Re: RE: Load Balancing, MSN and SSL

Linux Advanced Routing and Traffic Control


 



Hi, I think you could mark packets based on port 1863 and the hosts
messenger.hotmail.com, gateway.messenger.hotmail.com and webmessenger.msn.com.



On 7/5/07, Randy D. Wallace Jr. <randywallacejr@xxxxxxxxx> wrote:

> Hi all,
>
> I am running an FC6 box with two internet links with load balancing. Everything
> is working fine except the MSN connection, which fails and reconnects every
> time, and SSL connections. I would like to know if, with the nano howto, I
> could fix that.
>
> I have tried, with no success, to redirect that connection to only one link,
> but it looks like it does not work. Here is my configuration:
>
> #!/bin/bash
> #
> # Script based on http://lartc.org/howto/lartc.rpdb.multiple-links.html
> #
>
>
> IF0=eth1
>
> function interface_interna() {
>         VALOR_IP=0
>         while [ $VALOR_IP -lt 254 ] ; do
>            if [ $VALOR_IP -ne 33 ] ; then
>                 P0_NET=192.168.${VALOR_IP}.0
>                 IP0=192.168.${VALOR_IP}.1
>                 ip route add $P0_NET dev $IF0 src $IP0 table T1
>                 ip route add $P0_NET dev $IF0 src $IP0 table T2
>            fi
>            VALOR_IP=$(expr $VALOR_IP + 1)
>         done
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> }
>
>
>
> IP1=xxx.xxx.xxx.18
> IF1=eth0
> P1_NET=xxx.xxx.xxx.16/30
> P1=xxx.xxx.xxx.17
>
>
> IP2=192.168.254.250
> IF2=eth2
> P2_NET=192.168.254.248/29
> P2=192.168.254.254
>
>
>
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> ip route add $P0_NET     dev $IF0 table T1
> ip route add $P1_NET     dev $IF1 table T1
> ip route add $P2_NET     dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo   table T1
>
> ip route add $P0_NET     dev $IF0 table T2
> ip route add $P1_NET     dev $IF1 table T2
> ip route add $P2_NET     dev $IF2 table T2
> ip route add 127.0.0.0/8 dev lo   table T2
>
> interface_interna
>
> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
> nexthop via $P2 dev $IF2 weight 1
>
> # Backup routes
>
> ip route add default via $P2 dev $IF2 metric 1 table T1
> ip route add default via $P1 dev $IF1 metric 1 table T2
>
> # Service routes
>
> ip rule add fwmark 2 table 21 prio 20
> ip rule add fwmark 3 table 22 prio 20
>
> ip route add default via $P1 dev $IF1 table 21
> ip route add default via $P2 dev $IF2 table 22
>
> ip route flush cache
>
> Here are the iptables mangle rules:
>
> ############# MSN Services #####################
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> ############### SSL Services ###########
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

My experience with the layer7 module has been sketchy.  Have you checked to
make sure that the layer7 module is catching msnmessenger traffic?  It would
be a good idea to try

#iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
  --log-prefix 'MSN Messenger Packet: '

and consult /var/log/messages and make sure that layer7 is seeing it.
If it's not, the packets for msn traffic will never get marked.

A much better solution would be to mark based on destination port, and let connection
tracking take care of the rest. For example:

#DNS Traffic
#iptables -t mangle -A FORWARD -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
#iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

hope this helps!

>
> I added the rules for DNS and FTP too.
>
> But it does not seem to work.
>
> Any help will be appreciated.
>
> Saulo Silva
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



--
"The network is the computer"
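Both replies suggest classifying by destination port rather than by layer7 payload and letting connection tracking keep each session on one link. The script below carries that suggestion through with CONNMARK: the first packet of a NEW connection is marked by port, the mark is stored on the conntrack entry, and every later packet of that connection gets the same mark back before routing, so a single TCP session (MSN on 1863, SSL on 443) can no longer be split across the two uplinks by the per-packet multipath default route. This is an added example, not code from either poster: marks 2 and 3, tables 21 and 22, the LAN interface eth1, the uplinks eth0/eth2 and the gateway placeholders follow Saulo's script, while the port lists, the function names and the restore/classify/save ordering are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): pin whole connections to one uplink
# with CONNMARK so a TCP session is never split across the two links.
# Marks 2/3, tables 21/22, eth1 (LAN) and eth0/eth2 (uplinks) follow the
# original script; port lists and helper names are assumptions.

LAN_IF=eth1

# Print one classification rule per port. Only the first packet of a NEW
# connection is matched by port; the saved connection mark handles the rest,
# so a later packet cannot move an established session to the other link.
# $1 = fwmark to set, $2 = space-separated TCP destination ports
classify_ports() {
    mark=$1
    for port in $2; do
        printf 'iptables -t mangle -A PREROUTING -i %s -p tcp --dport %s -m state --state NEW -j MARK --set-mark %s\n' \
            "$LAN_IF" "$port" "$mark"
    done
}

# Print the complete mangle rule set in the order that makes it work:
#   1. copy the connection mark back onto the packet,
#   2. packets that already carry a mark are done with this chain,
#   3. classify still-unmarked (NEW) packets by destination port,
#   4. store the packet mark on the connection for all later packets.
build_ruleset() {
    printf 'iptables -t mangle -A PREROUTING -i %s -j CONNMARK --restore-mark\n' "$LAN_IF"
    printf 'iptables -t mangle -A PREROUTING -i %s -m mark ! --mark 0 -j ACCEPT\n' "$LAN_IF"
    classify_ports 2 "1863 443"   # MSN Messenger and SSL -> table 21 -> eth0 uplink
    classify_ports 3 "21"         # FTP control -> table 22 -> eth2 uplink (assumed split)
    printf 'iptables -t mangle -A PREROUTING -i %s -m mark ! --mark 0 -j CONNMARK --save-mark\n' "$LAN_IF"
}

# Print the policy-routing side: one table per uplink, selected by fwmark.
# $1 = mark, $2 = table, $3 = gateway, $4 = uplink interface
route_for_mark() {
    printf 'ip rule add fwmark %s table %s prio 20\n' "$1" "$2"
    printf 'ip route add default via %s dev %s table %s\n' "$3" "$4" "$2"
}

build_routes() {
    route_for_mark 2 21 "$P1" "eth0"
    route_for_mark 3 22 "$P2" "eth2"
    printf 'ip route flush cache\n'
}

# Gateways: placeholders exactly as masked in the original post; override
# with P1=... P2=... in the environment.
P1=${P1:-xxx.xxx.xxx.17}
P2=${P2:-192.168.254.254}

# Run with "apply" (as root) to execute the commands; the default prints
# them for review so the rule set can be checked before it touches the box.
case "${1:-print}" in
    apply) { build_routes; build_ruleset; } | sh ;;
    *)     build_routes; build_ruleset ;;
esac
```

The order inside build_ruleset is the part that matters: restore-mark must run before the port rules, otherwise every packet of an established session is re-evaluated against `--state NEW`, fails to match, leaves with mark 0 and falls back into the multipath default route, which is exactly the symptom described in the thread. The ACCEPT on already-marked packets only ends traversal of the mangle PREROUTING chain; the nat and filter tables still see the packet as usual.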
