On 5 Sep 2013, at 22:40, Tracy Reed <tr...@ultraviolet.org> wrote:

> I've got a few bucks available for a really good Shorewall consultant since I
> haven't yet been able to figure this one out myself...
> 
> On Tue, Sep 03, 2013 at 11:49:22AM PDT, Tracy Reed spake thusly:
>> Hello all,
>> 
>> I am running shorewall-4.5.0.1 on CentOS 6.4 and having trouble getting certain
>> internal IP addresses to NAT out via certain interfaces. This is complicated by
>> the fact that I am using two different providers.
>> 
>> First, my providers file (boilerplate comment lines removed):
>> 
>> pbb     1       4       main            eth1            207.71.189.129  track,balance
>> vbb     2       5       main            eth2            217.240.176.1   track,balance
>> 
>> Then my masq file:
>> 
>> eth1                    10.0.2.32/32    207.71.189.254  # mail server
>> eth1                    10.0.2.0/24     207.71.189.130  # everything else
>> 
>> my tcrules:
>> 
>> # Per the providers file, traffic marked 4 goes out PBB while traffic marked 5 goes out VBB.
>> # Default everything out of PBB. Should eventually change this to VBB.
>> 4       10.0.0.0/8              0.0.0.0/0
>> # All of this goes out VBB.
>> 5       10.0.2.37       0.0.0.0/0 # post
>> 5       10.0.2.8        0.0.0.0/0 # util1
>> 5       10.0.2.48       0.0.0.0/0 # ftp
>> 5       10.0.2.106      0.0.0.0/0 # rezaspider
>> 5       10.0.2.111      0.0.0.0/0 # spider1-eth0:1
>> 5       10.0.2.112      0.0.0.0/0 # spider1-eth0:2
>> 5       10.0.2.113      0.0.0.0/0 # spider1-eth0:3
>> 5       10.0.2.114      0.0.0.0/0 # spider1-eth0:4
>> 
>> And my rules file:
>> # Let the many spider1 interfaces access the outside for spidering
>> ACCEPT  dmz:10.0.2.110          vbb                     tcp     http
>> ACCEPT  dmz:10.0.2.110          vbb                     tcp     https
>> ACCEPT  dmz:10.0.2.111          vbb                     tcp     http
>> ACCEPT  dmz:10.0.2.111          vbb                     tcp     https
>> ACCEPT  dmz:10.0.2.112          vbb                     tcp     http
>> ACCEPT  dmz:10.0.2.112          vbb                     tcp     https
>> ACCEPT  dmz:10.0.2.113          vbb                     tcp     http
>> ACCEPT  dmz:10.0.2.113          vbb                     tcp     https
>> 
>> I'm ultimately trying to get any traffic from 10.0.2.111 to go out
>> 217.240.176.67 and traffic from 10.0.2.112 to go out 217.240.176.68 etc. With
>> this config I cannot source a connection from 10.0.2.111 to any outside IP
>> address:
>> 
>> [root@spider1 ~]# curl --interface eth0:1 http://ifconfig.me
>> curl: (7) couldn't connect to host
>> [root@spider1 ~]# /sbin/ifconfig eth0:1
>> eth0:1    Link encap:Ethernet  HWaddr 00:16:3E:0D:15:21  
>>          inet addr:10.0.2.111  Bcast:10.0.2.255  Mask:255.255.255.0
>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>          Interrupt:23 
>> 
>> What am I doing wrong here? I am somewhat confused on whether this sort of
>> masq/NAT is to be done through the masq file or the tcrules file. The first
>> thought is to try to do this through the masq file but the shorewall-masq
>> manpage says:
>> 
>>    Warning
>>    If you have more than one ISP link, adding entries to this file will not
>>    force connections to go out through a particular link. You must use 
>> entries
>>    in shorewall-rtrules[1](5) or PREROUTING entries in 
>> shorewall-tcrules[2](5)
>>    to do that.
>> 
>> So that is what I am trying to do. Does this mean that the masq file serves no
>> purpose at all in a multi-ISP setup such as I have?

I believe that the point of this warning is that masq entries alone do not 
control choice of outgoing interface - what they do is configure source NAT 
*given* an output interface. So I think you need to add a masq entry for eth2 
so that traffic exiting that interface gets snat-ted as required. 

>> 
>> Which is preferred, rtrules or tcrules? I'm going with tcrules for now since
>> that is where I'm setting my traffic with mark 4 which sends it out the "pbb"
>> provider.

Pass. The implication is that your existing config here is working, though - 
otherwise it would either work from all source IPs or none. 

>> 
>> -- 
>> Tracy Reed
> 
> 

Dominic
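An added check that follows Dominic's reasoning (this is not code from the thread or from the Shorewall project): it reads the quoted providers, masq and tcrules fragments and lists every tcrules source whose provider mark routes it out an interface with no masq entry that covers that source. Column positions are assumed from the fragments exactly as posted.

```python
import ipaddress

# Sample inputs constructed from the fragments quoted in the thread.
PROVIDERS = """\
pbb 1 4 main eth1 207.71.189.129 track,balance
vbb 2 5 main eth2 217.240.176.1 track,balance
"""
MASQ = """\
eth1 10.0.2.32/32 207.71.189.254  # mail server
eth1 10.0.2.0/24  207.71.189.130  # everything else
"""
TCRULES = """\
4 10.0.0.0/8 0.0.0.0/0
5 10.0.2.37  0.0.0.0/0 # post
5 10.0.2.111 0.0.0.0/0 # spider1-eth0:1
5 10.0.2.112 0.0.0.0/0 # spider1-eth0:2
"""

def rows(text):
    # Split a Shorewall table into columns, dropping blank and comment lines.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def mark_to_iface(providers):
    # providers columns: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
    return {cols[2]: cols[4] for cols in rows(providers)}

def masq_by_iface(masq):
    # masq columns: INTERFACE SOURCE ADDRESS  ->  {iface: [source networks]}
    out = {}
    for cols in rows(masq):
        out.setdefault(cols[0], []).append(ipaddress.ip_network(cols[1], strict=False))
    return out

def unmasqueraded(providers, masq, tcrules):
    # Return (source, interface) pairs whose provider mark sends them out an
    # interface on which no masq SOURCE fully contains that source.
    iface_of, nets, missing = mark_to_iface(providers), masq_by_iface(masq), []
    for mark, src, *_ in rows(tcrules):
        iface = iface_of.get(mark.split(":")[0])  # "4:P"-style marks -> "4"
        if iface is None:
            continue  # not a provider mark, nothing to check
        src_net = ipaddress.ip_network(src, strict=False)
        if not any(src_net.subnet_of(n) for n in nets.get(iface, [])):
            missing.append((src, iface))
    return missing
```

With the files as posted, every mark-5 host is reported as unmasqueraded on eth2, and the mark-4 entry is reported too because eth1 only masquerades 10.0.2.0/24 rather than the whole 10.0.0.0/8. Adding the eth2 masq entries and rerunning clears the eth2 findings.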
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
