Re: fail in the connmark load-balancing

Hi,

A few comments...

On 2012-02-27 19:15, Usuário do Sistema wrote:
eth1: LAN Interface
eth0: WAN1
eth2: WAN2

#!/bin/bash

# flush all iptables entries
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
By default the policies are set to ACCEPT...
I would set them to DROP and I would write my own "ACCEPT-ing" rules...

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -s {trusted network}

iptables -t filter -A OUTPUT -j ACCEPT -o lo

But don't change them if you don't want to filter the connections... :D

I would ACCEPT every packet (as the first rule) that comes/goes on the lo interface... (in the PREROUTING/INPUT/OUTPUT/POSTROUTING chains in the raw/mangle/filter tables)

iptables -t mangle -N CONNMARK1
iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark

iptables -t mangle -N CONNMARK2
iptables -t mangle -A CONNMARK2 -j MARK --set-mark 2
iptables -t mangle -A CONNMARK2 -j CONNMARK --save-mark

iptables -t mangle -N RESTOREMARK
iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark

iptables -t mangle -A PREROUTING -i eth1 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j RESTOREMARK
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j CONNMARK1
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j CONNMARK2
Hmm... :D

iptables -t mangle -N MARKS
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3

iptables -t mangle -A PREROUTING -j ACCEPT -i lo
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS

iptables -t mangle -A INPUT -j ACCEPT -i lo (put this as the first rule in the INPUT...)
iptables -t mangle -A INPUT -j CONNMARK --save-mark (put this as the last rule in the INPUT...)

iptables -t mangle -A OUTPUT -j ACCEPT -o lo
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j MARKS (use this if you want to load-balance the traffic that originates from you firewall)

iptables -t mangle -A POSTROUTING -j ACCEPT -o lo (put this as the first rule in the POSTROUTING...)
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark (put this as the last rule in the POSTROUTING...)

iptables -t nat -N SNAT1
iptables -t nat -A SNAT1 -j SNAT --to-source 192.168.217.254

iptables -t nat -N SNAT2
iptables -t nat -A SNAT2 -j SNAT --to-source 192.168.216.254

iptables -t nat -A POSTROUTING -o eth2 -j SNAT1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT2
How do you like these "one-liners"?
iptables -t nat -A POSTROUTING -j SNAT -o eth0 ! -s 192.168.216.254 --to-source 192.168.216.254
iptables -t nat -A POSTROUTING -j SNAT -o eth2 ! -s 192.168.217.254 --to-source 192.168.217.254

ip route add 192.168.217.0 via 192.168.217.1 table oitelecom
ip route add 192.168.216.0 via 192.168.216.1 table gvttelecom
ip route add default via 192.168.217.1 table oitelecom
ip route add default via 192.168.216.1 table gvttelecom
Maybe it is better:
ip route add default via 192.168.216.1 src 192.168.216.254 dev eth0 table gvttelecom
ip route add default via 192.168.217.1 src 192.168.217.254 dev eth2 table oitelecom

ip rule del from 192.168.217.254 table oitelecom
ip rule add from 192.168.217.254 table oitelecom

ip rule del fwmark 1 table oitelecom
ip rule del fwmark 2 table gvttelecom

ip rule add fwmark 1 table oitelecom
ip rule add fwmark 2 table gvttelecom
Use mask in marks:
ip rule add fwmark 1/3 table oitelecom
ip rule add fwmark 2/3 table gvttelecom

Maybe you need to copy other local routes:
ip route show table main | grep -E '(^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^192\.168\.)' | while read -r ROUTE
do
    ip route add table oitelecom ${ROUTE} 2>/dev/null
    ip route add table gvttelecom ${ROUTE} 2>/dev/null
done

Be careful with this last one, as it copies the 192.168.x.x routes too!!!!!
ip route flush cache


thanks....any tips are welcome.

Swifty
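The MARKS chain and the masked fwmark rules from the reply above, modelled in plain bash as an added example (not code from either poster), so the mark/mask arithmetic can be checked offline before it goes into a live firewall. It assumes, as the reply does, that only the two low bits (mask 3) belong to the load balancer; the loop at the end feeds constructed packets through the model.

```shell
#!/bin/bash
# Added example (not from the thread): a bash model of the MARKS chain and the
# "fwmark 1/3" / "fwmark 2/3" ip rules. Assumption: the two low bits (mask 3)
# carry the WAN choice; any other bit (say a QoS mark in bit 2) must survive.

LB_MASK=3

# mark_matches MARK VALUE[/MASK]: true if "-m mark --mark VALUE[/MASK]" or
# "ip rule ... fwmark VALUE[/MASK]" would match packet mark MARK.
# Without an explicit mask the whole 32-bit mark has to be equal.
mark_matches() {
    local mark=$1 spec=$2 value mask
    value=${spec%%/*}
    if [ "$spec" = "$value" ]; then mask=4294967295; else mask=${spec##*/}; fi
    [ $(( mark & mask )) -eq $(( value & mask )) ]
}

# set_mark MARK VALUE MASK: the mark "-j MARK --set-mark VALUE/MASK" produces
set_mark() { echo $(( ($1 & ~$3) | ($2 & $3) )); }

# marks_chain MARK STATE NTH: mark after the MARKS chain for a packet whose
# restored connmark is MARK, whose conntrack state is NEW/ESTABLISHED/RELATED
# and whose position in the "-m statistic --mode nth --every 2" counter is NTH.
marks_chain() {
    local mark=$1 state=$2 nth=$3
    # -A MARKS -j RETURN -m mark ! --mark 0/3   (already classified: keep it)
    if ! mark_matches "$mark" 0/$LB_MASK; then echo "$mark"; return; fi
    # -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
    # (old, never classified flow: neither fwmark rule matches, main table)
    if [ "$state" != NEW ]; then set_mark "$mark" 3 $LB_MASK; return; fi
    # -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
    if [ $(( nth % 2 )) -eq 0 ]; then set_mark "$mark" 1 $LB_MASK; return; fi
    # -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
    set_mark "$mark" 2 $LB_MASK
}

# select_table MARK: routing table the masked ip rules would pick
select_table() {
    if mark_matches "$1" 1/$LB_MASK; then echo oitelecom
    elif mark_matches "$1" 2/$LB_MASK; then echo gvttelecom
    else echo main; fi
}

# Walk constructed packets (connmark state nth) through the model
for pkt in "0 NEW 0" "0 NEW 1" "0 ESTABLISHED 0" "4 NEW 0" "6 NEW 5"; do
    set -- $pkt
    m=$(marks_chain "$1" "$2" "$3")
    echo "connmark=$1 state=$2 nth=$3 -> mark=$m table=$(select_table "$m")"
done
```

The "4 NEW 0" packet shows why the masked form matters: it leaves the mangle table with mark 5, which an unmasked `fwmark 1` rule would never match but `fwmark 1/3` does.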
