RE: multipath routing

Linux Advanced Routing and Traffic Control

<snip>
I have a private lan that is connected to the world via 3 dsl lines.  I put
up a linux box that handles all the dsl lines, lan gateway and all is
working well...until...one of the dsl lines goes down.  My routing table is:

x.x.x.x dev ppp0  proto kernel  scope link  src x.x.x.x
x.x.x.x dev ppp1  proto kernel  scope link  src x.x.x.x
x.x.x.x dev ppp2  proto kernel  scope link  src x.x.x.x
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
255.255.255.0/24 dev eth0  scope link
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default equalize
       nexthop via x.x.x.x  dev ppp0 weight 1
       nexthop via x.x.x.x  dev ppp1 weight 1
       nexthop via x.x.x.x  dev ppp2 weight 1

When one of the dsl lines has trouble (temporarily loses sync, etc), the
kernel takes the entire default route out until the line comes back up.
When the line comes up, it puts a single default route back in instead of
the multipath route.  If I can make it so the multipath route is maintained
even when one of the dsl lines goes down, that would be great.  Is there a
way to have just one of the hops removed from the default multipath while
the line is down and then reinserted back in as a hop in the multipath
route?  Thanks for any input.

-Chris
</snip>


Do you have the stateful firewall settings in your script?

According to nano.txt
http://www.ssi.bg/~ja/nano.txt

"At least for netfilter (not sure for ipfwadm/ipchains), the firewall
must be stateful. This can be done by:

                iptables -t filter -N keep_state
                iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED \
                                 -j ACCEPT
                iptables -t filter -A keep_state -j RETURN

                iptables -t nat -N keep_state
                iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED \
                                 -j ACCEPT
                iptables -t nat -A keep_state -j RETURN

and calling this at the beginning of the script:

                iptables -t nat -A PREROUTING -j keep_state
                iptables -t nat -A POSTROUTING -j keep_state
                iptables -t nat -A OUTPUT -j keep_state
                iptables -t filter -A INPUT -j keep_state
                iptables -t filter -A FORWARD -j keep_state
                iptables -t filter -A OUTPUT -j keep_state
"

/sbin/iptables-save
 
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*nat
:PREROUTING ACCEPT [9983:812849]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:174]
:keep_state - [0:0]
-A PREROUTING -j keep_state
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -j keep_state
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*filter
:INPUT ACCEPT [1020:161876]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [425:33288]
:keep_state - [0:0]
-A INPUT -i lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state INVALID -j DROP
-A INPUT -i ppp+ -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -p tcp -j DROP
-A INPUT -i ppp+ -p udp -j DROP
-A INPUT -i ppp+ -p icmp -j DROP
-A INPUT -j keep_state
-A FORWARD -i ppp+ -o eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth+ -o ppp+ -j ACCEPT
-A FORWARD -j keep_state
-A OUTPUT -o lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
The link you reference (http://www.ssi.bg/~ja/nano.txt) suggests several patches to be applied to the kernel for the routing described to be possible.  I would like to do this, but it is a company box and they want a "standard" installation which basically means no patching for me.  The box is running the most up to date kernel for a RedHat 9.0 install.  Thanks for any input.
 
-Chris

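One way to get the behaviour asked for above without patching the kernel, as an added example that is not from the thread or from nano.txt: a small sh script driven from pppd's ip-up/ip-down hooks that records which PPP links are currently up and rebuilds the multipath default route from that list, so a link that drops takes only its own nexthop with it and gets its nexthop back when it returns. The hook file names, the state-file path and the gateway addresses are assumptions; the `equalize` keyword is kept because it appears in the posted routing table, but newer iproute2 releases do not accept it (set EQUALIZE= to leave it out).

```shell
#!/bin/sh
# Added example: rebuild the multipath default route from the set of PPP links
# that are currently up. Call "link_up IFACE GATEWAY; apply_default_route" from
# /etc/ppp/ip-up.local (pppd passes the interface as $1 and the peer address as
# $5) and "link_down IFACE; apply_default_route" from /etc/ppp/ip-down.local.
# Hook file names and the state-file path are assumptions, not from the thread.

STATE_FILE="${STATE_FILE:-/var/run/multipath-links}"  # one "ifname gateway" line per up link
IP="${IP:-ip}"                                        # set IP=echo for a dry run
EQUALIZE="${EQUALIZE-equalize}"                       # as in the posted table; EQUALIZE= on iproute2 without it

# link_down IFACE: forget a link (no-op if it was never recorded).
link_down() {
    [ -f "$STATE_FILE" ] || return 0
    grep -v "^$1 " "$STATE_FILE" > "$STATE_FILE.tmp" || true   # grep exits 1 when nothing is left
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# link_up IFACE GATEWAY: record a link as up (re-recording replaces the old entry).
link_up() {
    link_down "$1"
    printf '%s %s\n' "$1" "$2" >> "$STATE_FILE"
}

# build_default_route: print the route spec with one nexthop per recorded link;
# exits 1 when no link is up so the caller can remove the default route instead.
build_default_route() {
    [ -s "$STATE_FILE" ] || return 1
    spec="default${EQUALIZE:+ $EQUALIZE}"
    while read -r ifname gw; do
        spec="$spec nexthop via $gw dev $ifname weight 1"
    done < "$STATE_FILE"
    printf '%s\n' "$spec"
}

# apply_default_route: "ip route replace" swaps the old default route for the
# rebuilt one in a single netlink request instead of a separate del and add.
apply_default_route() {
    spec=$(build_default_route) || { $IP route del default 2>/dev/null; return 0; }
    # word splitting of $spec is intended: it carries the route arguments
    $IP route replace $spec
}
```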