Re: still can't route using fwmark

On Mon, Apr 20, 2009 at 09:38:13AM -0600, Lloyd Standish wrote:
> Thomas, somehow I had the erroneous idea that ALL packets, even those originating at the local machine, go through PREROUTING.  I finally understand now why I need the OUTPUT statements.  As soon as I added those, the load balancing started to work!

Great

> # restore the fwmark on packets that belong to an existing connection
> # this prerouting stuff would only be for connections initiated on the LAN
> 
> iptables -A PREROUTING -i eth0  -t mangle -m state --state ESTABLISHED,RELATED -j RESTOREMARK

This is too restrictive, drop the -i eth0: your forwarded packets from the internet
will not arrive through eth0 but still need a CONNMARK -> MARK restore.

> iptables -A PREROUTING -i eth0 -t mangle -m mark ! --mark 0 -j RETURN
> iptables -A PREROUTING -t mangle -j CONNMARK1
> iptables -A PREROUTING -t mangle -m statistic --mode nth --every 2 --packet 0 -j CONNMARK2

Otherwise you might assign a different mark again here, and that doesn't work
with NATed connections. Possibly you should also use -m state --state NEW to prevent
the marking stuff taking place on any other packets than the initial ones.

> Once this is working for LAN I want to try load balancing according the byte count of each interface, if that is possible.

Hmm, I don't see how to do this without using some kind of script
that constantly checks the load of your links and then modifies iptables
rules accordingly. Don't forget that you are load balancing connections, not
individual packets. But maybe you can cook something up with the recent match or
something; if you do, please keep the list posted ;)

   Thomas
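The rule set discussed in this thread, with both of Thomas's corrections folded in (the mark restore no longer limited to `-i eth0`, and marking limited to `--state NEW`), as an added example. This is not Lloyd's script and not code from the netfilter project. The definitions of the RESTOREMARK, CONNMARK1 and CONNMARK2 chains are not in the thread and are assumed here (restore the connection mark; set mark 1 or 2 and save it), as are the mark values 1 and 2 and the routing tables they select. By default the script only prints the commands; it applies them only with APPLY=1.

```shell
#!/bin/sh
# Added example: fwmark-based connection load balancing over two uplinks,
# incorporating the two fixes from the reply. Not the poster's own script.
# Dry run by default (commands are printed); APPLY=1 executes them.

IPTABLES=${IPTABLES:-iptables}
IP=${IP:-ip}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Assumed helper chains (their definitions are not in the thread):
# RESTOREMARK copies the saved connection mark back onto the packet;
# CONNMARK1/CONNMARK2 mark a new connection for uplink 1 or 2 and save it.
helper_chains() {
    for c in RESTOREMARK CONNMARK1 CONNMARK2; do
        run $IPTABLES -t mangle -N $c
    done
    run $IPTABLES -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
    run $IPTABLES -t mangle -A CONNMARK1 -j MARK --set-mark 1
    run $IPTABLES -t mangle -A CONNMARK1 -j CONNMARK --save-mark
    run $IPTABLES -t mangle -A CONNMARK2 -j MARK --set-mark 2
    run $IPTABLES -t mangle -A CONNMARK2 -j CONNMARK --save-mark
}

# Marking rules for one hook. PREROUTING sees forwarded traffic (LAN and
# internet side); OUTPUT sees locally generated traffic, which never
# traverses PREROUTING, hence the need for both.
mark_rules() {
    chain=$1
    # Fix 1: no -i restriction, so replies arriving from the internet also
    # get their mark restored and stay on the uplink the connection started on.
    run $IPTABLES -t mangle -A "$chain" -m state --state ESTABLISHED,RELATED -j RESTOREMARK
    run $IPTABLES -t mangle -A "$chain" -m mark ! --mark 0 -j RETURN
    # Fix 2: only the first packet of a connection is marked; later packets
    # inherit the saved mark instead of possibly being re-marked (which
    # breaks NATed connections).
    run $IPTABLES -t mangle -A "$chain" -m state --state NEW -j CONNMARK1
    run $IPTABLES -t mangle -A "$chain" -m state --state NEW \
        -m statistic --mode nth --every 2 --packet 0 -j CONNMARK2
}

# Policy routing: packets marked 1 use table 1, marked 2 use table 2.
# The default routes inside tables 1 and 2 (one per uplink) are assumed to
# exist already and are site specific, so they are not created here.
policy_rules() {
    run $IP rule add fwmark 1 table 1
    run $IP rule add fwmark 2 table 2
}

all_rules() {
    helper_chains
    mark_rules PREROUTING
    mark_rules OUTPUT
    policy_rules
}

all_rules
```

Running the script without APPLY=1 prints the complete rule set for review; the per-hook rules are identical for PREROUTING and OUTPUT, which is exactly why the load balancing only started working once the OUTPUT copies were added.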