On Tue, 2008-07-01 at 11:17 -0700, Tom Eastep wrote:
> Jerry Vonau wrote:
> 
> > 
> > OK, for those of us that are playing along at home ;-), to condense the
> > thought, what we(?) would be looking at is a single "bal" table that has
> > the default routes. The routing rules needed would point to the "main"
> > routing table for the routes that would be "local" to the box (invert
> > the logic, i.e.: ip rule to 10.3.0.10/24 lookup table main), while the
> > routes via an ISP that are "external" to the box would be directed to
> > the "bal" (default?) table, (i.e.: ip rule to 0.0.0.0/0 lookup table bal),
> > with the "ip rules" ordering winning the table race.
> 
> Exactly.
> 
> > I wonder if that
> > is what the stock blank "default" table is meant for? (VPN routes would
> > be considered local here).
> 
> I suspect so.
> 
> > I like this, it *should* work kind of like
> > the squid routing, point to a gateway(s) and the rest should just fall
> > into line (with the routing rules in place), with much less code perhaps.
> > Have you thought about what the routing rules might look like in this
> > setup?
> 
> Attached is a copy of what I have running currently.
> 
> -Tom

I moved my default gateway from the main table to the default table on
an otherwise out-of-the-box Fedora 9 box; I'm still on the net. :-)

shorewall show routing
Shorewall 4.0.12 Routing at S010600e029961c55 - Mon Jul  7 14:03:41 CDT 2008


Routing Rules

0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 

Table default:

default via 24.76.252.1 dev eth0 

Table local:

broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
local 24.76.255.80 dev eth0  proto kernel  scope host  src 24.76.255.80 
broadcast 24.76.255.255 dev eth0  proto kernel  scope link  src 24.76.255.80 
broadcast 24.76.252.0 dev eth0  proto kernel  scope link  src 24.76.255.80 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Table main:

24.76.252.0/22 dev eth0  proto kernel  scope link  src 24.76.255.80
169.254.0.0/16 dev eth0  scope link 

The routing rules are in the same order, just with different values. I'm
wondering if the "from <ip> lookup <table>" rules are even needed/wanted.
When a connection is from the fw to a host that is on the same LAN as a
gateway, I'm not sure, without testing, if that would mess up the ip
rule lookup for that target's ip, given that there is no route in the
provider's table other than the host route to the gateway, or would an
earlier ip rule cover it? (OK, I'm a bit rusty...)

This looks promising, I'll try my dual-ISP box tomorrow, with the beta.

Jerry
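To make the "ip rules ordering winning the table race" concrete, here is an added Python model (not code from the thread or from Shorewall) of how the kernel walks rules in priority order and takes the first table with a longest-prefix match. The "local", "main" and "default" routes are copied from the `shorewall show routing` output above; the "bal" table and the 1000/1001 `to` rules are assumptions standing in for the proposal in Tom's reply.

```python
import ipaddress

# Constructed model of Linux policy routing: rules are tried in priority
# order, each names a table, and the first table that holds a matching
# (longest-prefix) route decides. Routes abbreviated from the mail's output.
TABLES = {
    "local":   [("24.76.255.80/32", "local dev eth0"), ("127.0.0.0/8", "local dev lo")],
    "main":    [("24.76.252.0/22", "dev eth0"), ("169.254.0.0/16", "dev eth0")],
    "default": [("0.0.0.0/0", "via 24.76.252.1 dev eth0")],
    # hypothetical "bal" table from the proposal: only default routes live here
    "bal":     [("0.0.0.0/0", "via 24.76.252.1 dev eth0")],
}

# (priority, "to" selector or None for "from all", table) as listed in the mail
STOCK_RULES = [(0, None, "local"), (32766, None, "main"), (32767, None, "default")]

# Hypothetical ordering from the proposal: local prefixes -> main, the rest -> bal
BAL_RULES = [(0, None, "local"), (1000, "24.76.252.0/22", "main"),
             (1001, "0.0.0.0/0", "bal"), (32766, None, "main")]

def lookup_table(table, dst):
    """Longest-prefix match for dst inside one table; None if no route."""
    best = None
    for prefix, action in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None

def route(dst, rules=STOCK_RULES):
    """Return (rule priority, table, route action) that wins for dst."""
    dst = ipaddress.ip_address(dst)
    for prio, to_sel, table in sorted(rules, key=lambda r: r[0]):
        if to_sel is not None and dst not in ipaddress.ip_network(to_sel):
            continue  # selector does not match this destination: next rule
        action = lookup_table(table, dst)
        if action is not None:
            return (prio, table, action)
    return None  # fell through every rule: destination unreachable

if __name__ == "__main__":
    # A host on the gateway's own LAN is caught by main's connected route
    # before the default/bal table is ever consulted; off-LAN traffic falls
    # through to the default route.
    for dst in ("24.76.252.1", "8.8.8.8"):
        print(dst, "stock:", route(dst), "proposal:", route(dst, BAL_RULES))
```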
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users