| Main Archive Page > Month Archives > shorewall-users archives |
Re: [Shorewall-users] How to rigidly lock down routing to specific interfaces
From: Ed W <lists_at_nospam>Date: Sun Apr 22 2012 - 16:29:45 GMT
To: shorewall-users@lists.sourceforge.net
On 22/04/2012 00:15, Ed W wrote:
> I think I will need to achieve something like:
>
> 0: from all lookup local
> 10000: from all fwmark 0x10000/0xff0000 lookup peth0
> 10007: from all fwmark 0x80000/0xff0000 lookup pppp0
> 10011: from all fwmark 0xc0000/0xff0000 lookup pppp10
> 32000: from all fwmark 0x10000/0xff0000 lookup peth0_kill_it
> 32007: from all fwmark 0x80000/0xff0000 lookup pppp0_kill_it
> 32011: from all fwmark 0xc0000/0xff0000 lookup pppp10_kill_it
>
I'm struggling with this - would be grateful for input
I tried adding to init:
ip rule add blackhole from all fwmark 0x10000/0xff0000 priority 32000
ip rule add blackhole from all fwmark 0x20000/0xff0000 priority 32000
..etc...
These match my provider marks, so I had thought that the routing match
would try something like:
10000: from all fwmark 0x10000/0xff0000 lookup peth0
then
32000: from all fwmark 0x10000/0xff0000 blackhole
However, either I'm testing incorrectly, or that isn't how the routing
policy table actually works?
Additionally the shorewall enable/disable restore_routing script is
taking down this route, so I would need to investigate better
integration anyway.
Any offers on how to make it so that it's "route via provider X or drop
the packet"?
Thanks
Ed W
------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users