Johannes Graumann wrote:
> Tom Eastep wrote:
>> I'm sorry but I'm not going to try to visualize what your configuration
>> now looks like after you've made all of these changes; I'll need to see
>> another dump.
> Attached.
Your routing rules are now:
Routing Rules
0: from all lookup local
10001: from all fwmark 0x1 lookup LAN
10002: from all fwmark 0x2 lookup ICA
20000: from 10.31.0.96 lookup LAN
20256: from 141.61.79.153 lookup ICA
26000: from all to 192.168.0.0/16 iif lo lookup LAN
26000: from all iif lo lookup ICA
32766: from all lookup main
32767: from all lookup default
All of the 'iif lo' entries appearing in the rules are nonsense. Those rules
will never match, since any traffic arriving on the 'lo' interface is addressed
to the firewall itself and is already handled by the 'local' table.
So your routing rules are really this:
0: from all lookup local
10001: from all fwmark 0x1 lookup LAN
10002: from all fwmark 0x2 lookup ICA
20000: from 10.31.0.96 lookup LAN
20256: from 141.61.79.153 lookup ICA
32766: from all lookup main
32767: from all lookup default
So, if you attempt to ssh to 10.4.0.38, we end up at 32766 (lookup main).
Your 'main' table has:
172.16.35.0/24 dev vmnet8 proto kernel scope link src 172.16.35.1
192.168.149.0/24 dev vmnet1 proto kernel scope link src 192.168.149.1
141.61.79.0/24 dev eth1 proto kernel scope link src 141.61.79.153
10.31.0.0/16 dev eth0 proto kernel scope link src 10.31.0.96
default
    nexthop via 10.31.0.1 dev eth0 weight 1
    nexthop via 141.61.79.1 dev eth1 weight 1
default via 10.31.0.1 dev eth0
The first 'default' route is the one that matches this traffic so we can go
to either provider. So it may or may not do the right thing.
a) Remove your 'lo' entries from the route_rules file
b) Add entries in the 15000 range that direct traffic to 10.0.0.0/8 to the
LAN table.
c) I would also remove the route filtering from both eth0 and eth1 until you
get this working. Since you are not logging martians, you have no idea whether
your kernel is silently dropping response packets.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
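The following is an added example, not part of the thread above and not Shorewall code: a small Python model of how the kernel walks policy-routing rules in priority order and does a longest-prefix lookup in the selected table, used to trace the forwarded ssh packet to 10.4.0.38 before and after Tom's fix (b). The rule list and the 'main' table are copied from the quoted dump; the contents of the 'local', 'LAN' and 'ICA' tables, the multipath description string, and the sending LAN host 10.31.0.50 are assumptions made for the example.

```python
# Added example (not from the thread or from Shorewall): a minimal model of
# Linux policy routing (ip rule + ip route) used to trace which table a
# forwarded packet ends up in.  Rules and the 'main' table follow the dump
# quoted in the message; 'local', 'LAN', 'ICA' tables and the LAN host
# 10.31.0.50 are assumed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[str] = None      # 'from' selector (CIDR or host)
    dst: Optional[str] = None      # 'to' selector (CIDR or host)
    fwmark: Optional[int] = None   # 'fwmark' selector
    iif: Optional[str] = None      # incoming-interface selector

    def matches(self, pkt: "Packet") -> bool:
        return ((self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.fwmark is None or pkt.fwmark == self.fwmark)
                and (self.iif is None or pkt.iif == self.iif))


@dataclass
class Packet:
    src: str
    dst: str
    iif: str            # interface the packet arrived on
    fwmark: int = 0


def longest_match(table, dst):
    """Longest-prefix match inside one table; returns (network, description)."""
    best = None
    for prefix, via in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def lookup(rules, tables, pkt):
    """Walk the rules in priority order; the first selected table that holds a
    route for pkt.dst decides.  Returns (priority, table, route description)."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(pkt):
            continue
        hit = longest_match(tables.get(rule.table, []), pkt.dst)
        if hit is not None:
            return rule.prio, rule.table, hit[1]
    return None


MAIN = [  # from the quoted dump
    ("172.16.35.0/24", "dev vmnet8"),
    ("192.168.149.0/24", "dev vmnet1"),
    ("141.61.79.0/24", "dev eth1"),
    ("10.31.0.0/16", "dev eth0"),
    ("0.0.0.0/0", "multipath: nexthop 10.31.0.1 dev eth0 / 141.61.79.1 dev eth1"),
]
TABLES = {
    # assumed: the firewall's own addresses live in 'local'
    "local": [(a, "local") for a in ("127.0.0.0/8", "10.31.0.96/32", "141.61.79.153/32",
                                     "172.16.35.1/32", "192.168.149.1/32")],
    # assumed provider tables, one default route each
    "LAN": [("10.31.0.0/16", "dev eth0"), ("0.0.0.0/0", "via 10.31.0.1 dev eth0")],
    "ICA": [("141.61.79.0/24", "dev eth1"), ("0.0.0.0/0", "via 141.61.79.1 dev eth1")],
    "main": MAIN,
    "default": [],
}
RULES = [  # as listed in the dump
    Rule(0, "local"),
    Rule(10001, "LAN", fwmark=1),
    Rule(10002, "ICA", fwmark=2),
    Rule(20000, "LAN", src="10.31.0.96"),
    Rule(20256, "ICA", src="141.61.79.153"),
    Rule(26000, "LAN", dst="192.168.0.0/16", iif="lo"),
    Rule(26000, "ICA", iif="lo"),
    Rule(32766, "main"),
    Rule(32767, "default"),
]
# Tom's fix (b): a rule in the 15000 range sending 10.0.0.0/8 to the LAN table.
FIX = [Rule(15000, "LAN", dst="10.0.0.0/8")]


def trace_ssh(rules):
    """A LAN host (assumed 10.31.0.50) sshing to 10.4.0.38 through the firewall."""
    return lookup(rules, TABLES, Packet("10.31.0.50", "10.4.0.38", iif="eth0"))


if __name__ == "__main__":
    print("before fix:", trace_ssh(RULES))        # falls through to 32766 / main
    print("after fix: ", trace_ssh(RULES + FIX))  # caught at 15000 / LAN
```

Running the block shows the packet falling through every selector to the 'main' table and its balanced default route before the fix, and stopping at the new 15000 rule with the LAN table's single eth0 default afterwards.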
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
