eth1            0.0.0.0/0       tcp     443
1       $FW             0.0.0.0/0       tcp     80
1       $FW             0.0.0.0/0       tcp     443

Despite of this, I cannot manage to get this to work. If I connect eg to
speedtest.net I always see the public IP associated to my first ISP (1) and
not the second one, as I would like.

Anybody could help me? Where am I wrong? maybe on my box this is not
achieavable?


TIA
Alessandro


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

On 02/16/2012 12:45 AM, Alessandro Faglia wrote:
> Dear list,
> my box is a Debian Lenny (4.0) with the stock Shorewall (3.2.6-2). I cannot
> upgrade right now so please don''t tell me "first
upgrade!" :)
> 
> I managed to have Muliple-ISP working, and I''m driving web traffic
(HTTP
> and HTTPS) thru one provider and mail traffic (GMail IMAPS/SMTPS) to the
> other one. My LAN (eth1) is masquerade behind two NIC, eth0 (first
> provider) and eth4 (second one).
> 
> I would like to force all traffic generating from my pc (one IP in the eth1
> network) to go thru one ISP only. My tcrules looks like this:
> 
> 2       eth1:<my_IP>
> #
> # GMAIL
> 2:P     eth1            0.0.0.0/0       tcp     993
> 2:P     eth1            0.0.0.0/0       tcp     465
> # WEB
> 1:P     eth1            0.0.0.0/0       tcp     80
> 1:P     eth1            0.0.0.0/0       tcp     443
> 1       $FW             0.0.0.0/0       tcp     80
> 1       $FW             0.0.0.0/0       tcp     443
> 
> Despite of this, I cannot manage to get this to work. If I connect eg to
> speedtest.net I always see the public IP associated to my first ISP (1) and
> not the second one, as I would like.
> 
> Anybody could help me? Where am I wrong? maybe on my box this is not
> achieavable?
Put the rule for your IP address *last*; the tcrules file is ''last
match
wins''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

On Thu, Feb 16, 2012 at 4:32 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> Put the rule for your IP address *last*; the tcrules file is ''last
match
> wins''.
>
I found this, and I had also to exclude the host from a REDIRECT for the
Squid transparent proxy which was preventing the web traffic to flow
directly thru this provider.

Many thanks, it''s working!


Bye.
Alessandro


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

El 17/02/2012 04:09, Alessandro Faglia escribió:
> On Thu, Feb 16, 2012 at 4:32 PM, Tom Eastep <teastep@shorewall.net 
> <mailto:teastep@shorewall.net>> wrote:
>
>
>     Put the rule for your IP address *last*; the tcrules file is
''last
>     match
>     wins''.
>
>
> I found this, and I had also to exclude the host from a REDIRECT for 
> the Squid transparent proxy which was preventing the web traffic to 
> flow directly thru this provider.
>
> Many thanks, it''s working!
>
You don''t need to exclude it from the redirect rule, just have to 
configure it also inside squid, using tcp_outgoing_address

http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

HTH
Pablo.


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

On Fri, Feb 17, 2012 at 11:51 AM, Pablo Sebastian Greco <
shorewall@fliagreco.com.ar> wrote:
>
> You don''t need to exclude it from the redirect rule, just have to
> configure it also inside squid, using tcp_outgoing_address [...]
>
I don''t know if it''d help, because I need this to work for one
device only,
and not for all users'' workstations sharing the same proxy (which is
running btw on the same box).

That''s why I think this is the only way.


Thanks.
Alessandro


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

On Fri, Feb 17, 2012 at 12:21 PM, Alessandro Faglia <
alessandro.faglia@serioplast.com> wrote:
> On Fri, Feb 17, 2012 at 11:51 AM, Pablo Sebastian Greco <
> shorewall@fliagreco.com.ar> wrote:
>>
>>  You don''t need to exclude it from the redirect rule, just
have to
>> configure it also inside squid, using tcp_outgoing_address [...]
>>
>
> I don''t know if it''d help, because I need this to work
for one device
> only, and not for all users'' workstations sharing the same proxy
(which is
> running btw on the same box).
>
Sorry I read just now the second half of your link.

Well, it should work. I''ll give a try.


Thanks again.
Alessandro


------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/