From ba8a0976f1c9d3c4ef476891968cc2d31ddd2ad2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 7 Jan 2009 16:25:14 +0000
Subject: [PATCH] More document tweaks
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/MultiISP.xml | 60 +++++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 23 deletions(-)
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index f7c901674..6db74365c 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -306,8 +306,8 @@
 You want to specify 'track' if Internet hosts will be connecting to local servers through this provider. Any time
- that you specify 'track', you will also want to specify
- 'balance' (see below).
+ that you specify 'track', you will normally want to also
+ specify 'balance' (see below).
 Use of this feature requires that your kernel and iptables include CONNMARK target and connmark match support
@@ -371,9 +371,10 @@
 specify 'balance' even if you don't need it. You can still use entries in /etc/shorewall/tcrules to force all traffic to one provider or another.
- If you don't heed this advice then be prepared
- to read FAQ 57 and
- FAQ 58.
+ If you don't heed this advice then please read
+ and follow the advice in FAQ 57 and FAQ 58.
@@ -469,11 +470,15 @@
 (Added in Shorewall-perl 4.2.5)
- Indicates that a balanced default route through the
- provider should be added to the default routing table (table
- 253). The route is added with a weight equal to the
- specified weight (default 1). The
- option is ignored with a warning message if
+ Indicates that a default route through the provider
+ should be added to the default routing table (table 253). If
+ a weight is given, a balanced
+ route is added with the weight of this provider equal to the
+ specified weight. If the option
+ is given without a weight, an
+ separate default route is added through the provider's
+ gateway; the route has a metric equal to the provider's
+ NUMBER. The option is ignored with a warning message if
 USE_DEFAULT_RT=Yes in shorewall.conf.
@@ -1324,7 +1329,7 @@ wlan0 192.168.0.0/24
- Connections initiated by the server and connection requested by
+ Connections initiated by the server and connections requested by
 clients on the firewall that have bound their local socket to one of the DSL IP addresses. Two entries in /etc/shorewall/route_rules take care of that
@@ -1335,18 +1340,22 @@ wlan0 192.168.0.0/24
 As a consequence, I have disabled all route filtering on the firewall and do not use the balance option in /etc/shorewall/providers. The default route
- in the main table is established by DHCP. By specifying the
- default_rt option on Avvanta, I ensure that there is
- a default route when Comcast is down.
+ in the main table is established by DHCP. By specifying the fallback option on Avvanta, I ensure that there is
+ still a default route if Comcast is down.
 /etc/sysctl.conf: net.ipv4.conf.all.rp_filter = 0
+ /etc/shorewall/shorewall.conf:
+
+ ROUTE_FILTER=No
+
 /etc/shorewall/providers: #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,default_rt eth2,eth4,tun*
+Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,fallback eth2,eth4,tun*
 Comcast 2 0x200 main eth3 detect track eth2,eth4,tun* #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
@@ -1355,14 +1364,17 @@ Comcast 2 0x200 main eth3 detect track
 traffic from Avvanta-assigned IP addresses is sent via the Avvanta provider. Note that because the Comcast line has a dynamic IP address, I am not able to use USE_DEFAULT_RT=Yes in
- /etc/shorewall/shorewall.conf.
+ /etc/shorewall/shorewall.conf. The 'tun*' included in
+ the COPY column is there because I run a routed OpenVPN server on the
+ firewall.
 /etc/shorewall/route_rules:
- #SOURCE DEST PROVIDER PRIORITY
-206.124.146.176/30 - Avvanta 26000
-206.124.146.180 - Avvanta 26000
-- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
+ #SOURCE DEST PROVIDER PRIORITY
+- 162.20.0.0.24 main 1000 # Addresses assigned by routed OpenVPN server
+206.124.146.176/30 - Avvanta 26000
+206.124.146.180 - Avvanta 26000
+- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE The /etc/shorewall/route_rules entries provide
@@ -1378,7 +1390,8 @@ Comcast 2 0x200 main eth3 detect track
 Routing Rules
-0: from all lookup local
+0: from all lookup local
+1000: from all to 172.20.0.0/24 lookup main
 10000: from all fwmark 0x100 lookup Avvanta
 10001: from all fwmark 0x200 lookup Comcast
 20256: from 71.227.156.229 lookup Comcast
@@ -1462,7 +1475,8 @@ eth0 !206.124.146.0/24 206.124.146.179
 All traffic leaving eth3 must use the dynamic IP address assigned to that interface as the SOURCE address. All traffic leaving eth0 that does
- not have an address falling within the Avvanta subnet (206.124.146.0/24)
- must have its SOURCE address changed to 206.124.146.179.
+ not have a SOURCE address falling within the Avvanta subnet
+ (206.124.146.0/24) must have its SOURCE address changed to
+ 206.124.146.179.