Gustavo Michels wrote:
Hi all,

I've been using Shorewall 3 (3.4.8 now) for a while on a simple gateway setup for my office. Routing is enabled only for a few hosts and all users access the internet through Squid, which is running on the Shorewall box. I have a few other services on this box and some others on another server, but they don't matter for what I need.

Quick and dirty schematics to illustrate (and let's hope gmail doesn't screw it up). Probably not needed, but it won't hurt:

    wan (eth1) -------- shorewall (eth0) -------- lan
    (fixed ip)          10.0.0.1                  10.0.0.0/24

I currently have a 600/600 kbps "corporate" internet connection (a fancy name for a cable modem with a fixed IP) and my bandwidth needs are becoming bigger and bigger, so I signed up for another internet link (another cable modem, now a "residential" one with a dynamic IP, essentially the same as the other) which is 2000/300 kbps, which I plan to use for the users' internet usage (Squid) only. This 2nd internet link, however, won't be connected to Shorewall but to a simple wifi SOHO router (a Linksys one running dd-wrt). So, I need to route all traffic from Squid to this Linksys router.

Another schematics try for the new scenario:

    wan -------- shorewall -------- lan
    (fixed ip)   10.0.0.1          10.0.0.0/24
                    \ squid only      |
                     \----------\     |
                                 \    |
    wan2 ------------------------- linksys
    (dyn ip)                       10.0.0.2

I have googled for a while and found out that I need to use packet marking to achieve what I need; basically mark each Squid packet with an identifier and route them accordingly. I found the following instructions with iptables commands which happen to do the job:

    I would use another approach in 'marking' squid packets, it could be
    done with a single rule:

        iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1

    Now just add those two commands to define a new routing table:

        /sbin/ip rule add fwmark 0x1 table 101 pref 101
        /sbin/ip route add default via 10.0.0.2 dev eth0 table 101

    To make changes permanent (after everything is tested and working ok):

        iptables-save > /etc/sysconfig/iptables

    edit /etc/iproute2/rt_tables and add a line:

        101 squid

    then create 2 files 'route-eth0' and 'rule-eth0' (that's a RedHat
    approach to handle complex routing, that should also work on CentOS):

    /etc/sysconfig/network-scripts/rule-eth0:

        fwmark 0x1 table 101 pref 1000

    /etc/sysconfig/network-scripts/route-eth0:

        default via 10.0.0.2 dev eth0 table 101

So, my problem is how do I translate those commands into Shorewall configuration? I tried looking at the Multi ISP doc but it mentions having both ISPs on the same box, which is not my case, so I'm not sure if I need to mess with /etc/shorewall/providers and such.

I hope I made myself clear enough but if anyone has doubts, please ask. All replies are greatly appreciated.
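The mark-by-owner policy routing quoted in the post above, wrapped in a small POSIX shell script as an added example (this is not from the original post, from the quoted instructions, or from Shorewall). Without an argument it only prints the rules for review; with "apply" it runs them as root and then verifies, with "ip route get ... mark", that a marked lookup leaves via the Linksys while an unmarked one does not; "undo" removes them again. It assumes the values from the post (Squid running as the system user "squid", eth0 = LAN with 10.0.0.1, Linksys at 10.0.0.2, table 101, mark 0x1). The SNAT rule is this example's addition, not part of the quoted instructions: the kernel chooses a locally generated packet's source address from the main table (so the eth1 address) before the mangle OUTPUT chain marks it and re-routes it, so without the SNAT Squid's packets would reach the Linksys carrying the fixed WAN address and its replies would be routed out wan2 instead of back to the LAN.

```sh
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# Usage:  sh squid-route.sh        -> print the commands only (review them)
#         sh squid-route.sh apply  -> run them as root, then verify the route
#         sh squid-route.sh undo   -> remove what apply added
#
# Assumed from the post: Squid runs as user "squid", the LAN side is eth0
# with address 10.0.0.1, the Linksys sits at 10.0.0.2. Table 101 and mark
# 0x1 are the values used in the quoted instructions. Override via env.
SQUID_USER=${SQUID_USER:-squid}
LAN_IF=${LAN_IF:-eth0}
LAN_IP=${LAN_IP:-10.0.0.1}
GW2=${GW2:-10.0.0.2}
TABLE=${TABLE:-101}
MARK=${MARK:-0x1}
PROBE=${PROBE:-198.51.100.1}   # documentation address, only for "ip route get"

# The rules, one per line, built from the variables above.
#   $1 = iptables verb (A = append, D = delete)
#   $2 = ip verb       (add | del)
# so the same text serves both apply and undo.
squid_policy_route_cmds() {
    ipt=${1:-A}
    ipv=${2:-add}
    cat <<EOF
iptables -t mangle -$ipt OUTPUT -m owner --uid-owner $SQUID_USER -j MARK --set-mark $MARK
iptables -t nat -$ipt POSTROUTING -o $LAN_IF -m mark --mark $MARK -j SNAT --to-source $LAN_IP
ip rule $ipv fwmark $MARK table $TABLE pref $TABLE
ip route $ipv default via $GW2 dev $LAN_IF table $TABLE
EOF
}
# Why the SNAT line (not in the quoted instructions): the source address of a
# locally generated packet is picked from the main table before mangle OUTPUT
# marks it, i.e. the eth1 (fixed WAN) address. Rewriting it to $LAN_IP makes
# the Linksys send the replies back to this box instead of out its own WAN.
# Binding Squid with "tcp_outgoing_address $LAN_IP" in squid.conf is the
# alternative that avoids the NAT rule.

# Does an "ip route get" answer name the expected next hop?  $1 = the answer
# text, $2 = gateway. Trailing space keeps 10.0.0.2 from matching 10.0.0.20.
route_goes_via() {
    case " $1 " in
        *" via $2 "*) return 0 ;;
    esac
    return 1
}

# After apply: the marked lookup must go via the Linksys, the unmarked one
# must not (the fixed-IP link stays the default for everything else).
squid_policy_route_verify() {
    marked=$(ip route get "$PROBE" mark "$MARK")
    plain=$(ip route get "$PROBE")
    if ! route_goes_via "$marked" "$GW2"; then
        printf 'marked lookup does not use %s:\n  %s\n' "$GW2" "$marked"
        return 1
    fi
    if route_goes_via "$plain" "$GW2"; then
        printf 'unmarked lookup also uses %s:\n  %s\n' "$GW2" "$plain"
        return 1
    fi
    printf 'ok: marked -> %s, unmarked -> %s\n' "$GW2" "${plain%% dev*}"
}

case ${1:-show} in
    show)  squid_policy_route_cmds ;;
    apply) squid_policy_route_cmds | sh -e && squid_policy_route_verify ;;
    undo)  squid_policy_route_cmds D del | sh -e ;;
    *)     echo "usage: $0 [show|apply|undo]" >&2; exit 2 ;;
esac
```

Run it once without arguments and compare the printed rules against the quoted instructions before using "apply". Nothing here is persistent across a reboot; the rt_tables / rule-eth0 / route-eth0 files from the quoted instructions (or, as Tom suggests below, Shorewall's own providers mechanism) are still what makes it permanent.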
A couple of points:

a) Why the Linksys router? Why don't you just add a third NIC to the Shorewall box and use Shorewall's multi-ISP capability? http://www.shorewall.net/MultiISP.html

b) Even with your proposed topology, you could use Shorewall's MultiISP capability but you would need to understand a lot more about how it works (no one is likely to write a HOWTO for anything like what you propose).
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
