On 04/21/2012 04:15 PM, Ed W wrote:
> Hi, can I beg some help handling some corner cases with the goal to achieve very rigid routing via specific interfaces?
>
> To recap the goal:
>
> - I have a router connected to several internet connections, let's call them eth0, wlan1, ppp0. Some of the internet connections may have substantial cost, eg satellite.
> - The use case will be end user, mobile, and we will assume that it's fair game to add/remove interfaces while in use, eg wifi networks could drop, 3g router could drop.
> - Desire that individual local IPs will be routed out through specific internet connections. User will agree to use a specific interface in advance and should not use another internet interface until they have confirmed agreement (web interface).
> - Currently using several ipsets RT1, RT2, etc to mark which provider an IP should be using. This applies a packet mark in tcrules that matches the provider number allocated in the providers file.
> - Local network is via either eth0 or wlan0, these are part of a bridge br0 (no requirement to filter between eth0/wlan0).
>
> What has become clear in the last few hours is that I don't appear to understand linux routing as well as I thought...
>
> In particular, how should I set up shorewall if I want to *require* that a connection marked in tcrules:prerouting with a specific packet mark (say 0x10000, i.e. equiv of high_routemarks/wide_tc) will only exit through a specific interface, say ppp0? Simply marking with the correct provider number routes through that provider most of the time, but appears vulnerable to external processes breaking the routing table?
Reject traffic going out of an interface if it doesn't have the correct mark.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
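One way to express the egress check Tom describes, as an added example that is not part of this thread or of Shorewall itself: it generates plain iptables FORWARD rules (one per provider link) that reject any forwarded packet leaving a provider interface unless the route-mark bits match that provider, and models the same policy offline so the rule set can be checked against sample packets. The provider table is constructed, and the route-mark layout (provider number in bits 16..23, mask 0xff0000, so provider 1 is 0x10000 as in the question) is an assumption about the high_routemarks/wide_tc setting.

```python
# Assumed route-mark layout: provider number occupies bits 16..23 of the fwmark,
# so provider 1 -> 0x10000, provider 2 -> 0x20000, ... (mask 0xff0000). Bits outside
# the mask (e.g. tc class marks in the low byte) must not influence the decision.
ROUTE_MARK_MASK = 0xFF0000
ROUTE_MARK_SHIFT = 16

# Constructed provider table: interface -> provider number (hypothetical values,
# mirroring what the providers file would allocate).
PROVIDERS = {"wlan1": 1, "eth0": 2, "ppp0": 3}


def route_mark(provider_number: int) -> int:
    """fwmark value that identifies this provider under the assumed layout."""
    return provider_number << ROUTE_MARK_SHIFT


def iptables_rules(providers: dict) -> list:
    """Emit one FORWARD rule per provider link: reject anything leaving that
    interface whose route-mark bits are not that provider's mark. Unmarked
    traffic (mark 0) is rejected too, so a routing-table change cannot leak a
    LAN host onto a link it never agreed to use. These rules cover forwarded
    LAN traffic only; router-originated traffic would need the OUTPUT chain."""
    rules = []
    for iface, number in providers.items():
        mark = route_mark(number)
        rules.append(
            f"iptables -A FORWARD -o {iface} "
            f"-m mark ! --mark {mark:#x}/{ROUTE_MARK_MASK:#x} -j REJECT"
        )
    return rules


def egress_allowed(fwmark: int, out_iface: str, providers: dict) -> bool:
    """Offline model of the rule set above: True if a packet carrying fwmark may
    leave out_iface. Interfaces not in the table are not provider links (e.g.
    br0 towards the LAN) and are left untouched by these rules."""
    if out_iface not in providers:
        return True
    return (fwmark & ROUTE_MARK_MASK) == route_mark(providers[out_iface])


if __name__ == "__main__":
    for rule in iptables_rules(PROVIDERS):
        print(rule)
    # Sample packets: (fwmark, outgoing interface) -> expected verdict
    for mark, iface in [(0x30000, "ppp0"), (0x30005, "ppp0"), (0x10000, "ppp0"), (0, "ppp0")]:
        print(f"mark={mark:#07x} out={iface}: {'ACCEPT' if egress_allowed(mark, iface, PROVIDERS) else 'REJECT'}")
```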
