[Firehol-support] Firehol on 3 interfaces

Carlos Rodrigues carlos.efr at mail.telepac.pt
Thu Nov 2 15:04:58 GMT 2006


On 11/2/06, Marcus Williams <marcus at quintic.co.uk> wrote:
> Ah! (slaps forehead)
>
> Ok, so I've now added some rules on the top of the firehol.conf:
>
> iptables -t mangle -A PREROUTING -p tcp --src 192.168.202.71 -j MARK
> --set-mark 0x1

I was thinking more about adding this also to the routing rules,
instead of marking packets, but that should also work.

BTW, you could do this with the firehol "mark" directive, instead of
using iptables directly, like so:

   mark 1 PREROUTING proto tcp inface eth0 src 192.168.202.71

> ip rule add fwmark 1 table 200
> ip route add default via 192.168.2.1 table 200 dev eth2

I think you should also add a rule to remove these routing rules
above, otherwise you will probably get some errors/warnings about
already existing rules when you restart firehol (or just put those
rules outside of the firehol configuration altogether).

> ... and it looks like it routes the requests to the correct gateway
> now, but replies appear to just disappear. Snooping with tcpdump and
> it looks like the requests come back but I get nothing in any of the
> logs or on the machine I'm forwarding through the second gateway.

So, the replies come back but are being dropped by this gateway (the
one with this firehol configuration)? Or are being dropped by the
clients themselves?

Check that your NAT rules are correct. If the addresses for your
external interfaces are static, I'd even suggest you use "snat"
rules near the top of your firehol.conf instead of "masquerade" rules
inside the "router" blocks, like this:

   snat to ${eth1_address} outface eth1 src ${lan_network_address}
   snat to ${eth2_address} outface eth2 src ${lan_network_address}

or,

   snat to ${eth1_address} outface eth1 inface eth0
   snat to ${eth2_address} outface eth2 inface eth0

This is more efficient than masquerade (which checks the interface
address for every packet, to accommodate sudden changes in the outside
address).

-- 
Carlos Rodrigues
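The "remove the routing rules before re-adding them" point from the reply above, as an added example that is not part of the original thread: a small sh helper that tears down and recreates the fwmark rule and table on every run, so a firehol restart does not fail on already-existing entries. The mark (1), table (200), gateway (192.168.2.1) and interface (eth2) are the values quoted in the thread; the function names and the IP dry-run variable are assumptions. Since firehol.conf is itself processed by bash, a function like this can be defined and called from it.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent policy-routing setup
# for the fwmark/table approach discussed in the thread. Mark 1, table 200,
# gateway 192.168.2.1 and interface eth2 come from the quoted message; the
# function names and the IP variable are assumptions.

# Set IP="echo ip" to print the commands instead of running them (no root needed).
IP=${IP:-ip}

# Remove any leftover rule/route for this mark and table, then add them again.
# Deleting first avoids "RTNETLINK answers: File exists" errors when firehol
# is restarted and this code runs a second time.
setup_mark_route() {
    mark=$1; table=$2; gw=$3; dev=$4
    $IP rule del fwmark "$mark" table "$table" 2>/dev/null || true
    $IP route flush table "$table" 2>/dev/null || true
    $IP rule add fwmark "$mark" table "$table"
    $IP route add default via "$gw" dev "$dev" table "$table"
}

# Show the rule list and the contents of the table so the result can be
# verified after firehol has started.
check_mark_route() {
    table=$1
    $IP rule show
    $IP route show table "$table"
}
```

Run with `IP="echo ip" sh -c '. ./setup.sh; setup_mark_route 1 200 192.168.2.1 eth2'` to see the commands without touching the routing state.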