From: Patrick McHardy <kaber@trash.net>
To: Marco Berizzi <pupilla@hotmail.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: load balacing with https home banking
Date: Wed, 13 Dec 2006 23:45:14 +0100
Message-ID: <4580827A.7090708@trash.net>
In-Reply-To: <BAY103-DAV25AE1C31A08B7725D1CACB2D60@phx.gbl>

Marco Berizzi wrote:
> [sorry for posting a user question to this
> list, but no luck with netfilter@ and lartc@]
> 
> Hello everybody.
> I'm running linux 2.6.19 (with iptables 1.3.7)
> with nth match to alternatively snat outgoing
> connections to two different ip addresses for
> load balancing between two adsl lines:
> Here is:
> 
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp \
>   -m multiport --dports 80,443 -m statistic --mode nth --every 2 \
>   -j SNAT --to adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp \
>   -m multiport --dports 80,443 -j SNAT --to adslB

This just does NAT, where is the balancing?

> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server see two different ip addresses). Is
> there a way to automagically tell netfilter
> to snat always with the same source ip for
> the same destination host? I have also
> modified SNAT with SAME, but no luck.


Multipath routing uses cached routes, so all attempts to communicate
between the same pair of hosts should use the same route. The
solution is to let routing make the decision and just use netfilter
to make sure the same route is used for all packets of a connection,
even if a cached route is evicted.

So you need something like:

# one table per uplink, selected by fwmark; "table" must not follow "nexthop"
ip route add default dev ppp0 realm 1 table 100
ip rule add fwmark 0x1 lookup 100
ip route add default dev ppp1 realm 2 table 200
ip rule add fwmark 0x2 lookup 200
# main table: multipath route, each nexthop tagged with its realm
ip route add default nexthop dev ppp0 realm 1 nexthop dev ppp1 realm 2

and:

# mangle table: record the realm of the route chosen for the first packet
iptables -t mangle -A POSTROUTING -m connmark ! --mark 0x0 -j RETURN
iptables -t mangle -A POSTROUTING -m realm --realm 0x1 -j CONNMARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -m realm --realm 0x2 -j CONNMARK --set-mark 0x2

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

Different TOS values might still break the thing, but it should work for
HTTP/HTTPS.
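The setup Patrick describes, written out as an added example that is not part of his mail or of any netfilter project code: it generates the per-uplink tables, the fwmark rules, the multipath default route and the CONNMARK rules for any number of uplinks (the thread's two-line case falls out for ppp0 and ppp1), and prints the `ip route get ... mark N` checks a practitioner would run to confirm the pinning. The interface names ppp0/ppp1, the numbering scheme (realm = fwmark = i, table 100*i), the `ppp+` MASQUERADE pattern and the 192.0.2.1 probe address are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: generate (or, with APPLY=1 as root, apply)
# the policy-routing and CONNMARK rules that pin every packet of a connection
# to the uplink chosen for its first packet, generalised to N uplinks.
# Interface names, realm/mark/table numbering, the ppp+ MASQUERADE pattern
# and the 192.0.2.1 probe address are assumptions.

UPLINKS="${UPLINKS:-ppp0 ppp1}"   # assumed uplink interfaces, space separated

# Print a command in dry-run mode (default) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Uplink i gets realm i, fwmark i and its own table 100*i holding a single
# default route, so a packet carrying fwmark i always leaves via uplink i.
uplink_rules() {
  i=0
  for dev in $UPLINKS; do
    i=$((i + 1))
    run ip route add default dev "$dev" realm "$i" table "$((100 * i))"
    run ip rule add fwmark "$i" lookup "$((100 * i))"
  done
}

# Unmarked traffic (the first packet of a connection) uses the main table's
# multipath route; the realm on the chosen nexthop records which uplink won.
multipath_route() {
  i=0
  nexthops=""
  for dev in $UPLINKS; do
    i=$((i + 1))
    nexthops="$nexthops nexthop dev $dev realm $i"
  done
  # shellcheck disable=SC2086  (word splitting of $nexthops is intended)
  run ip route add default $nexthops
}

# Copy the realm of the chosen route into the connection mark once (the
# RETURN rule keeps an existing mark from being rewritten), then restore it
# onto every later packet before the routing decision so the fwmark rules
# above pin the whole connection, replies included, to the same uplink.
netfilter_rules() {
  run iptables -t mangle -A POSTROUTING -m connmark ! --mark 0 -j RETURN
  i=0
  for dev in $UPLINKS; do
    i=$((i + 1))
    run iptables -t mangle -A POSTROUTING -m realm --realm "$i" -j CONNMARK --set-mark "$i"
  done
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  run iptables -t nat -A POSTROUTING -o 'ppp+' -j MASQUERADE
}

# Check: a lookup with mark i must resolve to uplink i ("dev ppp0", ...).
verify_pinning() {
  i=0
  for dev in $UPLINKS; do
    i=$((i + 1))
    run ip route get 192.0.2.1 mark "$i"    # expect "dev $dev" in the output
  done
}

generate_all() {
  uplink_rules
  multipath_route
  netfilter_rules
  verify_pinning
}

generate_all
```

Run it once without `APPLY` to review the generated commands, then `APPLY=1` as root. After a few connections, `conntrack -L` (or `/proc/net/ip_conntrack` on kernels of that era) shows a `mark=` field per flow that should never change for the life of the flow, and `ip route get 192.0.2.1 mark 2` must answer with the second uplink. Note that all CONNMARK rules live in the mangle table; a bare `-A POSTROUTING` would be rejected because the filter table has no POSTROUTING chain.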

Thread overview: 8+ messages
2006-12-13 14:09 load balacing with https home banking Marco Berizzi
2006-12-13 22:45 ` Patrick McHardy [this message]
2006-12-14  9:59   ` Marco Berizzi
2006-12-14 10:47     ` Patrick McHardy
2006-12-14 10:59       ` Marco Berizzi
2006-12-25  1:49       ` Krzysztof Oledzki
  -- strict thread matches above, loose matches on Subject: below --
2006-12-13 14:09 Marco Berizzi
2006-12-07 14:08 Marco Berizzi