From mboxrd@z Thu Jan 1 00:00:00 1970
From: VladSun
Date: Mon, 25 Jun 2007 21:30:25 +0000
Subject: Re: [LARTC] Load Balance and SNAT problem.
Message-Id: <468033F1.9020408@relef.net>
List-Id:
References: <7e47206b0706242007q487365d3gb7c12658b9669edd@mail.gmail.com>
In-Reply-To: <7e47206b0706242007q487365d3gb7c12658b9669edd@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To: lartc@vger.kernel.org

John Chang wrote:
>
> I am developing load balancing router, But I have a question about
> fail over.
> The follow diagram is my test environment and scripts.
> -------------------------------------------------------------------
> Environment Setting
>
> PC1(192.168.10.2 )
>            |
>          (LAN)
>            |
> PC2-eth2( 192.168.10.1 )
>       +                       +
> PC2-eth0(111.111.111.2 )   PC2-eth1(222.222.222.2 )
>       |                       |
>    (WAN1)                  (WAN2)
>       |                       |
> PC3-eth0(111.111.111.1 )   PC3-eth1( 222.222.222.1 )
>       +                       +
>            PC2-eth2(172.16.0.1 )
>
> PC2-Linux Kernel 2.6.21
> PC2-Iptables 1.3.7
>
>
> -------------------------------------------------------------------
> Iptables rules:
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 111.111.111.2
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 222.222.222.2
>
>
> # table 101
> ip route flush table 101
> ip route add 192.168.10.0/24 dev eth2 table 101
> ip route add default via 111.111.111.1 dev eth0 table 101
>
> # table 102
> ip route flush table 102
> ip route add 192.168.10.0/24 dev eth2 table 102
> ip route add default via 222.222.222.1 dev eth1 table 102
>
> ip rule del fwmark 1 table 101
> ip rule del fwmark 2 table 102
> ip rule add fwmark 1 table 101
> ip rule add fwmark 2 table 102
>
> iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 2 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> -----------------------------------------------------------------------------
>

Well ... I am not sure about it but you may try to do it this way:

iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 1 -j SNAT --to 111.111.111.2
iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 2 -j SNAT --to 222.222.222.2

iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

This is done without using iproute.

There is another solution, but it works only with kernels up to 2.6.10:

iptables -t nat -A POSTROUTING -o ! eth2 -j SNAT --to 111.111.111.2,222.222.222.2

".... For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore. ..."

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
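An added example, not code from either poster: a script that applies the mark-keyed variant VladSun describes (fwmark policy routing plus SNAT selected by the same mark, with CONNMARK keeping established flows on their link), parameterised for any number of WAN links. The link list, the unmarked-only guard, the n-way round-robin marking and the DRY_RUN switch are this script's own assumptions; the addresses are those of John Chang's diagram.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the mark-based multi-WAN setup
# VladSun suggests (policy routing by fwmark, SNAT keyed by the same mark).
# Addresses and interfaces come from John Chang's diagram; the n-way round-robin
# marking, the unmarked-only guard and the DRY_RUN switch are this script's own.
set -eu

LAN_IF=eth2
LAN_NET=192.168.10.0/24
# one entry per WAN link: mark:interface:local_address:gateway:routing_table
WANS="1:eth0:111.111.111.2:111.111.111.1:101 2:eth1:222.222.222.2:222.222.222.1:102"

# DRY_RUN=1 prints each command instead of executing it (execution needs root)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

mwan_rules() {
    set -- $WANS; n=$#; i=1
    # restore the saved connection mark first, so every packet of an established
    # flow keeps the link (and therefore the SNAT address) chosen for its first packet
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    for w in $WANS; do
        oifs=$IFS; IFS=:; set -- $w; IFS=$oifs
        mark=$1 dev=$2 addr=$3 gw=$4 tbl=$5
        # per-link routing table, selected by fwmark (del before add keeps it idempotent)
        run ip route flush table "$tbl"
        run ip route add "$LAN_NET" dev "$LAN_IF" table "$tbl"
        run ip route add default via "$gw" dev "$dev" table "$tbl"
        run ip rule del fwmark "$mark" table "$tbl" 2>/dev/null || true
        run ip rule add fwmark "$mark" table "$tbl"
        # spread still-unmarked NEW connections: rule i takes 1/(n-i+1) of what reaches
        # it and the last rule takes the rest, so each link gets 1/n (--packet is 0-based)
        if [ "$i" -lt "$n" ]; then
            run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -m mark --mark 0 \
                -m statistic --mode nth --every $((n - i + 1)) --packet 0 -j MARK --set-mark "$mark"
        else
            run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -m mark --mark 0 \
                -j MARK --set-mark "$mark"
        fi
        # SNAT keyed by the mark rather than by -o, so the source address always matches
        # the table the packet was routed with ("! -o" is the current form of "-o !")
        run iptables -t nat -A POSTROUTING ! -o "$LAN_IF" -m mark --mark "$mark" \
            -j SNAT --to-source "$addr"
        i=$((i + 1))
    done
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

if [ "${1:-}" = apply ]; then mwan_rules; fi
```

Run it as `DRY_RUN=1 sh script.sh apply` to review the generated rules before applying them for real; a link failure still needs the corresponding marking rule and routing table taken out of service, which this script does not do.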