I have used Shorewall for a good number of years, but I have run into
something I can't seem to crack. I have searched the docs, Google, etc., but
I was hoping someone here has already solved this one:

I have 2 RFC1918 networks - we'll call them A and B - attached to separate
interfaces behind the firewall. In addition, I have 2 providers delivered by
standard Ethernet to different interfaces. One only has one IP address that
is shared by both internal networks - we'll call it X, the other has 2 IPs -
one for each internal network - we'll call it Y. The tcrules configuration
is such that certain destination ports from A and B go out X and certain
ports go out Y. The masq file is used to handle sending the correct traffic
on Y with the correct source IPs. That seemed to be working well.

The user of network B decided that they needed their own router - not
something I have control over. It gets an IP in the B network via static
assignment through DHCP - which works fine. I set up a nat entry for them to
send their IP from Y to the statically assigned address on B. (All
interfaces and local are true.) This works fine so long as they are
configured in tcrules to ONLY use provider Y. Now the fun part: If I change
their tcrules settings to allow some of their bulk traffic to go out of
provider X, those ports don't work. No rejects in the logs, no errors in the
logs at all - they just dissolve into the ether. Switch tcrules to only use
provider Y for them, and it works fine.

I am using DNAT rules in the rules file to send a few ports on Y's other IP
to machines in A. No entry in the nat file for that, obviously. It
works just fine - tcrules does what I would expect, and I can control what
goes where.

Wow - I'm probably missing something simple somewhere, but I can't see it.
Thoughts?

Matthew Excell
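For readers trying to picture the layout, here is a Shorewall configuration that reproduces the setup described above. It is an added illustration, not the poster's actual files: interface names (eth0 for provider X, eth1 for provider Y, eth2 for network A, eth3 for network B), the zone names neta/netb, the RFC1918 subnets, the documentation-range public addresses, the port lists, and the address 198.51.100.12 for B's router are all assumed.

```text
# /etc/shorewall/providers  (assumed interfaces and gateways)
# NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS  COPY
X       1       0x1   main       eth0       203.0.113.1    track    eth2,eth3
Y       2       0x2   main       eth1       198.51.100.1   track    eth2,eth3

# /etc/shorewall/tcrules  (marks 1 and 2 select provider X or Y in PREROUTING)
# MARK   SOURCE        DEST        PROTO  DEST PORT(S)
1:P      eth2          0.0.0.0/0   tcp    80,443     # A: web out via X
2:P      eth2          0.0.0.0/0   tcp    25,587     # A: mail out via Y
1:P      eth3          0.0.0.0/0   tcp    80,443     # B: web out via X
2:P      eth3          0.0.0.0/0   tcp    25,587     # B: mail out via Y
# B's router, pinned to provider Y only (the arrangement the post says works).
# Listed first so it wins over the eth3 rules above.
2:P      10.0.1.2      0.0.0.0/0

# /etc/shorewall/masq  (Y has one source IP per internal network; X has one shared IP)
# INTERFACE  SOURCE                   ADDRESS
eth1         10.0.0.0/24              198.51.100.10
eth1         10.0.1.0/24              198.51.100.11
eth0         10.0.0.0/24,10.0.1.0/24

# /etc/shorewall/nat  (1:1 NAT for B's router; ALL INTERFACES and LOCAL both yes)
# EXTERNAL        INTERFACE  INTERNAL   ALL INTERFACES  LOCAL
198.51.100.12     eth1       10.0.1.2   yes             yes

# /etc/shorewall/rules  (port forwards on Y's A-side IP to hosts in A; no nat entry)
# ACTION  SOURCE  DEST             PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT      net     neta:10.0.0.5    tcp    25         -            198.51.100.10
DNAT      net     neta:10.0.0.6    tcp    443        -            198.51.100.10
```

Note that tcrules entries are matched in order, so the host-specific entry for 10.0.1.2 must precede the interface-wide eth3 entries or it never takes effect. When B's router is later allowed out via X, one thing worth checking with `shorewall show nat` is which SNAT rule applies to its packets on eth0: a nat entry with ALL INTERFACES set to yes installs its source rewrite on every interface, not only the one named in the INTERFACE column, so the source address a packet carries when it leaves eth0 may not be the one the masq entry for eth0 would have given it.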
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users