----- Original Message -----
From: "Jerry Vonau" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Tuesday, September 04, 2007 2:49 PM
Subject: Re: [Shorewall-users] Multi-Isp Masquerade ?
>>> Mike Lander wrote:
>>>
>>>> Yes this accurately reflects the network topology?
>>>> However I have been testing squid through this now and
>>>> the browser pauses and balks at times. So I tried
>>>> 10.194.79.181 in tcp_outgoing in squid.conf
>>>> and browsing was fine. When I changed tcp_outgoing
>>>> to 66.224.62.120, the trouble started
>>>> again. You would have thought I would have been
>>>> the lan gateway causing trouble. Any ideas?
>>> Wireshark is your friend.
>>>
>>>
>>> Tom,
>>> Here is a tcpdump from eth1, I tried
>>> one from eth0. Because I have tcp_outgoing
>>> in squid set to 66.224.62.120, squid should be
>>> trying to go out eth0. But I could see no
>>> evidence of traffic from 66.224.62.120
>>> sniffing eth0. So this is a binary dump
>>> of eth1 lan with host 10.194.79.199
>>> trying to browse web pages through
>>> squid.
>>> PS the dump is binary
>>> Mike
>>
>>
>>
>> I think I have this firewall really close. I have
>>
>> one trouble I can't seem to trace down. With the following routes
>>
>> (posted below)
>>
>> if I comment out like this in shorewall rules.
>>
>> #REDIRECT loc 3128 tcp www -
>> !10.194.79.181
>>
>> The local machines can browse through port 80
>>
>> Things seem ok.
>>
>> But if I fire up squid (running on the firewall)
>>
>> by uncommenting the redirect
>>
>> The system returned:
>>
>> (113) no route to host
>>
>> At times squid may return a page.
>>
>
> I have my squid running a different box. You could (should?) configure
> squid to listen on only the internal interface, that should keep the
> routing straight.
>
> When things ping-pong between working and not working on connections
> involving the firewall itself, it is usually because the masq entries
> for the firewall are missing as shown in the multi-isp doc.
>
> In the masq file, you have:
>
> eth0 10.194.79.181 66.224.62.120
> eth1 66.224.62.120 10.194.79.181
>
> Right? (I can't tell from here). more below..
>
>> The trouble seems to be routing for local
>>
>> Any ideas on how I could diagnose?
>>
>> Or does this routing look ok?
>>
>> Thanks
>>
>> Mike
>>
>
> Looks like mine... ;-)
>
> <snip>
> If the masq file is fine, then I think you may need to use the tcrules
> file here. Something like this might help:
>
> <loc_mark> $FW 10.194.79.0/24 tcp - 3128
>
> replace the <loc_mark> with the mark you're using on the local interface
> and don't use :F or :P
>
> Jerry
>
Hi Jerry,
I think my whole trouble was the masq file; the only entry I had
was the first entry below, which Tom helped me with!
I cannot seem to grasp the entries in the masq, even though if
I read an existing masq entry I can follow the meaning of it.
The best way to describe this is, the firewall seemed to
be gasping for a breath until I entered the eth1 rewrite.
Not sure if it's perfect, time will tell, but now browsing
seemed to spring to life. I believe ACKs were coming back
and they were trying to go to local machines
instead of answering squid's SYNs.
Thank you.
Mike
eth0 10.194.79.0/24 66.224.62.120 ---- 1st entry
eth1 66.224.62.120 10.194.79.181
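The masq entries above, and Jerry's rule of thumb that connections involving the firewall itself flap when the masq entries for the firewall's own addresses are missing, are easy to check mechanically. The following is an added example, not code from the thread or from Shorewall: it parses the first three columns of a Shorewall masq file (INTERFACE SOURCE ADDRESS, with the net!exclusion form of SOURCE), renders the equivalent iptables SNAT rules (an equivalent rule set, not the chains Shorewall actually generates), and reports every interface that lacks an entry covering the firewall's own address on the other interface. The firewall addresses (FW_ADDRS), the sample masq texts and the pairing rule itself are assumptions built from the addresses quoted in this thread.

```python
"""Added example: parse Shorewall 'masq' entries (INTERFACE SOURCE ADDRESS),
render the equivalent iptables SNAT rules, and flag interfaces that lack an
entry covering the firewall's own address on the other interface."""
import ipaddress


def parse_masq(text):
    """Return a list of dicts for the non-comment lines of a masq file.

    Only INTERFACE, SOURCE and ADDRESS are parsed; a SOURCE written as
    net!excl1,excl2 is split into the net and its exclusions. Any further
    columns (PROTO, PORT, ...) are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"masq line needs INTERFACE and SOURCE: {raw!r}")
        source, _, excl = fields[1].partition("!")
        address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        entries.append({
            "iface": fields[0],
            "source": source,
            "exclude": [e for e in excl.split(",") if e],
            "address": address,
        })
    return entries


def to_iptables(entries):
    """Render each entry as iptables nat/POSTROUTING rules.

    This is an equivalent rule set, not Shorewall's generated chains:
    each exclusion becomes a RETURN rule placed ahead of the SNAT/MASQUERADE
    rule for the enclosing SOURCE.
    """
    rules = []
    for e in entries:
        prefix = f"iptables -t nat -A POSTROUTING -o {e['iface']}"
        for x in e["exclude"]:
            rules.append(f"{prefix} -s {x} -j RETURN")
        target = (f"SNAT --to-source {e['address']}" if e["address"]
                  else "MASQUERADE")
        rules.append(f"{prefix} -s {e['source']} -j {target}")
    return rules


def _covers(entry, addr):
    """True if the entry's SOURCE contains addr and no exclusion does."""
    ip = ipaddress.ip_address(addr)
    try:
        net = ipaddress.ip_network(entry["source"], strict=False)
    except ValueError:  # e.g. an interface name as SOURCE: not evaluated here
        return False
    if ip not in net:
        return False
    return not any(ip in ipaddress.ip_network(x, strict=False)
                   for x in entry["exclude"])


def missing_firewall_entries(entries, fw_addrs):
    """Rule of thumb from the thread (assumed, not Shorewall's own check):
    traffic the firewall originates must be rewritten on every interface, so
    for each interface I the firewall's address on every other interface J
    needs a masq entry leaving I that covers it.

    fw_addrs maps interface -> the firewall's own address on that interface.
    Returns a sorted list of (interface, uncovered_firewall_address).
    """
    missing = []
    for iface in fw_addrs:
        for other, addr in fw_addrs.items():
            if other == iface:
                continue
            if not any(e["iface"] == iface and _covers(e, addr)
                       for e in entries):
                missing.append((iface, addr))
    return sorted(missing)


# Constructed sample input: the poster's original single entry, then the pair
# that made browsing through squid work. Addresses are the ones in the thread.
FW_ADDRS = {"eth0": "66.224.62.120", "eth1": "10.194.79.181"}

MASQ_BEFORE = """\
#INTERFACE  SOURCE          ADDRESS
eth0        10.194.79.0/24  66.224.62.120
"""

MASQ_AFTER = MASQ_BEFORE + "eth1        66.224.62.120   10.194.79.181\n"

if __name__ == "__main__":
    for label, text in (("before", MASQ_BEFORE), ("after", MASQ_AFTER)):
        entries = parse_masq(text)
        print(f"--- {label} ---")
        print("\n".join(to_iptables(entries)))
        print("missing:", missing_firewall_entries(entries, FW_ADDRS) or "none")
```

Run stand-alone it prints the rendered rules for both configurations; with only the first entry the check reports (eth1, 66.224.62.120), which is exactly the eth1 rewrite that was missing, and with both entries it reports nothing. Note that a SOURCE exclusion such as 10.194.79.0/24!10.194.79.181 on eth0 removes the firewall's own LAN address from the rewrite and is flagged too.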