OK so I've read all the docs I can find, and I still can't get things working :-(

shorewall 3.4.1
CentOS Linux 2.6.20.3
iptables  1.3.7

Quick summary:
eth0: internal interface for various 192.168 networks
      firewall host IPs on the 192 nets (default gateways for client subnets)
eth1: admin interface, 10.x traffic
eth2: ISP1, with both a /25 and a /24 routed here (trying setup so far just with the single /25)
      firewall host IP of 204.13.166.253
eth3: ISP2, with a /25
      firewall host IP of 69.90.133.125

The problem:
- as soon as I add entries in the providers and either route_rules or tcrules files, I get log messages like this:

Mar 25 22:19:02 fw kernel: SW:FORWARD:1:REJECT:IN=eth2 OUT=eth2 SRC=204.13.165.37 DST=192.168.1.50 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=44337 DF PROTO=TCP SPT=36649 DPT=22 WINDOW=49640 RES=0x00 SYN URGP=0

If I remove the 2nd ISP, and comment out the providers/etc entries, all works wonderfully. Quick check of iptables rules shows the rules are identical in both situations, so I assume there must be something wonky with the routing table entries, which look like this:

ip route:
192.168.1.48/28 dev eth1  proto kernel  scope link  src 192.168.1.49
192.168.1.64/28 dev eth1  proto kernel  scope link  src 192.168.1.65
69.90.133.0/25 dev eth3  proto kernel  scope link  src 69.90.133.125
204.13.166.128/25 dev eth2  proto kernel  scope link  src 204.13.166.253
192.168.168.0/24 dev eth1  scope link
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.7
default
       nexthop via 204.13.166.129  dev eth2 weight 1
       nexthop via 69.90.133.1  dev eth3 weight 1


ip rule:
0:      from all lookup local
1000:   from 204.13.166.128/25 iif eth2 lookup ISP1
1000:   from 69.90.133.0/24 iif eth3 lookup ISP2
10001:  from all fwmark 0x1 lookup ISP1
10003:  from all fwmark 0x3 lookup ISP2
20000:  from 204.13.166.253 lookup ISP1
20001:  from 204.13.166.251 lookup ISP1
20002:  from 204.13.166.252 lookup ISP1
20512:  from 69.90.133.125 lookup ISP2
20513:  from 69.90.133.120 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default

Or more likely I am just totally lost and confused....!

capabilities:
Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Available
  Packet Type Match: Available
  Policy Match: Not available
  Physdev Match: Not available
  Packet length Match: Available
  IP range Match: Available
  Recent Match: Available
  Owner Match: Available
  Ipset Match: Not available
  CONNMARK Target: Available
  Extended CONNMARK Target: Available
  Connmark Match: Available
  Extended Connmark Match: Available
  Raw Table: Not available
  IPP2P Match: Not available
  CLASSIFY Target: Available
  Extended REJECT: Available
  Repeat match: Available
  MARK Target: Available
  Extended MARK Target: Available
  Mangle FORWARD Chain: Available
  Comments: Not available
  Address Type Match: Available


params:
ADMIN=eth0
INT=eth1
ISP1=eth2
ISP2=eth3

hosts:
#ZONE   HOST(S)                     OPTIONS
net     $ISP1:0.0.0.0/0                 tcpflags
net     $ISP2:0.0.0.0/0                 tcpflags
int     $INT:0.0.0.0/0
c148    $INT:192.168.1.48/28            tcpflags,routeback
c164    $INT:192.168.1.64/28            tcpflags,routeback
admin   $ADMIN:10.0.0.0/8                       tcpflags

interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       $ISP1        detect             tcpflags,routefilter,nosmurfs,logmartians
-       $ISP2        detect             tcpflags,routefilter,nosmurfs,logmartians
-       $INT         detect             tcpflags,detectnets,nosmurfs
-       $ADMIN       10.255.255.255

nat:
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
204.13.166.252  $ISP1           192.168.1.50    Yes             No
69.90.133.120   $ISP2           192.168.1.66    Yes             No

policy:
all             net             ACCEPT
int             admin           REJECT          info
int             $FW             REJECT          info
int             all             REJECT          info
# Policies for traffic originating from the firewall ($FW)
$FW             net             ACCEPT
$FW             admin           ACCEPT
$FW             int             ACCEPT
$FW             all             ACCEPT
# Policies for traffic originating from the admin Zone
admin           net             ACCEPT
admin           $FW             ACCEPT
admin           int             ACCEPT
admin           all             ACCEPT
# Policies for traffic originating from the Internet zone (net)
net             admin           DROP            info
net             $FW             DROP            info
net             int             DROP            info
net             all             DROP            info
all             all             REJECT          info



rules:
DNS/ACCEPT      $FW             net
DNS/ACCEPT      int             net
DNS/ACCEPT      admin           net
SSH/ACCEPT      net             $FW
SSH/ACCEPT      $FW             int
SSH/ACCEPT      admin           $FW
SSH/ACCEPT      admin           int
#       allow temporarily for testing purposes
ACCEPT          net             $FW             icmp    8       -       -       1/sec
ACCEPT          net             int             icmp    8       -       -       1/sec
ACCEPT          int             $FW             icmp    8       -       -       1/sec
Ping/ACCEPT     int             net
#
ACCEPT          $FW             net             icmp
ACCEPT          $FW             int             icmp
ACCEPT          $FW             admin           icmp
#
ACCEPT          admin           int             icmp
ACCEPT          admin           net             icmp
ACCEPT          admin           $FW             icmp
#
#------------------------------------------------------------------------------
#   ISP1
DNAT    all+-   c148:192.168.1.50 tcp  80      -        204.13.166.252
DNAT    all+-   c148:192.168.1.50 tcp  22      -        204.13.166.252
DNAT    all+-   c148:192.168.1.50 icmp 8       -        204.13.166.252
#------------------------------------------------------------------------------
# ISP2
DNAT    all+-   c164:192.168.1.66 tcp  80      -        69.90.133.120
DNAT    all+-   c164:192.168.1.66 tcp  22      -        69.90.133.120
DNAT    all+-   c164:192.168.1.66 icmp 8       -        69.90.133.120
#------------------------------------------------------------------------------

providers:
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1    1       1       main            $ISP1           204.13.166.129  track,balance   none
ISP2    3       3       main            $ISP2           69.90.133.1     track,balance   none

route_rules:
$ISP1:204.13.166.128/25 -                       ISP1            1000
#$ISP1:216.18.236.0/24   -                       ISP1            1000
$ISP2:69.90.133.0/24    -                       ISP2            1000

tcrules (tried with both this and route_rules, no diff):
#1:P    $INT:192.168.1.48/28    0.0.0.0/0       all
#3:P    $INT:192.168.1.64/28    0.0.0.0/0       all

Pointers to the obvious most appreciated...!!


-- 
Phil Cordier
President / CEO, GridZones
PO Box 55099, Seattle, WA 98155
http://www.gridzones.com
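The following is an added example, not code from the original message or from Shorewall. It replays the kernel's policy-routing rule walk over the `ip rule` and `ip route` listings quoted above: for a packet described by its source address, ingress interface and fwmark it lists, in priority order, which routing tables the kernel would consult, and it flags any `from … iif …` selector whose prefix is wider than the subnet actually connected on that interface (the `69.90.133.0/24` rule on an eth3 that carries a `/25`). The fwmark value `0x1` used for the logged packet is an assumption about what the `track` option would have restored for a connection that arrived on eth2; the function names (`parse_rules`, `tables_consulted`, `overbroad_selectors`, `parse_netfilter_log`) are this example's own.

```python
"""Policy-routing sanity check for the `ip rule` / `ip route` output quoted in the post.

Added example, not part of the original message. It replays the kernel's rule
walk for a packet (source address, ingress interface, fwmark) and flags `from`
selectors that are wider than the subnet actually connected to that interface.
"""
import ipaddress
import re

# Constructed from the listings in the post; the nexthop lines of the default
# route are deliberately ignored because only on-link routes matter here.
IP_RULE_OUTPUT = """\
0:      from all lookup local
1000:   from 204.13.166.128/25 iif eth2 lookup ISP1
1000:   from 69.90.133.0/24 iif eth3 lookup ISP2
10001:  from all fwmark 0x1 lookup ISP1
10003:  from all fwmark 0x3 lookup ISP2
20000:  from 204.13.166.253 lookup ISP1
20001:  from 204.13.166.251 lookup ISP1
20002:  from 204.13.166.252 lookup ISP1
20512:  from 69.90.133.125 lookup ISP2
20513:  from 69.90.133.120 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default
"""

IP_ROUTE_OUTPUT = """\
192.168.1.48/28 dev eth1  proto kernel  scope link  src 192.168.1.49
192.168.1.64/28 dev eth1  proto kernel  scope link  src 192.168.1.65
69.90.133.0/25 dev eth3  proto kernel  scope link  src 69.90.133.125
204.13.166.128/25 dev eth2  proto kernel  scope link  src 204.13.166.253
192.168.168.0/24 dev eth1  scope link
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.7
default
       nexthop via 204.13.166.129  dev eth2 weight 1
       nexthop via 69.90.133.1  dev eth3 weight 1
"""

# The rejected packet from the post's kernel log (trailing TCP fields omitted).
LOG_LINE = ("SW:FORWARD:1:REJECT:IN=eth2 OUT=eth2 SRC=204.13.165.37 DST=192.168.1.50 "
            "LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=44337 DF PROTO=TCP SPT=36649 DPT=22")

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?:\s+iif (?P<iif>\S+))?"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-fA-F]+))?"
    r"\s+lookup (?P<table>\S+)"
)
ROUTE_RE = re.compile(r"^(?P<dst>\S+) dev (?P<dev>\S+) .*scope link")


def parse_rules(text):
    """Parse `ip rule` output into dicts, ordered by priority (stable for ties)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = "0.0.0.0/0" if m["src"] == "all" else m["src"]
        rules.append({
            "prio": int(m["prio"]),
            "src": ipaddress.ip_network(src, strict=False),
            "iif": m["iif"],
            "mark": int(m["mark"], 16) if m["mark"] else None,
            "table": m["table"],
        })
    return sorted(rules, key=lambda r: r["prio"])


def parse_link_routes(text):
    """Map each device to the on-link (scope link) networks `ip route` shows for it."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.setdefault(m["dev"], []).append(ipaddress.ip_network(m["dst"], strict=False))
    return routes


def tables_consulted(rules, src, iif=None, fwmark=0):
    """Return the tables the kernel would try, in order, for this packet's selectors.

    A table is consulted when every selector on its rule matches; the kernel moves
    on to the next matching rule only if that table has no route for the destination.
    """
    addr = ipaddress.ip_address(src)
    hits = []
    for r in rules:
        if addr not in r["src"]:
            continue
        if r["iif"] is not None and r["iif"] != iif:
            continue
        if r["mark"] is not None and r["mark"] != fwmark:
            continue
        hits.append(r["table"])
    return hits


def overbroad_selectors(rules, link_routes):
    """Flag `from X iif DEV` rules whose prefix is wider than DEV's connected subnet."""
    findings = []
    for r in rules:
        if r["iif"] is None or r["src"].prefixlen == 0:
            continue
        for net in link_routes.get(r["iif"], []):
            if r["src"].overlaps(net) and r["src"].prefixlen < net.prefixlen:
                findings.append((r["prio"], str(r["src"]), r["iif"], str(net)))
    return findings


def parse_netfilter_log(line):
    """Turn the KEY=VALUE pairs of a netfilter LOG line into a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


if __name__ == "__main__":
    rules = parse_rules(IP_RULE_OUTPUT)
    links = parse_link_routes(IP_ROUTE_OUTPUT)
    pkt = parse_netfilter_log(LOG_LINE)
    # Assumption: with 'track', a connection that arrived on eth2 carries ISP1's mark (0x1).
    print("tables consulted for", pkt["SRC"], "in", pkt["IN"], "->",
          tables_consulted(rules, pkt["SRC"], iif=pkt["IN"], fwmark=0x1))
    for prio, sel, dev, net in overbroad_selectors(rules, links):
        print(f"rule {prio}: 'from {sel} iif {dev}' is wider than on-link {net}")
```

Run it against a live box by pasting the real `ip rule` and `ip route` listings into the two constants; the useful output is the ordered table list for the DNAT'd packet, which tells you which table must hold the route to 192.168.1.50 before the kernel ever falls through to `main`.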

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users