Multiple ISP Loadbalancing..

Linux Advanced Routing and Traffic Control


 



This follows on from my previous mail.


My routing script:

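# Policy routing for two uplinks plus the LAN. Three tables are used in
# addition to the main table; a rule selects the table by source (or,
# for the LAN, destination) address, so replies leave through the same
# ISP the connection arrived on.
#
# Addresses are kept in one place so the rules, the per-table routes
# and the ECMP default cannot drift apart. The earlier version of this
# script routed table 20 "via" the router's own Hathway address instead
# of the Hathway gateway, gave tables 20 and 30 the same rule
# preference, and omitted the "add" verb that "ip rule" requires.

LAN_NET=192.168.12.0/28
LAN_NIC=eth0

# ISP Hathway on eth2.
HATHWAY_NET=202.88.172.0/24
HATHWAY_NIC=eth2
HATHWAY_IP=202.88.172.84
HATHWAY_GW=202.88.172.1

# ISP ADSL (PPPoE modem) on eth1.
# NOTE(review): the original comment listed the local address as
# 192.168.13.1 and the gateway as 192.168.13.2, but every command used
# them the other way round; the values below keep what the commands
# did. Confirm against the modem before relying on this.
ADSL_NET=192.168.13.0/24
ADSL_NIC=eth1
ADSL_IP=192.168.13.2
ADSL_GW=192.168.13.1

# Table 10: the private LAN behind the gateway. Put first to get it
# out of the way.
ip rule add pref 10 to "$LAN_NET" table 10
ip route add "$LAN_NET" table 10 dev "$LAN_NIC"

# Main table: a direct route to each uplink's subnet. These go in
# before the per-table defaults, because the kernel rejects a default
# route whose gateway it cannot reach.
ip route add "$ADSL_NET" dev "$ADSL_NIC"
ip route add "$HATHWAY_NET" dev "$HATHWAY_NIC"

# Table 20: traffic originating from the Hathway address leaves via the
# Hathway gateway.
ip rule add pref 20 from "$HATHWAY_IP" table 20
ip route add default table 20 via "$HATHWAY_GW"

# Table 30: likewise for the ADSL address. A distinct preference keeps
# the two rules separately listable and deletable.
ip rule add pref 30 from "$ADSL_IP" table 30
ip route add default table 30 via "$ADSL_GW"

# Main table default: ECMP spreads new connections across the two
# upstream routers.
ip route add default \
  nexthop via "$HATHWAY_GW" \
  nexthop via "$ADSL_GW"

# IMPORTANT: none of the commands above flush the route cache; cached
# decisions from the old configuration would otherwise keep being used.
# Re-running this script adds duplicate rules; delete them first.
ip route flush cache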


My iptables script:
==================
#!/bin/sh
# iptables script generator: V0.1-2002
#
# Usage:  script       load modules, flush the chains, install the rules
#         script -F    flush the chains only
#
# Forwarding is switched off while the tables are being rebuilt; it is
# switched on again inside IpRuleSet once the rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Site settings.
LAN_NIC='eth0'
# host/netmask form; iptables applies the mask, so this is the /24
LAN_IP_NET='192.168.1.1/255.255.255.0'
WAN_NIC='eth1'
# placeholder as posted; neither WAN_* value is referenced below
WAN_IP='203.1.1.xx'
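##
# LoadModuls - load the netfilter modules the rule set depends on.
#
# modprobe replaces insmod: it resolves module names and pulls in
# dependencies (ip_tables, ip_conntrack), which is why the commented-out
# insmod lines for those are no longer needed, and an already-loaded
# module is not an error for it, whereas insmod fails on one. The
# duplicate iptable_nat entry is gone. Failures are reported on stderr
# but do not abort, matching the previous best-effort behaviour.
LoadModuls()
{
  for mod in iptable_filter iptable_nat ipt_MASQUERADE ipt_REJECT \
             ipt_limit ipt_state ipt_unclean; do
    modprobe "$mod" || echo "LoadModuls: could not load $mod" >&2
  done
}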

##
# FlushTable - empty every chain this script populates and set the
# default policies: nothing in, nothing through, anything out.
#
# Invoked on its own by "-F". The DROP policies stay in force with the
# chains empty, so the router accepts nothing until IpRuleSet runs.
FlushTable()
{
  for chain in POSTROUTING PREROUTING OUTPUT; do
    iptables -t nat -F "$chain"
  done
  iptables -F
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
}
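##
# IpRuleSet - install the NAT, FORWARD, INPUT and OUTPUT rules.
#
# Expects FlushTable to have run (empty chains, INPUT/FORWARD policy
# DROP) and reads LAN_NIC / LAN_IP_NET from the top of the script. The
# two uplinks are eth1 and eth2, as in the routing script.
#
# iptables evaluates rules top to bottom and the first match wins, so
# every DROP below sits before the ACCEPT that would otherwise swallow
# it. The previous version accepted "--state NEW" on every eth
# interface ahead of most INPUT DROP rules, which made the service
# list, the ICMP limits, the TCP-flag checks and the final DROP
# unreachable for traffic arriving from the uplinks.
IpRuleSet()
{
  # ---- NAT: masquerade traffic leaving on either uplink ----
  for nic in eth1 eth2; do
    iptables -t nat -A POSTROUTING -o "$nic" -j MASQUERADE
  done

  # ---- FORWARD (LAN <-> uplinks) ----
  # Replies to connections opened from the LAN.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New connections from the LAN.
  # NOTE(review): LAN_IP_NET is 192.168.1.0/24 here, but the routing
  # script puts the LAN on 192.168.12.0/28 - confirm which is right.
  iptables -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
  # LAN out to either uplink. The -i restriction is what stops the box
  # relaying between the two ISPs: the old "-o eth1 -j ACCEPT" rules
  # forwarded packets arriving on any interface.
  for nic in eth1 eth2; do
    iptables -A FORWARD -i "$LAN_NIC" -o "$nic" -j ACCEPT
  done

  # ---- INPUT (traffic addressed to the router itself) ----
  # Services closed on every interface, LAN and loopback included, as
  # before (these rules used to be listed twice).
  for port in 2049 515 111; do
    iptables -A INPUT -p tcp --dport "$port" -j DROP
    iptables -A INPUT -p udp --dport "$port" -j DROP
  done
  iptables -A INPUT -p tcp --dport 6000:6009 -j DROP
  iptables -A INPUT -p tcp --dport 7100 -j DROP

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$LAN_NIC" -j ACCEPT

  # Addresses that must never appear as a source on an uplink (the
  # old list covered eth1 only; eth2 is an uplink too).
  for nic in eth1 eth2; do
    for src in 66.14.136.144/32 66.14.136.145/32 66.14.136.146/32 \
               66.14.136.147/32 66.14.136.148/32 \
               192.168.0.0/24 127.0.0.0/8; do
      iptables -A INPUT -i "$nic" -s "$src" -j DROP
    done
  done

  # Impossible TCP flag combinations.
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # NetBIOS name-service chatter.
  iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP

  # Replies to connections the router itself opened. This also covers
  # DNS answers to its own queries, so the old "-p udp --sport 53
  # -j ACCEPT" rule is gone: it let any packet in that merely used
  # source port 53.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # ICMP: echo-reply, unreachable and time-exceeded pass, echo-request
  # is rate limited, everything else is dropped.
  iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  iptables -A INPUT -p icmp -j DROP

  # Services offered by the router.
  # NOTE(review): no -i restriction, so these are reachable from both
  # uplinks as well as the LAN; add "-i $LAN_NIC" to any that should
  # be LAN-only.
  for port in 25 22 2525 24; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

  # Everything else addressed to the router is dropped. The policy is
  # DROP too; the explicit rule makes the count visible in -L -v.
  iptables -A INPUT -j DROP

  # ---- OUTPUT (the router's own traffic) ----
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # New connections are allowed freely except on eth1, where the list
  # below applies. "! -o eth1" replaces the deprecated intrapositioned
  # "-o ! eth1" spelling.
  # NOTE(review): eth2 is matched by this rule, so the egress list
  # below never sees eth2 traffic; extend both if the second uplink
  # should be filtered the same way.
  iptables -A OUTPUT ! -o eth1 -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -m state --state INVALID -j DROP
  for port in 31337 31335 20034 137:139 1433 5432 5999 6063 \
              5900:5910 5010 5000:5001 5100; do
    iptables -A OUTPUT -o eth1 -p tcp --dport "$port" -j DROP
  done
  iptables -A OUTPUT -o eth1 -p udp --dport 5000:5010 -j DROP

  # Forwarding was switched off at the top of the script; turn it on
  # only now that the rules are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward
}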

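# Entry point. No argument: full rebuild. -F: flush only. Anything
# else prints usage and exits non-zero instead of silently doing
# nothing, as it did before.
case "$1" in
  "")
    LoadModuls
    FlushTable
    IpRuleSet
    ;;
  -F)
    # FlushTable leaves the INPUT and FORWARD policies at DROP, so
    # after "-F" the router answers nothing until the rules are
    # reinstalled. Run this from the console, not over the network.
    FlushTable
    ;;
  *)
    echo "usage: $0 [-F]" >&2
    exit 1
    ;;
esac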




