We use shorewall TProxy to do some transparent proxying (of clients coming
in via haproxy, so that the back-end servers can see the client IP address
rather than the haproxy IP address). Part of the problem I've encountered
is that either Shorewall does the whole thing, or we do the policy routing
and transparency outside of Shorewall, or we stop shorewall managing the
/etc/iproute2/rt_tables file (this is on Debian 8) and do them separately;
it's getting ugly.
xxx.xxx.xxx.121 and/or xxx.xxx.xxx.122 are local addresses assigned to
eth2; however, it's under keepalived and .122 is the floating IP.
The routing table looks like this:
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.8
xxx.xxx.xxx.112/28 dev eth1 proto kernel scope link src xxx.xxx.xxx.118
xxx.xxx.xxx.112/28 dev eth2 proto kernel scope link src xxx.xxx.xxx.121
224.0.0.0/4 dev eth1 scope link
I have to say that the reason we have two external interfaces (eth1 and
eth2) is to get around some failover issues and use vmacs with keepalived.
Otherwise we'd have one external interface and alias it (eth1:0 eth1:1)
though I'm not sure this will help resolve the issues I'm coming to.
The purpose of the rules I've outlined above is so that we can do this
failover. I'm using the technique described at
http://unix.stackexchange.com/questions/22770/two-interfaces-two-addresses-two-gateways
https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
and this has been working (until I ran Shorewall, which was overwriting the
rt_tables and making me scratch my head for a while!).
However, this is further complicated by a need to have two external IP
addresses for two front-ends serving two classes of back-end servers. It's
the two classes of back-end servers which are giving me some problems in
arriving at a Shorewall configuration. We want them to be
masqueraded/SNATed such that outgoing traffic from one class comes from
one IP and the outgoing traffic from the other comes from the other IP.
So we are headed into a fairly complex policy routing setup and I've been
wondering what the best approach to managing this will be. On the face of
it a shell script which sets it all up would work but we use Puppet and I
already have a good working Shorewall module for managing that so it seemed
natural to get this going in Shorewall.
On 16 February 2016 at 15:59, Tom Eastep <[email protected]> wrote:
> On 02/16/2016 02:23 PM, Steve Wray wrote:
> > Hi,
> > I have an existing, working example of policy routing and I'd like to
> > see if it's possible to implement this in Shorewall.
> >
> > ip rule ls shows:
> >
> > 0: from all lookup local
> > 0: from xxx.xxx.xxx.121 lookup eth2
> > 0: from all to xxx.xxx.xxx.121 lookup eth2
> > 0: from xxx.xxx.xxx.122 lookup eth2
> > 0: from all to xxx.xxx.xxx.122 lookup eth2
> > 1: from all fwmark 0x200/0x200 lookup TProxy
> > 999: from all lookup main
> > 32765: from all lookup balance
> > 32767: from all lookup default
> >
> > I've been reading the Shorewall documentation on providers, rtrules etc
> > and can't see how this fits together.
> >
>
> Not enough information to be able to tell you with any certainty.
>
> 1. Are xxx.xxx.xxx.121 and/or xxx.xxx.xxx.122 local addresses assigned
> to eth2? If not, what are they?
>
> 2. What are the contents of the eth2 routing table?
>
> 3. I assume that your current providers file only has the TPROXY provider?
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
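A small check for the rt_tables-clobbering problem described in this thread, added here as an example and not code from the thread or from Shorewall: given a saved `ip rule ls` listing and the rt_tables file currently on disk, it lists the rules whose named table is no longer defined. The rt_tables content and the table ids (1 for TProxy, 100/101 for the re-added tables) are constructed assumptions.

```python
import re

# Constructed sample: the `ip rule ls` listing from the thread (placeholders kept).
IP_RULE_LISTING = """\
0: from all lookup local
0: from xxx.xxx.xxx.121 lookup eth2
0: from all to xxx.xxx.xxx.121 lookup eth2
0: from xxx.xxx.xxx.122 lookup eth2
0: from all to xxx.xxx.xxx.122 lookup eth2
1: from all fwmark 0x200/0x200 lookup TProxy
999: from all lookup main
32765: from all lookup balance
32767: from all lookup default
"""

# Constructed sample: an rt_tables as it might look after Shorewall rewrote it.
# The hand-added eth2 and balance tables are gone; the TProxy id is assumed.
RT_TABLES_REWRITTEN = """\
# reserved values
255\tlocal
254\tmain
253\tdefault
0\tunspec
# Shorewall-managed tables
1\tTProxy
"""


def parse_rt_tables(text):
    """Map table name -> id for every non-comment 'id name' line."""
    tables = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            num, name = body.split(None, 1)
            tables[name.strip()] = int(num)
    return tables


def parse_ip_rules(text):
    """Return (priority, selector, table) for each `ip rule ls` line."""
    pat = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)\s*$")
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(pat.match, text.splitlines()) if m]


def rules_with_undefined_table(rule_text, rt_tables_text):
    """Rules whose lookup target is a name that rt_tables no longer defines."""
    known = parse_rt_tables(rt_tables_text)
    return [(prio, sel, tbl) for prio, sel, tbl in parse_ip_rules(rule_text)
            if not tbl.isdigit() and tbl not in known]
```

Run it against the real files with `ip rule ls > rules.txt` taken while the setup is known-good, then compare that saved listing against /etc/iproute2/rt_tables after each Shorewall restart.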