Gustavo Michels wrote:
> Hi all,
> I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway
> setup for my office. Routing is enabled only for a few hosts and all user
> access the internet thru squid, which is running on the shorewall box. I
> have a few other services on this box and some others on another server, but
> they don't matter for what I need.
> 
> Quick and dirty schematics to illustrate (and let's hope gmail doesn't screw
> it up). Probably not needed, but it won't hurt:
> 
>     wan (eth1) -------- shorewall (eth0) -------- lan
>    (fixed ip)              10.0.0.1           10.0.0.0/24
> 
> I currently have a 600/600 kbps "corporate" internet connection (a fancy
> name for a cable modem with fixed ip) and my bandwidth needs are becoming
> bigger and bigger, so I signed up for another internet link (another cable
> modem, now a "residential" one with dynamic ip, essentially the same as the
> other) which is 2000/300 kbps, which I plan to use for the users' internet
> usage (Squid) only. This 2nd internet link, however, won't be connected to
> shorewall but to a simple wifi soho router (a linksys one running dd-wrt).
> So, I need to route all traffic from squid to this linksys router.
> 
> Another schematics try for the new scenario:
> 
>     wan -------- shorewall -------- lan
>  (fixed ip)      10.0.0.1       10.0.0.0/24
>                      \ squid only    |
>                       \----------\   |
>                                   \  |
>    wan2 ------------------------- linksys
>  (dyn ip)                        10.0.0.2
> 
> I have googled for a while and found out that I need to use packet marking
> to achieve what I need; basically mark each squid packet with an identifier
> and route them accordingly. I found the following instructions with iptables
> commands which happen to do the job:
> 
> I would use another approach in 'marking' squid packets, it could be done
> with a single rule:
> 
> iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1
> 

You would need to have this run on the squid box to get the --uid-owner.

> Now just add these two commands to define the new routing table.
> 
> /sbin/ip rule add fwmark 0x1 table 101 pref 101
> 
> /sbin/ip route add default via 10.0.0.2 dev eth0 table 101
> 
> To make changes permanent (after everything is tested and working ok):
> 
> iptables-save > /etc/sysconfig/iptables
> 
> edit /etc/iproute2/rt_tables and add a line:
> 
> 101     squid
> 
> then create 2 files 'route-eth0' and 'rule-eth0' (that's RedHat's approach
> to handle complex routing, that should also work on CentOS):
> 
> /etc/sysconfig/network-scripts/rule-eth0:
> 
> fwmark 0x1 table 101 pref 1000
> 
> /etc/sysconfig/network-scripts/route-eth0:
> 
> default via 10.0.0.2 dev eth0 table 101
> 
> So, my problem is how do I translate those commands into shorewall
> configuration? I tried looking at the Multi ISP doc but it mentions
> having both ISPs on the same box, which is not my case, so I'm not sure if I
> need to mess with /etc/shorewall/providers and such.

Add the above commands to the squid box, it's the one that needs to deal 
with the second gateway, leaving the firewall box as is with no changes. 
Or is the squid box running shorewall also?

> I hope I made myself clear enough but if anyone has doubts, please ask. All
> replies are greatly appreciated.

You could plug the linksys directly into the squid box with a second 
nic. Either way, you would need to use something like the above on the 
squid box only.

Another option as Tom stated, set up the full multi-isp on the firewall, 
using the linksys as the second gateway and then use packet-marking 
based on source address/port destination to direct the web traffic from 
the squid box to the linksys. You can do multi-isp with the second 
gateway in the loc zone, but I don't recommend that approach, it's a 
PITA to setup. Much easier just to add a third nic to the mix and go 
with Tom's suggestion. I'd be running the 4.0 series of shorewall if I 
were you.

So the question becomes, which do you want to modify, the squid box or 
the shorewall box?

Jerry
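Jerry's first option above is to run the quoted commands on the Squid host itself rather than translating them into Shorewall files, because the `--uid-owner` match only works in the OUTPUT chain of the box where Squid's own process is sending packets. As an added example (not part of this thread, and not Shorewall's or Squid's own code), here is a small POSIX shell script that wraps those three commands with a dry-run mode, plus two checks that parse `ip rule show` and `ip route show table N` output so the change can be verified before it is made permanent with the rt_tables / route-eth0 / rule-eth0 steps. The mark, table number, preference, gateway address and interface are the values from the quoted message; `DRY_RUN`, the `apply`/`verify` arguments and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: apply the quoted packet-marking and
# policy-routing commands on the host that runs Squid, with a dry-run mode.
# Values below are the ones from the thread; DRY_RUN and the apply/verify
# arguments are this script's own conventions.

SQUID_USER="${SQUID_USER:-squid}"   # local user Squid runs as (--uid-owner)
FWMARK="${FWMARK:-0x1}"              # mark set in mangle/OUTPUT
TABLE="${TABLE:-101}"                # routing table holding the alternate default
PREF="${PREF:-101}"                  # priority of the fwmark rule
GATEWAY="${GATEWAY:-10.0.0.2}"       # the linksys on the LAN
IFACE="${IFACE:-eth0}"               # LAN interface on the squid box
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print the commands; 0 = execute (as root)

# run: echo a command, then execute it unless in dry-run mode.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
    fi
}

# apply_squid_routing: the three steps from the quoted message, in order.
# --uid-owner only matches locally generated packets (OUTPUT chain), so this
# has to run on the squid box, not on a separate firewall.
apply_squid_routing() {
    run iptables -t mangle -I OUTPUT -m owner --uid-owner "$SQUID_USER" \
        -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$TABLE" pref "$PREF"
    run ip route add default via "$GATEWAY" dev "$IFACE" table "$TABLE"
}

# has_fwmark_rule: return 0 if the text of `ip rule show` (passed as $1)
# contains a rule sending FWMARK to TABLE, by number or by the rt_tables
# name "squid" from the quoted instructions.
has_fwmark_rule() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark ${FWMARK}[[:space:]].*lookup (${TABLE}|squid)"'([[:space:]]|$)'
}

# has_table_default: return 0 if the text of `ip route show table TABLE`
# (passed as $1) has a default route via GATEWAY on IFACE.
has_table_default() {
    gw_re=$(printf '%s' "$GATEWAY" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" |
        grep -Eq "^default via ${gw_re} dev ${IFACE}"'([[:space:]]|$)'
}

# verify_squid_routing: query the live system (needs iproute2) and report.
verify_squid_routing() {
    has_fwmark_rule "$(ip rule show)" ||
        { echo "missing fwmark ${FWMARK} -> table ${TABLE} rule" >&2; return 1; }
    has_table_default "$(ip route show table "$TABLE")" ||
        { echo "missing default route in table ${TABLE}" >&2; return 1; }
    echo "squid policy routing is in place"
}

# Usage:  sh squid-route.sh apply            (dry-run: only prints the commands)
#         DRY_RUN=0 sh squid-route.sh apply  (execute, as root, on the squid box)
#         sh squid-route.sh verify           (check the live rule and route)
case "${1:-}" in
    apply)  apply_squid_routing ;;
    verify) verify_squid_routing ;;
esac
```

Running it with `apply` in the default dry-run mode prints the exact iptables and ip commands from the quoted message, so the output can be compared against them before `DRY_RUN=0` is used; `verify` only reads state and is safe to run at any time. The checks deliberately accept either the table number or the name added to `/etc/iproute2/rt_tables`, since `ip rule show` prints the name once that file has the `101 squid` entry.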


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
