I adjusted the masq file as Jerry suggested, but I'm still getting the
same symptoms.

The last thing I have tried was to restart shorewall, then immediately
send a single ping that failed (as described in the original post below)
through the firewall, and then ran the dump.  This way I believe that
the only packet counts are from the 1 failed packet.  I tried to extract
what's going on with the counters, but haven't been able to draw any
conclusions except that I think it's in the MANGLE table.  Does this
help anyone more?

Sorry, the addresses changed a bit on ETH2 and ETH3 because I removed
the box from the live connections and have created a mock setup with
slightly different addresses.

Thanks,
Grant


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jerry Vonau
Sent: Thursday, May 24, 2007 10:08 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] MultiISP problems with the track option

Jerry Vonau wrote:
> Grant Scheffert wrote:
<snip>
>> # Shorewall version 3.4 - Providers File
>> #
>> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS        COPY
>> ISP1   1       1     main       eth2       216.x.y.33  track,balance  ETH0
>> ISP2   2       2     main       eth3       136.x.y.1   balance        ETH0
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>> My interfaces are configured like this:
>> LAN  = ETH0 (10.0.0.0/24)
>> DMZ  = ETH1 (not used yet)
>> ISP1 = ETH2 (216.x.y.34/28)
>> ISP2 = ETH3 (136.x.y.2/25)
>>
<snip>

>> I suspect I have missed something in my configuration.  I've studied
>> http://www.shorewall.net/MultiISP.html pretty hard and have not found
>> the answer.  Any suggestions would be appreciated.
>>
> 
> Please submit a shorewall dump.

The only thing that jumps out from your dump, other than eth3 differing
from the above info, is this:

Chain eth2_masq (1 references)
 pkts bytes target      prot opt in     out     source          destination
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24  0.0.0.0/0

Chain eth3_masq (1 references)
 pkts bytes target      prot opt in     out     source          destination
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24  0.0.0.0/0

Past experience tells me you should be using SNAT here. Have another look
at the example on the MultiISP page: your masq file entries need to use the
third column to set a SNAT entry here.

Jerry




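As an added example of the change Jerry is describing (not taken from his reply or from the Shorewall documentation), here is a masq file in the two forms. The column layout is assumed from the Shorewall 3.4 masq file format (INTERFACE, SUBNET, ADDRESS, ...); the source networks are the two that appear in the dump above, and the addresses are the ones the original post gives for eth2 and eth3, with the poster's x.y redactions kept as-is.

```text
# /etc/shorewall/masq  (Shorewall 3.4 column layout assumed)
#
# Form 1: no ADDRESS column. This is what produces the MASQUERADE targets
# seen in the eth2_masq / eth3_masq chains of the dump above.
#INTERFACE   SUBNET           ADDRESS
#eth2        10.0.0.0/24
#eth2        192.168.1.0/24
#eth3        10.0.0.0/24
#eth3        192.168.1.0/24

# Form 2: ADDRESS column filled in with the interface's own address, so
# Shorewall emits SNAT to that fixed address instead of MASQUERADE.
# (216.x.y.34 and 136.x.y.2 are the poster's redacted addresses; substitute
# the real ones.)
#INTERFACE   SUBNET           ADDRESS
eth2         10.0.0.0/24      216.x.y.34
eth2         192.168.1.0/24   216.x.y.34
eth3         10.0.0.0/24      136.x.y.2
eth3         192.168.1.0/24   136.x.y.2
```

After a `shorewall restart`, the eth2_masq and eth3_masq chains in `shorewall dump` (or `iptables -t nat -L eth2_masq -n -v`) should list SNAT targets rather than MASQUERADE; if they still show MASQUERADE, the third column was not picked up.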
-------------------------------------------------------------------------
Original Post
> I've been using Shorewall on an older box for 3 years and it has 
> worked fabulous.  But we've expanded to having 2 ISPs so I'm building 
> a new Fedora 6 firewall with Shorewall 3.4.2 and 4 NICs.
> 
> I'm having a problem with outgoing connections when I add the track 
> option to my providers file.  Here's my providers file:
> 
> # Shorewall version 3.4 - Providers File
> #
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS        COPY
> ISP1   1       1     main       eth2       216.x.y.33  track,balance  ETH0
> ISP2   2       2     main       eth3       136.x.y.1   balance        ETH0
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> 
> My interfaces are configured like this:
> LAN  = ETH0 (10.0.0.0/24)
> DMZ  = ETH1 (not used yet)
> ISP1 = ETH2 (216.x.y.34/28)
> ISP2 = ETH3 (136.x.y.2/25)
> 
> I have the following in my rules file
> ACCEPT:info   all     all     icmp
> to allow all pings and log them.
> 
> I have nothing in my tcrules file.
> 
> The problem seems to be that if I use the track option in the 
> providers file, I can't make any outgoing connections using that ISP.

> If I try to ping an external address that I know exists and the ping 
> goes out ISP2(ETH3), I get a reply back.  If the ping goes out 
> ISP1(ETH2), the reply is stopped on its way back in and looks like it 
> has been redirected back out ETH2 where it came from.
> 
> Here are the entries from syslog showing this:
> May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
> May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
> May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296
> 
> I suspect I have missed something in my configuration.  I've studied 
> http://www.shorewall.net/MultiISP.html pretty hard and have not found 
> the answer.  Any suggestions would be appreciated.
>

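The symptom in the original post (an echo reply arriving on eth2 and being forwarded back out eth2, then dropped) can be picked out of a syslog mechanically. The following script is an added example, not part of this thread or of Shorewall: it parses Shorewall's kernel log prefix, pairs ICMP echo requests with replies by ICMP ID and SEQ, and flags replies whose IN and OUT interface are the same. The sample log is the three entries from the original post, reflowed one per line; note that each ICMP line carries two `ID=` fields (the IP header ID, then the ICMP echo ID), which a naive key=value parse would merge.

```python
import re

# Constructed sample: the three syslog entries from the original post, one per line.
SAMPLE_LOG = """\
May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's netfilter key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one Shorewall syslog line into a dict, or return None if it is not one.

    The first ID= field is the IP header ID; an ID= field after PROTO= is the
    ICMP echo identifier, so the two are stored under different keys.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"],
           "chain": m["chain"], "disposition": m["disp"]}
    seen_proto = False
    for tok in m["rest"].split():
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key == "ID":
            key = "ICMP_ID" if seen_proto else "IP_ID"
        elif key == "PROTO":
            seen_proto = True
        rec[key] = val
    return rec


def find_hairpinned_replies(log_text):
    """Return (request, reply) pairs where the echo reply's IN and OUT interface
    are identical, i.e. the firewall tried to send the reply back out the
    interface it arrived on instead of towards the LAN host that pinged."""
    requests = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "ICMP":
            continue
        key = (rec.get("ICMP_ID"), rec.get("SEQ"))
        if rec.get("TYPE") == "8":          # echo request: remember which way it went
            requests[key] = rec
        elif rec.get("TYPE") == "0":        # echo reply: match it to its request
            req = requests.get(key)
            if req is not None and rec.get("IN") == rec.get("OUT"):
                findings.append((req, rec))
    return findings


if __name__ == "__main__":
    for req, rep in find_hairpinned_replies(SAMPLE_LOG):
        print(f"request {req['SRC']}->{req['DST']} left via {req['OUT']}; "
              f"reply came in {rep['IN']}, went out {rep['OUT']} "
              f"({rep['chain']}:{rep['disposition']})")
```

Run against a full syslog the same way (read the file, pass its text in); every pair reported is a reply that was routed back towards the ISP rather than to the LAN, which is the pattern to look for after changing the masq or providers configuration.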
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users