Tom Eastep wrote:
> Jerry Vonau wrote:
> 
>>
>> OK, for those of us that are playing along at home ;-), to condense the
>> thought, what we(?) would be looking at is a single "bal" table that has
>> the default routes. The routing rules needed would point to the "main"
>> routing table for the routes that would be "local" to the box (invert
>> the logic, ie: ip rule to 10.3.0.10/24 lookup table main), while the
>> routes via an isp that are "external" to the box would be directed to
>> the "bal" (default?) table, (ie: ip rule to 0.0.0.0/0 lookup table bal),
>> with the "ip rules" ordering winning the table race.
> 
> Exactly.
> 

Nice to know I might still have it. ;-)

>> I wonder if that
>> is what the stock blank "default" table is meant for? (vpn routes would
>> be considered local here).
> 
> I suspect so.
> 
That would be an easier sell upstream, since it's present but not used,
for changes to dhcp, pppd, etc., that would need to have the table to
add the default route to "fixed".

>> I like this, it *should* work kind of like
>> the squid routing, point to a gateway(s) and the rest should just fall
>> into line(with the routing rules in place), with much less code perhaps.
>> Have you thought about what the routing rules might look like in this
>> setup? 
> 
> Attached is a copy of what I have running currently.
> 
> -Tom

Routing Rules

0:      from all lookup local
32766:  from all lookup main
35000:  from all to 206.124.146.179 lookup linksys
40000:  from all fwmark 0x1 lookup linksys
40001:  from all fwmark 0x2 lookup shorewall
50000:  from 172.20.1.102 lookup linksys
50256:  from 192.168.1.5 lookup shorewall
65535:  from all lookup default

Wow, is that utterly simple: look up the rule based on ip/fwmark; if a
route is found in that table, use it; if not, check the default table
for a gateway. I really like this layout.

OK, it's been more than a couple of days. ;-) With 4.2, is the reason
behind the shorewall test layout, using main 999, backwards
compatibility?

Getting the "squid in loc" to work with "loose" took a bit of effort but 
that works now.  Give me a bit, I'll have some config info that worked 
for me if you want.

I've updated my patches from 2005 (? boy, things that you thought were
important...) for this layout, for use with Fedora. I have some basic
patches, that may need a bit of work, for dhclient-script,
network-functions, and eth-up parsing the ifcfg files looking for
table/weight info, working like the providers functions. pppd would
need to use nodefaultgateway and a bit of ip-up magic to work, but I
can't play: no DSL and no time atm.

On a side note:

Running /sbin/iptables-restore...
iptables-restore v1.4.1.1: host/network `!' not found
Error occurred at line: 134
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    ERROR: iptables-restore Failed. Input is in 
/var/lib/shorewall/.iptables-restore-input
Line 134:
-A loc2fw -p 6 --dport 8080 -m conntrack --ctorigdst ! 10.3.0.10 -j ACCEPT

Editing out this line in rules allows a start:

REDIRECT        loc     8080            tcp     80      -       !10.3.0.10

Did I miss something along the journey?

A bit of retooling got things to work.

Off to Mom's, just my 2cents,

Jerry
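The rule walk described above (match a rule by from/to/fwmark, take the route if the selected table has one, otherwise fall through to the next rule and finally to the default table), as an added Python simulation that is not part of this thread or of Shorewall. The rule list is the "Routing Rules" listing above; the per-table routes, interface names and the balanced default route are constructed here for illustration.

```python
import ipaddress

# Constructed routing tables: name -> list of (prefix, next hop). The
# "default" table plays the role of the proposed "bal" table and holds
# the only balanced default route; "main" holds the routes local to the box.
TABLES = {
    "local": [("127.0.0.0/8", "local lo")],
    "main": [("10.3.0.0/24", "dev eth1"), ("192.168.1.0/24", "dev eth2"),
             ("172.20.1.0/24", "dev eth0")],
    "linksys": [("0.0.0.0/0", "via 172.20.1.1")],
    "shorewall": [("0.0.0.0/0", "via 192.168.1.1")],
    "default": [("0.0.0.0/0", "nexthop via 172.20.1.1 nexthop via 192.168.1.1")],
}

# Rules as listed in the thread: (priority, selector, table)
RULES = [
    (0, {}, "local"),
    (32766, {}, "main"),
    (35000, {"to": "206.124.146.179/32"}, "linksys"),
    (40000, {"fwmark": 0x1}, "linksys"),
    (40001, {"fwmark": 0x2}, "shorewall"),
    (50000, {"from": "172.20.1.102/32"}, "linksys"),
    (50256, {"from": "192.168.1.5/32"}, "shorewall"),
    (65535, {}, "default"),
]

def rule_matches(sel, src, dst, fwmark):
    """A rule selects a packet only if every given key (from/to/fwmark) matches."""
    if "from" in sel and src not in ipaddress.ip_network(sel["from"]):
        return False
    if "to" in sel and dst not in ipaddress.ip_network(sel["to"]):
        return False
    if "fwmark" in sel and sel["fwmark"] != fwmark:
        return False
    return True

def table_lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    best = None
    for prefix, nexthop in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]

def route(src, dst, fwmark=0):
    """Walk rules by ascending priority; the first table holding a route wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if rule_matches(sel, s, d, fwmark):
            hop = table_lookup(table, d)
            if hop is not None:
                return prio, table, hop
    return None  # no rule's table had a route: the packet is unroutable
```

Local-subnet traffic is answered by "main" at priority 32766 before any provider rule is consulted, while unmarked traffic to the Internet falls all the way through to the balanced route in "default".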



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users