Mike Lander wrote:
> ----- Original Message -----
> From: "Mike Lander" <[EMAIL PROTECTED]>
> To: "Shorewall Users" <[email protected]>
> Sent: Thursday, August 30, 2007 6:37 PM
> Subject: Re: [Shorewall-users] Multi-ISP Masquerade?
>
>> Mike Lander wrote:
>>
>>> Yes, this accurately reflects the network topology.
>>> However, I've been testing squid through this now and
>>> the browser pauses and balks at times. So I tried
>>> 10.194.79.181 in tcp outgoing in squid.conf
>>> and browsing was fine. When I changed tcp
>>> outgoing to 66.224.62.120, the trouble started
>>> again. You would have thought I would have been
>>> the lan gateway causing trouble. Any ideas?
>> Wireshark is your friend.
>>
>>
>> Tom,
>> Here is a tcpdump from eth1. I tried
>> one from eth0, because I have tcp outgoing
>> in squid set to 66.224.62.120, so squid should be
>> trying to go out eth0. But I could see no
>> evidence of traffic from 66.224.62.120
>> sniffing eth0. So this is a binary dump
>> of eth1 (lan) with host 10.194.79.199
>> trying to browse web pages through
>> squid.
>> PS: the dump is binary
>> Mike
>
> --------------------------------------------------------------------------------
>
> I think I have this firewall really close. I have
> one trouble I can't seem to trace down. With the following routes
> (posted below),
> if I comment out like this in shorewall rules:
> #REDIRECT loc 3128 tcp www - !10.194.79.181
> the local machines can browse through port 80
> and things seem ok.
> But if I fire up squid (running on the firewall)
> by uncommenting the redirect:
> The system returned:
> (113) no route to host
> At times squid may return a page.
I have my squid running on a different box. You could (should?) configure squid to listen on only the internal interface; that should keep the routing straight.

When things ping-pong between working and not working on connections involving the firewall itself, it is usually because the masq entries for the firewall are missing, as shown in the multi-ISP doc. In the masq file, you have:

eth0 10.194.79.181 66.224.62.120
eth1 66.224.62.120 10.194.79.181

Right? (I can't tell from here.) More below..

> The trouble seems to be routing for local.
> Any ideas on how I could diagnose?
> Or does this routing look ok?
> Thanks
> Mike

Looks like mine... ;-)

<snip>

If the masq file is fine, then I think you may need to use the tcrules file here. Something like this might help:

<loc_mark> $FW 10.194.79.0/24 tcp - 3128

Replace the <loc_mark> with the mark you're using on the local interface, and don't use :F or :P.

Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
