Jeremy Lowery
2014-Mar-11 20:46 UTC
Restoring previous multiple ISP functionality in 4.4.26
Hello. I've never posted to this ML before, so I just wanted to say thanks for Shorewall. It's been great; I've been using it for years.

This server has two ISPs on different NICs. I only really care about responding to traffic out the same address that it originates from. I accomplish this using two ip route tables and some ip rules (the same way as described here: http://lartc.org/howto/lartc.rpdb.multiple-links.html). This has worked great for a long time, but I recently upgraded from Shorewall 4.4.6 to 4.4.26 (by means of an Ubuntu LTS upgrade). Now none of the firewall rules match the secondary interface in Shorewall, so I cannot serve any services on it.

Is there any easy fix here, or am I going to have to change a bit of Shorewall configuration to keep using it? I've scoured this link here: http://shorewall.net/MultiISP.html. Looks like a new "provider" file is to be given. If I have to reconfigure the server as specified, will this do away with my old ip route script?

A very strange behavior of the system now is that the secondary public IP address cannot be pinged from anywhere besides the local public network when Shorewall is turned on. So it's like it's disabling traffic out the secondary gateway, perhaps?

interfaces:

    net    eth0    detect    tcpflags,nosmurfs,routefilter,blacklist
    net    eth1    detect    tcpflags,nosmurfs,routefilter,blacklist
    loc    eth2    detect    tcpflags

zones:

    fw         firewall
    net        ipv4
    vpn:net    ipv4
    loc        ipv4

policy:

    #loc    net    ACCEPT
    #net    all    DROP      info
    $FW     net    REJECT    info
    vpn     $FW    ACCEPT
    # THE FOLLOWING POLICY MUST BE LAST
    all     all    REJECT    info
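An added configuration check, not part of the post and not Shorewall's own code: it parses the shorewall-interfaces(5) columns (ZONE INTERFACE BROADCAST OPTIONS) shown in the post and flags `routefilter` on a net-zone interface whenever that zone spans more than one interface. `routefilter` turns on strict reverse-path filtering, which drops packets arriving on an interface other than the one the kernel would use to route back to the packet's source, so it interacts badly with the source-based multi-ISP routing described above. The zone name `net` as the Internet-facing zone is an assumption.

```python
# Added example (not from the post or from Shorewall itself): parse the
# shorewall-interfaces(5) format and flag 'routefilter' (strict rp_filter)
# on a net-zone interface when the zone has more than one interface.
# The sample text is constructed from the interfaces section in the post;
# the zone name 'net' is assumed to be the Internet-facing zone.

from typing import Dict, List

# Constructed sample: the three interface lines from the post.
SAMPLE_INTERFACES = """
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     tcpflags,nosmurfs,routefilter,blacklist
net    eth1       detect     tcpflags,nosmurfs,routefilter,blacklist
loc    eth2       detect     tcpflags
"""


def parse_interfaces(text: str) -> List[Dict[str, object]]:
    """Return one record per non-comment line: zone, interface, broadcast, options."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: needs at least ZONE and INTERFACE
        broadcast = fields[2] if len(fields) > 2 else "-"
        options = fields[3].split(",") if len(fields) > 3 else []
        records.append({"zone": fields[0], "interface": fields[1],
                        "broadcast": broadcast, "options": options})
    return records


def routefilter_conflicts(text: str, net_zone: str = "net") -> List[str]:
    """Net-zone interfaces carrying 'routefilter' when that zone spans >1 interface."""
    net_ifaces = [r for r in parse_interfaces(text) if r["zone"] == net_zone]
    if len(net_ifaces) < 2:
        return []  # a single upstream interface has no asymmetric-path problem
    return [str(r["interface"]) for r in net_ifaces if "routefilter" in r["options"]]


if __name__ == "__main__":
    for iface in routefilter_conflicts(SAMPLE_INTERFACES):
        print(f"{iface}: routefilter (strict rp_filter) on a multi-ISP net interface")
```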