On 15.6.2013 0:38, Tom Eastep wrote:
> On 06/13/2013 10:14 AM, Tero M wrote:
>> Hi,
>>
>> I was reading document http://shorewall.net/MultiISP.html#idp3634200.
>> Inspired by the document I was trying to establish the following
changes:
>> * one additional interface: COMA_IF
>> * COM[A,B,C]_IF interfaces request IP address via DHCP
>> * all non-RFC 1918 destined traffic is NATed (masqueraded) from INT_IF to COMA_IF
>> * all non-RFC 1918 destined traffic from GW is routed via COMB_IF by default
>> * non-RFC 1918 destined traffic from GW is possible to route via COMA_IF
>> or COMC_IF if necessary
>>
>> Content of provider file:
>> ComcastA 1 0x10000 - COMA_IF detect loose,fallback
>> ComcastB 2 0x20000 - COMB_IF detect loose,fallback
>> ComcastC 3 0x30000 - COMC_IF detect loose,fallback
>>
>> Content of tcrules file:
>> 1:P 0.0.0.0/0
>> 2 $FW
>>
>> At the moment all non-RFC 1918 destined traffic from GW is routed via
>> eth1.10 which is not what I want. How do I correct that?
> There isn't enough information here to help you. Please send the output
> of 'shorewall dump' to start with.
>
> Thanks,
> -Tom
>
>
>
Well,
do you mind if I send you at first only content of the files that I have
changed?
params:
LOG=NFLOG
INT_IF=eth13
#TUN_IF=tun+
COMA_IF=eth10
COMB_IF=eth11
COMC_IF=eth12
INT_NET=x.x.x.x/x
STATISTICALPROXYFALLBACKPROXYDMZSQUID2
### shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=2
BLACKLIST_LOGLEVEL
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW
LOGFILE=/var/log/syslog
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT
MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
IPTABLES
IP
IPSET
MODULESDIR
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK
TC
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=Yes
BLACKLISTNEWONLY=Yes
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DISABLE_IPV6=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DONT_LOAD
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=No
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK
IMPLICIT_CONTINUE=No
IP_FORWARDING=On
KEEP_RT_TABLES=Yes
LOAD_HELPERS_ONLY=Yes
LEGACY_FASTSTART=Yes
MACLIST_TABLE=filter
MACLIST_TTL
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=Yes
OPTIMIZE=31
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=No
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=Yes
ZONE2ZONE=-
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=8
PROVIDER_BITS=2
PROVIDER_OFFSET=16
MASK_BITS=8
ZONE_BITS=0
IPSECFILE=zones
### zones:
loc ip #Local Zone
net ip #Internet
#smc:net ip #10.0.1.0/24
#vpn ip #OpenVPN clients
dmz ip #LXC Containers
### interfaces:
loc INT_IF detect
dhcp,physical=$INT_IF,required,wait=5,routefilter,nets=$INT_NET
# NOTE(review): 'upnp' on a net-facing interface permits upnpd to add inbound
# port-forward rules on demand for requests arriving on that uplink. Keep it
# only if upnpd is actually deployed on this box; otherwise drop the option.
net COMA_IF detect
required,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMA_IF,upnp,nosmurfs,tcpflags,dhcp
net COMB_IF detect
required,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags,dhcp
net COMC_IF detect
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
#vpn TUN_IF+ physical=tun+,ignore=1
#dmz br0 routeback,proxyarp=1
- lo - ignore
### masq:
# Only COMA_IF masquerades $INT_NET. All three providers carry 'fallback', so if
# ComcastA goes down, loc traffic that falls back to COMB_IF/COMC_IF would leave
# with its private (RFC 1918) source address un-NATed. If fallback is meant to
# carry loc traffic, add matching masq entries for COMB_IF and COMC_IF.
COMA_IF $INT_NET
### policy:
loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
loc all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
### rules:
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Invalid(DROP) net all
DNS(ACCEPT) fw net
DNS(ACCEPT) loc fw
SSH(ACCEPT) loc fw
Ping(ACCEPT) loc fw
Ping(DROP) net fw
ACCEPT fw loc icmp
ACCEPT fw net icmp
# NOTE(review): accepting DNS from net on all uplinks makes the firewall an
# open resolver if a recursive resolver listens here (amplification abuse);
# only keep this if the firewall serves authoritative DNS to the Internet.
DNS(ACCEPT) net fw
HTTP(ACCEPT) net fw
HTTPS(ACCEPT) net fw
HTTP(ACCEPT) loc net
HTTPS(ACCEPT) loc net
# NOTE(review): Webmin is an administrative interface; exposing it to the whole
# net zone on three uplinks is risky. Restrict SOURCE to known admin addresses
# (e.g. net:a.b.c.d) — loc already reaches fw via the 'loc fw ACCEPT' policy.
Webmin(ACCEPT) net fw
### tcrules:
# NOTE(review): the provider MARK values are 0x10000/0x20000/0x30000 with
# PROVIDER_OFFSET=16, while these rules set marks 1 and 2. Check in
# 'shorewall dump' (mangle table) that the mark actually applied to $FW
# output corresponds to ComcastB's MARK; if it lands in the TC bits instead,
# the rule selects no provider and the default route decides.
1:P 0.0.0.0/0
2 $FW
FORMAT 2
TTL(+1):P INT_IF -
SAME:P INT_IF - tcp 80,443
#?if $PROXY && ! $SQUID2
# DIVERT COMB_IF - tcp - 80
# DIVERT COMC_IF - tcp - 80
# DIVERT br0 172.20.1.0/24 tcp - 80
# TPROXY(3129,172.20.1.254) INT_IF - tcp 80
# ?if $PROXYDMZ
# TPROXY(3129,172.20.1.254) br0 - tcp 80
# ?endif
#?endif
### rtrules:
&COMA_IF - ComcastA 1000
&COMB_IF - ComcastB 1000
&COMC_IF - ComcastC 1000
### providers:
ComcastA 1 0x10000 - COMA_IF detect loose,fallback
ComcastB 2 0x20000 - COMB_IF detect loose,fallback
ComcastC 3 0x30000 - COMC_IF detect loose,fallback
Tero M