Keith Mitchell wrote:

> Sorry.  That should read "Office A Firewall Host" and "Office B Firewall
> Host"
> 
> If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
> the Office A Firewall Host (source IP 10.253.0.1), I get no return and
> nothing in the syslogs.  A ping -I eth1 10.253.0.254 gets a return.

You are marking all traffic originating on either firewall with mark
value 0x200.

From your rules:

        10001:  from all fwmark 0x200 lookup SKY

And:

        Table SKY:

        66.146.173.97 dev eth2  scope link  src 66.146.173.98
        default via 66.146.173.97 dev eth2  src 66.146.173.98

Now:

        Chain OUTPUT (policy DROP 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination
         198K   42M eth2_out   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:

        Chain eth2_out (1 references)
         pkts bytes target     prot opt in     out     source               destination
         196K   42M fw2net     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

Which accepts ping.

But now:

Nat Table:

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
32532 2407K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none to:66.146.173.98

So these pings will be sent with source 66.146.173.98.

On the other end:

        Chain FORWARD (policy DROP 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination
        ...
         104K   23M eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

        Chain eth2_fwd (1 references)
         pkts bytes target     prot opt in     out     source               destination
        ...
        26516 4848K net_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none

        Chain net_frwd (1 references)
         pkts bytes target     prot opt in     out     source               destination
        ...
        26516 4848K net2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

net2loc doesn't accept ping.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
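The path Tom traces above, as an added example that is not part of the original thread or of Shorewall: a small Python model of Linux policy routing (rules walked by priority, longest-prefix match per table, a table miss falling through to the next rule) loaded with the SKY table and the fwmark 0x200 rule quoted from Keith's output, followed by the eth2_masq SNAT and the remote FORWARD chain walk. Two things are assumptions, because the post does not show them: the `999: from all lookup main` rule that Shorewall installs when providers are configured, and a main table that holds only the connected 10.253.0.0/24 route (the 10.254.0.0/24 office is meant to be reached through IPsec, so it has no ordinary route). With those, the model reproduces both of Keith's observations: the ping to 10.253.0.254 leaves eth1 from 10.253.0.1, while the ping to 10.254.0.x falls through to SKY, leaves eth2 SNATed to 66.146.173.98, and is dropped by net2loc at Office B.

```python
"""Constructed model of the routing/NAT path discussed in this thread.

Quoted from the post: rule 10001 (fwmark 0x200 -> SKY), table SKY,
eth2_masq SNAT on "pol none", and the FORWARD -> eth2_fwd -> net_frwd
-> net2loc walk at the other end.
ASSUMPTIONS (not in the post): the 999 'lookup main' rule and the
contents of table main.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Route:
    prefix: str
    dev: str
    via: Optional[str] = None
    src: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    fwmark: Optional[int] = None  # None matches any mark


TABLES = {
    # Quoted: "Table SKY"
    "SKY": (
        Route("66.146.173.97/32", "eth2", src="66.146.173.98"),
        Route("0.0.0.0/0", "eth2", via="66.146.173.97", src="66.146.173.98"),
    ),
    # ASSUMPTION: only the connected route; nothing for 10.254.0.0/24
    "main": (
        Route("10.253.0.0/24", "eth1", src="10.253.0.1"),
    ),
}

RULES = sorted(
    (
        Rule(999, "main"),                  # ASSUMPTION: Shorewall provider setup
        Rule(10001, "SKY", fwmark=0x200),   # quoted: from all fwmark 0x200 lookup SKY
    ),
    key=lambda r: r.priority,
)

SNAT_ADDR = "66.146.173.98"  # quoted: eth2_masq ... to:66.146.173.98
OFFICE_B_LAN = ipaddress.ip_network("10.254.0.0/24")  # behind Office B's eth0


def lookup(table: str, dst: str) -> Optional[Route]:
    """Longest-prefix match within one table; None when the table has no route."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in TABLES[table] if d in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def route(dst: str, fwmark: int) -> Tuple[str, Route]:
    """Walk the rules by priority; a miss in a table falls through to the next rule."""
    for rule in RULES:
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        r = lookup(rule.table, dst)
        if r is not None:
            return rule.table, r
    raise LookupError(f"no route to {dst} with fwmark {fwmark:#x}")


def trace_egress(src: str, dst: str, fwmark: int, ipsec_sp: bool = False) -> dict:
    """Firewall-originated packet at Office A: routing decision, then eth2_masq.

    eth2_masq SNATs everything leaving eth2 that matches "policy ... pol none",
    i.e. anything with no IPsec SP, which is Tom's point about 10.254.0.x.
    """
    table, r = route(dst, fwmark)
    if r.dev == "eth2" and not ipsec_sp:
        src = SNAT_ADDR
    return {"table": table, "dev": r.dev, "via": r.via, "src": src, "dst": dst}


def remote_forward_verdict(pkt: dict, proto: str = "icmp-echo") -> Tuple[str, List[str]]:
    """Office B's FORWARD walk for a packet that arrived in the clear on its
    Internet interface (eth2 in the quoted output), headed for the eth0 LAN.
    Only the quoted chains are modelled; net2loc does not accept ping."""
    path = ["FORWARD"]
    if pkt["src"] != SNAT_ADDR:          # did not travel the Internet in clear
        return "UNMODELLED", path
    path += ["eth2_fwd", "net_frwd"]     # "policy match dir in pol none"
    if ipaddress.ip_address(pkt["dst"]) in OFFICE_B_LAN:
        path.append("net2loc")
        return ("DROP" if proto == "icmp-echo" else "UNMODELLED"), path
    return "UNMODELLED", path


if __name__ == "__main__":
    for dst in ("10.253.0.254", "10.254.0.5"):
        pkt = trace_egress("10.253.0.1", dst, 0x200)
        print(pkt, remote_forward_verdict(pkt))
```

Running the block prints one line per ping: the first stays in table main and leaves eth1 unmodified; the second shows `table: SKY`, `dev: eth2`, `src: 66.146.173.98` and the verdict `DROP` via `net2loc`, which is exactly why Office A sees no reply and no syslog entry for it, while the same packet with `ipsec_sp=True` would leave eth2 with its 10.253.0.1 source intact.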

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
