RE: [LARTC] Load balancing using connmark
On Thu, 10-05-2007 at 16:01 +0800, Salim S I wrote:

Hi Salim,

Thanks for your reply,

> On closer look, I am wrong about shorewall. It seems to be a different
> approach to load balancing. They connmark the incoming packets from
> WAN, rather than outgoing packets. I think it should work well, but I
> wonder why this approach is not popular. There must be some drawback
> to it. I can't think of one, though.

I think the main advantage of the shorewall solution is that it applies connmark to incoming packets from the WAN, as you point out, leaving load balancing for outgoing connections to the main table.

In any case, with this second solution I don't see wrongly routed packets on the WAN interfaces using tcpdump, whereas with the first solution I do. More testing is required.

Regarding your previous reply, can you elaborate more on "...This approach will work, but you need some sort of stateful-ness in netfilter..."?

Cheers!

--
Francis Brosnan Blazquez <[EMAIL PROTECTED]>
Advanced Software Production Line, S.L.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] Load balancing using connmark
Hi,

I've been implementing a load balancing solution using CONNMARK, based on the solution described by Luciano Ruete at [1]. Thanks for the post and for pointing in the right direction, Luciano!

Once implemented, I've found that for some reason packets aren't properly marked (or are improperly remarked) and are sent out using the wrong interface. My setup is:

  [82.123.136.74]: eth1 : mark:0x1 --\
                                      +--[FW BOX] -- eth0: 192.168.0.53
  [217.146.74.82]: eth2 : mark:0x2 --/

Using the conntrack tool shows that after a while, packets start to appear marked with 0x2 or 0x1 not coming from the proper source IP:

  >> conntrack -L | grep mark=2 | grep '82.123.136.74'; conntrack -L | grep mark=1 | grep '217.146.74.82'
  tcp 6 425543 ESTABLISHED src=192.168.0.178 dst=82.216.53.249 sport=1552 dport=443 packets=818 bytes=93471 src=82.216.53.249 dst=82.123.136.74 sport=443 dport=1552 packets=875 bytes=83909 [ASSURED] mark=2 use=1
  tcp 6 428681 ESTABLISHED src=192.168.0.177 dst=89.139.122.12 sport=2361 dport=443 packets=122 bytes=29381 src=89.139.122.12 dst=82.123.136.74 sport=443 dport=2361 packets=139 bytes=14120 [ASSURED] mark=2 use=1

This is quite odd since the solution proposed at [1] looks good. I'll cite it here for clarity (suppose I already have all the ip rule stuff installed):

  iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
  iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
  iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
  iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

After giving it a try for several days, I've found that another firewall solution, shorewall [2], implements built-in load balancing for free by using the following set of instructions:

  iptables -t mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF
  iptables -t mangle -A OUTPUT -m connmark ! --mark 0/0xFF -j CONNMARK --restore-mark --mask 0xFF
  iptables -t mangle -N routemark
  iptables -t mangle -A PREROUTING -i eth1 -m mark --mark 0/0xFF -j routemark
  iptables -t mangle -A routemark -i eth1 -j MARK --set-mark 1
  iptables -t mangle -A PREROUTING -i eth2 -m mark --mark 0/0xFF -j routemark
  iptables -t mangle -A routemark -i eth2 -j MARK --set-mark 2
  iptables -t mangle -A routemark -m mark ! --mark 0/0xFF -j CONNMARK --save-mark --mask 0xFF

After a bit of testing with the second solution, it seems to behave better, doing all the marking job at PREROUTING and OUTPUT.

Did anybody find that some packets don't get properly routed according to the mark with the first solution? What do you think about the second solution?

Cheers!

[1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
[2] http://www.shorewall.net

--
Francis Brosnan Blazquez <[EMAIL PROTECTED]>
Advanced Software Production Line, S.L.
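The grep pair in the post above checks the conntrack table by hand. The following is an added example, not code from the thread, Luciano's post or Shorewall: a small POSIX sh check that reads `conntrack -L` output, takes the reply direction's `dst=` (the firewall's own WAN address that the remote peer answers to) together with the entry's `mark=`, and reports every connection whose mark disagrees with the address it is actually using. The WAN-address-to-mark mapping is passed as `IP=MARK` arguments; the sample entries are the two lines quoted above plus three constructed ones (addresses in 198.51.100.0/24 are documentation addresses, not from the thread).

```shell
#!/bin/sh
# Added example (not from the original post): audit conntrack entries against
# the intended WAN address -> mark mapping of a connmark load-balancing setup.

# check_conntrack_marks IP=MARK [IP=MARK ...]   (conntrack -L output on stdin)
# Prints one MISMATCH line per entry whose mark does not match the mark expected
# for the WAN address the reply is addressed to; returns the mismatch count.
check_conntrack_marks() {
    bad=0
    while IFS= read -r line; do
        # the second dst= on a conntrack line belongs to the reply tuple, i.e.
        # the address the remote side talks back to: one of our WAN addresses
        wan=$(printf '%s\n' "$line" | sed -n 's/.*dst=[^ ]* .*dst=\([^ ]*\).*/\1/p')
        mark=$(printf '%s\n' "$line" | sed -n 's/.*mark=\([0-9]*\).*/\1/p')
        [ -n "$wan" ] && [ -n "$mark" ] || continue
        expected=
        for pair in "$@"; do
            case $pair in "$wan="*) expected=${pair#*=} ;; esac
        done
        # entries whose reply address is not a WAN address (LAN-local traffic,
        # NATed hosts talking to the box itself) are not subject to the check
        [ -n "$expected" ] || continue
        if [ "$mark" != "$expected" ]; then
            printf 'MISMATCH mark=%s expected=%s: %s\n' "$mark" "$expected" "$line"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# sample_conntrack: constructed input for offline use. Lines 1 and 2 are the two
# entries quoted in the thread (mark=2 while the reply goes to the eth1/mark 1
# address); lines 3 and 4 are consistent entries; line 5 is LAN-only traffic.
sample_conntrack() {
    cat <<'EOF'
tcp      6 425543 ESTABLISHED src=192.168.0.178 dst=82.216.53.249 sport=1552 dport=443 packets=818 bytes=93471 src=82.216.53.249 dst=82.123.136.74 sport=443 dport=1552 packets=875 bytes=83909 [ASSURED] mark=2 use=1
tcp      6 428681 ESTABLISHED src=192.168.0.177 dst=89.139.122.12 sport=2361 dport=443 packets=122 bytes=29381 src=89.139.122.12 dst=82.123.136.74 sport=443 dport=2361 packets=139 bytes=14120 [ASSURED] mark=2 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.180 dst=198.51.100.7 sport=3001 dport=80 packets=10 bytes=1200 src=198.51.100.7 dst=217.146.74.82 sport=80 dport=3001 packets=9 bytes=5400 [ASSURED] mark=2 use=1
udp      17 29 src=192.168.0.181 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=82.123.136.74 sport=53 dport=40000 packets=1 bytes=120 mark=1 use=1
tcp      6 12 TIME_WAIT src=192.168.0.53 dst=192.168.0.178 sport=22 dport=5000 packets=5 bytes=300 src=192.168.0.178 dst=192.168.0.53 sport=5000 dport=22 packets=5 bytes=300 [ASSURED] mark=0 use=1
EOF
}

# Stand-alone: "sh check.sh --demo" runs the audit over the constructed sample.
# On the firewall itself (root, conntrack-tools installed) the same check is:
#   conntrack -L 2>/dev/null | check_conntrack_marks 82.123.136.74=1 217.146.74.82=2
if [ "${1:-}" = "--demo" ]; then
    sample_conntrack | check_conntrack_marks 82.123.136.74=1 217.146.74.82=2
fi
```

Run periodically (or once after a routing change), a non-zero exit from the check is a cheap signal that connections are leaving through the wrong provider before a customer notices asymmetric traffic; on the sample above it reports exactly the two entries the post quotes.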
[LARTC] Configuring several route tables for the same network interface
Hi,

I've been following the documentation provided at [1] in order to set up a firewall to use two internet connections with different providers. While the instructions found in [1] are pretty clear, I'm not able to install new route tables (apart from main and local), always getting:

  RTNETLINK answers: File exists

Here is the situation:

  [INET] -- [Provider Router 1] -- [10.0.0.1] --             Linux Box
                                   10.0.0.0/29 \   eth1
                                                |- [10.0.0.4]
                                   10.0.1.0/29 /   [10.0.1.4]
  [INET] -- [Provider Router 2] -- [10.0.1.1] --

What I'm trying to do is to have two routing tables, one for each gateway, and use "ip rule from" to instruct the linux box to use one table or the other according to the source address (either 10.0.0.4 or 10.0.1.4).

The set of instructions I've used is exactly the same as [1] but with one difference: our linux box only has one NIC adapter (with two IPs configured), as opposed to the example, which has two NIC adapters.

So, the question would be: is it possible to have several route tables, or is only one routing table allowed for each NIC?

Supposing this context, is there any way to make traffic coming through "Provider Router 2" be replied to by the linux box using the same router, avoiding always using "Provider Router 1", which is the default via installed in the "main" route table?

Thanks for your attention!

[1] http://lartc.org/howto/lartc.rpdb.multiple-links.html

--
Francis Brosnan Blazquez <[EMAIL PROTECTED]>
Advanced Software Production Line, S.L.
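The following is an added example and not part of the post or of the LARTC howto it cites: the per-provider table setup from lartc.rpdb.multiple-links written as a shell function for the single-NIC case above, where both provider addresses live on eth1. It assumes numeric table ids 1 and 2 are unused on the box, uses `ip route replace` (which creates the route or overwrites an existing one) so the function can be re-run without tripping over routes that are already installed, and deletes a rule before re-adding it because `ip rule` has no replace. `IP` defaults to the real `ip` binary; setting `IP=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post or the LARTC howto): two routing
# tables, one per provider, on a single interface that carries both addresses.
# Assumptions: table ids 1 and 2 are free; iproute2's "route replace" and
# "rule add/del" behave as documented. Set IP=echo for a dry run.
IP=${IP:-ip}

# dual_provider_routes IF IP1 NET1 GW1 IP2 NET2 GW2
# Each table holds the link route with its own source address plus a default
# via that provider's router; "ip rule from" selects the table by source, so
# traffic answered from the second address leaves via the second router.
dual_provider_routes() {
    if_=$1
    ip1=$2; net1=$3; gw1=$4
    ip2=$5; net2=$6; gw2=$7

    # "replace" creates or overwrites, so re-running does not fail with
    # "RTNETLINK answers: File exists" for routes that are already present
    $IP route replace "$net1" dev "$if_" src "$ip1" table 1
    $IP route replace default via "$gw1" table 1
    $IP route replace "$net2" dev "$if_" src "$ip2" table 2
    $IP route replace default via "$gw2" table 2

    # rules have no "replace": drop a stale copy first (ignore "not found"),
    # then add, so repeated runs do not accumulate duplicate rules
    $IP rule del from "$ip1" table 1 2>/dev/null
    $IP rule del from "$ip2" table 2 2>/dev/null
    $IP rule add from "$ip1" table 1
    $IP rule add from "$ip2" table 2

    # main table: provider 1 stays the default for locally originated traffic
    $IP route replace default via "$gw1" dev "$if_" src "$ip1"
    $IP route flush cache
}

# show_tables: what to inspect after applying, to confirm rules and both tables
show_tables() {
    $IP rule show
    $IP route show table 1
    $IP route show table 2
}

# Stand-alone: "sh routes.sh --demo" prints the command sequence for the
# addresses from the post instead of applying it (needs root when IP=ip).
if [ "${1:-}" = "--demo" ]; then
    IP=echo
    dual_provider_routes eth1 10.0.0.4 10.0.0.0/29 10.0.0.1 10.0.1.4 10.0.1.0/29 10.0.1.1
fi
```

After applying, `ip route get 10.0.1.1 from 10.0.1.4` should show the route leaving via table 2's default, which is the quickest way to confirm that replies sourced from the second address really take Provider Router 2.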