I have been using shorewall for a number of years, but I haven't really tried 
to use packet marking or multiple ISPs before.

I have a project to build a firewall system with 2 isp links. The target is to 
set up shorewall with 2 isp links, with vrrp for failover to another shorewall box. 
However, I want to get the basics working first (i.e. with 1 shorewall firewall).

Having followed the multiple isp doc, I believe there's something missing when 
putting the pieces together. Here's my network lab using vmware:

I got 3 vyatta routers to simulate the internet:
R1 --- R2 --- R3
R1 pretends to be isp1 router
R3 pretends to be isp2 router
R2 is a router for testing the traffic (i.e. ping, etc)
All vyatta routers can see each other and no firewall enabled.

R1: 203.202.13.1/24 (link to shore eth1), 203.202.140.1/24 (link to R2)
R2: 203.202.140.2/24 (link to R1), 203.18.34.2/24 (link to R3)
R3: 203.18.34.3/24 (link to R2), 203.18.30.3/24 (link to shore eth0)

I built a shorewall system with eth0 linking to R3 and eth1 linking to R1 for WAN.
I have dmz (eth2) and loc (eth3). So far I can only make loc traffic work.

The default gateway of shorewall points to R3 (via eth0); this is in 
/etc/sysconfig/network.

My shorewall settings:
:shorewall.conf:
change: enable=yes

:zones:
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

:interfaces:
net     eth0    detect   tcpflags,nosmurfs,routefilter,logmartians
net     eth1    detect   tcpflags,nosmurfs,routefilter,logmartians
dmz     eth2    detect   tcpflags,nosmurfs,routefilter,logmartians
loc     eth3    detect   tcpflags,nosmurfs,routefilter,logmartians

:tcrules:
1:P     192.168.77.224/27       0.0.0.0/0       icmp    echo-reply
1       $FW                     0.0.0.0/0       icmp    echo-reply

:policies:
fw      all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
loc     fw      ACCEPT
loc     all     REJECT          info
dmz     net     ACCEPT
dmz     loc     REJECT          info
dmz     fw      REJECT          info
dmz     all     REJECT          info
net     net     REJECT          info
net     all     REJECT          info
all     all     REJECT          info

:masq:
eth0    0.0.0.0/0       203.18.30.251
eth1    0.0.0.0/0       203.202.13.251

:providers:
I2N     1 1   main    eth0    203.18.30.3     track,balance   eth3
AC3     2 2   main    eth1    203.202.13.1   track,balance   eth3

With the above settings, I can ping R2 from a loc host and have no problem redirecting 
the traffic with mark 1 or 2 to steer the ping traffic through I2N or AC3 
(verified with tcpdump).

The problem:
I tried to create another tcrules entry to allow dmz ping using AC3. So I added this in 
tcrules:
1:P     10.10.10.0/24           0.0.0.0/0       icmp    echo-reply
1       $FW                     0.0.0.0/0       icmp    echo-reply
Still, I can't ping anything from dmz to the net. Using tcpdump, I can see the 
packets from dmz ARE GOING to I2N (mark 1), but they're not masqueraded (the source 
address is still 10.10.10.20, the dmz host). I've tried many things and still can't 
get it masqueraded.

Does anyone know how to fix this? Thank you.
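To make the interaction between the three tables in the post easier to reason about stage by stage (tcrules assigns a mark, providers maps the mark to an egress interface, masq picks the SNAT address by egress interface and source), here is an added Python model that walks one flow through those tables. It is not Shorewall code and not from the poster; the table contents are copied from the post, the default route (R3 via eth0) is the one the post states, and the matching logic is a constructed approximation that ignores kernel routing-table lookups, so it shows what the tables say should happen, which can then be compared with what tcpdump shows.

```python
import ipaddress

# tcrules from the post: (mark, chain, SOURCE, DEST, PROTO, icmp type)
# "P" = PREROUTING (forwarded traffic), "O" = OUTPUT (traffic from $FW itself)
TCRULES = [
    (1, "P", "192.168.77.224/27", "0.0.0.0/0", "icmp", "echo-reply"),  # loc
    (1, "O", "$FW",               "0.0.0.0/0", "icmp", "echo-reply"),
    (1, "P", "10.10.10.0/24",     "0.0.0.0/0", "icmp", "echo-reply"),  # dmz
    (1, "O", "$FW",               "0.0.0.0/0", "icmp", "echo-reply"),
]

# providers from the post: mark -> (name, interface, gateway)
PROVIDERS = {
    1: ("I2N", "eth0", "203.18.30.3"),
    2: ("AC3", "eth1", "203.202.13.1"),
}

# masq from the post: (INTERFACE, SOURCE, ADDRESS)
MASQ = [
    ("eth0", "0.0.0.0/0", "203.18.30.251"),
    ("eth1", "0.0.0.0/0", "203.202.13.251"),
]

# Default route from the post: via R3 on eth0 (used when no mark matches).
DEFAULT_IFACE = "eth0"


def _in_net(addr, net):
    """True if addr falls inside the CIDR block net."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def mark_for(src, dst, proto, icmp_type=None, from_fw=False):
    """Return the mark of the first tcrules entry matching the packet, or None.

    Every column must match: chain, source (or $FW), destination, protocol and,
    for icmp, the icmp type given in the rule.
    """
    chain = "O" if from_fw else "P"
    for mark, rule_chain, rsrc, rdst, rproto, rtype in TCRULES:
        if rule_chain != chain:
            continue
        src_ok = from_fw if rsrc == "$FW" else _in_net(src, rsrc)
        if not src_ok or not _in_net(dst, rdst):
            continue
        if rproto != proto:
            continue
        if rproto == "icmp" and rtype is not None and rtype != icmp_type:
            continue
        return mark
    return None


def egress_for(mark):
    """Map a mark to (provider name, interface); unmarked flows use the default route."""
    if mark in PROVIDERS:
        name, iface, _gw = PROVIDERS[mark]
        return name, iface
    return None, DEFAULT_IFACE


def snat_for(out_iface, src):
    """Return the masq ADDRESS of the first masq line matching interface and source."""
    for iface, net, addr in MASQ:
        if iface == out_iface and _in_net(src, net):
            return addr
    return None


def trace(src, dst, proto, icmp_type=None, from_fw=False):
    """Walk a flow through tcrules -> providers -> masq and report each stage."""
    mark = mark_for(src, dst, proto, icmp_type, from_fw)
    provider, iface = egress_for(mark)
    return {"mark": mark, "provider": provider, "iface": iface,
            "snat": snat_for(iface, src)}


if __name__ == "__main__":
    # Constructed sample flows: a loc host, the dmz host from the post, and R2 as target.
    for flow in [("192.168.77.230", "203.202.140.2", "icmp", "echo-reply"),
                 ("10.10.10.20", "203.202.140.2", "icmp", "echo-reply"),
                 ("10.10.10.20", "203.202.140.2", "icmp", "echo-request")]:
        print(flow, "->", trace(*flow))
```

Running the model with the dmz source 10.10.10.20 reports the eth0 masq address for anything that leaves via eth0, marked or not, because the masq SOURCE column is 0.0.0.0/0; a flow whose icmp type is not the one listed in tcrules simply gets no mark and falls through to the default route. Comparing those per-stage results with tcpdump on eth0 and eth2 narrows down which stage diverges from the tables.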

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users