John Chang wrote:

I am developing a load balancing router, but I have a question about failover.
The following diagram shows my test environment and scripts.
Environment setup

PC1( <>)
PC2-eth2( <>)
+ +
PC2-eth0( <>) PC2-eth1( <> )
| |
(WAN1) (WAN2)
| |
PC3-eth0( <>) PC3-eth1( <>)
+ +
PC2-eth2( <>)

PC2 - Linux kernel 2.6.21
PC2 - iptables 1.3.7

Iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to <>
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to <>

# table 101
ip route flush table 101
ip route add <> dev eth2 table 101
ip route add default via <> dev eth0 table 101

# table 102
ip route flush table 102
ip route add <> dev eth2 table 102
ip route add default via <> dev eth1 table 102

ip rule del fwmark 1 table 101
ip rule del fwmark 2 table 102
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark


Well ... I am not sure about it, but you may try to do it this way:

iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 1 -j SNAT --to <>
iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 2 -j SNAT --to <>

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This is done without using iproute.
There is another solution, but it works only with kernels up to 2.6.10:

iptables -t nat -A POSTROUTING -o ! eth2 -j SNAT --to <>, <>

".... For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore. ..."
LARTC mailing list
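The question asks about failover on top of the marking rules, and the thread never shows that part. Below is an added example (not code from the original post or from the reply) of the whole procedure in one script: the two per-uplink tables, the fwmark rules, CONNMARK save/restore, and a probe step that re-marks NEW connections toward whichever uplink still answers. Interface names eth0/eth1/eth2, the marks and tables 101/102 are taken from the post; the addresses (RFC 5737 test networks) and the helper names `run`, `new_conn_marks`, `setup_*`, `wan_up` and `failover` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: two-uplink balancing with
# CONNMARK and policy routing, plus a failover step that re-marks NEW
# connections when an uplink stops answering. Interface names follow the
# post; addresses are assumed placeholders from the RFC 5737 test networks.

LAN_IF=eth2
LAN_NET=192.168.0.0/24                                     # assumed
WAN1_IF=eth0; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1   # assumed
WAN2_IF=eth1; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1  # assumed

# Every iptables/ip command goes through run(): printed by default, executed
# only with APPLY=1, so the generated rule set can be reviewed anywhere.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# SNAT follows the outgoing interface, as in the post; the fwmark-driven
# routing decision is what selects that interface.
setup_nat() {
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
}

# One table per uplink. Each also needs the LAN route, or reply packets that
# are restored to mark 1/2 have no route back to the LAN.
setup_routing() {
    run ip route flush table 101
    run ip route add "$LAN_NET" dev "$LAN_IF" table 101
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 101
    run ip route flush table 102
    run ip route add "$LAN_NET" dev "$LAN_IF" table 102
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 102
    run ip rule del fwmark 1 table 101 2>/dev/null
    run ip rule del fwmark 2 table 102 2>/dev/null
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
    run ip route flush cache
}

# Marks that NEW connections may receive for the given uplink states (1=up):
# "1 2" (balance), "1" or "2" (single uplink), "" (nothing usable).
new_conn_marks() {
    marks=""
    [ "$1" = 1 ] && marks="1"
    [ "$2" = 1 ] && marks="${marks:+$marks }2"
    echo "$marks"
}

# Restore the connection mark first so established flows keep their uplink;
# distribute only NEW connections that enter from the LAN.
setup_mangle() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -F POSTROUTING
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Connections that arrive on an uplink must be answered through it.
    run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m state --state NEW -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m state --state NEW -j MARK --set-mark 2
    case "$(new_conn_marks "$1" "$2")" in
        "1 2")
            # Every second NEW LAN connection gets mark 1; whatever that rule
            # left at mark 0 gets mark 2, so only one statistic counter is used.
            run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
                -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
            run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
                -m mark --mark 0 -j MARK --set-mark 2 ;;
        1) run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -j MARK --set-mark 1 ;;
        2) run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -j MARK --set-mark 2 ;;
        *) echo "# no uplink is up: new LAN connections fall through to the main table" ;;
    esac
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

# Probe an uplink by pinging its gateway out of that interface (exit 0 = up).
wan_up() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# Re-evaluate both uplinks and rewrite the mangle rules accordingly.
failover() {
    up1=0; up2=0
    wan_up "$WAN1_IF" "$WAN1_GW" && up1=1
    wan_up "$WAN2_IF" "$WAN2_GW" && up2=1
    setup_mangle "$up1" "$up2"
}

case "${1:-show}" in
    show)     setup_nat; setup_routing; setup_mangle 1 1 ;;   # print the full rule set
    setup)    setup_nat; setup_routing; failover ;;
    failover) failover ;;                                      # run from cron
esac
```

Run `./lb.sh` to print the rule set, `APPLY=1 ./lb.sh setup` once at boot and `APPLY=1 ./lb.sh failover` from cron. Only NEW connections are steered: flows already SNATed to the dead uplink's address cannot be moved and will time out, and a gateway ping only detects a dead link or gateway, not a loss further upstream. The reply's variant, SNAT by `-m mark` instead of by output interface, gives the same result once the fwmark rules put mark-1 traffic on eth0 and mark-2 traffic on eth1.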
