On 05/18/2011 01:22 PM, Chris Morley wrote:
> Hi guys, I think the last dump was taken when tun1 was down, please find
> attached dump with tun1 present.

In this configuration, you *must* turn off route filtering:
a) Remove the 'route_filter' option from ppp0 and tun1 in
/etc/shorewall/interfaces.
b) Set ROUTE_FILTER=No in shorewall.conf
c) Be sure that any mention of net.conf.*.rt_filter=0 in /etc/sysctl.conf
> # add iptables rules
> iptables -A FORWARD -o tun1 -j ACCEPT
Handle that via /etc/shorewall/policy
> iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
In /etc/shorewall/masq:
tun1 0.0.0.0/0
> ip rule add fwmark 1 table 1
> ip route add default dev tun1 table 1
Done for you by the providers file.
> iptables -t mangle -A PREROUTING -s 192.168.69.247 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:4C:24:84:1C
> -j MARK --set-mark 1
In /etc/shorewall/tcrules:
1:P 192.168.69.47,~00:40:4c:24:84:1c
And be sure that tun1 has the 'optional' option in
/etc/shorewall/interfaces.
Then, you can either replace the above commands with this:
/var/lib/shorewall/firewall restart
or you can install and configure shorewall-lite.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
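
A pre-restart check for steps a) to c) of the reply above, as an added example that is not part of the original message or of Shorewall itself. It assumes the interface option is spelled `routefilter` or `route_filter`, that the kernel setting appears in sysctl.conf as `net.ipv4.conf.<name>.rp_filter`, and that any non-zero value there counts as filtering being on; the sample tree and its zone names are constructed.

```shell
#!/bin/sh
# Added example: audit a Shorewall config tree for leftover route filtering.
# Usage: audit_route_filter ROOT IFACE...   (ROOT is "/" on a live firewall)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_route_filter() {
    root=$1; shift
    out=$(
        # a) per-interface option in etc/shorewall/interfaces (column 2 = interface)
        for ifc in "$@"; do
            awk -v i="$ifc" '$1 !~ /^#/ && $2 == i && /route_?filter/ && !/route_?filter=0/ {
                print "interfaces: " i " still has a route filter option" }' \
                "$root/etc/shorewall/interfaces" 2>/dev/null || :
        done
        # b) ROUTE_FILTER in shorewall.conf must be No (last assignment wins)
        val=$(sed -n 's/^[[:space:]]*ROUTE_FILTER=\([^[:space:]#]*\).*/\1/p' \
              "$root/etc/shorewall/shorewall.conf" 2>/dev/null |
              tail -n 1 | tr -d '"' | tr 'A-Z' 'a-z')
        [ "$val" = no ] || echo "shorewall.conf: ROUTE_FILTER is '${val:-unset}', expected No"
        # c) assumption: any non-zero rp_filter in sysctl.conf turns filtering back on
        grep -E '^[[:space:]]*net\.ipv4\.conf\.[^.]+\.rp_filter[[:space:]]*=[[:space:]]*[1-9]' \
            "$root/etc/sysctl.conf" 2>/dev/null | sed 's/^[[:space:]]*/sysctl.conf: /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree (zones and file contents are made up for the demo).
# $1 = "bad" leaves filtering on in all three places; anything else is clean.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/shorewall" || return 1
    if [ "$1" = bad ]; then opt=dhcp,routefilter rf=Yes rp=1; else opt=dhcp rf=No rp=0; fi
    printf '%s\n' '#ZONE INTERFACE BROADCAST OPTIONS' \
        "net ppp0 detect $opt" 'vpn tun1 detect optional' > "$d/etc/shorewall/interfaces"
    printf 'ROUTE_FILTER=%s\n' "$rf" > "$d/etc/shorewall/shorewall.conf"
    printf 'net.ipv4.conf.all.rp_filter = %s\nnet.ipv4.conf.default.rp_filter=0\n' "$rp" \
        > "$d/etc/sysctl.conf"
    echo "$d"
}
```

On a live firewall the call would be `audit_route_filter / ppp0 tun1`, run before `/var/lib/shorewall/firewall restart`.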
