Tom Eastep | 20 Aug 01:02 2004

Re: Two Links and DNAT


Jerry Vonau wrote:
|>|>>>>ip rule add from $IP1 table slow
|>|>>>>ip rule add from $IP2 table fast
|>
|>Haven't had your coffee yet this morning Jerry? :-)
|>
|>- -Tom
|
|
| No, I was a bit rushed... :(
| My doctor said I should cut down, and I was trying...
|
| That was based on the post listing the output of 'ip rule'
| ---snip--
| [root <at> magyar root]# ip rule
| 0:      from all lookup local
| 0:      from all fwmark 0x5 lookup slow
| 1:      from 0.0.0.0 fwmark 0xca lookup www.out
| --------
| Where is the rule? or is some missing?

I was confused about that too -- what was posted looked a whole lot like
a Squid transparent proxy setup rather than a two internet interface
config. But the commands that the OP says he was running to set up the
routing were posted and contained the commands you mentioned.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
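The question raised over the quoted `ip rule` listing, whether the `from $IP1 table slow` / `from $IP2 table fast` rules are actually installed or only fwmark-based ones are, can be answered mechanically. This is an added example, not code from any poster or from Shorewall; the listing is constructed from the one quoted above, and the uplink addresses are assumed because `$IP1`/`$IP2` were never shown.

```python
import re

# 'ip rule' listing constructed from the one quoted in the thread, plus the
# main/default entries every Linux host has.
SAMPLE_IP_RULE = """\
0:      from all lookup local
0:      from all fwmark 0x5 lookup slow
1:      from 0.0.0.0 fwmark 0xca lookup www.out
32766:  from all lookup main
32767:  from all lookup default
"""

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+))?"
    r"\s+lookup\s+(?P<table>\S+)\s*$"
)


def parse_ip_rules(text):
    """Parse 'ip rule' output into dicts with prio, src, mark (or None), table."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:                       # ignore lines in a shape we do not model
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            rules.append(d)
    return rules


def missing_source_rules(text, expected):
    """expected maps table name -> uplink address that 'ip rule add from $IP
    table <name>' should have installed; returns tables with no such rule."""
    rules = parse_ip_rules(text)
    return [t for t, addr in expected.items()
            if not any(r["src"] == addr and r["table"] == t and r["mark"] is None
                       for r in rules)]


def mark_only_tables(text):
    """Tables selected solely by fwmark, i.e. a packet-marking (Squid-style) setup."""
    rules = parse_ip_rules(text)
    marked = {r["table"] for r in rules if r["mark"] is not None}
    plain = {r["table"] for r in rules if r["mark"] is None}
    return sorted(marked - plain)
```

Run against the quoted listing with assumed uplink addresses, both `slow` and `fast` come back as missing and `slow`/`www.out` are reachable only by mark, which is the Squid-style picture Tom describes rather than a two-uplink one.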

Jerry Vonau | 20 Aug 01:39 2004

Re: Two Links and DNAT


> Jerry Vonau wrote:
> |>|>>>>ip rule add from $IP1 table slow
> |>|>>>>ip rule add from $IP2 table fast
> |>
> |>Haven't had your coffee yet this morning Jerry? :-)
> |>
> |>- -Tom
> |
> |
> | No, I was a bit rushed... :(
> | My doctor said I should cut down, and I was trying...
> |
> | That was based on the post listing the output of 'ip rule'
> | ---snip--
> | [root <at> magyar root]# ip rule
> | 0:      from all lookup local
> | 0:      from all fwmark 0x5 lookup slow
> | 1:      from 0.0.0.0 fwmark 0xca lookup www.out
> | --------
> | Where is the rule? or is some missing?
>
> I was confused about that too -- what was posted looked a whole lot like
> a Squid transparent proxy setup rather than a two internet interface
> config. But the commands that the OP says he was running to set up the
> routing were posted and contained the commands you mentioned.
>
> - -Tom
> - --


Tom Eastep | 20 Aug 03:25 2004

Re: Two Links and DNAT


Jerry Vonau wrote:

|
| Just a quick question on posting, what do you prefer top or bottom? I
| want to be a good post

I read from left to right, top to bottom -- hence I prefer bottom posting.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net

Marcelo Mercio Dandrea | 20 Aug 05:12 2004

Re: Two Links and DNAT

Tom Eastep wrote:
>
> Marcelo Mercio Dandrea wrote:
>>     Btw, by "shorewall show nat" I just noticed that I was doing
>> snat only for packets coming from eth1 (intranet). So now I added
>> the following line to /etc/shorewall/start
>>
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source 192.168.200.1
>>
>>     I'm not sure if this is the correct/best solution... but it
>> worked. Now locally generated smtp packets go out only through eth0
>> (slowlink).
>>
>>
>
> You can have Shorewall generate that rule by using this
> /etc/shorewall/masq entry:
>
> eth0 0.0.0.0/0 192.168.200.1 tcp 25
>
> - -Tom
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net

Tom Eastep | 20 Aug 05:17 2004

Re: Two Links and DNAT


Marcelo Mercio Dandrea wrote:

| You can have Shorewall generate that rule by using this
| /etc/shorewall/masq entry:
|
| eth0 0.0.0.0/0 192.168.200.1 tcp 25
|
|     Thanks for the tip Tom! Still, should it work on 1.4.10e? I tried and
| got, on shorewall restart:
|
|    Masqueraded Subnets and Hosts:
|    To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 192.168.200.1
|    Error: Invalid comma-separated list "192.168.200.1 tcp 25"
|
|     My /etc/shorewall/masq
|
| #INTERFACE              SUBNET          ADDRESS

No -- you have to be running Shorewall 2.0.2 or later.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net

RexHsu | 20 Aug 07:45 2004

some websites cant be reached

I have an internet router powered by gentoo+shorewall2.0.7+adsl(pppoe),

but my clients (and gateway) can't access some websites. These sites
must be okay; other sites are okay. I believe it is caused by MTU or
MSS, but I have no idea yet. Btw, the inaccessible sites are dynamic, that
is: today I can't access www.oracle.com, the next day I redial to get
another IP and I can access www.oracle.com.

Help!

gateway root # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:69:C0:9F
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13290045 errors:0 dropped:0 overruns:1 frame:0
          TX packets:15112526 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:1058662806 (1009.6 Mb)  TX bytes:969620897 (924.7 Mb)
          Interrupt:5 Base address:0xe880

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:53:01:B2
          inet addr:192.168.168.1  Bcast:192.168.168.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14454729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13063604 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:661069189 (630.4 Mb)  TX bytes:1027129661 (979.5 Mb)
          Interrupt:10 Base address:0xec00

lo        Link encap:Local Loopback

layahsee | 20 Aug 09:32 2004

Site-to-site VPN with dynamic IPs

Hi,

How should I configure my shorewall in order to have a site-to-site VPN
tunnel?
Both sites use dynamic IPs assigned by the ISP, which means both sites
have a ppp0 interface with dynamic IPs and gateways.

Thanks whoever can help

regards
Aslay


JBanks | 20 Aug 10:39 2004

Re: some websites cant be reached


> I have an internet router powered by gentoo+shorewall2.0.7+adsl(pppoe),
>
> but my clients (and gateway) can't access some websites. These sites
> must be okay; other sites are okay. I believe it is caused by MTU or
> MSS, but I have no idea yet.

This is covered in the Shorewall FAQs. Please look there first as a 
courtesy before posting. No worries though. Your link is specifically here:
http://www.shorewall.net/FAQ.htm#faq33
You will then need to restart Shorewall for the changes to take effect. In 
the /etc/shorewall dir, type "shorewall", without the quotes of course, and 
you will see some nice shorewall usage commands that you can utilize. If 
you're unsure of anything, look here first:
http://www.shorewall.net/Documentation_Index.html but more specifically 
here:
http://www.shorewall.net/starting_and_stopping_shorewall.htm

As a suggestion, you may just want to set everyone up to use an MTU of 1492, 
including the ETH interfaces on your Gentoo/Shorewall box and on the clients 
as well. For Gentoo/Linux it's as simple as:

root <at> toejam trollskin # ifconfig eth0 mtu 1492
root <at> toejam trollskin # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:4Z:92:H8:7Q
          inet addr:192.168.30.66  Bcast:192.168.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:5870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4522 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
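Why a host that still assumes a 1500-byte Ethernet MTU loses some sites behind a PPPoE link (the problem the FAQ entry above deals with) shows up when a SYN's advertised MSS is compared with what a 1492-byte link can carry. This is an added illustration, not code from the thread or from Shorewall; the SYN option bytes are constructed, and the header sizes assume IPv4 and a TCP header without options in data segments.

```python
import struct

PPPOE_OVERHEAD = 8   # bytes the PPPoE/PPP encapsulation adds to every frame on the ADSL link
ETH_MTU = 1500
IPV4_HDR = 20
TCP_HDR = 20


def mss_for_mtu(mtu, ip_hdr=IPV4_HDR, tcp_hdr=TCP_HDR):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - ip_hdr - tcp_hdr


def parse_mss(tcp_options):
    """Return the MSS advertised in a TCP SYN's option bytes, or None if absent/malformed."""
    i = 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(tcp_options):
            return None               # truncated option header
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            return None               # malformed length, do not trust the rest
        if kind == 2 and length == 4: # MSS: kind=2, len=4, 16-bit value
            return struct.unpack("!H", tcp_options[i + 2:i + 4])[0]
        i += length
    return None


def clamp_decision(tcp_options, link_mtu):
    """Return (advertised_mss, allowed_mss, needs_clamp) for a SYN crossing link_mtu."""
    allowed = mss_for_mtu(link_mtu)
    advertised = parse_mss(tcp_options)
    if advertised is None:
        return None, allowed, False   # no MSS option: the 536-byte default applies
    return advertised, allowed, advertised > allowed


# Constructed SYN options from a 1500-byte-MTU host: MSS=1460 (02 04 05 b4),
# NOP, NOP, SACK-permitted (04 02).
SYN_OPTIONS_1500 = bytes.fromhex("020405b401010402")

if __name__ == "__main__":
    print(clamp_decision(SYN_OPTIONS_1500, ETH_MTU - PPPOE_OVERHEAD))
```

A 1460-byte MSS over a 1492-byte link means full-size segments from the remote site exceed the path MTU, which is exactly the "some sites hang" symptom; lowering the client MTU to 1492 as suggested, or having the firewall rewrite the MSS in forwarded SYNs (Shorewall's CLAMPMSS setting in shorewall.conf), removes it.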

JBanks | 20 Aug 12:24 2004

Re: Site-to-site VPN with dynamic IPs


On 8/20/2004 12:32:47 AM, Mailing List for Shorewall Users 
(shorewall-users <at> lists.shorewall.net) wrote:
> Hi,
>
> How should I configure my shorewall in order to have site-to-site VPN
> tunnel.
> Both sites using dynamic IPs assigned by ISP, that means both sites
> have ppp0 interface with dynamic IPs and  gateways.

Have a look here if you haven't already:
http://www.shorewall.net/Documentation_Index.html
But more specifically here:
http://www.shorewall.net/IPSEC.htm
http://www.freeswan.org/
and here:
http://www.shorewall.net/OPENVPN.html
http://openvpn.sourceforge.net/

The fact that both sites' IPs are dynamic is something I've never tried.
Good luck with this.

layahsee | 20 Aug 12:54 2004

Re: Site-to-site VPN with dynamic IPs

Hi,

I don't find information regarding the above topic from your suggested
weblink, please advise.
I need info on dynamic IP site-to-site VPN, not road warrior.

JBanks wrote:

>
> On 8/20/2004 12:32:47 AM, Mailing List for Shorewall Users 
> (shorewall-users <at> lists.shorewall.net) wrote:
>
>> Hi,
>>
>> How should I configure my shorewall in order to have site-to-site VPN
>> tunnel.
>> Both sites using dynamic IPs assigned by ISP, that means both sites
>> have ppp0 interface with dynamic IPs and  gateways.
>
>
> Have a look here if you haven't already:
> http://www.shorewall.net/Documentation_Index.html
> But more specifically here:
> http://www.shorewall.net/IPSEC.htm
> http://www.freeswan.org/
> and here:
> http://www.shorewall.net/OPENVPN.html
> http://openvpn.sourceforge.net/
>
> The fact that both sites ip's are dynamic is something I've never 

