Re: [Shorewall-users] Multiple ISP's on one Linux box

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

hello Jerry!
I am testing with two internet providers:

Machine=3D Fedora Core 4
Shorewall version=3D3.1.3

interfaces =3D eth0,eth1,eth2

zones =3D
net(eth0 , with ip =3D192.192.192.15)
Connects to the another machine (already masqueraded with
local address =3D 192.192.192.10). I am using it as my ISP1

loc(eth1,  with ip =3D 192.168.0.1)
I connected this ethernet to another pc (as my local zone with ip=3D 192.16=
8.0.2)
Target I want this machine to get routed (ONLY) threw ISP1.

inet(eth2, with ip =3D192.168.1.102)
I connected this ethernet to another machine with ip=3D192.168.1.2
(This is my monowall machine connected directly to another ISP and
configured it to allow all traffic from 192.168.1.102(My Shorewall
eth2, ip=3D192.168.1.102) to WAN (nameserver=3D172.16.6.49,
gw=3D172.16.6.49).
Note I am using it as my ISP2

NOW  i configured another test machine on the lan (in my net zone with
ip address =3D 192.192.192.221

I configured this test machines Default Gateway by editing my
/etc/sysconfig/network-scripts/ifcfg-eth0
I added one Line
GATEWAY=3D192.192.192.15

route -n gives me default gw=3D 192.192.192.15 (Machine running
shorewall) and I gave it's  /etc/resolv.conf
nameserver 172.16.6.49
nameserver 192.192.192.15
Target I want this machine to use ONLY ISP2  via my Shorewall machine
(192.192.192.15)

My local machine is getting routed via(On local zone machine with ip
192.168.0.2):
#traceroute tldp.org
traceroute to tldp.org (152.2.210.81), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  0.248 ms  0.192 ms  0.179 ms
 2  medmgmt-10.tajen.edu.tw (192.192.192.10)  0.265 ms  0.342 ms  0.276 ms
3. My ISP1 and so on

But the another test machine which residies in the net zone with ip
(192.192.192.221) gives me no route to host though I configured it to
use my shorewall machine(192.192.192.15) as it's default gw and gave
nameserver=3D172.16.6.49
 which is My ISP2 via monowall machine!

thanks and regards
Anuj

On 1/24/06, Jerry Vonau <jv...@sh...> wrote:
> anuj singh wrote:
> > Hello !
> > I am using shorewall version-3.1.2 on Fedora core 4
> >
> Your now running the testing branch.
>
> > Now it is running without any error!
> >  I need some more help ....
>
> You need to slow down and apply some of the examples.
>
> > I have 4 zones (including the default fw)
> > Zones
> > fw      firewall
> > loc     ipv4
> > net     ipv4
> > inet    ipv4
> >
> > interfaces
> >
> > #ZONE   INTERFACE       BROADCAST       OPTIONS
> > net     eth0             detect
> > loc     eth1             detect
> > inet    eth2             detect
>
> explanation below, change:
>
> inet    eth2    detect,routeback
>
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> >
> >
> > providers
> > ISP1     1       1         main           eth2          192.168.1.2
> > track,balance    eth1
> > ISP2     2       2         main           eth0
> > 192.192.192.10 track,balance    eth1
> > #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> >
> > masq
> > eth0                     eth1
> > eth2                     192.192.192.221
> >
> add:
> eth2:192.192.192.221    192.192.192.15
>
>
> > My Rules file
> > ACCEPT   fw              net
> > ACCEPT   fw              loc
> > ACCEPT   fw              inet
> > ACCEPT   loc             net
> > ACCEPT   loc             fw
> > REDIRECT  net             8080    tcp   80
> > REDIRECT  net:192.192.192.11             8080    tcp   80
> > REDIRECT  net:192.192.192.118             8080    tcp   80
> > ACCEPT   net:192.192.192.118             fw    tcp   443
> > ACCEPT   net:192.192.192.11             fw    tcp   443
> > ACCEPT   net:192.192.192.221   inet
>
> That should cover the eth0 -> eth2, you may need eth0 -> eth0
> ACCEPT   net:192.192.192.221   net
>
> > ACCEPT   loc             fw             icmp      8
> > DNAT:info net             loc:192.168.1.2   tcp    80
> > DNAT:info net             loc:192.168.1.2   tcp    22
> > DROP:info  all    all
> >
> >
> > My Policy File
> > fw              net             ACCEPT
> > fw              inet            ACCEPT
> > fw              loc            ACCEPT
> > loc             net             ACCEPT
> > loc             inet             ACCEPT
> > inet            fw              DROP
> > inet            loc             DROP
> > inet            net             DROP              info
> > all             all             REJECT            info
> >
> >
> > I connected my firewall to
> > 1: another system on the zone net (the network simulating my ISP1)
> > where 192.192.192.10 is ISP1 and this system (test system with ip
> > addres 192.192.192.221 + it's gate way is my firewall (192.192.192.15)
> > + nameserver =3D MY ISP2 (zone=3Dinet)
>
> hold it, "where 192.192.192.10 is ISP1" "MY ISP2" =3D ISP2 in the
> providers file? Don't flip the names around like that....
>
>
> > 2:I connected another PC (Zone loc , ip=3D 192.168.0.2 , eth1)
> > 3:My third nic is connected to eth2 =3D (ISP2, IP=3D172.16.x.x)
> >
> and eth2 is now what? that is not what is in the providers....
>
> >
> > from my firewall I can use both the ISP's (checked it after successful
> > shorewall startup and disabling eth0 (ISP1) + traceroute command > it
> > goes from ISP2 vice-versa.
> >
> > I set my default gw of fw to ISP2 =3D(172.16.x.x)
> > traceroute gives me the path of ISP2
> > while my local machine (on eth1) which I gave the ISP1's nameserver
> > goes as I wanted i.e. threw ISP1.
>
> What command are you using to change the gateway? That could really mess
> things up if you don't get that right, your not using "route" are you?
>
> >
> > On the other hand my Second machine  is on the zone net with a
> > different ip (192.192.192.221) + gateway =3D my fw(192.192.192.15) and
> > nameserver =3DISP2 givs me Unknown Host.
>
> At this point I have no clue in what ISP2 referring to..
> "nameserver=3DISP2" is available though eth0 or eth2?
>
> If the route to this server passes though 192.192.192.10, then you'll
> need what I posted above. As soon as you stop mixing up the files that
> you post and their examples the clearer it becomes to the rest of us.
> Please use the support guidelines for your version as found on
> http://www.shorewall.net/support.html
>
>
> Jerry
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log fi=
les
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=
=3D121642
> _______________________________________________
> Shorewall-users mailing list
> Sho...@li...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

--
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Linux Rocks