mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Add new example to the Multi-ISP doc including the output of 'shorewall show routing'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9245 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 88c2361323
commit 150ca2c2f6
@ -1255,4 +1255,172 @@ wlan0 192.168.0.0/24</programlisting><note>
</note></para>
</section>
</section>

<section>
<title>A Complete Working Example</title>

<para>This section describes the network at shorewall.net early in 2009.
The configuration is as follows:</para>

<itemizedlist>
<listitem>
<para>Two providers:</para>

<itemizedlist>
<listitem>
<para>Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP
addresses.</para>
</listitem>

<listitem>
<para>Comcast -- A fast (20mb/10mb) Cable circuit with a single
<emphasis>dynamic</emphasis> address.</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para>A local network consisting of wired and wireless client systems.
A Linksys WRT300N wireless router is used as an access point for the
wireless hosts; the WAN port on the router is unused as is the builtin
DHCP server. The firewall runs a DHCP server.</para>
</listitem>

<listitem>
<para>A DMZ hosting a single server (lists.shorewall.net aka
www1.shorewall.net, ftp1.shorewall.net,etc.)</para>
</listitem>
</itemizedlist>

<para>The network is pictured in the following diagram:</para>

<graphic align="center" fileref="images/Network2009.png" />

<para>Because of the speed of the cable provider, all traffic uses that
provider unless there is a specific need for the traffic to use the DSL
line. As a consequence, I have disabled all route filtering on the
firewall and do not use the <emphasis role="bold">balance</emphasis>
option in <filename>/etc/shorewall/providers</filename>.</para>

<para><filename>/etc/sysctl.conf</filename>:</para>

<programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting>

<para><filename>/etc/shorewall/providers</filename>:</para>

<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun*
Comcast 2 0x200 mai eth3 detect track eth2,eth4,tun*
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>

<para>The <emphasis role="bold">loose</emphasis> option on Avvanta results
in fewer routing rules. The first two routing rules below insure that all
traffic from Avvanta-assigned IP addresses is sent via the Avvanta
provider. Note that because the Comcast line has a dynamic IP address, I
am not able to use USE_DEFAULT_RT=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>

<para><filename>/etc/shorewall/route_rules</filename>:</para>

<programlisting>#SOURCE DEST PROVIDER PRIORITY
206.124.146.176/30 - Avvanta 26000
206.124.146.180 - Avvanta 26000
- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

<para>The <filename>/etc/shorewall/route_rules </filename>entries provide
all of the provider selection necessary so my
<filename>/etc/shorewall/tcrules</filename> file is used exclusively for
traffic shaping of the Avvanta line.</para>

<para>Here is the output of <command>shorewall show
routing</command>:</para>

<programlisting>Routing Rules

0: from all lookup local
10000: from all fwmark 0x100 lookup Avvanta
10001: from all fwmark 0x200 lookup Comcast
20256: from 71.227.156.229 lookup Comcast
26000: from 206.124.146.176/30 lookup Avvanta
26000: from 206.124.146.180 lookup Avvanta
26000: from all to 216.168.3.44 lookup Avvanta
32766: from all lookup main
32767: from all lookup default

Table Avvanta:

206.124.146.254 dev eth0 scope link src 206.124.146.176
206.124.146.177 dev eth4 scope link
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
169.254.0.0/16 dev eth0 scope link
default via 206.124.146.254 dev eth0 src 206.124.146.176

Table Comcast:

206.124.146.177 dev eth4 scope link
71.227.156.1 dev eth3 scope link src 71.227.156.229
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
default via 71.227.156.1 dev eth3 src 71.227.156.229

Table default:

Table local:

broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254
broadcast 206.124.146.255 dev eth0 proto kernel scope link src 206.124.146.176
local 206.124.146.179 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.178 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth4 proto kernel scope host src 206.124.146.176
broadcast 71.227.157.255 dev eth3 proto kernel scope link src 71.227.156.229
broadcast 71.227.156.0 dev eth3 proto kernel scope link src 71.227.156.229
local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254
local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254
local 71.227.156.229 dev eth3 proto kernel scope host src 71.227.156.229
broadcast 206.124.146.0 dev eth0 proto kernel scope link src 206.124.146.176
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 206.124.146.180 dev eth0 proto kernel scope host src 206.124.146.176
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

206.124.146.177 dev eth4 scope link
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 71.227.156.1 dev eth3 </programlisting>

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth2 detect dhcp,routeback
dmz eth4 detect
net eth0 detect dhcp,blacklist,tcpflags,optional
net eth3 detect dhcp,blacklist,tcpflags,optional
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

<para><filename>/etc/shorewall/masq</filename>:</para>

<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC

COMMENT Masquerade Local Network
eth3 0.0.0.0/0
eth0 !206.124.146.0/24 206.124.146.179

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>

<para>All traffic leaving eth3 must use the dynamic IP address assigned to
that interface as the SOURCE address. All traffic leaving eth0 that does
not have an address falling within the Avvanta subnet (206.124.146.0/24)
must have its SOURCE address changed to 206.124.146.179.</para>
</section>
</article>
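Review bot: the DUPLICATE column of the Comcast line in the /etc/shorewall/providers listing reads `mai` while the Avvanta line reads `main`; `mai` names a routing table that does not exist, and the `Table Comcast:` output further down shows the main-table routes copied as intended, so the listing should read `Comcast 2 0x200 main eth3 detect track eth2,eth4,tun*`. Second, the prose says "I have disabled all route filtering" next to `net.ipv4.conf.all.rp_filter = 0`; since readers copy this example, a sentence stating plainly that the kernel's reverse-path anti-spoofing check is therefore off on every interface, and that the route_rules entries and the masq entry `eth0 !206.124.146.0/24 206.124.146.179` are what keep Avvanta-addressed traffic pinned to eth0, would make the trade-off explicit. Third, eth0 carries the `dhcp` interface option although Avvanta is described as providing 5 static IP addresses; either drop the option or say why it is there. Minor text fixes in the same hunk: `<filename>/etc/shorewall/route_rules </filename>entries` has the space inside the tag, "insure" should be "ensure", and "ftp1.shorewall.net,etc." needs a space after the comma.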
BIN
docs/images/Network2009.dia
Normal file
Binary file not shown.
BIN
docs/images/Network2009.png
Normal file
Binary file not shown.
Size: 77 KiB