Re: Load Balance and SNAT problem.

Linux Advanced Routing and Traffic Control

John Chang wrote:

I am developing a load-balancing router, but I have a question about failover.
The following diagram shows my test environment and scripts.
-------------------------------------------------------------------
Environment Setting

PC1 (192.168.10.2)
          |
        (LAN)
          |
PC2-eth2 (192.168.10.1)
          +----------------------------+
          |                            |
PC2-eth0 (111.111.111.2)    PC2-eth1 (222.222.222.2)
          |                            |
        (WAN1)                       (WAN2)
          |                            |
PC3-eth0 (111.111.111.1)    PC3-eth1 (222.222.222.1)
          |                            |
          +----------------------------+
PC2-eth2 (172.16.0.1)

PC2-Linux Kernel 2.6.21
PC2-Iptables 1.3.7


-------------------------------------------------------------------
Iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 111.111.111.2
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 222.222.222.2

# table 101: LAN directly, default via WAN1
ip route flush table 101
ip route add 192.168.10.0/24 dev eth2 table 101
ip route add default via 111.111.111.1 dev eth0 table 101

# table 102: LAN directly, default via WAN2
ip route flush table 102
ip route add 192.168.10.0/24 dev eth2 table 102
ip route add default via 222.222.222.1 dev eth1 table 102

# (re)install the fwmark rules; the del lines fail harmlessly on a fresh box
ip rule del fwmark 1 table 101 2>/dev/null
ip rule del fwmark 2 table 102 2>/dev/null
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102
ip route flush cache   # 2.6.x kernels cache route lookups; flush after changing rules

# restore the connection's mark first, so only NEW connections are balanced
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# alternate NEW connections between mark 1 and mark 2 (--packet is 0-based: 0..every-1)
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 2
# persist the packet mark on the conntrack entry for the rest of the connection
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

-----------------------------------------------------------------------------

Well ... I am not sure about it but you may try to do it this way:

# pick the SNAT source from the connection mark instead of the output interface
iptables -t nat -A POSTROUTING ! -o eth2 -m mark --mark 1 -j SNAT --to 111.111.111.2
iptables -t nat -A POSTROUTING ! -o eth2 -m mark --mark 2 -j SNAT --to 222.222.222.2

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# --packet is 0-based, so the two rules below match complementary halves of the NEW packets
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark


This is done without using iproute.
There is another solution, but it works only with kernels up to 2.6.10:

iptables -t nat -A POSTROUTING ! -o eth2 -j SNAT --to-source 111.111.111.2 --to-source 222.222.222.2

"... For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore. ..."
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
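To see why the mark-based SNAT in the reply keeps every packet of a connection on one WAN address, here is a small Python model of that ruleset. It is an added example, not code from this thread or from iptables. It reproduces the counter arithmetic of `-m statistic --mode nth` (userspace stores every-1 and sets the initial counter to every-1-packet, so `--packet` is zero-based and `--every 2 --packet 2` is rejected at load time), the CONNMARK restore/save around a conntrack table, and the mark-selected SNAT in nat POSTROUTING. It assumes the fwmark routing tables from the original post are still installed, so a mark-1 packet really leaves via eth0; the flow tuples, ports and 203.0.113.x destinations are constructed sample data. The `unmarked_flows` helper is an added check for the caveat that a NEW connection which matches neither nth rule gets mark 0, hits no SNAT rule, and leaves with its private LAN source.

```python
"""Model of the per-connection mark / SNAT scheme discussed in the thread.

Added example, not code from the LARTC thread. Addresses and flows below are
constructed sample data.
"""

# mark -> (outgoing interface, SNAT source), as in the reply's nat POSTROUTING rules
WAN = {1: ("eth0", "111.111.111.2"), 2: ("eth1", "222.222.222.2")}


class NthMatch:
    """One rule instance of -m statistic --mode nth --every EVERY --packet PACKET."""

    def __init__(self, every, packet=0):
        # iptables userspace rejects --packet outside 0..every-1, so the thread's
        # '--every 2 --packet 2' never loads.
        if not 0 <= packet < every:
            raise ValueError("--packet must be between 0 and --every-1")
        self._every = every - 1             # userspace stores every-1
        self._count = self._every - packet  # initial counter value

    def __call__(self):
        # matches when the counter wraps; counters of different rules are independent
        if self._count == self._every:
            self._count = 0
            return True
        self._count += 1
        return False


class Router:
    """PC2 from the diagram: mangle PREROUTING/POSTROUTING plus nat POSTROUTING."""

    def __init__(self, rules=None):
        # (match, mark) pairs in PREROUTING order; MARK is non-terminating
        self.rules = rules if rules is not None else [(NthMatch(2, 0), 1), (NthMatch(2, 1), 2)]
        self.conntrack = {}  # flow tuple -> connmark

    def forward(self, flow):
        # mangle PREROUTING: CONNMARK --restore-mark, then nth marking for NEW packets only
        mark = self.conntrack.get(flow, 0)
        if flow not in self.conntrack:
            for match, value in self.rules:
                if match():
                    mark = value
        # mangle POSTROUTING: CONNMARK --save-mark
        self.conntrack[flow] = mark
        # nat POSTROUTING: -m mark --mark N -j SNAT. An unmarked flow matches no
        # SNAT rule and leaves via the main table with its LAN source address.
        iface, snat = WAN.get(mark, (None, None))
        return mark, iface, snat


# Constructed sample: (src, sport, dst, dport) packets from PC1 in arrival order
PACKETS = [
    ("192.168.10.2", 40001, "203.0.113.10", 80),   # flow A, NEW
    ("192.168.10.2", 40002, "203.0.113.10", 80),   # flow B, NEW
    ("192.168.10.2", 40001, "203.0.113.10", 80),   # flow A, ESTABLISHED
    ("192.168.10.2", 40003, "203.0.113.20", 443),  # flow C, NEW
    ("192.168.10.2", 40002, "203.0.113.10", 80),   # flow B, ESTABLISHED
]


def simulate(packets, rules=None):
    """Run packets through a fresh router; returns (mark, iface, snat) per packet."""
    router = Router(rules)
    return [router.forward(p) for p in packets]


def unmarked_flows(every, n_flows):
    """Fraction of NEW flows that get mark 0 (no SNAT) when the two mark rules use
    --every EVERY: with EVERY > 2 the counters leave every EVERY-th flow unmatched."""
    rules = [(NthMatch(every, 0), 1), (NthMatch(every, 1), 2)]
    flows = [("192.168.10.2", 50000 + i, "203.0.113.30", 22) for i in range(n_flows)]
    results = simulate(flows, rules)
    return sum(1 for mark, _, _ in results if mark == 0) / n_flows


if __name__ == "__main__":
    for pkt, (mark, iface, snat) in zip(PACKETS, simulate(PACKETS)):
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  mark={mark} out={iface} snat={snat}")
    print("unmarked NEW flows with --every 3:", unmarked_flows(3, 30))
```

Running it shows flows A and C leaving on eth0 as 111.111.111.2 and flow B on eth1 as 222.222.222.2, with the ESTABLISHED packets of A and B keeping the mark their first packet got. The `--every 3` case marks only two of every three new connections, which is why the period of the nth counters must equal the number of mark rules when the SNAT is keyed on the mark rather than on the output interface.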
