Mark wrote:
> Greetings,
>
> I have a Shorewall configuration with 2 WAN subnets bound to eth0 and eth1
> and 2 LAN interfaces bound to eth2 and eth3. We have a web/e-mail server on
> eth3 in the 192.168.30.0/24 subnet at 192.168.30.10. I have 2 rules to DNAT
> TCP traffic on ports 80 and 110 arriving on specific IPs
> (eth0:70.143.10.135 and eth1:12.22.105.135) to be forwarded to
> eth3:192.168.30.10.
>
> /etc/shorewall/providers
> ISP1 1 1 main eth0 70.143.10.129 track,balance eth2,eth3
> ISP2 2 2 main eth1 12.22.105.129 track,balance eth2,eth3
Think this might be an issue here, from your dump:
Chain tcpre (3 references)
pkts bytes target prot opt in out source destination
160 14771 MARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
0 0 MARK tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
31 2069 MARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2 <<<<
0 0 MARK tcp -- eth3 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
> /etc/shorewall/interfaces
> net eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians
> net eth1 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians
> loc eth2 10.15.3.255 detectnets,routeback
> dmz eth3 192.168.30.255 detectnets
>
> /etc/shorewall/rules
> DNAT net dmz:192.168.30.10 TCP 80 - 12.22.105.135,70.143.10.135
> DNAT net dmz:192.168.30.10 TCP 110 - 12.22.105.135,70.143.10.135
>
> Only traffic arriving on eth1:12.22.105.135 works. Traffic arriving on
> eth0:70.143.10.135 is being forwarded to 192.168.30.10 as witnessed by
> 'tcpdump' but is not sent back out, the return packet stops at eth3 and does
> not appear at eth0. I have attached a 'shorewall dump' for your reference.
> Any assistance would be greatly appreciated. Please let me know if there is
> additional information or clarification I should provide.
Did you really want to mark all outbound traffic from the dmz (eth3) to
use only ISP2 (MARK set 0x2)?
Jerry
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
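
Added example, not part of the original thread: a small Python check that lists the kind of rule Jerry points at in the `tcpre` chain, a MARK rule that applies to every packet arriving on an interface. The function names are hypothetical, the sample text is the chain from the message with the wrapped lines rejoined, and the parser assumes one rule per line.

```python
import re

# Constructed sample: the tcpre chain quoted in the message, one rule per line.
SAMPLE_DUMP = """\
Chain tcpre (3 references)
 pkts bytes target prot opt in out source destination
  160 14771 MARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
   31  2069 MARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
    0     0 MARK tcp -- eth3 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25 MARK set 0x1
"""

# Columns: pkts bytes target prot opt in out source destination [matches] MARK set <value>
RULE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+MARK\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<inif>\S+)\s+(?P<outif>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<match>.*?)MARK set (?P<mark>0x[0-9a-fA-F]+)\s*$"
)
ANY_ADDR = "0.0.0.0/0"


def parse_mark_rules(dump):
    """Return one dict per MARK rule found in the chain listing."""
    rules = []
    for line in dump.splitlines():
        m = RULE.match(line)
        if m:
            rule = m.groupdict()
            rule["mark"] = int(rule["mark"], 16)
            rule["match"] = rule["match"].strip()  # e.g. "multiport dports 25"
            rules.append(rule)
    return rules


def catch_all_marks(rules):
    """Rules with any protocol, any address and no extra match:
    every packet arriving on that interface receives the mark."""
    return [
        (r["inif"], r["mark"], r["pkts"])
        for r in rules
        if r["prot"] == "all" and r["src"] == ANY_ADDR
        and r["dst"] == ANY_ADDR and not r["match"]
    ]


if __name__ == "__main__":
    for inif, mark, pkts in catch_all_marks(parse_mark_rules(SAMPLE_DUMP)):
        print(f"{inif}: every inbound packet is marked {mark:#x} ({pkts} packets so far)")
```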