On Mon, Apr 29, 2013 at 2:29 PM, Ernesto Domato <[email protected]> wrote:
> On the other hand, the test that I did today was to save the IPTABLES
> rules created by Shorewall to a file with "iptables-save >
> shorewall.rules". Then, I configured the machine to not start
> Shorewall at startup and rebooted. When the machine came up, I did
> "iptables-restore < shorewall.rules" and then configured the routing
> table to route the packets to the proxy and just turned on the
> ip_forward kernel flag and the transparent proxy worked as expected.
>
> So, I think that the problem that I'm having is maybe in some kernel
> parameter that Shorewall changes.
>
> What do you suggest?
>
Ok, I'm still trying to solve my problem :-)

The firewall machine has these interfaces:

eth0 -> link to the internet
eth1 -> link to the local network
ovsbr0 -> OpenVSwitch connected to virtual machines (the Squid proxy server)

Now, when I apply the full Shorewall rules (through "shorewall start") and do a tcpdump on eth1 and ovsbr0, I see syn packets going through ovsbr0 and syn reply packets coming back. But on eth1 I just see the syn packet going in just one direction (the remote one that is routed by policy routing to the proxy machine) and not back to eth1 so it can reach the machine that made the request.

When I apply the Shorewall iptables rules only and configure IP forwarding and policy routing to the proxy by hand, everything works fine.

So, I still think that the problem is in some configuration on the firewall itself, even more in the kernel parameters.

Any help?

Thanks.

Ernesto
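
One way to test the kernel-parameter hypothesis from the message above, as an added example that is not part of the original post: snapshot `sysctl -a` once after "shorewall start" and once after the manual setup, then list the keys whose values differ. The function names, file names and sample values are constructed for illustration and say nothing about the poster's machine.

```shell
#!/bin/sh
# Added example: compare two kernel-parameter snapshots.
# On the firewall the snapshots could be taken with, for instance:
#   sysctl -a 2>/dev/null | grep '^net\.' > shorewall.sysctl  # after "shorewall start"
#   sysctl -a 2>/dev/null | grep '^net\.' > manual.sysctl     # after the manual setup

# sysctl_diff A B: print "key: A-value -> B-value" for each key whose value
# differs between the snapshots; a key present in only one shows "<unset>".
sysctl_diff() {
    awk '
    {
        i = index($0, "=")                  # split on the first "=" only
        if (i == 0) next                    # skip lines that are not key = value
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (FILENAME == ARGV[1]) a[k] = v; else b[k] = v
    }
    END {
        for (k in a) if (!(k in b)) print k ": " a[k] " -> <unset>"
        for (k in b) {
            if (!(k in a)) print k ": <unset> -> " b[k]
            else if (a[k] != b[k]) print k ": " a[k] " -> " b[k]
        }
    }' "$1" "$2" | LC_ALL=C sort
}

# demo: run sysctl_diff over two constructed snapshots (not real output).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/shorewall.sysctl" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.ovsbr0.rp_filter = 1
net.ipv4.conf.eth1.log_martians = 1
EOF
    cat > "$d/manual.sysctl" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.ovsbr0.rp_filter = 0
EOF
    sysctl_diff "$d/shorewall.sysctl" "$d/manual.sysctl"
    rm -rf "$d"
}

demo
```

Any key this reports is a setting that differs between the two states and is worth checking against the options in shorewall.conf.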
