Re: load balanced between tunnel VPN and an Normal Link Internet


 



On Sun, 2011-04-10 at 15:55 -0300, Usuário do Sistema wrote:
> Hello everyone, I'm new on this mailing list and I would like to receive help
> with my problem...
> 

Welcome.

> 
> I have a firewall (built with fwbuilder on Red Hat 5.6) in my branch office
> connected to my head office by OpenVPN. I have a problem when traffic
> is destined to port 80 from my branch office to my head
> office.
> 
> My branch office firewall has 3 Ethernet devices:
> 
> eth0 - inside network 192.100.100.0/24
> eth1 - wan 1 VPN
> eth2 - wan 2 only for Internet Traffic
> 
> I'm marking all traffic for port 80 to go out on WAN 2 (eth2).

Why are you doing this? The default route should do this for you.

> But
> it's a problem because when a user tries to access a service on
> port 80 in my head office, it doesn't work!
> 
> The firewall sends the traffic from the inside network to my head office
> out eth2 instead of the VPN when the destination is port 80. I've tried to solve
> this with the rules below, but it doesn't work; the same problem occurs.
> 
> My head office inside network is 128.2.0.0/16, where I have my web
> servers on port 80.
> 
> Rules created on the branch office firewall:
> 
> /sbin/iptables -t mangle -A PREROUTING ! -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
> ip rule del fwmark 1
> ip route flush table internet
> ip rule add fwmark 1 table internet prio 20
> ip route add default via 200.108.139.1 table internet   # this gateway is on eth2
> ip route flush cache

You shouldn't need to do any of the above. If you had your routing
tables correct, then any traffic for your head office network should go
out on the VPN (eth1) and all other traffic (default) should go out on
eth2.

> Part of my main routing table:
> 
> 128.2.0.0       192.168.200.101 255.255.0.0     UG    0      0        0 tun0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth3
> 0.0.0.0         190.128.173.97  0.0.0.0         UG    0      0        0 eth1   (this is my VPN)
> 

I think it would help if you could post a diagram of your setup (with
IP addresses) and your full routing table. I don't fully understand that
table above. For example, what is 192.168.200.101, what is eth3, and
what is 190.128.173.97? I assume that 200.108.139.1 is your public IP
address?

> 
> Any tips? I wish that packets from the inside network 192.100.100.0/24 to
> 128.2.0.0/16 port 80 would go out via tun0 instead of eth2.

Surely you want *any* traffic to 128.2.0.0/16 to go to tun0?

Andy
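As an added illustration (not code from the thread, and not a diagnosis of the poster's box), here is a small Python model of the routing policy database lookup that the quoted `ip rule` / `ip route` commands set up. The prefixes, gateways and interface names are taken from the quoted message; the destination 203.0.113.10 is a constructed sample address. The `mode` argument switches between the MARK rule with the `! -d 128.2.0.0/16` exclusion, the same rule without it, and no MARK rule at all (the routing-only setup the reply suggests). The point it makes is that a packet carrying fwmark 1 is resolved by the `internet` table at priority 20 and never reaches `main`, so the `128.2.0.0/16 -> tun0` route only helps if head-office traffic is left unmarked. The lookup is simplified: no `local` table, no source selectors, no route cache and no connection-tracking interaction.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Head office inside network, from the quoted post.
HEAD_OFFICE = ipaddress.ip_network("128.2.0.0/16")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None  # None = rule has no fwmark selector


# Tables reconstructed from the quoted "main" table and the
# "ip route add default via 200.108.139.1 table internet" command.
TABLES = {
    "main": [
        Route(ipaddress.ip_network("128.2.0.0/16"), "tun0", "192.168.200.101"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", "190.128.173.97"),
    ],
    "internet": [
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth2", "200.108.139.1"),
    ],
}

# "ip rule add fwmark 1 table internet prio 20"; the main table is consulted
# at the kernel's default priority 32766.
RULES = [Rule(20, "internet", fwmark=1), Rule(32766, "main")]


def mark_packet(dst: str, dport: int, mode: str) -> int:
    """Model of the mangle PREROUTING MARK rule; returns the fwmark (0 = unmarked).

    mode: "none"    -> no MARK rule (rely on the routing table alone)
          "all"     -> -p tcp --dport 80 -j MARK --set-mark 1
          "exclude" -> ! -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
    """
    if mode == "none" or dport != 80:
        return 0
    if mode == "exclude" and ipaddress.ip_address(dst) in HEAD_OFFICE:
        return 0
    return 1


def lookup_table(table: str, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in TABLES[table]:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(dst: str, dport: int, mode: str = "exclude") -> str:
    """Walk the rules in priority order; the first rule whose selector matches
    and whose table holds a route for dst decides the outgoing interface.
    A bare default route in an early table therefore shadows the more
    specific 128.2.0.0/16 route that exists only in main."""
    mark = mark_packet(dst, dport, mode)
    for rule in sorted(RULES, key=lambda r: r.prio):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        r = lookup_table(rule.table, dst)
        if r is not None:
            return r.dev
    raise RuntimeError("no route to host")


if __name__ == "__main__":
    # 203.0.113.10 is a constructed sample Internet destination (TEST-NET-3).
    for mode in ("all", "exclude", "none"):
        for dst, dport in (("128.2.10.5", 80), ("128.2.10.5", 443), ("203.0.113.10", 80)):
            print(f"{mode:8s} {dst}:{dport:<4d} -> {egress(dst, dport, mode)}")
```

With mode "all", head-office web traffic leaves on eth2, which is exactly the symptom described; with "exclude" it is left unmarked and takes the tun0 route from `main`, while port-80 traffic to everything else still goes to eth2. With no MARK rule at all, only the default route decides where non-head-office traffic goes.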


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

