On 06/25/2012 02:34 PM, Jan van der Vyver wrote:
>>> Or you have ROUTE_FILTER=Yes in shorewall.conf.
>
> That was yes, I deactivated it. See the new dump.
>
> I now get the following
>
> Jun 25 23:22:47 trio kernel: [1833703.280826]
> Shorewall:itrn2net:REJECT:IN=eth2 OUT=eth0
> MAC=fe:e8:d7:56:44:b5:00:25:90:63:37:63:08:00 SRC=192.168.253.1 DST=10.0.4.2
> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=21988 DF PROTO=TCP SPT=41146 DPT=9191
> WINDOW=14600 RES=0x00 SYN URGP=0
>
> TCRULE:
> 2:P        192.168.253.1        10.0.4.2         -
>
> RULE:
> ACCEPT:info     itrn:192.168.253.1 apn:10.0.4.2      all        -
>
> When I connect from server B(192.168.253.1) via Server A eth2(192.168.253.2)
> to the routers on Server A eth1(192.168.254.5) which has 10.0.0.0/20 behind
> 192.168.254.1 and 192.168.254.3 I get the reject above.
>
> I want a tcrule which should mark the connection above 0x2 and then it goes
> into the sg routing table and to 192.168.254.3 (with the SNAT to
> 192.168.254.5).  Then the packet must come back to 192.168.253.1
>
> Why do I get itrn2net chain?  I would have expected itrn2apn chain?
>
> Must route_filter be on or off on this case?

Turn route_filter off -- it never helps and can only hurt when you are 
trying to debug.

> Is my tcrules wrong?
> Is my rule wrong?
> Are there routes missing?
> Why is this not working?

It's not working because there is still a default route in the main 
routing table and your routing rules are checking the packet marks 
*after* the main table is traversed.

Let's back up a bit -- what exactly are you trying to accomplish here? 
When I see the long list of tcrules targeting individual pairs of IP 
addresses, I'm certain that there has to be a better way.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
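As an added illustration of the ordering problem Tom describes (this is not code from the thread or from Shorewall), a small sh check over `ip rule show` output: it reports whether the fwmark rule for mark 0x2 is consulted before the `lookup main` rule, which is the only order in which a default route in main cannot swallow the marked packet. The table name `sg` and mark 0x2 come from the post; the priority numbers and the two sample rule listings are constructed.

```shell
#!/bin/sh
# Added example: check fwmark-rule ordering in `ip rule show` output.
# Constructed sample: the fwmark rule sits AFTER "lookup main", so a
# default route in main catches the marked packet before table sg is seen.
BAD_RULES='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
33000:	from all fwmark 0x2 lookup sg'

# Constructed sample: the fwmark rule is consulted BEFORE main.
GOOD_RULES='0:	from all lookup local
10000:	from all fwmark 0x2 lookup sg
32766:	from all lookup main
32767:	from all lookup default'

# rule_priority RULES PATTERN -> prints the priority number of the first
# rule line matching PATTERN (empty output if no rule matches)
rule_priority() {
    printf '%s\n' "$1" | grep -- "$2" | head -n 1 | sed 's/:.*//'
}

# mark_before_main RULES MARK -> exit 0 if the "fwmark MARK" rule has a
# lower priority number (is evaluated earlier) than "lookup main", else 1
mark_before_main() {
    mark_prio=$(rule_priority "$1" "fwmark $2 ")
    main_prio=$(rule_priority "$1" "lookup main")
    [ -n "$mark_prio" ] || return 1   # no fwmark rule at all
    [ "$mark_prio" -lt "$main_prio" ]
}

# On a live box replace the sample with: mark_before_main "$(ip rule show)" 0x2
if mark_before_main "$BAD_RULES" 0x2; then
    echo "sample BAD_RULES: mark 0x2 checked before main"
else
    echo "sample BAD_RULES: mark 0x2 checked AFTER main (default route wins)"
fi
```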

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
