From 4b7d64be5523063217f5a8a7444d3d266f2626c0 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 22 May 2005 01:28:41 +0000 Subject: [PATCH] More Multi-ISP doc updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2157 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Shorewall_and_Routing.xml | 102 +++++++++++++++++++--- 1 file changed, 89 insertions(+), 13 deletions(-) diff --git a/Shorewall-docs2/Shorewall_and_Routing.xml b/Shorewall-docs2/Shorewall_and_Routing.xml index 2a84ee654..3073382c7 100644 --- a/Shorewall-docs2/Shorewall_and_Routing.xml +++ b/Shorewall-docs2/Shorewall_and_Routing.xml @@ -15,7 +15,7 @@ - 2005-05-20 + 2005-05-21 2005 @@ -184,12 +184,13 @@
Routing and Proxy ARP - There is one instance where Shorewall creates routing table entries. - When an entry in /etc/shorewall/proxyarp contains - "No" in the HAVEROUTE column then Shorewall will create a host route to - the IP address listed in the ADDRESS column through the interface named in - the INTERFACE column. This is the only case where - Shorewall directly manipulates the routing table. + There is one instance where Shorewall creates main routing table + entries. When an entry in /etc/shorewall/proxyarp + contains "No" in the HAVEROUTE column then Shorewall will create a host + route to the IP address listed in the ADDRESS column through the interface + named in the INTERFACE column. This is the only case + where Shorewall directly manipulates the main routing + table. Example: @@ -270,7 +271,7 @@ - You man not use connection marking. + You may not use connection marking. @@ -282,8 +283,9 @@ The current version of iptables (1.3.1) is broken with respect to CONNMARK and iptables-save/iptables-restore. This means that if you - configure multiple ISPs, shorewall restore will - fail. You must patch your iptables using the patch at shorewall restore may + fail. If it does, you may patch your iptables using the patch at + http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. @@ -358,6 +360,13 @@ The IP address of the provider's Gateway router. + + Users with point-to-point dynamic connections such as + PPPoE, PPPoA or PPTP can enter detect here and Shorewall will + automatically determine the gateway IP address. You must of + course configure your ppp service to restart Shorewall when you + connect or when the gateway IP address changes. @@ -399,6 +408,73 @@
+
+ What an entry in the Providers File Does + + Adding another entry in the providers file simply creates an + alternate routing table for you. In addition: + + + + An ip rule is generated for each IP address on the INTERFACE + that routes traffic from that address through the associated routing + table. + + + + If you specify track, then + connections which have had at least one packet arrive on the + interface listed in the INTERFACE column have their connection mark + set to the value in the MARK column. In the PREROUTING chain, + packets with that connmark have their packet mark set to that value; + packets so marked then bypass any prerouting rules that you create + in /etc/shorewall/tcrules. This ensures that + packets associated with connections from outside are always routed + out of the correct interface. + + + + If you specify balance, then + Shorewall will replace the 'default' route in the 'main' routing + table with a load-balancing route among those gateways where + balance was specified. + + + + That's all that these entries do. + You still have to follow the principle stated at the top of this + article: + + + + Routing determines where packets are to be sent. + + + + Once routing determines where the packet is to go, the + firewall (Shorewall) determines if the packet is allowed to go + there. + + + + The bottom line is that if you want traffic to go out through a + particular provider then you must mark that traffic + with the provider's MARK value in + /etc/shorewall/tcrules and you must do that marking + in the PREROUTING chain. + + + Entries in /etc/shorewall/providers + permanently alter your firewall/gateway's routing; that is, the effect + of these changes is not reversed by shorewall stop + or shorewall clear. To restore routing to its + original state, you will have to restart your network. This can + usually be done by /etc/init.d/network restart or + /etc/init.d/networking restart. Check your + distribution's networking documentation. + +
+
Example @@ -432,15 +508,15 @@ net net DROP eth0 eth2 206.124.146.176 eth1 eth2 130.252.99.27 - Now suppose that you want to route all outgoing SMTP traffic - through ISP 2. You would make this entry in Now suppose that you want to route all outgoing SMTP traffic from + your local network through ISP 2. You would make this entry in /etc/shorewall/tcrules (and you would set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf). #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -2 <local network> 0.0.0.0/0 tcp 25 +2:P <local network> 0.0.0.0/0 tcp 25
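Review bot: the sentence "This is the only case where Shorewall directly manipulates the main routing table" in the Proxy ARP hunk (@@ -184,12 +184,13 @@) is contradicted by the new providers section in this same patch, which states that with balance "Shorewall will replace the 'default' route in the 'main' routing table with a load-balancing route". Suggest rewording to "Apart from the default-route replacement described under Multiple ISPs, this is the only case ..." or adding a cross-reference so the two statements agree.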
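Review bot: the softening from "will fail" to "may fail" in the iptables 1.3.1 hunk (@@ -282,8 +283,9 @@) leaves the reader with no way to tell whether they are affected; the hunk says shorewall restore may fail but not how the failure manifests or what state the firewall is left in. Suggest describing the symptom (or the command used to confirm that the restored ruleset is actually in place) before pointing users at CONNMARK.diff. Since the remedy is rebuilding iptables from a diff fetched over plain http, publishing a checksum or signature for http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff next to the link would let users verify what they are applying.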
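Review bot: the new "detect" paragraph (@@ -358,6 +360,13 @@) says users "must of course configure your ppp service to restart Shorewall when you connect or when the gateway IP address changes" but gives no pointer on how to do that; suggest naming the hook (for pppd the usual place is an ip-up script) or linking to the relevant FAQ entry, and stating that until that restart runs the provider's routing table still carries the previously detected gateway.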
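Review bot: in the new "What an entry in the Providers File Does" section (@@ -399,6 +408,73 @@), the track bullet says marked packets "bypass any prerouting rules that you create in /etc/shorewall/tcrules" while the closing paragraph says you "must do that marking in the PREROUTING chain"; a reader can take these as contradictory. Suggest stating explicitly that the bypass applies only to packets whose connection already carries a provider mark (replies to connections that arrived on a provider interface), so locally originated traffic still passes through the tcrules PREROUTING entries. The paragraph saying the routing changes are "not reversed by shorewall stop or shorewall clear" is important enough to mark up as a warning rather than a plain paragraph: an administrator who relies on shorewall stop to return the box to its pre-Shorewall network state will otherwise be surprised that the ip rules and alternate tables remain active.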
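Review bot: the tcrules example (@@ -432,15 +508,15 @@) now reads "2:P <local network> 0.0.0.0/0 tcp 25" but the ":P" suffix is introduced without any explanation in the surrounding text. Since the preceding section insists that the marking must happen in the PREROUTING chain, add a sentence saying that ":P" is what places this rule in PREROUTING, so the example visibly follows the rule it is meant to illustrate.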