On 7/30/12 5:39 PM, Bas van Schaik wrote:
> Hi Tom,
> 
> On 31/07/12 00:52, Tom Eastep wrote:
>> Looks to me like your COPY column contents in /etc/shorewall/providers
>> are wrong. The routes out of eth0 are copied into the VPN's routing
>> table; see the entry marked <=== above.
> Well spotted! Your observation was right and led to the solution (which
> also caused a new problem - see below), but it was not the routes of
> eth0 being copied into the 'prov_vpn' routing table, it was the 'main'
> routing table being copied into the 'vpn_main' routing table. I removed
> the values from the COPY column, and also removed the values from the
> DUPLICATE column (which used to contain 'main', but is now '-').
> 
> If anyone else ever runs into the same trouble (track/routeback not
> working), this setup of 'providers' might work for you:
>> #NAME           NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS                 COPY
>> prov_main       1       1       -               eth0            detect          track,balance
>> prov_vpn        2       2       -               tun0            detect          track,optional,loose
> 
> However, the new problem is that direct traffic from
> 129.67.194.0/255.255.252.0 to 129.67.194.105 is now routed through the
> default gateway of 'provider_main', which is of course unnecessary and
> causes new routing problems:
>> Jul 31 01:21:08 guust kernel: [282101.945969] Redirect from
>> 129.67.195.254 on eth0 about 129.67.194.110 ignored.
> 
> I tried adding a specific route using the 'routes' file (which was
> introduced in Shorewall 4.4.15):
>> #PROVIDER       DEST                            GATEWAY         DEVICE
>> prov_main       129.67.194.0/22                 -               eth0
> 
> Which will compile, but 'ip -4 route add ...' doesn't like it and
> Shorewall doesn't start:
> 
>> Jul 31 01:31:41 Adding Providers...
>> RTNETLINK answers: Invalid argument
>>    ERROR: Command "ip -4 route add 129.67.194.0/22 dev eth0 table 1"
>> Failed
> 
> So, basically, I'd like to have a route in 'prov_main' on eth0 to
> 129.67.194.0/255.255.252.0 which is only used if traffic actually
> entered the system through eth0. Any suggestions on how I can accomplish
> this?

Have you tried specifying 'none' in the COPY column as described in the
shorewall-providers manpage?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
