Re: DNAT and Load Balancing

Linux Advanced Routing and Traffic Control

I solved this exact problem (with incoming connections on three
different adsl) marking packets on the PREROUTING chain. Obviously with
three different routing tables.

# Interface and mark variables ($E0_IF, $DMZ_IF, $VPN_IF, $IN_IF, $MC_IF, $TI_IF,
# $IN_M, $MC_M, $TI_M) are assumed to be set earlier in the script.
# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces: connections that start on the
# LAN, DMZ or VPN side stay unmarked and use the normal (balanced) routing
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark incoming connections from the external universe with the mark of
# the link they arrived on, and save that mark into the conntrack entry
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark

# restore the saved mark before the ROUTING decision, so reply packets coming
# back from the DMZ carry the mark of the link their connection entered on
# (an "ip rule fwmark" per mark then selects that link's routing table)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# non marked incoming connections (i.e. new ones) need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark



On 3/2/07, Alex Samad <alex@xxxxxxxxxxxx> wrote:
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> On 3/2/07, Tom Lobato <tomlobato@xxxxxxxxx> wrote:
> >
> >
> >    Hi all!
> >
> >
> >    After that good thread "DGD patch not detecting dead gateway" I was
> >able to set up a Load Balancing with ping based DGD (without Julian
> >Anastasov patch). But now I'm facing a new problem and tried some
> >options, with only partial solutions.
> >
> >    I made a script based on
> >http://www.mail-archive.com/lartc@xxxxxxxxxxxxxxx/msg16257.html (Thank
> >you Manish Kathuria), without Julian A. patch, and with routes/rules as
> >described in nano.txt. It works fine, but...
> >
> >    The problem: I do DNAT for internet located people to access my LAN
> >machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't.
> >It appears that the connection from outside can enter, but when reply
> >packets try to get back across the nat machine, they fall into the round
> >robin default route selection to define their gateway. Well, of course,
> >this reply must leave the router via the same interface through which the
> >initial packets entered.
> >
> >
> >    vnc initial
> >request packet      reply that got
> >            \                   wrong route
> >             \                       ^
> >              \                     /
> >              V                  /
> >              isp1 isp2 isp3
> >               _|____|____|__
> >              |                    |
> >              |      dnat      |
> >              |_____________|
> >                        ^
> >                         |
> >                         |
> >                        V
> >              LAN estation, the
> >                  vnc server
> >
> >
> >
> >    What I need is a way to force packets to leave the router via the same
> >interface through which their request entered.
> >    I'd like to hear opinions about the problem (and also solution =).
> >Remember, I can't apply the DGD patch from J.A. because it only checks
> >the first hop for dead detection.
> >    I will appreciate any help.
> >
> >    Thank you,
> >
> >
> >
> >    Tom Lobato
> >
> >
> >_______________________________________________
> >LARTC mailing list
> >LARTC@xxxxxxxxxxxxxxx
> >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
>
> I had overlooked this. I had also faced a similar problem.  There are
> two possible solutions, one is to apply Julian's patches because even

This sounds exactly like my problem, until I applied Julian's patch. I would
suggest giving it a try.

> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> --
> Manish Kathuria
> Tux Technologies
> http://www.tuxtechnologies.co.in/




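The reply at the top of this page shows the CONNMARK half of the setup (mark a new connection by the link it arrived on, save the mark, restore it before routing) but only mentions the "three different routing tables" that consume the mark. The following is an added example, not the poster's script and not code from the LARTC archive, that fills in both halves for a router with three external links that DNATs a VNC port into a DMZ host. The interface names (isp1..isp3, eth0, eth1), gateway addresses, table numbers, marks and the DMZ host address are placeholders to be replaced. By default it only prints the commands it would run (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: per-link connection marking plus per-link routing tables so
# that replies to DNATed connections leave through the link they arrived on.
# Not the poster's script; every name, address, table and mark is a placeholder.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth0}"                        # placeholder: internal LAN
DMZ_IF="${DMZ_IF:-eth1}"                        # placeholder: DMZ side
DMZ_VNC_HOST="${DMZ_VNC_HOST:-192.168.10.5}"    # placeholder DNAT target

# One external link per line: "interface gateway routing-table fwmark".
# Placeholder values; marks must be non-zero and distinct per link.
WAN_LINKS="
isp1 10.0.1.1 101 1
isp2 10.0.2.1 102 2
isp3 10.0.3.1 103 3
"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Call "$1 iface gateway table mark" once per WAN_LINKS entry.
each_link() {
    echo "$WAN_LINKS" | while read -r iface gw table mark; do
        if [ -n "$iface" ]; then "$1" "$iface" "$gw" "$table" "$mark"; fi
    done
}

add_link_mark() {   # $1 iface, $4 mark
    run iptables -t mangle -A wanmark -i "$1" -j MARK --set-mark "$4"
}

setup_marking() {
    run iptables -t mangle -N wanmark
    run iptables -t mangle -F wanmark
    # Connections that start on internal interfaces stay at mark 0 and keep
    # using the main table, i.e. the balanced default route.
    run iptables -t mangle -A wanmark -i "$LAN_IF" -j RETURN
    run iptables -t mangle -A wanmark -i "$DMZ_IF" -j RETURN
    # New connections arriving on a WAN link get that link's mark, and the
    # mark is stored in the conntrack entry for the whole connection.
    each_link add_link_mark
    run iptables -t mangle -A wanmark -j CONNMARK --save-mark
    # Every packet first gets its connection's saved mark back (replies from
    # the DMZ host included); this runs before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Only packets still unmarked, i.e. new connections, visit wanmark.
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -j wanmark
}

add_link_route() {  # $1 iface, $2 gateway, $3 table, $4 mark
    # Each link gets its own table with a single default route through that
    # link, and a rule that sends packets carrying the link's mark to it.
    run ip route replace default via "$2" dev "$1" table "$3"
    run ip rule add fwmark "$4" table "$3" pref "$((1000 + $4))"
}

setup_routing() {
    each_link add_link_route
    run ip route flush cache
}

add_link_dnat() {   # $1 iface: expose the DMZ VNC host on every link.
    # mangle PREROUTING runs before nat PREROUTING, so the mark is already set
    # when the destination is rewritten.
    run iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 5900 \
        -j DNAT --to-destination "$DMZ_VNC_HOST"
}

setup_dnat() {
    each_link add_link_dnat
}

show_state() {      # what to inspect after applying the rules
    run ip rule show
    run iptables -t mangle -L PREROUTING -n -v
}

apply_multiwan_dnat() {
    setup_marking
    setup_routing
    setup_dnat
}

apply_multiwan_dnat
```

The order inside mangle PREROUTING is the important part: the restore comes first and unconditionally, the marking chain only for packets whose mark is still 0, so an established connection is never re-marked by the interface its reply happens to arrive on. The ip rule additions are not idempotent; on a re-run, delete the old fwmark rules (or flush with care) before adding them again. To verify on a live box, compare ip rule show against the marks, and check that a DNATed connection's conntrack entry carries the expected mark (conntrack -L --mark N, from conntrack-tools). Traffic that originates on the LAN still has mark 0 and still follows the main table, so the existing round-robin load balancing is unaffected.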
