Hi all,
I've been using shorewall 3 (3.4.8 now) for a while on a simple gateway
setup for my office. Routing is enabled only for a few hosts and all users
access the internet through squid, which is running on the shorewall box. I
have a few other services on this box and some others on another server, but
they don't matter for what I need.

Quick and dirty schematics to illustrate (and let's hope Gmail doesn't screw
it up). Probably not needed, but it won't hurt:

    wan (eth1) -------- shorewall (eth0) -------- lan
   (fixed ip)              10.0.0.1           10.0.0.0/24

I currently have a 600/600 kbps "corporate" internet connection (a fancy
name for a cable modem with fixed ip) and my bandwidth needs are becoming
bigger and bigger, so I signed up for another internet link (another cable
modem, now a "residential" one with dynamic ip, essentially the same as the
other) which is 2000/300 kbps, which I plan to use for the users' internet
usage (Squid) only. This 2nd internet link, however, won't be connected to
shorewall but to a simple wifi soho router (a linksys one running dd-wrt).
So, I need to route all traffic from squid to this linksys router.

Another schematic attempt for the new scenario:

    wan -------- shorewall -------- lan
 (fixed ip)      10.0.0.1       10.0.0.0/24
                     \ squid only    |
                      \----------\   |
                                  \  |
   wan2 ------------------------- linksys
 (dyn ip)                        10.0.0.2

I have googled for a while and found out that I need to use packet marking
to achieve what I need; basically mark each squid packet with an identifier
and route them accordingly. I found the following instructions with iptables
commands which happen to do the job:

I would use another approach in 'marking' squid packets, it could be done
with a single rule:

iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 0x1


Now just add these two commands to define a new routing table.

/sbin/ip rule add fwmark 0x1 table 101 pref 101

/sbin/ip route add default via 10.0.0.2 dev eth0 table 101


To make changes permanent (after everything is tested and working ok):

iptables-save > /etc/sysconfig/iptables


edit /etc/iproute2/rt_tables and add a line:

101     squid


then create 2 files 'route-eth0' and 'rule-eth0' (that's Red Hat's approach
to handle complex routing, that should also work on CentOS):


/etc/sysconfig/network-scripts/rule-eth0:

fwmark 0x1 table 101 pref 1000


/etc/sysconfig/network-scripts/route-eth0:

default via 10.0.0.2 dev eth0 table 101


So, my problem is how do I translate those commands into shorewall
configuration? I tried looking at the Multi-ISP doc but it talks about
having both ISPs on the same box, which is not my case, so I'm not sure if I
need to mess with /etc/shorewall/providers and such.
I hope I made myself clear enough but if anyone has doubts, please ask. All
replies are greatly appreciated.

Thanks!
Gustavo
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
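The quoted iptables/ip steps as an added shell script (not from the post or the Shorewall project), with one labelled addition: squid's packets destined for the LAN are excluded from the mark, so its replies to the browsers stay on the LAN instead of being sent to the linksys box. It assumes the post's values (user squid, gateway 10.0.0.2 on eth0, LAN 10.0.0.0/24, mark 0x1, table 101) and does not itself answer the Shorewall-configuration question.

```shell
#!/bin/sh
# Added example (not from the post): the raw iptables/ip steps from the
# quoted instructions, wrapped in functions so they can be printed first
# and applied idempotently. Values assumed from the post: squid runs as
# user "squid", the linksys gateway is 10.0.0.2 on eth0, the LAN is
# 10.0.0.0/24, mark 0x1 and routing table 101.
SQUID_USER=squid
GW2=10.0.0.2
IFACE=eth0
LAN=10.0.0.0/24
MARK=0x1
TABLE=101

# Mark rule for packets generated by the squid user. The "! -d $LAN"
# exclusion is an addition to the post's rule: table 101 holds only a
# default route, so without it squid's replies to LAN browsers would also
# be sent to the linksys box instead of directly onto the LAN.
mark_rule() {
    printf 'iptables -t mangle -I OUTPUT ! -d %s -m owner --uid-owner %s -j MARK --set-mark %s\n' \
        "$LAN" "$SQUID_USER" "$MARK"
}

# Policy rule plus the alternate default route, as in the post.
route_cmds() {
    printf 'ip rule add fwmark %s table %s pref %s\n' "$MARK" "$TABLE" "$TABLE"
    printf 'ip route add default via %s dev %s table %s\n' "$GW2" "$IFACE" "$TABLE"
}

# Given the text of `ip rule show`, succeed if the fwmark rule is already
# installed, so apply can be re-run without stacking duplicate rules.
rule_present() {
    printf '%s\n' "$1" | grep -q "fwmark $MARK lookup $TABLE"
}

apply() {
    if rule_present "$(ip rule show)"; then
        echo "fwmark $MARK -> table $TABLE already installed, nothing to do" >&2
        return 0
    fi
    mark_rule | sh
    route_cmds | sh
}

# Print the commands by default; run with "apply" (as root) to install them.
if [ "${1:-}" = "apply" ]; then
    apply
else
    mark_rule
    route_cmds
fi
```

Shorewall rebuilds the mangle table when it restarts, so a mark rule installed this way has to be re-applied afterwards (the /etc/shorewall/started extension script is one place to do it); the rt_tables entry and the rule-eth0/route-eth0 files from the post are still what persist the ip rule and route across reboots.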