On Thursday 22 July 2004 14:17, George Alexandru Dragoi wrote:
> A good thing would be to give a full description of your network
> setup, interfaces and so on, maybe there should be stuff like -s
> 192... -d ! 192../24

Ok .... I have two lines to the internet, each on their own interface on a Debian-based firewall box. Eth0 goes to my cable provider and is set up dynamically, eth1 goes to my ADSL provider on a static IP 64.114.148.101. Also in the firewall box are two additional interface cards - one for a DMZ (eth3, 192.168.1.1) and one for all the regular users (eth2, 192.168.0.1). The DMZ loop only has a single machine on it with IP 192.168.1.2. The firewall is implemented via shorewall, which sets up the various rules for ipchains.

The DMZ box has a postfix mail server on it. All local users send to the server and it then relays the mail out via the firewall box to the outside world.

Is this sufficient information or do you require additional info?

I've been messing around doing some more tests which have me more confused. As mentioned earlier, I mark all packets going to port 25 from the server box with a '1'. I then set up a rule that is inserted right before the 'main' rule to use table adsl whenever a fwmark of '1' is found. Table adsl just has a default gateway via eth1 in it. The 'main' table has a default gw via eth0.

Leaving everything the same and just playing with the test for fwmark '1', if I telnet from the server box to a local ISP port 25 I get either a connection (no fwmark branch) or nothing (fwmark branch). If I switch the default gw in the 'main' table to point to my ADSL provider and telnet from the server box to the ISP I can connect fine. This seems to indicate that the potential link generated with the adsl table 'should' work fine, but of course it doesn't.

Further, playing with the routing cache, it would appear that the fwmark test is actually performing as it should and the port 25 connection is in fact routed via the ADSL line (while having the cable line as default in the 'main' table).

I am now wondering if there is some protocol happening that isn't allowed to proceed correctly ..... when I try to establish a telnet connection on port 25 to the local ISP from the server box, is there anything happening on any other port that has to be re-routed? Could it be that some other part of the protocol goes through a different port, doesn't get the fwmark and actually decides to go out the main default gateway (the cable connection)? My mail DNS entry points to the cable connection BTW .... ... my brain hurts ....

Jens

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
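The setup described in the post (mark TCP/25 from the DMZ host, look up a separate table for marked packets, default route in that table via the ADSL line), written out as a shell script so the individual pieces can be inspected. This is an added example, not Jens's configuration and not what shorewall generates. Interface names and addresses come from the post; the ADSL gateway 64.114.148.1, the table id 100, the rule preference 100, the DMZ-facing interface used in the route check and the SNAT rule are assumptions. Two things worth checking on a multi-homed box that the post does not mention are included: marked packets have to be source-NATed to the address of the interface they actually leave on, and `ip route get ... mark N` lets you ask the kernel which path a marked packet would take without sending traffic.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for outbound SMTP from a DMZ
# host on a dual-WAN Linux router. Addresses/interfaces are from the post;
# ADSL_GW, table id, rule preference, DMZ_IF and the SNAT are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN="${DRY_RUN:-1}"

DMZ_HOST=192.168.1.2        # postfix box in the DMZ (from the post)
DMZ_IF=eth3                 # DMZ-facing interface (from the post)
ADSL_IF=eth1                # static ADSL line (from the post)
ADSL_IP=64.114.148.101      # static address on eth1 (from the post)
ADSL_GW=64.114.148.1        # ASSUMPTION: provider's gateway
ADSL_TABLE=adsl             # table name from the post; needs an entry
ADSL_TABLE_ID=100           #   "100 adsl" in /etc/iproute2/rt_tables
MARK=1                      # fwmark value from the post
RULE_PREF=100               # lower than main (32766), so looked up first

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The packets are forwarded (they originate on the DMZ host, not on the
# router), so the mark has to be set in mangle/PREROUTING; mangle/OUTPUT
# would only see locally generated traffic.
mark_smtp() {
  run iptables -t mangle -A PREROUTING -s "$DMZ_HOST" -p tcp --dport 25 \
      -j MARK --set-mark "$MARK"
}

# Policy rule consulted before 'main', plus the table's only route.
# Flushing the cache matters when rules are changed on a live box: cached
# decisions for existing flows otherwise keep the old path.
route_marked() {
  run ip rule add fwmark "$MARK" lookup "$ADSL_TABLE" pref "$RULE_PREF"
  run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TABLE"
  run ip route flush cache
}

# NAT must follow the routing decision: a packet that leaves eth1 with a
# 192.168.1.x source (because the only MASQUERADE rule is bound to eth0)
# gets no reply, which looks exactly like a dead link from the DMZ host.
nat_for_marked() {
  run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -s "$DMZ_HOST" \
      -j SNAT --to-source "$ADSL_IP"
}

# Ask the kernel which route a marked packet from the DMZ host would take.
# 203.0.113.25 is a documentation address standing in for the ISP's MX.
# 'mark' on 'ip route get' needs a reasonably recent iproute2.
check_route() {
  run ip route get 203.0.113.25 from "$DMZ_HOST" iif "$DMZ_IF" mark "$MARK"
}

# Show the complete rule/route state for review after applying.
show_state() {
  run ip rule show
  run ip route show table "$ADSL_TABLE"
  run iptables -t mangle -L PREROUTING -n -v
  run iptables -t nat -L POSTROUTING -n -v
}

apply_all() {
  mark_smtp
  route_marked
  nat_for_marked
  check_route
}

# Usage: sh policy-smtp.sh apply        (prints commands with DRY_RUN=1)
#        DRY_RUN=0 sh policy-smtp.sh apply   (executes them)
if [ "${1:-}" = apply ]; then
  apply_all
  show_state
fi
```

With `DRY_RUN=1` the script only prints what it would run, so the generated rules can be diffed against what shorewall has installed before anything is changed on the firewall.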