I've got a few bucks available for a really good Shorewall consultant since I haven't yet been able to figure this one out myself...
On Tue, Sep 03, 2013 at 11:49:22AM PDT, Tracy Reed spake thusly:
> Hello all,
>
> I am running shorewall-4.5.0.1 on CentOS 6.4 and having trouble getting certain
> internal IP addresses to NAT out via certain interfaces. This is complicated by
> the fact that I am using two different providers.
>
> First, my providers file (boilerplate comment lines removed):
>
> pbb 1 4 main eth1 207.71.189.129 track,balance
> vbb 2 5 main eth2 217.240.176.1 track,balance
>
> Then my masq file:
>
> eth1 10.0.2.32/32 207.71.189.254 # mail server
> eth1 10.0.2.0/24 207.71.189.130 # everything else
>
> my tcrules:
>
> # Per the providers file, traffic marked 4 goes out PBB while traffic marked 5 goes out VBB.
> # Default everything out of PBB. Should eventually change this to VBB.
> 4 10.0.0.0/8 0.0.0.0/0
> # All of this goes out VBB.
> 5 10.0.2.37 0.0.0.0/0 # post
> 5 10.0.2.8 0.0.0.0/0 # util1
> 5 10.0.2.48 0.0.0.0/0 # ftp
> 5 10.0.2.106 0.0.0.0/0 # rezaspider
> 5 10.0.2.111 0.0.0.0/0 # spider1-eth0:1
> 5 10.0.2.112 0.0.0.0/0 # spider1-eth0:2
> 5 10.0.2.113 0.0.0.0/0 # spider1-eth0:3
> 5 10.0.2.114 0.0.0.0/0 # spider1-eth0:4
>
> And my rules file:
> # Let the many spider1 interfaces access the outside for spidering
> ACCEPT dmz:10.0.2.110 vbb tcp http
> ACCEPT dmz:10.0.2.110 vbb tcp https
> ACCEPT dmz:10.0.2.111 vbb tcp http
> ACCEPT dmz:10.0.2.111 vbb tcp https
> ACCEPT dmz:10.0.2.112 vbb tcp http
> ACCEPT dmz:10.0.2.112 vbb tcp https
> ACCEPT dmz:10.0.2.113 vbb tcp http
> ACCEPT dmz:10.0.2.113 vbb tcp https
>
> I'm ultimately trying to get any traffic from 10.0.2.111 to go out
> 217.240.176.67 and traffic from 10.0.2.112 to go out 217.240.176.68 etc. With
> this config I cannot source a connection from 10.0.2.111 to any outside IP
> address:
>
> [root@spider1 ~]# curl --interface eth0:1 http://ifconfig.me
> curl: (7) couldn't connect to host
> [root@spider1 ~]# /sbin/ifconfig eth0:1
> eth0:1 Link encap:Ethernet HWaddr 00:16:3E:0D:15:21
> inet addr:10.0.2.111 Bcast:10.0.2.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> Interrupt:23
>
> What am I doing wrong here? I am somewhat confused on whether this sort of
> masq/NAT is to be done through the masq file or the tcrules file. The first
> thought is to try to do this through the masq file but the shorewall-masq
> manpage says:
>
> Warning
> If you have more than one ISP link, adding entries to this file will not
> force connections to go out through a particular link. You must use entries
> in shorewall-rtrules[1](5) or PREROUTING entries in shorewall-tcrules[2](5)
> to do that.
>
> So that is what I am trying to do. Does this mean that the masq file serves no
> purpose at all in a multi-ISP setup such as I have?
>
> Which is preferred, rtrules or tcrules? I'm going with tcrules for now since
> that is where I'm setting my traffic with mark 4 which sends it out the "pbb"
> provider.
>
> --
> Tracy Reed
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Tracy Reed, RHCE
Digital signature attached for your safety.
Copilotco PCI/HIPAA/SOX Compliant Secure Hosting 866-MY-COPILOT x101 http://copilotco.com
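The three files quoted in the post can be cross-checked mechanically. The shell script below is an added example (mine, not Tracy's configuration or any Shorewall tool): for a given internal host it resolves the mark set by tcrules (each matching MARK rule overwrites the previous one, so the last match wins, which is why the /8 default comes first), the provider interface that mark selects, and whether any masq entry on that interface covers the host. It assumes the providers, masq and tcrules files exactly as quoted, embedded as constructed strings with comment lines stripped rather than read from /etc/shorewall.

```shell
#!/bin/sh
# Added consistency check, not from the post: does each host's packet mark
# send it out an interface that actually has a masq (SNAT) entry covering it?
# The three configs below are the ones quoted in the post, embedded here as
# constructed strings (comments stripped, whitespace-separated columns).
PROVIDERS='pbb 1 4 main eth1 207.71.189.129 track,balance
vbb 2 5 main eth2 217.240.176.1 track,balance'
MASQ='eth1 10.0.2.32/32 207.71.189.254
eth1 10.0.2.0/24 207.71.189.130'
TCRULES='4 10.0.0.0/8 0.0.0.0/0
5 10.0.2.37 0.0.0.0/0
5 10.0.2.8 0.0.0.0/0
5 10.0.2.48 0.0.0.0/0
5 10.0.2.106 0.0.0.0/0
5 10.0.2.111 0.0.0.0/0
5 10.0.2.112 0.0.0.0/0
5 10.0.2.113 0.0.0.0/0
5 10.0.2.114 0.0.0.0/0'

ip2int() {  # dotted quad -> 32-bit integer
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
ip_in_cidr() {  # ip_in_cidr ADDR NET[/BITS]; a bare NET means /32
  ic_bits=${2#*/}; [ "$ic_bits" = "$2" ] && ic_bits=32
  ic_mask=$(( (0xFFFFFFFF << (32 - ic_bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & ic_mask )) -eq $(( $(ip2int "${2%/*}") & ic_mask )) ]
}
mark_for_host() {  # tcrules MARK SOURCE DEST: every match overwrites, last wins
  printf '%s\n' "$TCRULES" | while read -r mark src rest; do
    ip_in_cidr "$1" "$src" && echo "$mark"
  done | tail -n 1
}
iface_for_mark() {  # providers NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY ...
  printf '%s\n' "$PROVIDERS" | awk -v m="$1" '$3 == m { print $5 }'
}
masq_for_host() {  # masq INTERFACE SOURCE ADDRESS: first entry on $1 covering $2
  printf '%s\n' "$MASQ" | while read -r iface src addr rest; do
    if [ "$iface" = "$1" ] && ip_in_cidr "$2" "$src"; then echo "$addr"; break; fi
  done
}
check_host() {  # prints OK/MISSING with the resolved mark, interface and SNAT address
  ch_mark=$(mark_for_host "$1"); ch_iface=$(iface_for_mark "$ch_mark")
  ch_addr=$(masq_for_host "$ch_iface" "$1")
  if [ -n "$ch_addr" ]; then echo "OK $1 mark $ch_mark via $ch_iface SNAT $ch_addr"
  else echo "MISSING $1 mark $ch_mark via $ch_iface: no masq entry covers it"; fi
}
for h in 10.0.2.32 10.0.2.50 10.0.2.111 10.0.2.112; do check_host "$h"; done
```

Run against the quoted files, every host marked 5 is reported MISSING because both masq entries name eth1 only, while hosts left on mark 4 resolve to an eth1 SNAT address.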
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
