Shorewall users - Jun 2013 - "Multiple Internet Connections" with four interfaces

Hi,

I was reading document http://shorewall.net/MultiISP.html#idp3634200.
Inspired by the document I was trying to establish the following changes:
* one additional interface: COMA_IF
* COM[A,B,C]_IF interfaces request IP address via DHCP
* all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF
* all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default
* non-RFC 1918 destined trafic from GW is possible to route via COMA_IF
or COMC_IF if necessary

Content of provider file:
ComcastA          1        0x10000 -          COMA_IF     detect       
loose,fallback
ComcastB          2        0x20000 -          COMB_IF     detect       
loose,fallback
ComcastC          3        0x30000 -          COMC_IF     detect       
loose,fallback

Content of tcrules file:
1:P           0.0.0.0/0
2             $FW

At the moment all non-RFC 1918 destined trafic from GW is routed via
eth1.10 which is not what I want. How do I correct that?


Tero M

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

On 06/13/2013 10:14 AM, Tero M wrote:
> Hi,
> 
> I was reading document http://shorewall.net/MultiISP.html#idp3634200.
> Inspired by the document I was trying to establish the following changes:
> * one additional interface: COMA_IF
> * COM[A,B,C]_IF interfaces request IP address via DHCP
> * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF
> * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default
> * non-RFC 1918 destined trafic from GW is possible to route via COMA_IF
> or COMC_IF if necessary
> 
> Content of provider file:
> ComcastA          1        0x10000 -          COMA_IF     detect       
> loose,fallback
> ComcastB          2        0x20000 -          COMB_IF     detect       
> loose,fallback
> ComcastC          3        0x30000 -          COMC_IF     detect       
> loose,fallback
> 
> Content of tcrules file:
> 1:P           0.0.0.0/0
> 2             $FW
> 
> At the moment all non-RFC 1918 destined trafic from GW is routed via
> eth1.10 which is not what I want. How do I correct that?
There isn''t enough information here to help you. Please send the output
of ''shorewall dump'' to start with.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

On 15.6.2013 0:38, Tom Eastep wrote:
> On 06/13/2013 10:14 AM, Tero M wrote:
>> Hi,
>>
>> I was reading document http://shorewall.net/MultiISP.html#idp3634200.
>> Inspired by the document I was trying to establish the following
changes:
>> * one additional interface: COMA_IF
>> * COM[A,B,C]_IF interfaces request IP address via DHCP
>> * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF
>> * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by
default
>> * non-RFC 1918 destined trafic from GW is possible to route via COMA_IF
>> or COMC_IF if necessary
>>
>> Content of provider file:
>> ComcastA          1        0x10000 -          COMA_IF     detect       
>> loose,fallback
>> ComcastB          2        0x20000 -          COMB_IF     detect       
>> loose,fallback
>> ComcastC          3        0x30000 -          COMC_IF     detect       
>> loose,fallback
>>
>> Content of tcrules file:
>> 1:P           0.0.0.0/0
>> 2             $FW
>>
>> At the moment all non-RFC 1918 destined trafic from GW is routed via
>> eth1.10 which is not what I want. How do I correct that?
> There isn''t enough information here to help you. Please send the
output
> of ''shorewall dump'' to start with.
>
> Thanks,
> -Tom
>
>
>
------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Well,

do you mind if I send you at first only content of the files that I have
changed?

params:
LOG=NFLOG

INT_IF=eth13
#TUN_IF=tun+
COMA_IF=eth10
COMB_IF=eth11
COMC_IF=eth12
INT_NET=x.x.x.x/x

STATISTICALPROXYFALLBACKPROXYDMZSQUID2
### shorewall.conf
STARTUP_ENABLED=Yes

VERBOSITY=2

BLACKLIST_LOGLEVEL
LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW
LOGFILE=/var/log/syslog

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGLIMIT
MACLIST_LOG_LEVEL=info

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL=info

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

IPTABLES
IP
IPSET
MODULESDIR
PERL=/usr/bin/perl

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

RESTOREFILE=restore

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK
TC
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"

RCP_COMMAND=''scp ${files} ${root}@${system}:${destination}''
RSH_COMMAND=''ssh ${root}@${system} ${command}''

ACCOUNTING=Yes

ACCOUNTING_TABLE=mangle

ADD_IP_ALIASES=No

ADD_SNAT_ALIASES=No

ADMINISABSENTMINDED=Yes

AUTO_COMMENT=Yes

AUTOMAKE=Yes

BLACKLISTNEWONLY=Yes

CLAMPMSS=Yes

CLEAR_TC=Yes

COMPLETE=No

DISABLE_IPV6=No

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

DONT_LOAD
DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=No

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK
IMPLICIT_CONTINUE=No

IP_FORWARDING=On

KEEP_RT_TABLES=Yes

LOAD_HELPERS_ONLY=Yes

LEGACY_FASTSTART=Yes

MACLIST_TABLE=filter

MACLIST_TTL
MANGLE_ENABLED=Yes

MAPOLDACTIONS=No

MARK_IN_FORWARD_CHAIN=No

MODULE_SUFFIX=ko

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=Yes

OPTIMIZE=31

OPTIMIZE_ACCOUNTING=No

REQUIRE_INTERFACE=No

RESTORE_DEFAULT_ROUTE=No

RETAIN_ALIASES=No

ROUTE_FILTER=No

SAVE_IPSETS=No

TC_ENABLED=No

TC_EXPERT=No

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=Yes

USE_DEFAULT_RT=Yes

ZONE2ZONE=-

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

TC_BITS=8

PROVIDER_BITS=2

PROVIDER_OFFSET=16

MASK_BITS=8

ZONE_BITS=0

IPSECFILE=zones

### zones:
loc             ip           #Local Zone
net             ip           #Internet
#smc:net         ip           #10.0.1.0/24
#vpn             ip           #OpenVPN clients
dmz             ip           #LXC Containers

### interfaces:
loc    INT_IF      detect              
dhcp,physical=$INT_IF,required,wait=5,routefilter,nets=$INT_NET
net    COMA_IF     detect              
required,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMA_IF,upnp,nosmurfs,tcpflags,dhcp
net    COMB_IF     detect              
required,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags,dhcp
net    COMC_IF     detect              
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
#vpn    TUN_IF+     physical=tun+,ignore=1
#dmz    br0         routeback,proxyarp=1
-      lo          -         ignore

### masq:
COMA_IF                 $INT_NET

### policy:
loc             net             ACCEPT
loc             fw              ACCEPT

fw              net             ACCEPT
fw              loc             ACCEPT

loc             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT        info

### rules:
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

Invalid(DROP)    net        all

DNS(ACCEPT)    fw            net
DNS(ACCEPT) loc         fw

SSH(ACCEPT)    loc        fw

Ping(ACCEPT)    loc        fw

Ping(DROP)    net        fw

ACCEPT        fw        loc        icmp
ACCEPT        fw        net        icmp

DNS(ACCEPT)     net             fw

HTTP(ACCEPT)    net             fw
HTTPS(ACCEPT)   net             fw

HTTP(ACCEPT)    loc             net
HTTPS(ACCEPT)   loc             net

Webmin(ACCEPT)   net             fw

### tcrules:
1:P           0.0.0.0/0
2             $FW
FORMAT 2
TTL(+1):P                       INT_IF        -
SAME:P                          INT_IF        -             tcp    80,443
#?if $PROXY && ! $SQUID2
#   DIVERT                       COMB_IF       -             tcp   
-       80
#   DIVERT                       COMC_IF       -             tcp   
-       80
#   DIVERT                       br0           172.20.1.0/24 tcp   
-       80
#   TPROXY(3129,172.20.1.254)    INT_IF        -             tcp    80
#   ?if $PROXYDMZ
#      TPROXY(3129,172.20.1.254) br0           -             tcp    80
#   ?endif
#?endof

### rtrules:
&COMA_IF            -                ComcastA  1000
&COMB_IF            -                ComcastB  1000
&COMC_IF            -                ComcastC  1000

### providers:
ComcastA          1        0x10000 -          COMA_IF     detect       
loose,fallback
ComcastB          2        0x20000 -          COMB_IF     detect       
loose,fallback
ComcastC          3        0x30000 -          COMC_IF     detect       
loose,fallback


Tero M

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

On Jun 15, 2013, at 12:28 AM, Tero M <termant@gmail.com> wrote:
> On 15.6.2013 0:38, Tom Eastep wrote:
>> On 06/13/2013 10:14 AM, Tero M wrote:
>>> Hi,
>>> 
>>> I was reading document
http://shorewall.net/MultiISP.html#idp3634200.
>>> Inspired by the document I was trying to establish the following
changes:
>>> * one additional interface: COMA_IF
>>> * COM[A,B,C]_IF interfaces request IP address via DHCP
>>> * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF
>>> * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by
default
>>> * non-RFC 1918 destined trafic from GW is possible to route via
COMA_IF
>>> or COMC_IF if necessary
>>> 
>>> Content of provider file:
>>> ComcastA          1        0x10000 -          COMA_IF     detect
>>> loose,fallback
>>> ComcastB          2        0x20000 -          COMB_IF     detect
>>> loose,fallback
>>> ComcastC          3        0x30000 -          COMC_IF     detect
>>> loose,fallback
>>> 
>>> Content of tcrules file:
>>> 1:P           0.0.0.0/0
>>> 2             $FW
>>> 
>>> At the moment all non-RFC 1918 destined trafic from GW is routed
via
>>> eth1.10 which is not what I want. How do I correct that?
>> There isn''t enough information here to help you. Please send
the output
>> of ''shorewall dump'' to start with.
>> 
>> Thanks,
>> -Tom
>> 
>> 
>>
------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>> 
>> Build for Windows Store.
>> 
>> http://p.sf.net/sfu/windows-dev2dev
>> 
>> 
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> Well,
> 
> do you mind if I send you at first only content of the files that I have
> changed?
> 
Pretty useless -- you are complaining that traffic is routed out of eth1.10 and
that interface isn''t even mentioned in your configuration. So
I''ll spend no time looking at your obfuscated config files.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev