* load balancing with https home banking
From: Marco Berizzi @ 2006-12-13 14:09 UTC
To: netfilter-devel
[sorry for posting a user question to this
list, but no luck with netfilter@ and lartc@]
Hello everybody.
I'm running linux 2.6.19 (with iptables 1.3.7)
with the nth match to alternately snat outgoing
connections to two different ip addresses for
load balancing between two adsl lines.
Here is:
$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
    -m statistic --mode nth --every 2 -j SNAT --to adslA
$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
    -j SNAT --to adslB
Things are working pretty well, but some
applications (https home banking for example)
don't work correctly (because the remote
server sees two different ip addresses). Is
there a way to automagically tell netfilter
to snat always with the same source ip for
the same destination host? I have also
replaced SNAT with SAME, but no luck.
TIA
* Re: load balancing with https home banking
From: Patrick McHardy @ 2006-12-13 22:45 UTC
To: Marco Berizzi; +Cc: netfilter-devel
Marco Berizzi wrote:
> [sorry for posting a user question to this
> list, but no luck with netfilter@ and lartc@]
>
> Hello everybody.
> I'm running linux 2.6.19 (with iptables 1.3.7)
> with nth match to alternatively snat outgoing
> connections to two different ip addresses for
> load balancing between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
>     -m statistic --mode nth --every 2 -j SNAT --to adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
>     -j SNAT --to adslB
This just does NAT, where is the balancing?
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server see two different ip addresses). Is
> there a way to automagically tell netfilter
> to snat always with the same source ip for
> the same destination host? I have also
> modified SNAT with SAME, but no luck.
Multipath routing uses cached routes, so all attempts to communicate
between the same pair of hosts should use the same route. The
solution is to let routing make the decision and just use netfilter
to make sure the same route is used for all packets of a connection,
even if a cached route is evicted.
So you need something like:
# one table per link, selected by the packet mark; the multipath default
# route in the main table tags each path with a realm
ip route add default dev ppp0 realm 1 table 100
ip rule add fwmark 0x1 lookup 100
ip route add default dev ppp1 realm 2 table 200
ip rule add fwmark 0x2 lookup 200
ip route add default nexthop dev ppp0 realm 1 nexthop dev ppp1 realm 2
and:
# first packet: store the realm routing chose in the connmark;
# later packets: restore the mark before routing so they use the same table
iptables -t mangle -A POSTROUTING -m connmark ! --mark 0x0 -j RETURN
iptables -t mangle -A POSTROUTING -m realm --realm 0x1 -j CONNMARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -m realm --realm 0x2 -j CONNMARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
Different TOS values might still break the thing, but it should work for
HTTP/HTTPS.
* Re: load balancing with https home banking
From: Marco Berizzi @ 2006-12-14 9:59 UTC
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy wrote:
> This just does NAT, where is the balancing?
Indeed. The real setup is a little different.
This linux box has three ip addresses: one for
the main internet link (hdsl_ip) plus two others for
the two adsl connections (all bound to eth0).
The box's default gateway is the hdsl ISP router.
This is used for ipsec tunnels (driven by swan)
and other 'serious' traffic:
/sbin/route add default gw hdsl_router metric 1
Then there is the route for the two adsl links,
which are used for internet surfing traffic:
ip route add default equalize table adsl \
nexthop dev eth0 via adsl_router_A weight 1 \
nexthop dev eth0 via adsl_router_B weight 1
ip rule add fwmark 1 table adsl priority 400
$IPTABLES -t mangle -A OUTPUT --protocol tcp -m multiport --dports 80,443 \
    -j MARK --set-mark 1
Squid is running on top of this same box. What
I'm trying to do is to split the browsing traffic
(that generated by squid) between the two adsl lines.
The problem is the source ip of the packets sent by squid,
which is taken from the default route, so I must
nat these packets with these rules:
$IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 \
    -m statistic --mode nth --every 2 -j SNAT --to adsl_A
$IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 \
    -j SNAT --to adsl_B
> Different TOS values might still break the thing, but it should work for
> HTTP/HTTPS.
Just asking: why should different TOS values break it?
* Re: load balancing with https home banking
From: Patrick McHardy @ 2006-12-14 10:47 UTC
To: Marco Berizzi; +Cc: netfilter-devel
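Patrick's realm/connmark approach applied to the topology Marco describes above (three addresses on one eth0, two ADSL routers, squid on the box), as an added example that is not code from the thread: adsl_A/adsl_B, adsl_router_A/adsl_router_B, the mark 0x10 and tables 100/200/300 are placeholders, and the script only prints the commands unless APPLY=1 is set. It departs from Patrick's version in one point: with three addresses on a single eth0, MASQUERADE has no way to pick the source address that matches the chosen line, so the SNAT source is keyed on the connmark instead.

```shell
#!/bin/sh
# Added example, not code from the thread: Patrick McHardy's realm/connmark
# recipe applied to Marco Berizzi's topology (hdsl_ip, adsl_A and adsl_B all
# on eth0, two ADSL routers, squid on the box). Address names, mark 0x10 and
# tables 100/200/300 are placeholders. Commands are only printed unless
# APPLY=1 is set, so the rule set can be reviewed (and tested) without root.

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# link <id> <local_ip> <gateway>: pin connections marked <id> to one ADSL line
link() {
  id=$1 addr=$2 gw=$3
  # Per-link table; fwmark <id> selects it ahead of the multipath table
  run ip route add default via "$gw" dev eth0 realm "$id" table "$((100 * id))"
  run ip rule add fwmark "$id" lookup "$((100 * id))" priority 300
  # First packet of a connection: record the realm multipath routing chose
  run iptables -t mangle -A POSTROUTING -m realm --realm "$id" \
      -j CONNMARK --set-mark "$id"
  # MASQUERADE cannot choose among three addresses on eth0, so the source
  # address follows the connmark (mangle POSTROUTING runs before nat)
  run iptables -t nat -A POSTROUTING -o eth0 -m connmark --mark "$id" \
      -j SNAT --to-source "$addr"
}

setup() {
  # The hdsl default route in the main table is untouched (IPsec, other traffic).
  # Browsing traffic marked 0x10 is balanced by the multipath table 300.
  run ip route add default table 300 \
      nexthop via adsl_router_A dev eth0 realm 1 weight 1 \
      nexthop via adsl_router_B dev eth0 realm 2 weight 1
  run ip rule add fwmark 0x10 lookup 300 priority 400
  # Connections already pinned must not be re-marked by a later lookup
  run iptables -t mangle -A POSTROUTING -m connmark ! --mark 0 -j RETURN
  link 1 adsl_A adsl_router_A
  link 2 adsl_B adsl_router_B
  # New squid connections get the balancing mark; for established ones the
  # connmark overrides it, so every packet leaves on the same line
  run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 \
      -j MARK --set-mark 0x10
  run iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
  # Forwarded LAN clients: restore the mark before the routing decision
  run iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

setup
```

The per-link rules sit at priority 300 so a restored connmark wins over the multipath rule at 400; as Patrick notes, packets of one connection carrying different TOS values would still trigger a fresh lookup, which is exactly what the connmark restore guards against.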
Marco Berizzi wrote:
> Patrick McHardy wrote:
>> Different TOS values might still break the thing, but it should work for
>> HTTP/HTTPS.
>
> Just asking: why should different TOS values break it?
Cached routes are keyed on (src,dst,iif,oif,mark,tos).
Different tos values cause new routing lookups which
might result in a different path.
* Re: load balancing with https home banking
From: Marco Berizzi @ 2006-12-14 10:59 UTC
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy wrote:
> Marco Berizzi wrote:
>> Patrick McHardy wrote:
>>> Different TOS values might still break the thing, but it should work for
>>> HTTP/HTTPS.
>>
>> Just asking: why should different TOS values break it?
>
> Cached routes are keyed on (src,dst,iif,oif,mark,tos).
> Different tos values cause new routing lookups which
> might result in a different path.
Thanks for the explanation.
PS: Any tips about the previous message ;-) ?
* Re: load balancing with https home banking
From: Krzysztof Oledzki @ 2006-12-25 1:49 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Marco Berizzi
On Thu, 14 Dec 2006, Patrick McHardy wrote:
> Marco Berizzi wrote:
>> Patrick McHardy wrote:
>>> Different TOS values might still break the thing, but it should work for
>>> HTTP/HTTPS.
>>
>> Just asking: why should different TOS values break it?
>
> Cached routes are keyed on (src,dst,iif,oif,mark,tos).
> Different tos values cause new routing lookups which
> might result in a different path.
IMHO you may not rely on the routing cache anyway, as it may be invalidated
(flushed) at any time, for example when you add or remove a single routing
entry.
Best regards,
Krzysztof Olędzki
* load balancing with https home banking
From: Marco Berizzi @ 2006-12-07 14:08 UTC
To: netfilter
Hello everybody.
I'm running linux 2.6.19 with the nth match to
alternately snat outgoing connections to
two different ip addresses.
Here is:
$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
    -m statistic --mode nth --every 2 -j SNAT --to adslA
$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 \
    -j SNAT --to adslB
Things are working pretty well, but some
applications (home banking for example)
don't work correctly. Is there a way to
tell iptables to snat always with the same
source ip for the same destination host?