Hi guys,

OK, I went to masq the LVS interface and realised I "think" I have an issue.

This machine IS my router AS well as my firewall and my load balancer...

Internet -- eth0 - router/firewall - eth1 --- internal lan
                                |
                        eth2 LVS-NAT setup

Hence eth0 is connected to my upstream, eth1 isn't masq'd, it's routed, and
eth2 is my LVS NIC (which is handled by LVS) (which I want to masq).

I'm sure I've missed something simple.

/etc/shorewall/masq
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth1                    eth2

*snipped* setup files..
/etc/shorewall/zones
fw      firewall
net     ipv4
loc     ipv4
lvs     ipv4

/etc/shorewall/interfaces
net     eth0            detect
loc     eth1            detect
lvs     eth2            detect          routeback

/etc/shorewall/policy
lvs             net             ACCEPT
fw              lvs             ACCEPT
lvs             fw              ACCEPT

LVS has access to net via the policy file, but after restarting shorewall,
my machines still can't get "out" to the internet.

Cheers
Ad


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan
Gibbs
Sent: Wednesday, 9 January 2008 9:37 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Shorewall and LVS-NAT (via fwmark) nat'd machines can't access the outside world directly

* Tom Eastep wrote:
> Adam Niedzwiedzki wrote:
> 
>>
>> This is the issue, how can I setup shorewall to allow the "realservers"
>> access to the internet, if it is shorewall that I should be trying to 
>> make
>> this happen with.
>>
>> Should I MASQ eth2 in shorewall?
> 
> Yes. That or run a proxy on the Shorewall box.
Yep
> 
>> Will this then break LVS-NAT doing the masq on the incoming stuff?
> 
> I shouldn't think so.
> 
No, that's what we do.

Shorewall masqing all other interfaces / internal nets through our
internet interface.
LVS masqing incoming traffic from the internet to our realservers.

The only trouble we had was forgetting to put an ACCEPT rule in net to
fw for the ports handled by LVS. :-)

Other than that, it has worked solid for over two years.
We haven't even had to mess with fwmark.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
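Putting Nathan's answer next to Adam's posted files: the masq entry has to name the upstream interface (eth0) in the first column, not eth1, and the LVS service ports need a net-to-fw ACCEPT because the VIP lives on the director. The script below is an added example, not config from the thread or from the Shorewall project; the interface names and zones are the ones in Adam's post, while the service ports (80,443) are an assumption. It emits the corrected entries and includes a small lint that flags the eth1/eth2 mix-up.

```shell
#!/bin/sh
# Added example, not config from the thread. Layout from the post:
#   Internet -- eth0 -- router/firewall/LVS director -- eth1 (LAN, routed)
#                                                    \-- eth2 (LVS-NAT realservers)
# Interface names are the thread's; the LVS service ports are an assumption.
WAN_IF=eth0          # upstream interface (net zone)
LVS_IF=eth2          # realserver interface (lvs zone)
LVS_PORTS=80,443     # assumed ports the director forwards to the realservers

# /etc/shorewall/masq: column 1 is the interface packets LEAVE on, column 2
# where they come FROM. The post's "eth1  eth2" entry SNATs eth2 traffic only
# when it exits via the LAN interface, so nothing bound for the Internet via
# eth0 is ever masqueraded. The realservers need the upstream interface here.
corrected_masq() {
    printf '#INTERFACE\tSUBNET\n'
    printf '%s\t%s\n' "$WAN_IF" "$LVS_IF"
}

# Nathan's caveat: the VIP sits on the director itself, so inbound connections
# to the LVS services arrive as net->fw and need an ACCEPT in
# /etc/shorewall/rules (the lvs->net policy only covers the outbound side).
corrected_rules() {
    printf '#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT(S)\n'
    printf 'ACCEPT\tnet\tfw\ttcp\t%s\n' "$LVS_PORTS"
}

# lint_masq FILE: return 0 if every non-comment masq line egresses via the
# upstream interface, 1 otherwise. Catches the eth1/eth2 mix-up above.
lint_masq() {
    bad=0
    while read -r iface rest; do
        case "$iface" in ''|\#*) continue ;; esac
        if [ "$iface" != "$WAN_IF" ]; then
            echo "masq: '$iface $rest' leaves via $iface, expected $WAN_IF" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Stand-alone run: write the corrected masq entry to a temp file, lint it,
# and print both corrected fragments.
tmp=$(mktemp)
corrected_masq > "$tmp"
lint_masq "$tmp" && echo "masq entry OK"
corrected_masq
corrected_rules
rm -f "$tmp"
```

After copying the two fragments into /etc/shorewall/masq and /etc/shorewall/rules, `shorewall check` validates the files and `shorewall show nat` should list a MASQUERADE rule in POSTROUTING bound to eth0; if the rule is still attached to eth1, the masq column order is the problem.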