[LARTC] RE: multiple gateways

Linux Advanced Routing and Traffic Control

hello,

  i noticed that the issue of multiple gateways has been a hot topic for the
last few months.  i have some questions that hopefully someone can shed some
light on.  i currently have two cable modems and they do not load balance.
a simple cron job checks for ISP gateway availability and issues route
replace commands accordingly (e.g. "ip route replace default via 10.1.1.1 dev
eth1")

here is a picture:

  -------                          -------
  |cable|                          |cable|
  |modem|                          |modem|
  |ISP#1|                          |ISP#2|
  -------                          -------
     |                                |
     |eth0                            |eth0
  ----------                      ----------
  | linux  |                      | linux  |
  |FIREWALL|                      |FIREWALL|
  ----------                      ----------
     |eth1                           |eth1
     |10.1.1.1                       |10.2.2.1
     \                              /
      \                            /
       \                          /
        \ eth1                   / eth2
         \10.1.1.2              /10.2.2.2
          ----------------------
          |     linux          |
          |     ROUTER         |
          ----------------------
           /          |         \
10.0.0.0/24     10.3.3.0/24     10.4.4.0/24
eth0               eth3             eth4

my questions are:
  1) i use the SMTP of ISP#1.  when ISP#1 link goes down, ISP#2 becomes def
gateway until it goes down.  how can i mangle packets destined for
smtp.isp.com:25 at router to always use interface #1, or drop.  (unless
anyone knows of a free, relaying smtp out there...)

  2) since load balancing seems to be really difficult, what about mangling
so all outbound goes out ISP#2 and all inbound comes in ISP#1.... is this
feasible?

  3) i know a lot of people are working on this.... any leads as to where
the latest developments are?  or is this the best place to listen in?

  4) if anyone wants to comment on the functionality of my tables, i'd be
happy to hear it (especially any security holes!).

here are my configs:
ROUTER:
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -i eth+ -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -i eth3 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -i eth4 -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -j LOG --log-level debug --log-prefix "FIREWALL: Input: "
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -j ACCEPT
/sbin/iptables -A FORWARD -i eth3 -j ACCEPT
/sbin/iptables -A FORWARD -i eth4 -j ACCEPT
/sbin/iptables -A FORWARD -o eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o eth+ -j LOG --log-level debug --log-prefix "FIREWALL: Forward-Out: "
/sbin/iptables -A FORWARD -i eth+ -j LOG --log-level debug --log-prefix "FIREWALL: Forward-In: "
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

FIREWALLS:
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -i eth+ -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "FIREWALL: Input: "
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth+ -j LOG --log-level debug --log-prefix "FIREWALL: For-In: Spoof: "
/sbin/iptables -A FORWARD -o eth+ -j LOG --log-level debug --log-prefix "FIREWALL: For-Out: Spoof: "
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


thanks in advance,
fernando pando
unix administrator
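An added example (not part of the original post) of one way to answer question 1 on the ROUTER: mark port-25 traffic in the mangle table, send marked packets to a dedicated routing table that only knows the ISP#1 path (10.1.1.1 via eth1 from the diagram), and keep a low-priority blackhole in that table so that when the cron job pulls the ISP#1 route the mail traffic is dropped instead of falling through to ISP#2. Table number 100, mark 0x19, the hook names and the SMTP_HOST placeholder address are assumptions; the real address smtp.isp.com resolves to must be substituted, since iptables resolves a hostname only once, at rule insertion.

```shell
#!/bin/sh
# Added example: pin outbound SMTP to the ISP#1 path on the ROUTER, or drop it.
# Assumptions (not from the original post): table 100, fwmark 0x19, the hook
# names below, and SMTP_HOST as a placeholder for the smtp.isp.com address.
set -eu

SMTP_HOST="${SMTP_HOST:-192.0.2.25}"   # placeholder (TEST-NET-1); use the real server IP
SMTP_TABLE=100                         # assumed policy-routing table number
SMTP_MARK=0x19                         # assumed fwmark (0x19 = 25, mnemonic for port 25)
ISP1_GW=10.1.1.1                       # FIREWALL #1 inner address, from the diagram
ISP1_IF=eth1                           # ROUTER interface towards FIREWALL #1

# run: execute the command, or only print it when DRY_RUN is set (lets the
# rules be reviewed before they are applied).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Hooks for the existing cron job to call when it detects ISP#1 up or down,
# alongside its "ip route replace default ..." on the main table.
smtp_policy_isp1_up() {
  run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" metric 10 table "$SMTP_TABLE"
  run ip route flush cache
}
smtp_policy_isp1_down() {
  run ip route del default via "$ISP1_GW" dev "$ISP1_IF" metric 10 table "$SMTP_TABLE"
  run ip route flush cache
}

# smtp_policy_setup: one-time install of the mark, the rule and the blackhole.
smtp_policy_setup() {
  # Mark forwarded (PREROUTING) and locally generated (OUTPUT) SMTP traffic
  # before the routing decision is made.
  run /sbin/iptables -t mangle -A PREROUTING -p tcp -d "$SMTP_HOST" --dport 25 -j MARK --set-mark "$SMTP_MARK"
  run /sbin/iptables -t mangle -A OUTPUT -p tcp -d "$SMTP_HOST" --dport 25 -j MARK --set-mark "$SMTP_MARK"
  # Marked packets consult table 100 ahead of the main table.
  run ip rule add fwmark "$SMTP_MARK" lookup "$SMTP_TABLE" prio 100
  # Worse-metric blackhole: when the ISP#1 route is absent the lookup still
  # matches here, so marked traffic is dropped rather than sent via ISP#2.
  run ip route add blackhole default metric 1000 table "$SMTP_TABLE"
  smtp_policy_isp1_up
}

case "${1:-}" in
  setup) smtp_policy_setup ;;
  up)    smtp_policy_isp1_up ;;
  down)  smtp_policy_isp1_down ;;
esac
```

Run with `DRY_RUN=1 sh smtp-policy.sh setup` to print the rules without applying them; the existing MASQUERADE on eth1 already handles the return path for the marked connections.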
