Hi,
I want to start with a few words of gratitude to Tom for the work he has put into 
Shorewall, which makes life easier for us.

I'm having some problems with multi-ISP (it's really one ISP, but two different 
IPs from the same ISP).
So my shorewall-providers looks like this (IPs are masked):
net_GEN       1           256     default     ppp0          GW.GW.GW.GW         track
net_PUB       2           512     default     ppp1          GW.GW.GW.GW         track

shorewall-policy:
ethDOWN.v4001           -                       net_PUB       26000
lan.DOZYNKOWA           -                       net_PUB       26000

shorewall-masq:
ppp1                    172.21.0.0/24

On VM connected to lan.DOZYNKOWA:
# ping 8.8.8.8

Shorewall reports:
Nov 09 12:57:37 [kernel] [ 1851.993368] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19584 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1796
Nov 09 12:57:38 [kernel] [ 1852.993622] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19585 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1797
Nov 09 12:57:39 [kernel] [ 1853.992969] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19586 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1798
Nov 09 12:57:40 [kernel] [ 1854.999723] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19587 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1799
Nov 09 12:57:41 [kernel] [ 1855.993072] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19588 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1800

I tried mixed settings, but:
1.
USE_DEFAULT_RT=No 
&&
shorewall-providers 
net_GEN       1           256     main        ppp0          GW.GW.GW.GW         track
net_PUB       2           512     main        ppp1          GW.GW.GW.GW         track

/etc/init.d/shorewall start
 * Starting firewall ...
RTNETLINK answers: File exists
   ERROR: Command "ip -4 route add table 1 GW.GW.GWGW dev ppp1 proto kernel scope link src PPP1.PPP1.PPP1.PPP1" Failed
/usr/share/shorewall/lib.common: line 68:  6500 Terminated              $SHOREWALL_SHELL $script $options $@

2. 
USE_DEFAULT_RT=Yes
&&
shorewall-providers 
net_GEN       1           256     -        ppp0          GW.GW.GW.GW           track
net_PUB       2           512     -        ppp1          GW.GW.GW.GW           track

/etc/init.d/shorewall start
 * Starting firewall ...

RTNETLINK answers: No such process
   ERROR: Command "ip -4 route replace default scope global table 250 nexthop via GW.GW.GW.GW dev ppp0 weight 1 nexthop via GW.GW.GW.GW dev ppp1 weight 1" Failed
/usr/share/shorewall/lib.common: line 68:  6502 Terminated              $SHOREWALL_SHELL $script $options $@

But I fixed it by editing /usr/share/shorewall/Shorewall/Providers.pm

sub finish_providers() {
....
        if ( $family == F_IPV4 ) {
# (line 981)             emit  ( "    run_ip route replace default scope global 
table $table \$DEFAULT_ROU$

After rebooting the route table looks like:
# ip route
127.0.0.0/8 via 127.0.0.1 dev lo
172.20.0.0/29 dev ethUP.v4000  proto kernel  scope link  src 172.20.0.1
172.20.0.16/29 dev ethDOWN.v4001  proto kernel  scope link  src 172.20.0.17
172.20.1.0/29 dev ethDOWN.v500  proto kernel  scope link  src 172.20.1.1
172.20.255.0/25 via 172.20.0.19 dev ethDOWN.v4001
172.21.0.0/24 dev lan.DOZYNKOWA  proto kernel  scope link  src 172.21.0.1
GW.GW.GW.GW dev ppp1  scope link  src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1  proto kernel  scope link  src PPP1.PPP1.PPP1.PPP1

# ip route list table 1
default via GW.GW.GW.GW dev ppp0  src PPP0.PPP0.PPP0.PPP0
GW.GW.GW.GW dev ppp0  scope link  src PPP0.PPP0.PPP0.PPP0

# ip route list table 2
default via GW.GW.GW.GW dev ppp1  src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1  scope link  src PPP1.PPP1.PPP1.PPP1

With this route table I can ping both ppp interfaces, but I can only use DNAT 
on PPP1. 
So I executed the commands:
       route del GW.GW.GW.GW
       route del GW.GW.GW.GW
       route add default dev ppp0

And it works, but only for ppp0. Adding "route add default dev ppp1" worked for 
ppp1, but not for ppp0.

Regards 
tom

Attachment: shorewall-dump.tar.bz2
Description: Binary data
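The log lines quoted in the post above all share one telltale shape: a reply that came in on ppp1 is being dropped in FORWARD with OUT=ppp1, i.e. the kernel tried to send the de-masqueraded reply back out the provider interface instead of towards the LAN, which usually means the route lookup for that packet did not find the 172.21.0.0/24 route. The following parser is an added example for this thread and is not code from the poster or from the Shorewall project; it reads netfilter log lines in the FW:chain:disposition: format seen above (the LOGFORMAT prefix, field names and the ICMP/TCP sample lines are constructed to match the report) and flags such same-interface drops so they can be counted per source and destination rather than read by eye.

```python
"""Parse Shorewall/netfilter kernel log lines and flag FORWARD drops whose
IN and OUT interface are the same (a reply being routed back out the
provider link it arrived on). Sample input is constructed for this example."""
import re
from collections import Counter

# Constructed sample: two lines shaped like the report above plus one
# ordinary inbound drop (ppp0 -> LAN) that must NOT be flagged.
SAMPLE_LOG = """\
Nov 09 12:57:37 [kernel] [ 1851.993368] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19584 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1796
Nov 09 12:57:38 [kernel] [ 1852.993622] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19585 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1797
Nov 09 12:57:39 [kernel] [ 1853.992969] FW:FORWARD:DROP:IN=ppp0 OUT=lan.DOZYNKOWA MAC= SRC=198.51.100.7 DST=172.21.0.11 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=100 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Syslog timestamp, kernel uptime stamp, then the three-part log prefix
# (LOGFORMAT tag, chain, disposition) followed by the netfilter key=value fields.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3} \d\d \d\d:\d\d:\d\d) \[kernel\] \[\s*[\d.]+\] "
    r"(?P<prefix>[^:\s]+):(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>IN=.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"stamp": m["stamp"], "chain": m["chain"], "action": m["action"]}
    for key, val in re.findall(r"(\w+)=(\S*)", m["rest"]):
        # ICMP echo lines carry ID= twice: the IP header ID and the echo
        # identifier. Keep the first as ID and the second as ICMP_ID.
        if key in rec:
            key = "ICMP_" + key
        rec[key] = val
    return rec


def is_hairpin(rec):
    """True when a forwarded packet was dropped with IN == OUT (both set).

    For a reply to masqueraded LAN traffic this means the kernel chose the
    provider interface as the egress instead of the LAN: the routing table
    consulted for that packet has no route to the destination network."""
    iface_in = rec.get("IN", "")
    return rec["chain"] == "FORWARD" and bool(iface_in) and iface_in == rec.get("OUT")


def summarize(text):
    """Count same-interface FORWARD drops keyed by (interface, SRC, DST)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_hairpin(rec):
            counts[(rec["IN"], rec["SRC"], rec["DST"])] += 1
    return counts


if __name__ == "__main__":
    for (iface, src, dst), n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d} replies from {src} to {dst} dropped going back out {iface}")
```

Run against a real /var/log/messages, a non-empty summary for a provider interface is the signal to inspect "ip route list table N" for that provider and confirm the LAN routes are present there, as the post's manual "ip route" listings do.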

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users