On 7/25/2014 12:31 PM, Tom Eastep wrote:
> On 7/25/2014 11:44 AM, sur...@emailengine.net wrote:
>> I'm working on following & understanding the flow of packets across all of 
>> *this*.
>>
>> when I exec telnet from an external host, I see at CLIENT
>>
>>   tcpdump -i tun1
>>     11:32:16.532625 IP E.E.E.E.54277 > 192.168.1.2.smtp: Flags [S], seq 
>> 1312623728, win 32768, options [mss 1308,nop,wscale 
>> 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
>>     (repeats)
>>
>>   tcpdump -i eth1 
>>     (empty)
>>
>> and at SMTP
>>
>>   tcpdump -i eth0
>>     (empty)
>>
>> So the packets get as far as the CLIENT's VPN tunnel endpoint, but not out 
>> the CLIENT's eth1 and thus not to the SMTP server.
>>
> 
> From the dump:
> 
>          /proc/sys/net/ipv4/conf/all/rp_filter = 1
> 
> So *something* is setting that. Is there an entry for it in
> /etc/sysctl.conf?
> 
> Try "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter" and see if it works.
> 

Hmmm -- that still isn't going to work. The default route out of the
CLIENT machine is out of eth0, so replies from the SMTP server are going
to be sent out of that interface with SOURCE IP 192.168.1.2.

The best way to correct that is to configure Shorewall Multi-ISP support
on the client.

/etc/shorewall.conf:

TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=Yes

/etc/shorewall/interfaces:

vpn     tun+            optional,...

/etc/shorewall/providers:

isp     1       -       eth0    detect  balance
vpn     2       -       tun1    detect  fallback

/etc/shorewall/mangle:

MARK(2):P       eth1    -       tcp     25

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
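The routing change Tom describes, as an added example that is not part of the thread or of Shorewall itself: a Python model of the CLIENT's tables showing why strict rp_filter drops the SYN that arrives on tun1, why the reply would otherwise leave via eth0, and how the provider mark from TRACK_PROVIDERS sends it back through the tunnel. The tunnel subnet 10.8.0.0/24 and the external host 203.0.113.10 (standing in for E.E.E.E) are assumed placeholders.

```python
import ipaddress

# Constructed model of the CLIENT's routing after the Multi-ISP change above.
# Addresses other than 192.168.1.2 are assumptions: 10.8.0.0/24 stands in for
# the tunnel subnet and 203.0.113.10 for the external host E.E.E.E.
MAIN_TABLE = [
    ("192.168.1.0/24", "eth1"),  # LAN behind CLIENT (SMTP server is 192.168.1.2)
    ("10.8.0.0/24", "tun1"),     # VPN tunnel subnet
    ("0.0.0.0/0", "eth0"),       # default route via the ISP link
]
# Provider tables from /etc/shorewall/providers: 1 = isp (eth0), 2 = vpn (tun1)
PROVIDER_TABLES = {
    1: [("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "eth0")],
    2: [("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "tun1")],
}

def lookup(table, dst):
    """Longest-prefix match over (prefix, device) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(dst, fwmark=0):
    """Policy routing: a marked packet consults its provider table first,
    then falls back to the main table (the rules TRACK_PROVIDERS installs)."""
    if fwmark in PROVIDER_TABLES:
        dev = lookup(PROVIDER_TABLES[fwmark], dst)
        if dev:
            return dev
    return lookup(MAIN_TABLE, dst)

def strict_rp_filter_drops(ingress, src):
    """rp_filter=1: drop if the best route back to src is not via the ingress
    interface (reverse lookup uses the main table; no src_valid_mark here)."""
    return route(src) != ingress

def reply_interface(ingress, external_host, track_providers=True):
    """Interface the SYN/ACK leaves on. With TRACK_PROVIDERS=Yes the connection
    inherits the mark of the provider it arrived through (tun1 -> mark 2)."""
    mark = {"eth0": 1, "tun1": 2}.get(ingress, 0) if track_providers else 0
    return route(external_host, mark)
```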


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users