Grant Scheffert wrote:
I've been using Shorewall on an older box for 3 years and it has worked
fabulous. But we've expanded to having 2 ISPs so I'm building a new
Fedora 6 firewall with Shorewall 3.4.2 and 4 NICs.
I'm having a problem with outgoing connections when I add the track
option to my providers file. Here's my providers file:
# Shorewall version 3.4 - Providers File
#
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS        COPY
ISP1    1       1     main       eth2       216.x.y.33   track,balance  ETH0
ISP2    2       2     main       eth3       136.x.y.1    balance        ETH0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
My interfaces are configured like this:
LAN = ETH0 (10.0.0.0/24)
DMZ = ETH1 (not used yet)
ISP1 = ETH2 (216.x.y.34/28)
ISP2 = ETH3 (136.x.y.2/25)
I have the following in my rules file
ACCEPT:info all all icmp
to allow all pings and log them.
I have nothing in my tcrules file.
The problem seems to be that if I use the track option in the providers
file, I can't make any outgoing connections using that ISP. If I try to
ping an external address that I know exists and the ping goes out
ISP2(ETH3), I get a reply back. If the ping goes out ISP1(ETH2), the
reply is stopped on its way back in and looks like it has been
redirected back out ETH2 where it came from.
Here are the entries from syslog showing this:
May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296
I suspect I have missed something in my configuration. I've studied
http://www.shorewall.net/MultiISP.html pretty hard and have not found
the answer. Any suggestions would be appreciated.
Thanks,
Grant Scheffert
Pantheon Computer Systems
507-835-2212
Where is your gateway pointing to? This is a routing problem when testing with ICMP packets, I think.
My tcrules has some entries to decide which line should get which traffic.
--
Kind regards,
Philipp Rusch
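The three syslog lines in Grant's post carry the whole diagnosis: the echo request leaves on eth2, the reply comes back in on eth2, and the kernel drops it in FORWARD with IN=eth2 OUT=eth2, so the reply was routed straight back towards the provider instead of to the LAN. The script below is an added example, not code from the thread or from the Shorewall project; it parses Shorewall/netfilter log lines, pairs each ICMP echo reply with its request via the ICMP identifier and sequence number, and flags "hairpin" drops where a packet enters and leaves on the same interface. The sample log text is the three lines quoted above, embedded so the script runs offline. The netfilter format repeats ID= (IP identification, then ICMP echo id), which the parser handles explicitly.

```python
import re
from typing import Optional

# The three log lines quoted from the post above, embedded as sample input.
SAMPLE_LOG = """\
May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by key=value fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<fields>.*)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one Shorewall/netfilter log line into a dict, or None if it is not one.

    The netfilter format emits ID= twice for ICMP: first the IP header
    identification, then the ICMP echo identifier. A plain dict() of the
    key=value pairs would silently keep only the last, so the pairs are walked
    in order and the two IDs are stored separately.
    """
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    ids = []
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        if key == "ID":
            ids.append(value)
        else:
            entry[key.lower()] = value
    if ids:
        entry["ip_id"] = ids[0]
    if len(ids) > 1:
        entry["icmp_id"] = ids[1]
    return entry


def parse_log(text: str) -> list:
    """Parse every Shorewall line in a block of syslog text."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_hairpin_drops(entries: list) -> list:
    """Return dropped FORWARD packets whose input and output interface are identical.

    A reply that enters on a provider interface and is routed back out of it
    never reaches the LAN. That is a routing-table symptom (the provider's
    policy-routing table lacks a usable route to the LAN), not a rules issue.
    """
    return [e for e in entries
            if e["chain"] == "FORWARD" and e["disposition"] == "DROP"
            and e.get("in") and e.get("in") == e.get("out")]


def correlate_echo(entries: list) -> list:
    """Pair each ICMP echo reply (TYPE=0) with the request (TYPE=8) it answers.

    Matching uses swapped SRC/DST plus the ICMP identifier and sequence number,
    so the caller can compare the interface the request left on with the one
    the reply arrived on and see where the reply was dropped.
    """
    requests = {}
    for e in entries:
        if e.get("proto") == "ICMP" and e.get("type") == "8":
            requests[(e["src"], e["dst"], e.get("icmp_id"), e.get("seq"))] = e
    pairs = []
    for e in entries:
        if e.get("proto") == "ICMP" and e.get("type") == "0":
            req = requests.get((e["dst"], e["src"], e.get("icmp_id"), e.get("seq")))
            if req is not None:
                pairs.append((req, e))
    return pairs


def report(text: str) -> list:
    """Human-readable findings for a block of syslog text."""
    entries = parse_log(text)
    lines = []
    for req, rep in correlate_echo(entries):
        lines.append(
            f"echo {req['src']}->{req['dst']} id={req.get('icmp_id')} seq={req.get('seq')}: "
            f"request left on {req['out']}, reply arrived on {rep['in']} and was "
            f"{rep['disposition']} in {rep['chain']} (OUT={rep.get('out')})")
    for e in find_hairpin_drops(entries):
        lines.append(
            f"hairpin: packet {e['src']}->{e['dst']} entered {e['in']} "
            f"and was routed back out {e['out']}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)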
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users