On 9/3/2013 11:49 AM, Tracy Reed wrote:
> Hello all,
> 
> I am running shorewall-4.5.0.1 on CentOS 6.4 and having trouble getting
> certain internal IP addresses to NAT out via certain interfaces. This is
> complicated by the fact that I am using two different providers.
> 
> First, my providers file (boilerplate comment lines removed):
> 
> pbb     1       4       main            eth1            207.71.189.129  track,balance
> vbb     2       5       main            eth2            217.240.176.1   track,balance
> 
> Then my masq file:
> 
> eth1                    10.0.2.32/32    207.71.189.254  # mail server
> eth1                    10.0.2.0/24     207.71.189.130  # everything else

You have no masq entry for eth2?

> 
> my tcrules:
> 
> # Per the providers file, traffic marked 4 goes out PBB while traffic marked 5 goes out VBB.
> # Default everything out of PBB. Should eventually change this to VBB.
> 4       10.0.0.0/8              0.0.0.0/0
> # All of this goes out VBB.
> 5       10.0.2.37       0.0.0.0/0 # post
> 5       10.0.2.8        0.0.0.0/0 # util1
> 5       10.0.2.48       0.0.0.0/0 # ftp
> 5       10.0.2.106      0.0.0.0/0 # rezaspider
> 5       10.0.2.111      0.0.0.0/0 # spider1-eth0:1
> 5       10.0.2.112      0.0.0.0/0 # spider1-eth0:2
> 5       10.0.2.113      0.0.0.0/0 # spider1-eth0:3
> 5       10.0.2.114      0.0.0.0/0 # spider1-eth0:4

What is your setting of MARK_IN_FORWARD_CHAIN in shorewall.conf? If it
is 'Yes', then you need to add ':P' to the mark values.

> 
> And my rules file:
> # Let the many spider1 interfaces access the outside for spidering
> ACCEPT  dmz:10.0.2.110          vbb                     tcp     http
> ACCEPT  dmz:10.0.2.110          vbb                     tcp     https
> ACCEPT  dmz:10.0.2.111          vbb                     tcp     http
> ACCEPT  dmz:10.0.2.111          vbb                     tcp     https
> ACCEPT  dmz:10.0.2.112          vbb                     tcp     http
> ACCEPT  dmz:10.0.2.112          vbb                     tcp     https
> ACCEPT  dmz:10.0.2.113          vbb                     tcp     http
> ACCEPT  dmz:10.0.2.113          vbb                     tcp     https
> 
> I'm ultimately trying to get any traffic from 10.0.2.111 to go out
> 217.240.176.67 and traffic from 10.0.2.112 to go out 217.240.176.68 etc. With
> this config I cannot source a connection from 10.0.2.111 to any outside IP
> address:
> 
> [root@spider1 ~]# curl --interface eth0:1 http://ifconfig.me
> curl: (7) couldn't connect to host
> [root@spider1 ~]# /sbin/ifconfig eth0:1
> eth0:1    Link encap:Ethernet  HWaddr 00:16:3E:0D:15:21  
>           inet addr:10.0.2.111  Bcast:10.0.2.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Interrupt:23
> 
> What am I doing wrong here?

Is the default gateway set correctly on spider?

> I am somewhat confused on whether this sort of
> masq/NAT is to be done through the masq file or the tcrules file. The first
> thought is to try to do this through the masq file but the shorewall-masq
> manpage says:
> 
>     Warning
>     If you have more than one ISP link, adding entries to this file will not
>     force connections to go out through a particular link. You must use
>     entries in shorewall-rtrules[1](5) or PREROUTING entries in
>     shorewall-tcrules[2](5) to do that.
> 
> So that is what I am trying to do. Does this mean that the masq file serves no
> purpose at all in a multi-ISP setup such as I have?

No. If traffic with a private source IP address exits on an Internet
interface, then the masq entry for that interface rewrites the source
address so that return traffic can be routed correctly back to your
Shorewall box.

> 
> Which is preferred, rtrules or tcrules? I'm going with tcrules for now since
> that is where I'm setting my traffic with mark 4 which sends it out the "pbb"
> provider.

I always use rtrules when they are sufficient. So if you are selecting
your provider based solely on source IP address, then I like rtrules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
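The three points Tom raises (no masq entry for eth2, ':P' on the marks when MARK_IN_FORWARD_CHAIN=Yes, and rtrules being the better fit for source-only provider selection) can each be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from the Shorewall project. It parses the providers, masq and tcrules fragments quoted above as constructed sample strings, assuming the standard column order of those files (providers: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS; masq: INTERFACE SOURCE ADDRESS; tcrules: MARK SOURCE DEST; rtrules: SOURCE DEST PROVIDER PRIORITY). The base priority of 1000 and the per-host eth2 addresses in MASQ_FIXED are choices made here, not settings the thread prescribes.

```python
"""Lint the Shorewall multi-ISP fragments quoted in the thread (added example)."""
from ipaddress import ip_network

# Constructed sample input: the providers, masq and tcrules entries from the
# post, with boilerplate and most per-host tcrules lines omitted.
PROVIDERS = """\
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
pbb     1       4       main            eth1            207.71.189.129  track,balance
vbb     2       5       main            eth2            217.240.176.1   track,balance
"""

MASQ = """\
#INTERFACE              SOURCE          ADDRESS
eth1                    10.0.2.32/32    207.71.189.254  # mail server
eth1                    10.0.2.0/24     207.71.189.130  # everything else
"""

# Constructed corrected masq file: adds the eth2 entries the original lacks,
# using the per-host public addresses the poster wants for 10.0.2.111/112.
MASQ_FIXED = MASQ + """\
eth2                    10.0.2.111/32   217.240.176.67
eth2                    10.0.2.112/32   217.240.176.68
"""

TCRULES = """\
#MARK   SOURCE          DEST
4       10.0.0.0/8      0.0.0.0/0
5       10.0.2.37       0.0.0.0/0 # post
5       10.0.2.111      0.0.0.0/0 # spider1-eth0:1
"""


def parse(text):
    """Split a Shorewall table file into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def providers_by_mark(providers_text):
    """Map a provider's MARK value to its (name, interface)."""
    result = {}
    for row in parse(providers_text):
        name, _number, mark, _duplicate, iface = row[:5]
        result[mark] = (name, iface)
    return result


def interfaces_without_masq(providers_text, masq_text):
    """Provider interfaces with no masq entry: private sources leaving them
    would not be rewritten, so replies could never be routed back."""
    masq_ifaces = {row[0].split(':', 1)[0] for row in parse(masq_text)}
    return [iface for (_name, iface) in providers_by_mark(providers_text).values()
            if iface not in masq_ifaces]


def marks_needing_prerouting(tcrules_text, mark_in_forward_chain):
    """With MARK_IN_FORWARD_CHAIN=Yes, a bare mark lands in FORWARD, which is too
    late to influence routing; return (mark, source) rows lacking a ':P' suffix."""
    if not mark_in_forward_chain:
        return []
    return [(row[0], row[1]) for row in parse(tcrules_text) if ':' not in row[0]]


def tcrules_to_rtrules(tcrules_text, providers_text, base_priority=1000):
    """Rewrite source-only mark rules as rtrules rows (SOURCE, DEST, PROVIDER, PRIORITY).

    More specific sources get a lower (earlier) priority number so that a /32
    host rule wins over the /8 catch-all even though both match the same packet.
    """
    marks = providers_by_mark(providers_text)
    rows = []
    for row in parse(tcrules_text):
        mark = row[0].split(':', 1)[0]
        source = row[1]
        dest = row[2] if len(row) > 2 else '-'
        if mark not in marks or dest not in ('0.0.0.0/0', '-') or len(row) > 3:
            continue  # only plain "everything from SOURCE" rules convert cleanly
        prefixlen = ip_network(source, strict=False).prefixlen
        rows.append((source, '-', marks[mark][0], base_priority + (32 - prefixlen)))
    return sorted(rows, key=lambda r: r[3])


def render_rtrules(rows):
    """Format rtrules rows in the file's column layout."""
    return "\n".join(f"{s:<16}{d:<16}{p:<16}{prio}" for s, d, p, prio in rows)


if __name__ == "__main__":
    print("providers with no masq entry:", interfaces_without_masq(PROVIDERS, MASQ))
    print("after fix:", interfaces_without_masq(PROVIDERS, MASQ_FIXED))
    print("marks missing ':P':", marks_needing_prerouting(TCRULES, True))
    print("#SOURCE         DEST            PROVIDER        PRIORITY")
    print(render_rtrules(tcrules_to_rtrules(TCRULES, PROVIDERS)))
```

The priority offset matters: `ip rule` evaluates rules in ascending priority and stops at the first match, so if the 10.0.0.0/8 catch-all and the 10.0.2.111 host rule both sat at 1000, which provider won would depend on insertion order. Giving the /32 rules 1000 and the /8 rule 1024 makes the intent explicit. The masq file is still needed alongside rtrules, as Tom says: rtrules picks the exit link, masq rewrites the private source address on it.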

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users