Tom Eastep wrote:
> Jerry Vonau wrote:
>>
>> Ok, it's been more than a couple of days. ;-) With 4.2, is the reason
>> behind the shorewall test layout, using main 999, backwards
>> compatibility?
>
> Yes.
>
>> Getting the "squid in loc" to work with "loose" took a bit of effort
>> but that works now. Give me a bit, I'll have some config info that
>> worked for me if you want.
>
> Please -- I haven't tested that configuration.
>

Just a quick summary..

shorewall show routing

Shorewall 4.2.0-Beta3 Routing at shore.wp.shawcable.net - Sun Jul 13 09:45:40 CDT 2008

Routing Rules

0:      from all lookup local
999:    from all lookup main
            hold-over from old config
9996:   from all to 10.3.0.168 iif eth0 lookup ETH1
9997:   from all to 10.5.0.0/24 lookup main
9998:   from all to 10.10.0.2 lookup main
            not needed, route in main..
10000:  from all fwmark 0x1 lookup ETH1
10001:  from all fwmark 0x2 lookup ETH0
10004:  from all fwmark 0x5 lookup bal
20000:  from 24.78.192.197 lookup ETH1
            note the lack of "from 10.3.0.75" from loose, must use fwmarks.
32767:  from all lookup default

Table bal:    ## just an old name ;)

10.3.0.11 dev eth0  scope link  src 10.3.0.75
default via 10.3.0.11 dev eth0  src 10.3.0.75

Table default:

default
        nexthop via 24.78.192.1  dev eth1 weight 10
        nexthop via 10.3.0.1  dev eth0 weight 1

Table ETH0:

10.3.0.1 dev eth0  scope link  src 10.3.0.75
default via 10.3.0.1 dev eth0  src 10.3.0.75

Table ETH1:

24.78.192.1 dev eth1  scope link  src 24.78.192.197
default via 24.78.192.1 dev eth1  src 24.78.192.197

Table local:

local 10.10.0.1 dev tun0  proto kernel  scope host  src 10.10.0.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 10.3.0.0 dev eth0  proto kernel  scope link  src 10.3.0.75
broadcast 24.78.193.255 dev eth1  proto kernel  scope link  src 24.78.192.197
broadcast 24.78.192.0 dev eth1  proto kernel  scope link  src 24.78.192.197
local 24.78.192.197 dev eth1  proto kernel  scope host  src 24.78.192.197
local 10.3.0.75 dev eth0  proto kernel  scope host  src 10.3.0.75
broadcast 10.3.0.255 dev eth0  proto kernel  scope link  src 10.3.0.75
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

10.10.0.2 dev tun0  proto kernel  scope link  src 10.10.0.1
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.75
10.5.0.0/24 via 10.10.0.2 dev tun0
24.78.192.0/23 dev eth1  proto kernel  scope link  src 24.78.192.197

providers:

ETH1   1   1   -   $EXTDEV   24.78.192.1   track,balance=10
ETH0   2   2   -   $LOCDEV   $LOCGW        track,balance=1
bal    5   5   -   $LOCDEV   $SQUID        loose

The squid box is a subject for another thread: two gateways on the same LAN
using ip-aliases on one interface, hence the .10 and .11 addresses below.
.10 uses the same .1 gateway, while .11 uses .75 (here) as a gateway.

tcrules:

... old test stuff
1:P   10.3.0.0/24   0.0.0.0/0   all   -    -      -
1:P   10.3.0.10     0.0.0.0/0   all   -    -      -
2:P   10.3.0.11     0.0.0.0/0   all   -    -      -
5:P   10.3.0.10     0.0.0.0/0   tcp   -    3128   -
5:P   10.3.0.11     0.0.0.0/0   tcp   -    3128   -
5:P   10.3.0.11     0.0.0.0/0   tcp   -    80     -
5:P   10.3.0.0/24   0.0.0.0/0   tcp   80   -      -

And just to hedge my bet, start:

iptables -t mangle -A PREROUTING -i eth0 -d ! 10.3.0.75 -p tcp --dport 80 -j MARK --set-mark=5

Both the above dport 80 rules appear to be marking, so I'm not sure which
is working. I'll bet both, just on different chains.

shorewall show mangle

Shorewall 4.2.0-Beta3 Mangle Table at shore.wp.shawcable.net - Sun Jul 13 10:23:27 CDT 2008

Counters reset Sun Jul 13 00:53:30 CDT 2008

Chain PREROUTING (policy ACCEPT 79707 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
59464   16M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff CONNMARK restore mask 0xff
  832 65741 routemark  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff
19409 4053K routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff
27293 6072K tcpre      all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
52412   14M tcpre      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    2   100 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff
10721 1860K MARK       tcp  --  eth0   *       0.0.0.0/0           !10.3.0.75           tcp dpt:80 MARK xset 0x5/0xffffffff

Chain INPUT (policy ACCEPT 8298 packets, 944K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 66784 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
66784   17M tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10180 packets, 1397K bytes)
 pkts bytes target     prot opt in     out     source               destination
10006 1385K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff CONNMARK restore mask 0xff
  174 11495 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff

Chain POSTROUTING (policy ACCEPT 76241 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
76241   18M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
  832 65741 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff
19409 4053K MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x2/0xffffffff
20241 4119K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x0/0xff CONNMARK save mask 0xff

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       icmp --  *      *       0.0.0.0/0           !10.3.0.0/24         MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0           !10.3.0.0/24         tcp dpt:443 MARK xset 0x1/0xffffffff
    1    60 MARK       tcp  --  *      *       0.0.0.0/0           !10.3.0.0/24         tcp dpt:21 MARK xset 0x1/0xffffffff
   50  3269 MARK       udp  --  *      *       10.3.0.75           !10.3.0.0/24         udp dpt:53 MARK xset 0x1/0xffffffff
   69  4602 MARK       udp  --  *      *       24.78.192.197       !10.3.0.0/24         udp dpt:53 MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.75           !10.3.0.0/24         multiport dports 80,53 MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.75           !10.3.0.0/24         multiport dports 80,53 MARK xset 0x1/0xffffffff
    7   404 MARK       tcp  --  *      *       24.78.192.197       !10.3.0.0/24         multiport dports 80,53 MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  *      *       24.78.192.197       !10.3.0.0/24         tcp dpt:25 MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.75           !10.3.0.0/24         tcp dpt:25 MARK xset 0x1/0xffffffff

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1222 64826 MARK       tcp  --  *      *       10.3.0.0/24          0.0.0.0/0           tcp dpt:23 MARK xset 0x2/0xffffffff
 1222 64826 MARK       tcp  --  *      *       10.3.0.0/24          0.0.0.0/0           tcp dpt:23 MARK xset 0x2/0xffffffff
27293 6072K MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff
    0     0 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 MARK xset 0x1/0xffffffff
52411   14M MARK       all  --  *      *       10.3.0.0/24          0.0.0.0/0           MARK xset 0x1/0xffffffff
 2979  185K MARK       all  --  *      *       10.3.0.10            0.0.0.0/0           MARK xset 0x1/0xffffffff
    3   252 MARK       all  --  *      *       10.3.0.11            0.0.0.0/0           MARK xset 0x2/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.10            0.0.0.0/0           tcp spt:3128 MARK xset 0x5/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.11            0.0.0.0/0           tcp spt:3128 MARK xset 0x5/0xffffffff
    0     0 MARK       tcp  --  *      *       10.3.0.11            0.0.0.0/0           tcp spt:80 MARK xset 0x5/0xffffffff
10721 1860K MARK       tcp  --  *      *       10.3.0.0/24          0.0.0.0/0           tcp dpt:80 MARK xset 0x5/0xffffffff

Byte count is the same, I'll strip out the start file and see what that
brings.. Got to go, off to work for now..

Jerry

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users