shorewall-users April 2012 archive

Re: [Shorewall-users] How to rigidly lock down routing to specific interfaces

From: Ed W <lists_at_nospam>
Date: Sun Apr 22 2012 - 16:29:45 GMT
To: shorewall-users@lists.sourceforge.net

On 22/04/2012 00:15, Ed W wrote:
> I think I will need to achieve something like:
>
> 0: from all lookup local
> 10000: from all fwmark 0x10000/0xff0000 lookup peth0
> 10007: from all fwmark 0x80000/0xff0000 lookup pppp0
> 10011: from all fwmark 0xc0000/0xff0000 lookup pppp10
> 32000: from all fwmark 0x10000/0xff0000 lookup peth0_kill_it
> 32007: from all fwmark 0x80000/0xff0000 lookup pppp0_kill_it
> 32011: from all fwmark 0xc0000/0xff0000 lookup pppp10_kill_it
>

I'm struggling with this and would be grateful for input.

I tried adding to init:

ip rule add blackhole from all fwmark 0x10000/0xff0000 priority 32000
ip rule add blackhole from all fwmark 0x20000/0xff0000 priority 32000
..etc...

These match my provider marks, so I had thought that the routing match
would try something like:

10000: from all fwmark 0x10000/0xff0000 lookup peth0
then
32000: from all fwmark 0x10000/0xff0000 blackhole

However, either I'm testing incorrectly, or that isn't how the routing
policy table actually works?

Additionally the shorewall enable/disable restore_routing script is
taking down this route, so I would need to investigate better
integration anyway.

Any offers on how to make it so that it's "route via provider X or drop
the packet"?

Thanks

Ed W
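Added example (mine, not from this thread or from Shorewall): a small Python model of how the kernel walks the rule list quoted above, to show when the priority-32000 blackhole is actually reached and what happens to a provider-marked packet when that rule is absent. It assumes standard RPDB semantics: rules are tried in priority order, a `lookup` rule ends evaluation only if its table returns a route, otherwise the next rule is tried, and a `blackhole` rule ends evaluation by dropping the packet; all table contents are constructed sample data.

```python
"""Toy model of Linux policy-routing (RPDB) evaluation.

Assumed semantics: rules are walked by priority; `lookup` terminates only
when its table yields a route; `blackhole` terminates by dropping.
"""
import ipaddress

# Shorewall provider marks live in bits 16-23, hence the 0xff0000 mask.
MARK_MASK = 0xFF0000

# (priority, fwmark value or None, action, table): the layout from the post,
# plus the kernel's default main-table rule at 32766.
RULES = [
    (0,     None,    "lookup",    "local"),
    (10000, 0x10000, "lookup",    "peth0"),
    (10007, 0x80000, "lookup",    "pppp0"),
    (32000, 0x10000, "blackhole", None),
    (32007, 0x80000, "blackhole", None),
    (32766, None,    "lookup",    "main"),
]

def lookup(table, dst, tables):
    """Longest-prefix match of dst in one table; None when nothing matches."""
    best = None
    for prefix, dev in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(mark, dst, tables, rules=RULES):
    """Walk the RPDB; return the egress device, 'DROP' or 'UNREACHABLE'."""
    dst = ipaddress.ip_address(dst)
    for _prio, fwmark, action, table in sorted(rules, key=lambda r: r[0]):
        if fwmark is not None and (mark & MARK_MASK) != fwmark:
            continue                # rule selector does not match this packet
        if action == "blackhole":
            return "DROP"           # terminal: packet is discarded
        dev = lookup(table, dst, tables)
        if dev is not None:
            return dev              # table answered: evaluation stops here
    return "UNREACHABLE"            # fell off the end of the rule list

# Constructed tables: provider peth0 up; main holds a default via eth1.
UP = {"peth0": [("0.0.0.0/0", "peth0")], "main": [("0.0.0.0/0", "eth1")]}
# The same host after the provider's table has been flushed (provider down).
DOWN = {"peth0": [], "main": [("0.0.0.0/0", "eth1")]}
```

With `UP`, a packet marked 0x10000 leaves via peth0 and the 32000 rule is never consulted; with `DOWN`, the 10000 lookup fails, evaluation reaches 32000 and the packet is dropped, whereas without the blackhole rule it would fall through to `main` and leak out via eth1.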
