Re: [LARTC] Load Balance and SNAT problem.

From: VladSun <vladsun@relef.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Load Balance and SNAT problem.
Date: Mon, 25 Jun 2007 21:30:25 +0000	[thread overview]
Message-ID: <468033F1.9020408@relef.net> (raw)
In-Reply-To: <7e47206b0706242007q487365d3gb7c12658b9669edd@mail.gmail.com>

John Chang написа:
>
> I am developing load balancing router, But I have a question about 
> fail over.
> The follow diagram is my test environment and scripts.
> -------------------------------------------------------------------
> Environment Setting
>
> PC1(192.168.10.2 <http://192.168.10.2>)
> |
> (LAN)
> |
> PC2-eth2( 192.168.10.1 <http://192.168.10.1>)
> + +
> PC2-eth0(111.111.111.2 <http://111.111.111.2>) PC2-eth1(222.222.222.2 
> <http://222.222.222.2> )
> | |
> (WAN1) (WAN2)
> | |
> PC3-eth0(111.111.111.1 <http://111.111.111.1>) PC3-eth1( 222.222.222.1 
> <http://222.222.222.1>)
> + +
> PC2-eth2(172.16.0.1 <http://172.16.0.1>)
>
> PC2-Linux Kernel 2.6.21
> PC2-Iptables 1.3.7
>
>
> -------------------------------------------------------------------
> Iptables rules:
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 111.111.111.2 
> <http://111.111.111.2>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 222.222.222.2 
> <http://222.222.222.2>
>
> # table 101
> ip route flush table 101
> ip route add 192.168.10.0/24 <http://192.168.10.0/24> dev eth2 table 101
> ip route add default via 111.111.111.1 <http://111.111.111.1> dev eth0 
> table 101
>
> # table 102
> ip route flush table 102
> ip route add 192.168.10.0/24 <http://192.168.10.0/24> dev eth2 table 102
> ip route add default via 222.222.222.1 <http://222.222.222.1> dev eth1 
> table 102
>
> ip rule del fwmark 1 table 101
> ip rule del fwmark 2 table 102
> ip rule add fwmark 1 table 101
> ip rule add fwmark 2 table 102
>
> iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m state --state NEW -m statistic 
> --mode nth --every 2 --packet 1 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m state --state NEW -m statistic 
> --mode nth --every 2 --packet 2 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> -----------------------------------------------------------------------------
>
Well ... I am not sure about it but you may try to do it this way:

iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 1 -j SNAT --to 
111.111.111.2 <http://111.111.111.2>
iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 2 -j SNAT --to 
222.222.222.2 <http://222.222.222.2>

iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic 
--mode nth --every 2 --packet 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic 
--mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This is done without using iproute.
There is another solution, but it works only with kernels up to 2.6.10:

iptables -t nat -A POSTROUTING -o ! eth2 -j SNAT --to 111.111.111.2 
<http://111.111.111.2>,222.222.222.2 <http://222.222.222.2>

".... For those kernels, if you specify more than one source
address, either via an address range or multiple --to-source options, a 
simple round-robin (one after another in cycle) takes
place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have 
the ability to NAT to multiple ranges anymore. ..."
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc