mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 15:43:30 +01:00
Update Multi-ISP doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 4640e4c51e
commit 477a5eb36a
@ -913,15 +913,13 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
|
|||||||
later, you would make this entry in <ulink
|
later, you would make this entry in <ulink
|
||||||
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
|
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
MARK(2):P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
MARK(2):P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
||||||
|
|
||||||
<para>Note that traffic from the firewall itself must be handled in a
|
<para>Note that traffic from the firewall itself must be handled in a
|
||||||
different rule:</para>
|
different rule:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||||
|
|
||||||
<para>If you are running a Shorewall version earlier than 4.6.0, the
|
<para>If you are running a Shorewall version earlier than 4.6.0, the
|
||||||
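Review bot: the sentence "traffic from the firewall itself must be handled in a different rule" still does not say what differs, and now that both headers read `#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST` the only visible difference between the two listings is that the `$FW` entry is `MARK(2)` without the `:P` suffix used on the `<local network>` entry; suggest adding a half-sentence to that paragraph saying the `:P` qualifier is dropped for firewall-originated traffic. The rename of the second listing's first column from `#MARK` to `#ACTION` is correct, since its entry uses `MARK(2)` action syntax.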
@ -929,14 +927,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
|||||||
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
|
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
|
||||||
would be:</para>
|
would be:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
2:P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
2:P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
||||||
|
|
||||||
<para>And for traffic from the firewall:</para>
|
<para>And for traffic from the firewall:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
2 $FW 0.0.0.0/0 tcp 25</programlisting>
|
2 $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
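Review bot: this listing is introduced as what "a Shorewall version earlier than 4.6.0" would use, so renaming its header from `PORT(S) CLIENT` to `DPORT SPORT` gives a pre-4.6 reader column names their `tcrules` file will not show; either keep the historical header here or note in the paragraph that the modern column names are used for readability. Separately, the second `tcrules` listing's first column changes from `#MARK` to `#ACTION` while its entries are bare mark values (`2 $FW ...`), and the other `tcrules` listing in this commit (the `-2583` hunk) keeps `#MARK`; pick one and use it in both places.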
@ -951,8 +947,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORTS(S) DEST
|
|
||||||
DNAT net loc:192.168.1.3 tcp 25</programlisting>
|
DNAT net loc:192.168.1.3 tcp 25</programlisting>
|
||||||
|
|
||||||
<para>Continuing the above example, to forward only connection requests
|
<para>Continuing the above example, to forward only connection requests
|
||||||
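Review bot: the `ORIGDEST` header here is consistent with the `-962` hunk, but the `rules` columns are referred to by name in prose elsewhere in this section (the `-962` hunk fixes one "ORIGINAL DEST" mention), so a grep of the file for any remaining "ORIGINAL DEST" or "DEST PORT(S)" wording is worth doing before merging, otherwise that prose points at a column the listings no longer label that way. Dropping the continuation line also removes the old `PORTS(S)` typo, which is fine.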
@ -962,19 +957,16 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Qualify the SOURCE by ISP 1's interface:</para>
|
<para>Qualify the SOURCE by ISP 1's interface:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORTS(S) DEST
|
|
||||||
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
|
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
|
||||||
|
|
||||||
<para>or</para>
|
<para>or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST
|
<para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
|
||||||
column:</para>
|
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORTS(S) DEST
|
|
||||||
DNAT net loc:192.168.1.3 tcp 25 <emphasis
|
DNAT net loc:192.168.1.3 tcp 25 <emphasis
|
||||||
role="bold">- 206.124.146.176</emphasis></programlisting>
|
role="bold">- 206.124.146.176</emphasis></programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
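Review bot: with the single-line header, the `<emphasis role="bold">` on `- 206.124.146.176` now bolds both the SPORT placeholder `-` and the ORIGDEST value; since the list item only talks about "the ORIGDEST column", bolding just `206.124.146.176` would make the example clearer. The prose change from "ORIGINAL DEST column" to "ORIGDEST column" matches the new header.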
@ -2573,8 +2565,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
|
|||||||
role="bold">avvanta</emphasis> provider.</para>
|
role="bold">avvanta</emphasis> provider.</para>
|
||||||
|
|
||||||
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
|
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
|
||||||
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp 21
|
MARK(2) $FW 0.0.0.0/0 tcp 21
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
|
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
|
||||||
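Review bot: the column count is right for the twelve-column header: the seven `-` placeholders on the second `MARK(2)` rule cover DPORT through CONNBYTES, so `ftp` lands in HELPER. The paragraph above does not explain that rule, though; a comment in the listing, or a clause in the paragraph, saying that `ftp` in the HELPER column is what selects those connections would save readers from counting columns to work it out.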
@ -2583,8 +2574,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
|
|||||||
switching to using a mangle file (<command>shorewall update -t</command>
|
switching to using a mangle file (<command>shorewall update -t</command>
|
||||||
will do that for you). Here are the equivalent tcrules entries:</para>
|
will do that for you). Here are the equivalent tcrules entries:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||||
# PORT(S)
|
|
||||||
2 $FW 0.0.0.0/0 tcp 21
|
2 $FW 0.0.0.0/0 tcp 21
|
||||||
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||||
2 $FW 0.0.0.0/0 tcp 119</programlisting>
|
2 $FW 0.0.0.0/0 tcp 119</programlisting>
|
||||||
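Review bot: this legacy `tcrules` listing keeps `#MARK` as its first column, while the `tcrules` listing in the `-929` hunk of this same commit was changed to `#ACTION` with identical bare `2` entries; the two should carry the same header. Same caveat as for the `-929` hunk: these are the pre-mangle `tcrules` entries the text says `shorewall update -t` converts, so renaming `PORT(S) CLIENT` to `DPORT SPORT` describes a layout the old file never had; if the intent is only to keep the columns readable alongside the mangle version, say so in the paragraph.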
@ -2603,8 +2593,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
|
|||||||
|
|
||||||
<para>The same rules converted to use the mangle file are:</para>
|
<para>The same rules converted to use the mangle file are:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||||
# PORT(S)
|
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp 21
|
MARK(2) $FW 0.0.0.0/0 tcp 21
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||||
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
|
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
|
||||||
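Review bot: the new header `#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER` looks copied from the `tcrules` block just above; this listing is the mangle-file conversion (the paragraph says "converted to use the mangle file" and the entries are `MARK(2) $FW ...` actions), so the first column should stay `#ACTION`, as it was before this change and as the mangle listing in the `-2573` hunk has it.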
@ -2612,8 +2601,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
|
|||||||
<para>The remaining files are for a rather standard two-interface config
|
<para>The remaining files are for a rather standard two-interface config
|
||||||
with a bridge as the local interface.</para>
|
with a bridge as the local interface.</para>
|
||||||
|
|
||||||
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# ONLY OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
|
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
|
||||||
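Review bot: the `zones` header was modernised to `IN_OPTIONS OUT_OPTIONS`, but its second column is still labelled `IPSEC` (the old two-line `IPSEC ONLY`), while the values under it, `firewall` and `ipv4`, are zone types; rename that column to `TYPE` so the whole header follows the current shorewall-zones layout rather than half of it.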
@ -2623,17 +2611,17 @@ kvm all ACCEPT
|
|||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info</programlisting></para>
|
all all REJECT info</programlisting></para>
|
||||||
|
|
||||||
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
<para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
#
|
#
|
||||||
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||||
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||||
kvm br0 detect routeback #Virtual Machines</programlisting><note>
|
kvm br0 routeback #Virtual Machines</programlisting><note>
|
||||||
<para><filename class="devicefile">wlan0</filename> is the wireless
|
<para><filename class="devicefile">wlan0</filename> is the wireless
|
||||||
adapter in the notebook. Used when the laptop is in our home but not
|
adapter in the notebook. Used when the laptop is in our home but not
|
||||||
connected to the wired network.</para>
|
connected to the wired network.</para>
|
||||||
</note></para>
|
</note></para>
|
||||||
|
|
||||||
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
|
||||||
eth0 192.168.0.0/24
|
eth0 192.168.0.0/24
|
||||||
wlan0 192.168.0.0/24</programlisting><note>
|
wlan0 192.168.0.0/24</programlisting><note>
|
||||||
<para>Because the firewall has only a single external IP address, I
|
<para>Because the firewall has only a single external IP address, I
|
||||||
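Review bot: dropping BROADCAST (with its `detect` values) and GATEWAY from the `interfaces` header is right for the three-column layout, but the bare `#` line that followed the old two-line header is now an empty comment between `#ZONE INTERFACE OPTIONS` and `net eth0 ...` and can be removed. In the `masq` listing, `PORT(S)` to `DPORT` matches the other renames in this commit, and the entries are unaffected since they only fill INTERFACE and SUBNET.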
@ -2881,9 +2869,7 @@ root@gateway:~# </programlisting>
|
|||||||
<para><filename>/etc/shorewall/mangle</filename> is not used to support
|
<para><filename>/etc/shorewall/mangle</filename> is not used to support
|
||||||
Multi-ISP:</para>
|
Multi-ISP:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||||
# PORT(S) PORT(S)
|
|
||||||
FORMAT 2
|
|
||||||
TTL(+1):P INT_IF -
|
TTL(+1):P INT_IF -
|
||||||
SAME:P INT_IF - tcp 80,443
|
SAME:P INT_IF - tcp 80,443
|
||||||
?if $PROXY && ! $SQUID2
|
?if $PROXY && ! $SQUID2
|
||||||
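Review bot: the header keeps `#MARK` as its first column, but the entries `TTL(+1):P` and `SAME:P` are mangle actions and the `FORMAT 2` line is being removed in this same hunk; the mangle listing in the `-2573` hunk uses `#ACTION` for exactly this syntax, so this header should too. Please also state, in the prose or the commit message, that dropping `FORMAT 2` is intended for the mangle-file layout, since the surrounding text only says the file "is not used to support Multi-ISP" and a reader diffing the two versions will wonder whether the line was lost by accident.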