Sorry, it appears that the list manager cut off the attached file. Here are the commands:

===BEGIN===
# remove the rules, tables and chains of a previous run
/sbin/ip rule del prio 50 table main
/sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule del prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule del prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip rule del prio 200 table 200
/sbin/ip route flush table 150
/sbin/ip route flush table 151
/sbin/ip route flush table 200
/sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE
/sbin/iptables -t mangle -X MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
/sbin/iptables -t mangle -F MARCAR_IFACE_OUT
/sbin/iptables -t mangle -X MARCAR_IFACE_OUT
# mangle chains: restore the connection mark, leave if a link is already chosen
/sbin/iptables -t mangle -N MARCAR_IFACE
/sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -N MARCAR_IFACE_OUT
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark 0x0000/0xf000 -j RETURN
# NEW connections get the bit of the bridge port they use (0x8000 = eth1, 0x4000 = eth3)
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth3 -m state --state NEW -j MARK --or-mark 0x4000
# save the mark into conntrack and hook the chains first in PREROUTING/POSTROUTING
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
/sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
/sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
# routing: main first, then one table per link selected by fwmark or source, then the balanced default
/sbin/ip rule add prio 50 table main
/sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule add prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip route add default via ga1.gb1.gc1.gd1 dev wan0 src a1.b1.c1.d1 proto static table 150
/sbin/ip route append prohibit default table 150 metric 1 proto static
/sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule add prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip route add default via ga2.gb2.gc2.gd2 dev wan0 src a2.b2.c2.d2 proto static table 151
/sbin/ip route append prohibit default table 151 metric 1 proto static
/sbin/ip rule add prio 200 table 200
/sbin/ip route add default table 200 proto static nexthop via ga1.gb1.gc1.gd1 dev wan0 weight 1 nexthop via ga2.gb2.gc2.gd2 dev wan0 weight 1
/sbin/ip route flush cache
===END===

Regards

On Fri, 2 March 2007, 9:43, ArcosCom Linux User wrote:
> In the file "comandos.log" you can see how I implement the "load
> balancing".
>
> The explanation is:
> 1) Add more filters to routing decisions that depending on fwmark value
> of packets use one or another link to send the packet.
> 2) In PREROUTING mark the connection to know the "incoming" iface and
> keep that into conntrack table.
> 3) In POSTROUTING the same, to allow outgoing packages select the same
> interface.
>
> In my configuration wan0 is a bridge (without STP) that links all the WAN
> interfaces and I make aliases for all, that is why you can see the
> "physdev" match used, but if you don't use a bridge, you can replace the
> wan0 and bridge selection by only your wan ifaces.
>
> With this configuration, I expect these:
> 1) Allow UPnP work fine (appears to be working for now).
> 2) Allow the correct incoming DNAT work fine.
> 3) Allow the correct outgoing connections tracks fine.
> 4) Allow only 1 iptables rules if I need DNAT to one machine from any
> wan iface (very useful for p2p programs).
>
> You can see, too, that I use masks with marks, that is because I use
> another marks to allow traffic control (with other marks).
>
> I'm testing this configuration for two days now, and appears to be working
> fine.
>
> Last note: This file is not my real script, my real script parse one
> config file where I define all my wan ifaces, my real script generates
> this files to allow me debug the command execution results, order, output,
> etc...
>
> Regards
>
> On Fri, 2 March 2007, 2:52, Manish Kathuria wrote:
>> On 3/2/07, Tom Lobato <tomlobato@xxxxxxxxx> wrote:
>>>
>>> Hi all!
>>>
>>> After that good thread "DGD patch not detecting dead gateway" I was
>>> able to set up a Load Balancing with ping based DGD (without Julian
>>> Anastasov patch). But now I'm facing a new problem and tried some
>>> options, with only partial solutions.
>>>
>>> I made a script based on
>>> http://www.mail-archive.com/lartc@xxxxxxxxxxxxxxx/msg16257.html (Thank
>>> you Manish Kathuria), without Julian A. patch, and with routes/rules as
>>> described in nano.txt. It works fine, but...
>>>
>>> The problem: I do DNAT for internet located people to access my LAN
>>> machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't work.
>>> It appears that the connection from outside can enter, but when reply
>>> packets try to get back across nat machine, it falls into the round
>>> robin default route selection to define its gateway. Well, of course,
>>> this reply must leave the router via the same interface whose initial
>>> packets entered.
>>>
>>>   vnc initial
>>>   request packet            reply that got
>>>    \                        wrong route
>>>     \                        ^
>>>      \                      /
>>>       V                    /
>>>     isp1      isp2      isp3
>>>     __|_________|_________|__
>>>    |                         |
>>>    |          dnat           |
>>>    |_________________________|
>>>                ^
>>>                |
>>>                |
>>>                V
>>>     LAN station, the
>>>     vnc server
>>>
>>> What I need is a way to force packets leave the router via the same
>>> interface its request entered through.
>>> I'd like to hear opinions about the problem (and also solution =).
>>> Remember, I can't apply the DGD patch from J.A. because it only checks
>>> the first hop for dead detection.
>>> I will appreciate any help.
>>>
>>> Thank you,
>>>
>>> Tom Lobato
>>>
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@xxxxxxxxxxxxxxx
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>
>> I had overlooked this. I had also faced a similar problem. There are
>> two possible solutions, one is to apply Julian's patches because even
>> though you are not using the patches for DGD, they do help in making
>> NAT processing with multiple gateways work properly. The other option
>> is to mark the packets using CONNTRACK. There was a good discussion on
>> this topic some days back. You can check the thread using the
>> following links to the archives:
>>
>> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
>> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>>
>> --
>> Manish Kathuria
>> Tux Technologies
>> http://www.tuxtechnologies.co.in/
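The following is an added Python model of the mechanism the thread describes (CONNMARK restore/save in the mangle chains, masked fwmark rules, one table per link with a prohibit fallback, and a multipath default). It is not the poster's script and runs nothing against a kernel: the chain logic, the rule walk and the tables are re-implemented in plain Python so the decision each packet would get can be checked offline. Everything not in the thread is an assumption: the RFC 5737 subnets stand in for the a1.b1.c1.d1/26 and a2.b2.c2.d2/24 placeholders, the LAN is 10.0.0.0/24, the gateways are labelled gw1/gw2, --restore-mark is modelled as a full overwrite of the packet mark, the multipath route is assumed to pick its first nexthop, and the 0x0010 tc bit stands for a mark some other chain has stored in the connmark.

```python
"""Model of the CONNMARK + fwmark scheme from the thread: which WAN link a connection
is bound to, and which routing table its reply packets therefore hit."""
import ipaddress

IFACE_MASK = 0xF000        # mark bits reserved for the link; the low bits stay free for tc marks
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed LAN, reachable through table main only

# Assumed stand-ins for the thread's a1.b1.c1.d1/26 and a2.b2.c2.d2/24 placeholders.
WAN = {
    "eth1": dict(bit=0x8000, table=150, prio=100, net=ipaddress.ip_network("198.51.100.0/26"), gw="gw1"),
    "eth3": dict(bit=0x4000, table=151, prio=101, net=ipaddress.ip_network("192.0.2.0/24"), gw="gw2"),
}


def build_tables(dead=(), prohibit=True):
    """Routing tables as ordered (prefix, action) rows; links in `dead` have their gateway withdrawn."""
    tables = {"main": [(LAN, ("dev", "lan0"))],
              200: [(ANY, ("multipath", [w["gw"] for w in WAN.values()]))]}
    for iface, w in WAN.items():
        rows = [] if iface in dead else [(ANY, ("via", w["gw"]))]
        if prohibit:                              # 'ip route append prohibit default ... metric 1'
            rows.append((ANY, ("prohibit", None)))
        tables[w["table"]] = rows
    return tables


def rules():
    """The 'ip rule' list in priority order: (prio, match(mark, src), table)."""
    r = [(50, lambda m, s: True, "main"), (200, lambda m, s: True, 200)]
    for w in WAN.values():
        r.append((w["prio"], lambda m, s, b=w["bit"]: (m & IFACE_MASK) == b, w["table"]))  # fwmark X/0xf000
        r.append((w["table"], lambda m, s, n=w["net"]: s in n, w["table"]))               # from <net>
    return sorted(r, key=lambda x: x[0])


def route(mark, src, dst, tables):
    """Policy routing decision: the first rule whose table holds a route for dst wins;
    an empty or non-matching table falls through to the next rule, a prohibit row does not."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, match, table in rules():
        if match(mark, src):
            for prefix, action in tables[table]:
                if dst in prefix:
                    return action   # ('via', gw) | ('multipath', [...]) | ('prohibit', None) | ('dev', x)
    return ("unreachable", None)


class Conn:
    """The conntrack entry: the only state the scheme needs to survive between packets."""
    def __init__(self):
        self.connmark = 0


def marcar_iface(conn, physdev, new):
    """MARCAR_IFACE (PREROUTING) and MARCAR_IFACE_OUT (POSTROUTING) share this logic.
    physdev is the wan0 bridge port the packet crossed (None for LAN-side packets);
    new is True for the first packet of the connection (-m state --state NEW)."""
    mark = conn.connmark                       # CONNMARK --restore-mark (assumed full overwrite)
    if mark & IFACE_MASK:                      # -m mark ! --mark 0x0/0xf000 -j RETURN: link already bound
        return mark
    if physdev in WAN and new:                 # NEW on a WAN port: claim that link's bit
        mark |= WAN[physdev]["bit"]            # --or-mark leaves the other bits untouched
    conn.connmark = mark                       # CONNMARK --save-mark
    return mark


def inbound_dnat(tables, port="eth1"):
    """Internet client -> DNAT'd LAN host via bridge port `port`; returns (connmark, reply route).
    The reply is routed with the LAN host's own source address (reverse NAT happens later),
    so only the restored fwmark can steer it back out of the right link."""
    conn = Conn()
    marcar_iface(conn, port, new=True)               # SYN: PREROUTING, physdev-in = port, then DNAT
    conn.connmark |= 0x0010                          # assumed: a separate tc chain stores its own low bit
    reply_mark = marcar_iface(conn, None, new=False) # LAN host's SYN/ACK: PREROUTING on the LAN side
    return conn.connmark, route(reply_mark, "10.0.0.5", "203.0.113.7", tables)


def outbound_from_lan(tables):
    """LAN host opens a new connection; returns (multipath choice, connmark, route for the ISP reply)."""
    conn = Conn()
    mark = marcar_iface(conn, None, new=True)                # PREROUTING on the LAN side: nothing to bind yet
    chosen = route(mark, "10.0.0.5", "203.0.113.7", tables)  # table 200 multipath decides the link
    port = next(i for i, w in WAN.items() if w["gw"] == chosen[1][0])  # assume the first nexthop was taken
    marcar_iface(conn, port, new=True)                       # POSTROUTING: physdev-out = port, bind the link
    reply_mark = marcar_iface(conn, port, new=False)         # ISP reply comes back in on the same port
    return chosen, conn.connmark, route(reply_mark, "203.0.113.7", "10.0.0.5", tables)


if __name__ == "__main__":
    print("inbound via eth1:", inbound_dnat(build_tables()))
    print("inbound via eth3:", inbound_dnat(build_tables(), "eth3"))
    print("outbound from LAN:", outbound_from_lan(build_tables()))
    print("eth1 gateway withdrawn:", route(0x8000, "10.0.0.5", "203.0.113.7", build_tables(dead=("eth1",))))
    print("same, without prohibit:", route(0x8000, "10.0.0.5", "203.0.113.7",
                                           build_tables(dead=("eth1",), prohibit=False)))
```

The last two lookups show what the `prohibit default` rows buy: with the eth1 gateway withdrawn, a connection bound to 0x8000 gets a prohibit result instead of falling through to table 200 and leaving via the other ISP with a source address that link will not accept. The masked checks (`0x8010 & 0xf000`) show why the extra tc bit in the low nibble does not disturb link selection.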