Hello all,

I am running shorewall-4.5.0.1 on CentOS 6.4 and having trouble getting certain
internal IP addresses to NAT out via certain interfaces. This is complicated by
the fact that I am using two different providers.

First, my providers file (boilerplate comment lines removed):

pbb     1       4       main            eth1            207.71.189.129  track,balance
vbb     2       5       main            eth2            217.240.176.1   track,balance

Then my masq file:

eth1                    10.0.2.32/32    207.71.189.254  # mail server
eth1                    10.0.2.0/24     207.71.189.130  # everything else

my tcrules:

# Per the providers file, traffic marked 4 goes out PBB while traffic marked 5 goes out VBB.
# Default everything out of PBB. Should eventually change this to VBB.
4       10.0.0.0/8              0.0.0.0/0
# All of this goes out VBB.
5       10.0.2.37       0.0.0.0/0 # post
5       10.0.2.8        0.0.0.0/0 # util1
5       10.0.2.48       0.0.0.0/0 # ftp
5       10.0.2.106      0.0.0.0/0 # rezaspider
5       10.0.2.111      0.0.0.0/0 # spider1-eth0:1
5       10.0.2.112      0.0.0.0/0 # spider1-eth0:2
5       10.0.2.113      0.0.0.0/0 # spider1-eth0:3
5       10.0.2.114      0.0.0.0/0 # spider1-eth0:4

And my rules file:

# Let the many spider1 interfaces access the outside for spidering
ACCEPT  dmz:10.0.2.110          vbb                     tcp     http
ACCEPT  dmz:10.0.2.110          vbb                     tcp     https
ACCEPT  dmz:10.0.2.111          vbb                     tcp     http
ACCEPT  dmz:10.0.2.111          vbb                     tcp     https
ACCEPT  dmz:10.0.2.112          vbb                     tcp     http
ACCEPT  dmz:10.0.2.112          vbb                     tcp     https
ACCEPT  dmz:10.0.2.113          vbb                     tcp     http
ACCEPT  dmz:10.0.2.113          vbb                     tcp     https

I'm ultimately trying to get any traffic from 10.0.2.111 to go out
217.240.176.67 and traffic from 10.0.2.112 to go out 217.240.176.68 etc. With
this config I cannot source a connection from 10.0.2.111 to any outside IP
address:

[root@spider1 ~]# curl --interface eth0:1 http://ifconfig.me
curl: (7) couldn't connect to host
[root@spider1 ~]# /sbin/ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 00:16:3E:0D:15:21  
          inet addr:10.0.2.111  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:23 

What am I doing wrong here? I am somewhat confused on whether this sort of
masq/NAT is to be done through the masq file or the tcrules file. The first
thought is to try to do this through the masq file but the shorewall-masq
manpage says:

    Warning
    If you have more than one ISP link, adding entries to this file will not
    force connections to go out through a particular link. You must use entries
    in shorewall-rtrules[1](5) or PREROUTING entries in shorewall-tcrules[2](5)
    to do that.

So that is what I am trying to do. Does this mean that the masq file serves no
purpose at all in a multi-ISP setup such as I have? 

Which is preferred, rtrules or tcrules? I'm going with tcrules for now since
that is where I'm setting my traffic with mark 4 which sends it out the "pbb"
provider.

-- 
Tracy Reed

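An added consistency check, not from the post or from Shorewall itself: Shorewall applies a masq entry only to packets leaving the interface named in its INTERFACE column, so every source that tcrules marks for a provider needs a masq entry on that provider's interface covering it. The script below parses the three files as posted (copied inline, wrapped provider lines rejoined) and reports sources with no covering masq entry; it assumes the plain column layouts shown above and ignores `:dest` qualifiers and mark suffixes.

```python
import ipaddress

# Inline copies of the posted files (constructed for this example).
PROVIDERS = """
pbb 1 4 main eth1 207.71.189.129 track,balance
vbb 2 5 main eth2 217.240.176.1  track,balance
"""
MASQ = """
eth1  10.0.2.32/32  207.71.189.254  # mail server
eth1  10.0.2.0/24   207.71.189.130  # everything else
"""
TCRULES = """
4  10.0.0.0/8   0.0.0.0/0
5  10.0.2.37    0.0.0.0/0  # post
5  10.0.2.111   0.0.0.0/0  # spider1-eth0:1
"""

def fields(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def mark_to_interface(providers):
    """Map a provider's MARK column to its INTERFACE column."""
    return {cols[2]: cols[4] for cols in fields(providers)}

def masq_entries(masq):
    """Return (interface, source network, SNAT address) triples."""
    out = []
    for cols in fields(masq):
        iface = cols[0].split(":", 1)[0]  # drop any ":dest" qualifier
        out.append((iface, ipaddress.ip_network(cols[1], strict=False), cols[2]))
    return out

def unmasqueraded(providers, masq, tcrules):
    """List (source, interface) for tcrules sources that no masq entry on the
    provider's interface fully covers; such traffic leaves without SNAT."""
    iface_of = mark_to_interface(providers)
    snat = masq_entries(masq)
    missing = []
    for cols in fields(tcrules):
        iface = iface_of.get(cols[0].split(":", 1)[0])  # "5:P" -> "5"
        if iface is None:
            continue  # not a provider mark
        src = ipaddress.ip_network(cols[1], strict=False)
        if not any(i == iface and src.subnet_of(net) for i, net, _ in snat):
            missing.append((cols[1], iface))
    return missing
```

Run against the posted files it flags the mark-5 hosts, since the masq file has no eth2 entry at all, and also the 10.0.0.0/8 mark-4 entry, which is wider than the 10.0.2.0/24 masq entry on eth1.
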
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
