* Help with fwmark and shorewall
@ 2004-12-14 1:44 Paul
From: Paul @ 2004-12-14 1:44 UTC (permalink / raw)
To: Netfilter Users (List)
I'm using Shorewall with 2 ISP connections, and I want to force UDP 500
traffic out one particular interface.
Here's what I have so far:
/etc/shorewall/tcrules:
4 0.0.0.0/0 202.37.230.93 udp 500
4 202.37.230.93 0.0.0.0/0 udp 500
shorewall show mangle | grep MARK
14 4203 MARK udp -- * * 0.0.0.0/0 202.37.230.93 udp dpt:500 MARK set 0x4
0 0 MARK udp -- * * 202.37.230.93 0.0.0.0/0 udp dpt:500 MARK set 0x4
routing:
/sbin/ip rule add prio 223 fwmark 4 table 223
/sbin/ip route add default via 202.37.230.65 dev eth2 \
src 202.37.230.93 proto static table 223
routing rules:
ip rule show
0: from all lookup local
50: from all lookup main
201: from 202.37.230.64/26 lookup 201
202: from 203.96.212.0/23 lookup 202
222: from all lookup 222
223: from all fwmark 0x4 lookup 223
32766: from all lookup main
32767: from all lookup default
ip route show table 223
default via 202.37.230.65 dev eth2 proto static src 202.37.230.93
The load balancing works flawlessly :)
However, I have racoon (kernel 2.6.8.1) on the firewall, and only
sometimes does it respond using 202.37.230.93; sometimes it uses my other
ISP connection, which is no good :(
I've got to the point where I guess I need to use fwmark before routing,
but it doesn't seem to work :(
Any help?
Thanks
Paul.
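Policy rules are evaluated strictly in priority order, and a rule that reads `from all lookup N` ends the lookup for every packet as soon as table N yields a route. In the `ip rule show` listing above, both `50: from all lookup main` and `222: from all lookup 222` sit ahead of `223: from all fwmark 0x4 lookup 223`, so table 223 is only ever reached if neither of those tables has a default route. The script below is an added example for this thread, not code from the original post or from Shorewall; it parses an `ip rule show` listing (the sample is constructed from the post) and names every catch-all rule that is evaluated before a given fwmark rule. It cannot see table contents, so it reports candidates rather than a verdict.

```python
"""Check an `ip rule show` listing for fwmark rules shadowed by catch-all rules.

Added example for this thread, not code from the original post or from
Shorewall. It parses the listing as printed by iproute2 and, for a given mark,
lists every rule evaluated before the fwmark rule that has no selector other
than `from all`. Such a rule ends the lookup as soon as its table yields a
route, so the fwmark rule is only consulted if those tables hold no matching
route. Table contents are not visible here; the script names the candidates.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the `ip rule show` output in the post above.
SAMPLE_RULES = """\
0: from all lookup local
50: from all lookup main
201: from 202.37.230.64/26 lookup 201
202: from 203.96.212.0/23 lookup 202
222: from all lookup 222
223: from all fwmark 0x4 lookup 223
32766: from all lookup main
32767: from all lookup default
"""

# Selectors that take one argument in iproute2 rule output.
_ONE_ARG = {"from", "to", "fwmark", "iif", "oif", "tos", "lookup", "table",
            "uidrange", "ipproto", "sport", "dport", "suppress_prefixlength"}


@dataclass(frozen=True)
class Rule:
    prio: int
    src: str                 # "all" or a source prefix
    fwmark: Optional[int]    # mark value without mask, or None
    table: str
    extra: Tuple[str, ...]   # any other selector, e.g. "to 10.0.0.0/8"

    def is_catch_all(self) -> bool:
        """True when the rule matches every packet: `from all` and nothing else."""
        return self.src == "all" and self.fwmark is None and not self.extra


def parse_rule(line: str) -> Rule:
    """Parse one `PRIO: from SRC [selectors...] lookup TABLE` line."""
    prio_str, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an ip rule line: {line!r}")
    toks = rest.split()
    src, fwmark, table, extra = "all", None, "", []
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if tok in _ONE_ARG and i + 1 < len(toks) else None
        if tok == "from":
            src = arg
        elif tok == "fwmark":
            fwmark = int(arg.split("/")[0], 0)      # "0x4" or "0x4/0xff"
        elif tok in ("lookup", "table"):
            table = arg
        elif arg is not None:
            extra.append(f"{tok} {arg}")
        else:
            extra.append(tok)                       # bare flags, e.g. "not"
        i += 2 if arg is not None else 1
    return Rule(int(prio_str), src, fwmark, table, tuple(extra))


def parse_rules(text: str) -> List[Rule]:
    """Parse a whole listing, ordered by priority (the kernel's evaluation order)."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.prio)


def shadowing_rules(rules: List[Rule], mark: int) -> List[Rule]:
    """Catch-all rules evaluated before the first rule selecting `mark`.

    The `local` table holds only the host's own and broadcast addresses, so a
    rule pointing at it cannot capture traffic for a remote peer; it is skipped.
    """
    target = next((r for r in rules if r.fwmark == mark), None)
    if target is None:
        raise ValueError(f"no rule selects fwmark {mark:#x}")
    return [r for r in rules
            if r.prio < target.prio and r.is_catch_all() and r.table != "local"]


def report(text: str, mark: int) -> List[str]:
    """Human-readable findings, one per shadowing rule."""
    rules = parse_rules(text)
    shadowed_by = shadowing_rules(rules, mark)     # raises if mark has no rule
    target = next(r for r in rules if r.fwmark == mark)
    return [f"prio {r.prio} ('from all lookup {r.table}') is evaluated before "
            f"prio {target.prio} (fwmark {mark:#x} -> table {target.table}); "
            f"a default route in table {r.table} wins"
            for r in shadowed_by]


if __name__ == "__main__":
    for finding in report(SAMPLE_RULES, 0x4):
        print(finding)
```

Run against the post's listing it names priorities 50 (`main`) and 222. Giving the fwmark rule a smaller priority number than the catch-all rules, for example `ip rule add prio 100 fwmark 4 table 223`, or keeping default routes out of the earlier tables, lets table 223 be consulted for marked packets. Separately, the second MARK rule above shows 0 packets: locally generated traffic such as racoon's own IKE passes through the mangle OUTPUT chain rather than PREROUTING, so a rule with the firewall's own address as SOURCE only matches if it is placed in OUTPUT (in Shorewall's tcrules, a SOURCE of `$FW` does that).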