From: Tom E. <te...@sh...> - 2010-02-04 15:28:20
Tom Eastep wrote:
> Tom Eastep wrote:
>> Trent O'Callaghan wrote:
>>> MASQ/SNAT and ARP are interacting in a way that is causing outbound
>>> connectivity issues in periods of low traffic (when ARP entries timeout).
>>> Tcpdump of ARP packets shows who-has packets with the SNAT IP address when I
>>> need them to have the Firewall's Interface IP address as their source.
>>>
>>> I have modified MASQ to SNAT to the Firewall's Interface IP address for the
>>> Peering network (via 198.32.212.73), but outbound traffic is normally to
>>> more distant networks and my default route is to the Paid Internet (via
>>> 121.200.226.210).
>>>
>>> I have seen some have scripted ARP watchers that could assist but I believe
>>> this is something Shorewall can cope with, but I am lacking in the
>>> knowledge.
>>>
>>> root@per-r1:/etc/shorewall# ifconfig -a
>>> eth0 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:121.200.226.210 Bcast:121.200.226.211
>>> Mask:255.255.255.252
>>> eth0:1 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:198.32.212.73 Bcast:198.32.212.255 Mask:255.255.255.0
>>> eth0:2 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:180.233.131.7 Bcast:180.233.131.255 Mask:255.255.255.0
>>> eth1 Link encap:Ethernet HWaddr 00:15:17:cc:dd:91
>>> inet addr:10.240.0.1 Bcast:10.240.0.255 Mask:255.255.255.0
>>>
>>> root@per-r1:/etc/shorewall# ip route show table main | grep -v zebra
>>> 121.200.226.208/30 dev eth0 proto kernel scope link src 121.200.226.210
>>> 198.32.212.0/24 dev eth0 proto kernel scope link src 198.32.212.73
>>> 180.233.131.0/24 dev eth0 proto kernel scope link src 180.233.131.7
>>> 10.240.1.0/24 dev eth1 proto kernel scope link src 10.240.1.1
>>> default via 121.200.226.209 dev eth0 metric 100
>>>
>>> #
>>> # Shorewall version 4 - Masq file
>>> #
>>> eth0:!198.32.212.0/24 eth1:!10.240.1.7 180.233.131.7
>> Ah! I took one more look at your report and I seriously doubt that the
>> above rule does what you expect.
>> Rewrite it as:
>>
>> eth0:!198.32.212.0/24 10.240.0.0/24!10.240.1.7
>
> In fact, the current version of Shorewall (4.4.6) rejects that type of rule:
>
> gateway:/etc/shorewall# shorewall check
> Compiling...
> WARNING: Using an interface as the masq SOURCE requires the interface
> to be up and configured when Shorewall starts/restarts :
> /etc/shorewall/masq (line 7)
> ERROR: SOURCE interface may not be specified with a source IP address
> in the POSTROUTING chain : /etc/shorewall/masq (line 7)
> gateway:/etc/shorewall#
>
> Are you still using Shorewall-shell?

Duh -- just looked at the Subject again. I suggest that you look at
http://www.shorewall.net/LennyToSqueeze.html. Also, note that the Debian
Shorewall maintainer has Shorewall 4.4 packages available for Lenny; a link
to his site can be found on the Shorewall download page.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
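The SOURCE-column mistake that `shorewall check` reports in the thread, turned into a small lint so the rejected rule and Tom's rewrite can be compared before a restart. This is an added example and not Shorewall's own code: it assumes the masq column layout INTERFACE SOURCE [ADDRESS ...], a letter-first interface naming rule, IPv4 addresses only, and it only approximates the two quoted messages.

```python
"""Lint Shorewall 'masq' rules for the SOURCE-column mistake in the thread above.

Added example, not Shorewall's own compiler: it approximates the two checks whose
messages appear in the quoted 'shorewall check' output.  Assumed column layout:
INTERFACE SOURCE [ADDRESS ...]; '#' starts a comment; IPv4 only.
"""
import re

# Assumed naming rule: an interface name starts with a letter (eth0, eth0.100,
# br-lan); addresses, networks and exclusions start with a digit or '!'.
IFACE_RE = re.compile(r"^[A-Za-z][\w.-]*$")

def classify_source(source):
    """Return 'error', 'warning' or 'ok' for one SOURCE column value."""
    base, sep, _rest = source.partition(":")
    if sep and IFACE_RE.match(base):
        return "error"    # iface:addr or iface:!addr - rejected by 4.4.6
    if not sep and IFACE_RE.match(source):
        return "warning"  # bare interface - accepted, but must be up at start
    return "ok"           # network/host list, '!' exclusions allowed

def lint_masq(text):
    """Return [(line_no, level, message)] for every rule that is not 'ok'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            findings.append((line_no, "error", "SOURCE column missing"))
            continue
        level = classify_source(cols[1])
        if level == "error":
            findings.append((line_no, level, "SOURCE interface may not be "
                             "combined with a source IP address"))
        elif level == "warning":
            findings.append((line_no, level, "interface as SOURCE must be up "
                             "and configured when Shorewall starts"))
    return findings

# Constructed samples: the rule Trent posted, and Tom's rewrite of it.
REJECTED_MASQ = """#
# Shorewall version 4 - Masq file
#
eth0:!198.32.212.0/24 eth1:!10.240.1.7 180.233.131.7
"""
REWRITTEN_MASQ = "eth0:!198.32.212.0/24 10.240.0.0/24!10.240.1.7\n"
```

Running `lint_masq` over the two samples flags line 4 of the rejected file as an error and returns nothing for the rewrite, because the INTERFACE column's `!198.32.212.0/24` exclusion is fine and only the SOURCE column changed.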