On Wed, 2009-08-19 at 18:19 +0200, Gaetano Guerriero wrote:
> On Wed, Aug 19, 2009 at 11:01:51AM -0500, Jerry Vonau wrote:
> > On Wed, 2009-08-19 at 16:00 +0200, Gaetano Guerriero wrote:
> > > Thanks, here's `shorewall dump`.
> > > 
> > > On Wed, Aug 19, 2009 at 06:37:55AM -0700, Tom Eastep wrote:
> > > > Gaetano Guerriero wrote:
> > > > > Greetings,
> > > > > I have a firewall with two internet connections:
> > > > > /etc/shorewall/providers
> > > > > #NAME                   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
> > > > > TISCALI                 1       256     main            eth2            217.133.234.182 track           eth0,eth1
> > > > > INFO1                   2       512     main            eth3            192.168.50.2    -               eth0,eth1
> > > > > LAN_TRANSPARENT_PROXY   14      1024    -               eth1            192.168.0.205   loose
> > > > > 
> > > > > I use the IP on eth2 to DNAT to some hosts in the LAN, but the 
> > > > > responses don't go through eth2, since the default provider is on eth3:
> > > > > /etc/shorewall/route_rules:
> > > > > eth1                            -                       INFO1           26002
> > > > > 
> > > > > From my understanding, using the option "track" on eth2 should make 
> > > > > the connections that arrive on eth2 and are DNATted to hosts on the 
> > > > > LAN return on eth2.
> > > > > Since that doesn't happen, my question is whether this is due to a 
> > > > > wrong setup, or whether it can't work anyway since I'm still using 
> > > > > route_rules instead of tcrules.
> > > > > Besides, the MultiISP howto recommends using shorewall 4.2, while 
> > > > > I'm still on shorewall 4.0.
> > > > 
> > > > It should work.
> > > > 
> The DNATed connections work now because I manually forced every publishing
> host to go out to the internet via eth2, using route_rules and masq. I wanted
> to let shorewall magically do the work and send the responses through
> the same provider. I think this is the point of the "track" option.
> 
You have read http://www.shorewall.net/FAQ.htm#faq57, right? You may want
to use balance here; then track might work. If you don't want to use
balance, I'd suggest using something like this in tcrules for each
service that is DNATed:

256:P 192.168.0.211 0.0.0.0/0  tcp  -  80         

which reads: mark packets with mark 256 in PREROUTING from $ip going
anywhere with a source port of 80.

repeat with edits for each service...

Do these DNATed public IP addresses need to be available through the
VPN? If not, then the route_rules entries that point the DNATed boxes
to the main table may go away.

Jerry

> > Well, I get prompted for a password when I try the DNATed http port....
> > A username and password are being requested by http://217.133.234.177.
> > The site says: "Space Trac"
> > 
> > > > > 
> > > > > This setup worked in shorewall 3.2; now, as a work-around, I'm 
> > > > > forcing every host that receives DNAT connections to always exit 
> > > > > through eth2.
> > > > 
> 
> Thanks for the tip.
> The difference between MASQ and SNAT should be only in performance, right?
> 
Should not make much of a difference...  

Jerry
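
As an added example (not from the thread, and not the ruleset Shorewall itself generates from providers/tcrules), the script below spells out the mechanism the thread is relying on, in raw ip rule/iptables: a per-provider routing table selected by fwmark, a CONNMARK save/restore pair that does what "track" is meant to do, and Jerry's per-service "256:P host 0.0.0.0/0 tcp - port" marking for replies from DNATed hosts. The interface names, the TISCALI gateway, mark 256 (0x100) and host 192.168.0.211:80 are the values posted in the thread; the table number 1, the rule preference 10000 and the extra services (443, 192.168.0.212:25) are constructed assumptions. It only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: hand-rolled policy routing for "replies from DNATed LAN hosts
# go back out the provider the request came in on". This is NOT Shorewall's
# generated ruleset; it shows what providers/tcrules/track boil down to.
# Dry run by default (commands are printed); APPLY=1 executes them as root.
#
# From the thread: eth2 = TISCALI, gateway 217.133.234.182, provider MARK 256,
# LAN interface eth1, DNAT target 192.168.0.211:80.
# Assumptions (constructed): table number 1, rule pref 10000, the 443 and
# 192.168.0.212:25 services.

TISCALI_IF=eth2
TISCALI_GW=217.133.234.182
TISCALI_MARK=0x100      # 256, the MARK column of the TISCALI provider
TISCALI_TABLE=1         # assumed: the NUMBER column of the provider
LAN_IF=eth1
# "host:port" of each DNATed service; replies leave the host with this
# port as their *source* port.
SERVICES="192.168.0.211:80 192.168.0.211:443 192.168.0.212:25"

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

provider_routes() {
    # Per-provider table plus the fwmark rule that selects it: any packet
    # carrying TISCALI_MARK at routing time is routed via the TISCALI table,
    # i.e. out eth2, regardless of the main table's default via eth3.
    run ip route replace default via "$TISCALI_GW" dev "$TISCALI_IF" table "$TISCALI_TABLE"
    run ip rule add fwmark "$TISCALI_MARK" table "$TISCALI_TABLE" pref 10000
}

track_rules() {
    # What "track" is meant to do: store the provider mark of a NEW inbound
    # connection in the conntrack mark, and copy it back onto every later
    # packet of that connection (replies from the DNATed host included)
    # before the routing decision is made.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$TISCALI_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$TISCALI_MARK"
    run iptables -t mangle -A PREROUTING -i "$TISCALI_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark
}

service_rules() {
    # Jerry's per-service fallback as raw iptables. In mangle PREROUTING a
    # reply to a DNATed connection still carries the LAN host as source
    # (the address is only translated back on the way out), so match the
    # host and the service port as source port and set the provider mark.
    for svc in $SERVICES; do
        host=${svc%:*}
        port=${svc#*:}
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$host" -p tcp --sport "$port" \
            -j MARK --set-mark "$TISCALI_MARK"
    done
}

apply_all() {
    provider_routes
    track_rules
    service_rules
}

# Stand-alone run: print the full command set for review.
apply_all
```

Two caveats when doing this by hand: ip rules are evaluated in pref order, so the fwmark rule must have a lower pref than the route_rules entry that sends eth1 traffic to INFO1 (26002 in the thread), or the mark is never consulted; and `ip rule add` is not idempotent, so running the script twice adds duplicate rules unless you delete or check for them first.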


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users