Hello!
With regard to the recommended settings in shorewall.conf
TC_BITS=8
PROVIDER_OFFSET=8
PROVIDER_BITS=4
is this best practice?
I ask because initially these parameters are not set.
Unfortunately I get an error when starting Shorewall:
[...]
Mar 15 08:22:39 Finishing matrix...
Mar 15 08:22:39 Creating iptables-restore input...
Mar 15 08:22:39 Shorewall configuration compiled to /var/lib/shorewall/.start
Mar 15 08:22:39 Starting Shorewall....
Mar 15 08:22:39 ERROR: Can't determine the IP address of eth2
Mar 15 08:22:39 ERROR: Shorewall start failed: Firewall state not changed
I assume this is related to the network configuration where eth2 is
bridged to vmbr2:
[...]
auto eth2
iface eth2 inet manual
auto vmbr2
iface vmbr2 inet static
address 192.168.1.14
netmask 255.255.255.0
bridge_ports eth2
bridge_stp off
bridge_fd 0
root@pc4-svp:~# ifconfig
eth0 Link encap:Ethernet HWaddr 74:d4:35:1a:f6:0f
inet addr:217.xxx.xxx.xxx Bcast:255.255.255.255 Mask:255.255.255.192
inet6 addr: fe80::76d4:35ff:fe1a:f60f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20460 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1684356 (1.6 MiB) TX bytes:8729 (8.5 KiB)
Interrupt:20 Memory:f7d00000-f7d20000
eth1 Link encap:Ethernet HWaddr 00:15:17:91:9c:b8
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16 Memory:f7c60000-f7c80000
eth2 Link encap:Ethernet HWaddr 00:15:17:91:9c:b9
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2306 errors:0 dropped:0 overruns:0 frame:0
TX packets:2293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:335489 (327.6 KiB) TX bytes:1260503 (1.2 MiB)
Interrupt:17 Memory:f7c20000-f7c40000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:104 (104.0 B) TX bytes:104 (104.0 B)
tap121i0 Link encap:Ethernet HWaddr 46:f6:a2:8f:8e:10
inet6 addr: fe80::44f6:a2ff:fe8f:8e10/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
TX packets:1740 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:991546 (968.3 KiB) TX bytes:270132 (263.8 KiB)
vmbr0 Link encap:Ethernet HWaddr f2:b4:7f:3d:67:f9
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::f0b4:7fff:fe3d:67f9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1548 (1.5 KiB)
vmbr1 Link encap:Ethernet HWaddr 00:15:17:91:9c:b8
inet addr:10.1.0.1 Bcast:10.1.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vmbr2 Link encap:Ethernet HWaddr 00:15:17:91:9c:b9
inet addr:192.168.178.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe91:9cb9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1389 errors:0 dropped:377 overruns:0 frame:0
TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:123341 (120.4 KiB) TX bytes:257435 (251.4 KiB)
Can you please advise?
THX
On 26.02.2016 at 20:46, Tom Eastep wrote:
On 02/24/2016 03:22 AM, c.mo...@web.de wrote:
Fair enough.
Defining /etc/shorewall/masq and /etc/shorewall/rules is not difficult.
But the problem starts
with /etc/shorewall/providers, /etc/shorewall/rtrules
and /etc/shorewall/interfaces.
And last but not least the setting of USE_DEFAULT_RT.
I see no reason why USE_DEFAULT_RT=Yes would not be appropriate.
You obviously have two providers -- one out of eth0 and one out of eth2.
Given that eth0 has a static IP address, I'm assuming that the gateway
is also static so just specify it in the providers entry.
I'll assume these settings in shorewall.conf.
TC_BITS=8
PROVIDER_OFFSET=8
PROVIDER_BITS=4
ISP1 1 0x100 eth0 <gateway1> primary
ISP2 2 0x200 eth2 192.168.178.1 fallback
Your rtrules file will depend on how you want traffic routed. I assume
that 10.1.0.0/24 wants to route out of eth0, so you would have this entry:
10.1.0.0/24 - ISP1 1000
Similarly, 192.168.178.0/24 wants to route out of ISP2:
192.168.178.0/24 - ISP2 1000
The interfaces file will have the 'net' zone for both eth0 and eth2:
?FORMAT 2
net eth0 dhcp,...
net eth2 ...
-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
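As an added example, not code from this thread or from the Shorewall project: a POSIX shell script that writes the providers, rtrules and interfaces files the reply above describes, with one change that the error in the top post points to. In the posted /etc/network/interfaces, eth2 is `inet manual` and is enslaved to vmbr2 via `bridge_ports eth2`, so the IP address and the gateway live on vmbr2, not on eth2; a bridge port has no address of its own, which is exactly what "Can't determine the IP address of eth2" reports. The second provider therefore uses vmbr2. Assumptions: `<gateway1>` is kept as the placeholder from the reply; the interface options `tcpflags,nosmurfs` are a placeholder choice of mine; the embedded /etc/network/interfaces text is constructed from the snippet in the post, using the 192.168.178.10 address shown by ifconfig; and the `check_providers` pre-flight check is mine, not a Shorewall feature.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Writes the Shorewall
# files from the reply into a directory, putting the second provider on the
# bridge vmbr2 rather than its enslaved port eth2, and checks the providers
# file against /etc/network/interfaces so that a bridge port (which carries
# no IP address) is caught before "shorewall start" fails with
# "Can't determine the IP address of <port>".

# /etc/network/interfaces text, constructed from the snippet in the post
# (address taken from the ifconfig output in the same post).
NET_IFACES='auto eth2
iface eth2 inet manual
auto vmbr2
iface vmbr2 inet static
address 192.168.178.10
netmask 255.255.255.0
bridge_ports eth2
bridge_stp off
bridge_fd 0'

# bridge_of IFACE: print the bridge that enslaves IFACE (nothing if none).
bridge_of() {
    printf '%s\n' "$NET_IFACES" |
    awk -v want="$1" '$1 == "iface" { br = $2 }
        $1 == "bridge_ports" { for (i = 2; i <= NF; i++) if ($i == want) print br }'
}

# provider_ifaces FILE: print the INTERFACE column (4th) of each provider
# line, using the six-column layout from the reply
# (NAME NUMBER MARK INTERFACE GATEWAY OPTIONS). Comment and ?-lines skipped.
provider_ifaces() {
    awk '!/^[#?]/ && NF >= 5 { print $4 }' "$1"
}

# check_providers FILE: return 1 if any provider interface is a bridge port.
check_providers() {
    rc=0
    for ifc in $(provider_ifaces "$1"); do
        br=$(bridge_of "$ifc")
        if [ -n "$br" ]; then
            echo "providers: $ifc is a port of bridge $br and has no IP address; use $br instead" >&2
            rc=1
        fi
    done
    return $rc
}

# write_shorewall_config DIR: write the files into DIR (use /etc/shorewall
# for real). <gateway1> is the placeholder from the reply for the static
# upstream gateway on eth0; tcpflags,nosmurfs is an assumed option choice.
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/shorewall.conf.fragment" <<'EOF'
# merge into /etc/shorewall/shorewall.conf
TC_BITS=8
PROVIDER_OFFSET=8
PROVIDER_BITS=4
USE_DEFAULT_RT=Yes
EOF
    cat > "$dir/providers" <<'EOF'
#NAME NUMBER MARK  INTERFACE GATEWAY       OPTIONS
ISP1  1      0x100 eth0      <gateway1>    primary
ISP2  2      0x200 vmbr2     192.168.178.1 fallback
EOF
    cat > "$dir/rtrules" <<'EOF'
#SOURCE          DEST PROVIDER PRIORITY
10.1.0.0/24      -    ISP1     1000
192.168.178.0/24 -    ISP2     1000
EOF
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE INTERFACE OPTIONS
net   eth0      tcpflags,nosmurfs
net   vmbr2     tcpflags,nosmurfs
EOF
}

# Usage: sh this.sh /etc/shorewall && shorewall check
if [ $# -gt 0 ]; then
    write_shorewall_config "$1" && check_providers "$1/providers"
fi
```

Run it against a scratch directory first and diff the result against the live /etc/shorewall; once the check passes, `shorewall check` validates the compiled configuration without touching the firewall, and `ip -4 addr show dev vmbr2` confirms that the address Shorewall will use is on the bridge. The check only catches the bridge-port case from this thread; an interface that is up but simply has no address assigned yet (eth1/vmbr1 in the ifconfig output) would still fail in the same way at start time.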