Tom Eastep wrote:
> Trent O'Callaghan wrote:
>> MASQ/SNAT and ARP are interacting in a way that is causing outbound
>> connectivity issues in periods of low traffic (when ARP entries time out).
>> Tcpdump of ARP packets shows who-has packets with the SNAT IP address when I
>> need them to have the Firewall's Interface IP address as their source.
>>
>> I have modified MASQ to SNAT to the Firewall's Interface IP address for the
>> Peering network (via 198.32.212.73), but outbound traffic is normally to
>> more distant networks and my default route is to the Paid Internet (via
>> 121.200.226.210).
>>
>> I have seen some have scripted ARP watchers that could assist, but I believe
>> this is something Shorewall can cope with, but I am lacking in the
>> knowledge.
>>
>> r...@per-r1:/etc/shorewall# ifconfig -a
>> eth0      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>           inet addr:121.200.226.210  Bcast:121.200.226.211  Mask:255.255.255.252
>> eth0:1    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>           inet addr:198.32.212.73  Bcast:198.32.212.255  Mask:255.255.255.0
>> eth0:2    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>           inet addr:180.233.131.7  Bcast:180.233.131.255  Mask:255.255.255.0
>> eth1      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:91
>>           inet addr:10.240.0.1  Bcast:10.240.0.255  Mask:255.255.255.0
>>
>> r...@per-r1:/etc/shorewall# ip route show table main | grep -v zebra
>> 121.200.226.208/30 dev eth0  proto kernel  scope link  src 121.200.226.210
>> 198.32.212.0/24 dev eth0  proto kernel  scope link  src 198.32.212.73
>> 180.233.131.0/24 dev eth0  proto kernel  scope link  src 180.233.131.7
>> 10.240.1.0/24 dev eth1  proto kernel  scope link  src 10.240.1.1
>> default via 121.200.226.209 dev eth0  metric 100
>>
>> #
>> # Shorewall version 4 - Masq file
>> #
>> eth0:!198.32.212.0/24   eth1:!10.240.1.7   180.233.131.7
>
> Ah! I took one more look at your report and I seriously doubt that the
> above rule does what you expect. Rewrite it as:
>
> eth0:!198.32.212.0/24   10.240.0.0/24!10.240.1.7

In fact, the current version of Shorewall (4.4.6) rejects that type of rule:

gateway:/etc/shorewall# shorewall check
Compiling...
   WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : /etc/shorewall/masq (line 7)
   ERROR: SOURCE interface may not be specified with a source IP address in the POSTROUTING chain : /etc/shorewall/masq (line 7)
gateway:/etc/shorewall#

Are you still using Shorewall-shell? If so, I highly recommend migrating to Shorewall-perl at the first opportunity. It does a much better job of validating the configuration at compile-time (and it does it much faster as well).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,        \ died peacefully in his sleep. Not screaming like
Washington, USA   \ all of the passengers in his car
http://shorewall.net \________________________________________________
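A small added checker (not Shorewall's own code, and much simpler than its Perl compiler) that reproduces the two masq SOURCE diagnostics quoted above on a constructed sample file, so a masq file can be linted before a restart; it assumes IPv4 addresses and the INTERFACE SOURCE ADDRESS column layout.

```python
import re

# Constructed sample masq file: line 4 is the rule from the thread, line 5 is
# Tom's suggested rewrite, line 6 uses a bare interface as SOURCE.
MASQ_SAMPLE = """\
#
# Shorewall version 4 - Masq file
#
eth0:!198.32.212.0/24 eth1:!10.240.1.7 180.233.131.7
eth0:!198.32.212.0/24 10.240.0.0/24!10.240.1.7 180.233.131.7
eth0 eth1
"""

IFACE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_.-]*$')  # eth0, ppp0, br-lan
ADDR_RE = re.compile(r'^[0-9.,/!]+$')                  # IPv4 lists, e.g. 10.240.0.0/24!10.240.1.7


def check_masq(text, path='/etc/shorewall/masq'):
    """Lint the SOURCE column of a Shorewall masq file (IPv4 only, assumed).

    Returns (line_no, level, message) tuples phrased like the diagnostics
    that `shorewall check` printed in the thread.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            findings.append((n, 'ERROR', 'masq entry needs INTERFACE and SOURCE : %s (line %d)' % (path, n)))
            continue
        source = cols[1]
        iface, sep, addr = source.partition(':')  # iface:addr form (IPv4 only)
        if sep and IFACE_RE.match(iface) and ADDR_RE.match(addr):
            findings.append((n, 'ERROR', 'SOURCE interface may not be specified with a source IP address in the POSTROUTING chain : %s (line %d)' % (path, n)))
        elif not sep and IFACE_RE.match(source):
            findings.append((n, 'WARNING', 'Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : %s (line %d)' % (path, n)))
        elif not ADDR_RE.match(source):
            findings.append((n, 'ERROR', 'unrecognised SOURCE %r : %s (line %d)' % (source, path, n)))
    return findings


if __name__ == '__main__':
    for _, level, msg in check_masq(MASQ_SAMPLE):
        print('   %s: %s' % (level, msg))
```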
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
