Tom Eastep wrote:
> Vieri Di Paola wrote:
>> Hi,
>>
>> I am in the process of upgrading a multi-isp router
>> (ISP1, 2, 3). Previously it was working as expected
>> with Shorewall 3.0.8 and kernel 2.6.16.
>>
>> I'm now having trouble with ISP2 and ISP3 only after
>> moving to shorewall 3.4.2 and kernel 2.6.19. Incoming
>> connections don't complete.
>> An example:
>> a DNAT rule redirects Internet port 443 to a lan
>> server. (from 217.126.158.166 to 85.48.225.159:443 ->
>> 10.215.144.16:443)
>>
>> Note that 85.48.225.159 (ISP3) is on the ADSL
>> modem/router (PPPoA) and has local IP 192.168.101.1
>> and redirects all incoming traffic to 192.168.101.2
>> which is the multi-isp shorewall gateway.
>>
>> Please find the shorewall dump here:
>> http://fhm.zapto.org/dump.gz
>
> This doesn't look good:
>
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
>
> What route_rules entries do you have?
Those rules have the priority of the rules that Shorewall generates to match fwmarks to providers. So I'm guessing that your kernel isn't handling routing rules correctly.

Rule generation looks wrong because the rules don't have the 'fwmark' match included; Shorewall only generates these rules if you put something other than '-' in the MARK column of /etc/shorewall/providers.

Because the wrong rule is being instantiated, the code which deletes these rules during 'restart' also doesn't work. This is leaving you with an additional rule per provider per 'shorewall restart'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
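A quick health check for the symptom Tom describes (provider rules that carry no fwmark match and pile up with each restart), written as an added example rather than anything from the thread or from Shorewall itself. It assumes the 1000x priority range seen in the dump is the provider range, and works on constructed `ip rule show` output so it runs offline; on a live box you would feed it `ip rule show` instead.

```shell
#!/bin/sh
# Constructed sample shaped like the 'ip rule show' lines quoted in the thread
# (a few repeats per provider stand in for the twelve copies in the real dump).
SAMPLE_RULES='0:      from all lookup local
10001:  from all lookup ISP1
10001:  from all lookup ISP1
10001:  from all lookup ISP1
10002:  from all lookup ISP2
10002:  from all lookup ISP2
10003:  from all fwmark 0x3 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default'

# Report provider rules that are duplicated or lack a fwmark match.
# Assumption: provider rules live in the priority range 10000-10999.
# Output: "DUPLICATE <count> <rule>" and "NOFWMARK <rule>" lines, sorted.
check_provider_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^1[0-9][0-9][0-9][0-9]:$/ {
            prio = $1; sub(":", "", prio)
            if (prio + 0 >= 10000 && prio + 0 < 11000) {
                count[$0]++
                if ($0 !~ / fwmark /) nofwmark[$0] = 1
            }
        }
        END {
            for (r in count) if (count[r] > 1) printf "DUPLICATE %d %s\n", count[r], r
            for (r in nofwmark) printf "NOFWMARK %s\n", r
        }' | sort
}

# Number of problem lines; zero means the provider rules look healthy.
count_problems() {
    check_provider_rules "$1" | awk 'END { print NR }'
}

check_provider_rules "$SAMPLE_RULES"
```

The same duplication shows up in `shorewall dump` output, so the check can be run over a saved dump as well as over the live rule table.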
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users