Tom Eastep wrote:
> J M wrote:
>
>> However if I come in from the internet to the web site, I see nothing,
>> and if I look in the log I see this:
>>
>> Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00 SRC=x.x.x.x
>> DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44361 CE DF
>> PROTO=TCP SPT=14259 DPT=80 SEQ=2177425409
>>
>> If I ping I see a similar rejection.
>>
>> What surprises me here, is that IN and OUT are both eth1 and that's the
>> obvious reason it is being REJECTed.
>>
>> Why do I get eth1 on both IN and OUT?
>
> Your routing is screwed up.
In particular, Proxy ARP is very hard to get right with multi-ISP (remember all of the warnings at the top of the multi-ISP article indicating that the reader really needs to understand this stuff in order to use it?).

You have two options:

a) Rather than specifying 'No' in the HAVEROUTE column of /etc/shorewall/proxyarp, you should add the host routes to the DMZ servers as part of your distribution's configuration of eth0.120. That way, it will be copied to the routing table corresponding to eth1 as a result of 'eth0.120' (or eth0.*) appearing in the COPY column of the providers file. That's the approach that I take when I'm testing Multi-ISP.

or

b) Add a route rule that directs all traffic to the DMZ servers to use the main routing table.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
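As an added example (not from the thread and not Shorewall's own code), a small Python parser for the Shorewall log format quoted above that flags FORWARD rejects whose IN and OUT interfaces are identical, which is the routing symptom Tom points at rather than a rule problem. The first sample line is the one from the thread; the second is constructed to show a normal net-to-DMZ entry that must not be flagged.

```python
import re
from typing import Dict, List, Optional

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter's
# key=value fields; bare tokens such as CE or DF are flags without a value.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):\s*(?P<rest>.*)$")

# Constructed sample input: line 1 is quoted from the thread, line 2 is made up.
SAMPLE_LOG = [
    "Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00 SRC=x.x.x.x DST=198.162.214.243 "
    "LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44361 CE DF PROTO=TCP SPT=14259 DPT=80 SEQ=2177425409",
    "kernel: Shorewall:net2dmz:ACCEPT: IN=eth1 OUT=eth0.120 MAC=00 SRC=203.0.113.9 "
    "DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=7 DF PROTO=TCP SPT=40000 DPT=80",
]


def parse_shorewall_line(line: str) -> Optional[Dict]:
    """Split one log line into chain, disposition, key=value fields and bare flags."""
    m = PREFIX.search(line.strip())
    if not m:
        return None  # not a Shorewall entry (e.g. unrelated kernel message)
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            flags.append(token)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "fields": fields, "flags": flags}


def find_hairpin_rejects(lines: List[str]) -> List[Dict[str, str]]:
    """Return FORWARD REJECT/DROP entries where the packet would leave via the
    interface it arrived on: the kernel picked a route back out IN, so the fix
    belongs in routing (host routes / route rules), not in the firewall rules."""
    hits = []
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is None or rec["chain"] != "FORWARD":
            continue
        if rec["disposition"] not in ("REJECT", "DROP"):
            continue
        f = rec["fields"]
        if f.get("IN") and f["IN"] == f.get("OUT"):
            hits.append({"iface": f["IN"], "src": f.get("SRC", "?"),
                         "dst": f.get("DST", "?"), "proto": f.get("PROTO", "?"),
                         "dport": f.get("DPT", "")})
    return hits


if __name__ == "__main__":
    for hit in find_hairpin_rejects(SAMPLE_LOG):
        print("routing hairpin on %(iface)s: %(src)s -> %(dst)s %(proto)s/%(dport)s" % hit)
```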
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
