Hello all,

I have a server with shorewall set up, but even though I have the "track,balance" options set in /etc/shorewall/providers, it seems that traffic that comes into one interface (eth3) goes out through another (eth0).

Here is my /etc/shorewall/providers content:

    #NAME       NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
    TELEFONICA  1       1     main       eth0       189.20.33.105  track,balance  eth1,eth2,eth4
    INTELIG     2       2     main       eth3       201.12.64.145  track,balance  eth1,eth2,eth4

If I do a tcpdump on eth3 I can only see inbound requests:

    root@fw3:/etc/shorewall# tcpdump -ni eth3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
    17:10:07.864922 IP 200.189.220.44.15486 > 201.12.64.154.80: . ack 1898288175 win 54 <nop,nop,timestamp 829268567 37413999>
    17:10:07.865250 IP 200.189.220.44.15486 > 201.12.64.154.80: F 0:0(0) ack 2 win 54 <nop,nop,timestamp 829268567 37413999>
    17:10:08.038494 IP 200.189.220.44.13186 > 201.12.64.154.80: S 3874904626:3874904626(0) win 5840 <mss 1460,sackOK,timestamp 829268610 0,nop,wscale 7>
    17:10:08.040738 IP 200.189.220.44.32712 > 201.12.64.153.80: S 3876774490:3876774490(0) win 5840 <mss 1460,sackOK,timestamp 829268611 0,nop,wscale 7>
    17:10:08.097260 IP 200.189.220.44.13186 > 201.12.64.154.80: . ack 26134815 win 46 <nop,nop,timestamp 829268624 0>
    17:10:08.101706 IP 200.189.220.44.13186 > 201.12.64.154.80: P 0:832(832) ack 1 win 46 <nop,nop,timestamp 829268624 0>
    17:10:08.102936 IP 200.189.220.44.32712 > 201.12.64.153.80: . ack 3656970449 win 46 <nop,nop,timestamp 829268626 0>

And if I do a tcpdump on eth0 I can see replies from addresses that belong to eth3 there:

    root@fw3:/etc/shorewall# tcpdump -ni eth0 host 201.12.64.154
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:11:08.228951 IP 201.12.64.154.80 > 200.189.220.44.11901: S 3472979647:3472979647(0) ack 3956578285 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:11:08.415117 IP 201.12.64.154.80 > 200.189.220.44.11901: P 1:521(520) ack 832 win 64704 <nop,nop,timestamp 37414604 829283661>
    17:11:08.415944 IP 201.12.64.154.80 > 200.189.220.44.11901: F 521:521(0) ack 832 win 64704 <nop,nop,timestamp 37414604 829283661>
    17:11:08.615615 IP 201.12.64.154.80 > 200.189.220.44.11901: . ack 833 win 64704 <nop,nop,timestamp 37414606 829283754>

It's a Debian Lenny server that supports CONNMARK:

    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Extended Multi-port Match: Available
       Connection Tracking Match: Available
       New Connection Tracking Match Syntax: Available
       Packet Type Match: Available
       Policy Match: Available
       Physdev Match: Available
       Physdev-is-bridged Support: Available
       Packet length Match: Available
       IP range Match: Available
       Recent Match: Available
       Owner Match: Available
       Ipset Match: Not available
       CONNMARK Target: Available
       Extended CONNMARK Target: Available
       Connmark Match: Available
       Extended Connmark Match: Available
       Raw Table: Available
       IPP2P Match: Not available
       CLASSIFY Target: Available
       Extended REJECT: Available
       Repeat match: Available
       MARK Target: Available
       Extended MARK Target: Available
       Mangle FORWARD Chain: Available
       Comments: Available
       Address Type Match: Available
       TCPMSS Match: Available
       Hashlimit Match: Available
       NFQUEUE Target: Available

Also the output of shorewall dump can be seen at
http://www.diegolima.org/arquivos/shdump.txt or http://www.heypasteit.com/clip/VYO

--
Diego Lima
http://www.diegolima.org

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
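The symptom in the post (requests arriving on eth3, replies leaving on eth0) can be checked mechanically rather than by eyeballing two tcpdump windows. The script below is an added example, not code from the post or from Shorewall: it parses the one-line summaries that `tcpdump -n` prints on each interface, groups packets into bidirectional flows, and flags any flow whose two directions were never seen on a common interface. The sample captures are constructed for the example (the asymmetric flow reuses addresses from the post; the symmetric control flow uses documentation addresses), and only the two provider interfaces are assumed to be captured, because a flow the box merely forwards between a WAN and a LAN interface legitimately shows both directions on two interfaces and must not be flagged.

```python
"""Flag TCP/UDP flows whose two directions were captured on different interfaces.

Added example: feed it `tcpdump -n` output per interface and it reports flows
whose request side arrived on one interface while the reply side left through
another, which is the symptom of a multi-ISP setup that is not marking and
routing replies back through the interface they came in on.
"""
import re
from collections import defaultdict

# One-line "-n" summary tcpdump prints for IPv4 TCP/UDP packets:
# "17:10:08.038494 IP 200.189.220.44.13186 > 201.12.64.154.80: S ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_packet(line):
    """Return ((src_ip, sport), (dst_ip, dport)) for a tcpdump line, else None."""
    m = PKT_RE.match(line)
    if m is None:
        return None  # banner lines, ARP, IPv6, truncated lines
    return ((m.group("src"), int(m.group("sport"))),
            (m.group("dst"), int(m.group("dport"))))


def flow_key(src, dst):
    """Direction-independent flow id plus the direction of this packet."""
    a, b = sorted((src, dst))
    return (a, b), ("fwd" if src == a else "rev")


def find_asymmetric_flows(captures):
    """captures: {iface: [tcpdump lines]} -> {flow: (fwd_ifaces, rev_ifaces)}.

    A flow is reported when its two directions have no interface in common.
    Both directions on the same interface (or on the same pair of interfaces,
    as for traffic simply forwarded by the box) is the normal, symmetric case.
    """
    seen = defaultdict(lambda: {"fwd": set(), "rev": set()})
    for iface, lines in captures.items():
        for line in lines:
            pkt = parse_packet(line)
            if pkt is None:
                continue
            key, direction = flow_key(*pkt)
            seen[key][direction].add(iface)

    result = {}
    for key, dirs in seen.items():
        fwd, rev = dirs["fwd"], dirs["rev"]
        if fwd and rev and fwd.isdisjoint(rev):
            result[key] = (frozenset(fwd), frozenset(rev))
    return result


# Constructed sample captures. The 200.189.220.44 <-> 201.12.64.154 flow
# mirrors the post: SYN/data on eth3, SYN-ACK and data reply on eth0.
# The 198.51.100.7 <-> 189.20.33.106 flow is a symmetric control case.
SAMPLE_CAPTURES = {
    "eth3": [
        "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
        "listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes",
        "17:11:08.228000 IP 200.189.220.44.11901 > 201.12.64.154.80: S 3956578284:3956578284(0) win 5840 <mss 1460,sackOK,timestamp 829283600 0,nop,wscale 7>",
        "17:11:08.300000 IP 200.189.220.44.11901 > 201.12.64.154.80: P 0:832(832) ack 1 win 46 <nop,nop,timestamp 829283661 37414604>",
    ],
    "eth0": [
        "listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes",
        "17:11:08.228951 IP 201.12.64.154.80 > 200.189.220.44.11901: S 3472979647:3472979647(0) ack 3956578285 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>",
        "17:11:08.415117 IP 201.12.64.154.80 > 200.189.220.44.11901: P 1:521(520) ack 832 win 64704 <nop,nop,timestamp 37414604 829283661>",
        "17:11:09.000000 IP 198.51.100.7.4444 > 189.20.33.106.22: S 1:1(0) win 5840 <mss 1460,sackOK>",
        "17:11:09.001000 IP 189.20.33.106.22 > 198.51.100.7.4444: S 9:9(0) ack 2 win 5840 <mss 1460,sackOK>",
    ],
}


if __name__ == "__main__":
    for (a, b), (fwd, rev) in find_asymmetric_flows(SAMPLE_CAPTURES).items():
        print("asymmetric flow %s:%d -> %s:%d: requests on %s, replies on %s"
              % (a[0], a[1], b[0], b[1], ",".join(sorted(fwd)), ",".join(sorted(rev))))
```

In practice you would run `tcpdump -ni eth3 -w -` style captures (or save each `tcpdump -n` run to a file per interface) over the same window and feed the files in as the dictionary values; any flow the script prints is one whose reply path did not follow its request path, which is exactly what connection marking in a `track,balance` setup is meant to prevent.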
