On Monday 26 December 2005 04:57, Charrua wrote:
> I have two Internet connections from two different ISPs. Connection "A" is
> ADSL, connection "B" is another kind of broadband connection (LMDS). In
> the ADSL link I have 1 public IP which changes dynamically, and in the "B"
> connection I have 28 fixed public IPs that I can use. Each of them comes
> into my network through a standard Ethernet 10BaseT connection.
> I would like:
> 1. A few users with public IPs.
> 2. The rest of the users with private IPs, and their traffic will go out
> using NAT.
> 3. Route some traffic by connection "B" and other traffic by connection "A".
> I configured Shorewall (LEAF Bering uClibc 2.3 with Shorewall 2.4.2), but
> this configuration doesn't work, I can't access the Internet (http, msn, smtp,
> pop3, etc). I try to access from a public IP.
> Please, can you check the configuration?
Here's what I see in the "status" output (in no particular order):
a) I think that you will have continuous problems with the way that you have
configured your local network (public /27 and many private networks on the
same LAN). You can already see hints of the problems in this log message:
Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=126.96.36.199
DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=
CODE=0 ID=62326 SEQ=0
Check Shorewall FAQ 17 to understand what this message means.
I personally advocate using 1-1 NAT for those users that you want to give a
public IP address. I think that you and your users will be happier in the
b) Your configuration files seem to have MANY duplicate entries in them.
Both /etc/shorewall/masq and /etc/shorewall/tcrules have 192.168.100.0/25 a
c) I find the use of /25's rather than /24's curious -- any reason for that?
d) You didn't say which "public IP address" you were using, but I would guess
that it is 188.8.131.52. There are lots of entries in the conntrack table:
tcp 6 13 SYN_SENT src=184.108.40.206 dst=220.127.116.11 sport=29249
dport=7922 [UNREPLIED] src=18.104.22.168 dst=22.214.171.124 sport=7922
dport=29249 use=1 mark=0
I can't look at the traffic with tcpdump (have you? If not, you should) but if
the firewall picked the route through ppp0 for this connection, you would see
this type of behavior. You need a rule in /etc/shorewall/tcrules such as:
2:P 126.96.36.199/27 0.0.0.0/0
The traffic from the public IPs MUST BE SENT FROM eth1!!!!!!!!!!
If tcpdump shows that the traffic IS being sent from eth1 then the problem is
that your ISP is apparently not routing 188.8.131.52/27 through 200.68.129.
which is what your configuration assumes.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
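As an added example that is not part of this thread (my code, not Tom's and not Shorewall's): a small Python check that scans netfilter log lines and conntrack entries for the two symptoms the reply points at, a FORWARD reject with IN and OUT on the same interface (the FAQ 17 case) and half-open SYN_SENT connections from the public /27 that never get a reply. The /27 is taken from the tcrules line above, and the sample log and conntrack lines are constructed, modelled on the ones quoted in the thread.

```python
import ipaddress
import re
# Constructed sample data modelled on the lines quoted in the thread (not real logs).
PUBLIC_NET = ipaddress.ip_network("126.96.36.199/27", strict=False)  # the /27 from tcrules
LOG_LINES = [
    "Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=126.96.36.199 "
    "DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62326 SEQ=0",
    "Dec 23 07:26:01 net2fw:DROP: IN=eth1 OUT= SRC=203.0.113.9 DST=126.96.36.199 LEN=40 PROTO=TCP SPT=4444 DPT=22",
]
CONNTRACK_LINES = [
    "tcp 6 13 SYN_SENT src=126.96.36.200 dst=203.0.113.80 sport=29249 dport=80 "
    "[UNREPLIED] src=203.0.113.80 dst=126.96.36.200 sport=80 dport=29249 use=1 mark=0",
    "tcp 6 10 SYN_SENT src=192.168.100.20 dst=203.0.113.80 sport=5000 dport=25 "
    "[UNREPLIED] src=203.0.113.80 dst=192.168.100.20 sport=25 dport=5000 use=1 mark=0",
    "tcp 6 431999 ESTABLISHED src=192.168.100.10 dst=203.0.113.80 sport=40000 dport=443 src=203.0.113.80 dst=192.168.100.10 sport=443 dport=40000 [ASSURED] use=1 mark=0",
]
KV = re.compile(r"(\w+)=(\S*)")


def parse_kv(line):
    """key=value tokens of a netfilter log or conntrack line; the first occurrence
    of a key wins, so src/dst/sport/dport describe the original direction."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields


def hairpin_rejects(log_lines):
    """FORWARD rejects with IN and OUT on the same interface: the firewall is being
    asked to route between subnets that share one LAN (the FAQ 17 situation)."""
    hits = []
    for line in log_lines:
        if "FORWARD:REJECT" not in line:
            continue
        f = parse_kv(line)
        if f.get("IN") and f["IN"] == f.get("OUT"):
            hits.append((f["IN"], f["SRC"], f["DST"]))
    return hits


def unreplied_from_public(conntrack_lines, public_net):
    """Half-open connections from the public block (SYN sent, nothing back): what
    you see when the SYN leaves the wrong link or the ISP does not route the /27 back."""
    hits = []
    for line in conntrack_lines:
        if "SYN_SENT" not in line or "[UNREPLIED]" not in line:
            continue
        f = parse_kv(line)
        if ipaddress.ip_address(f["src"]) in public_net:
            hits.append((f["src"], f["dst"], f["dport"]))
    return hits
```

Run it against a real `/var/log/messages` extract and `/proc/net/ip_conntrack` dump to see whether the public hosts' SYNs are the ones stuck unreplied; that, together with tcpdump on eth1, tells you whether the marking rule is taking effect.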