* [LARTC] RE: Load Balancing , MSN and SSL
@ 2007-07-05 11:52 Randy D. Wallace Jr.
  2007-07-08 18:04 ` Jorge Evangelista
From: Randy D. Wallace Jr. @ 2007-07-05 11:52 UTC (permalink / raw)
  To: lartc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hi all,
> 
> I am running an FC6 box with two internet links with load balancing. Everything
> is working fine except the MSN connection, which fails and reconnects every
> time, and SSL connections. I would like to know if with the nona howto I
> could fix that.
> 
> I have been trying with no success to redirect that connection only to one
> link, but it looks like it does not work. Here is my configuration:
> 
> #!/bin/bash 
> #
> # Script based on
> # http://lartc.org/howto/lartc.rpdb.multiple-links.html
> # 
> #
> #
> 
> 
> IF0=eth1
> 
> function interface_interna() {
>         VALOR_IP=0
>         while [ $VALOR_IP -lt 254 ] ; do
>            if [ $VALOR_IP -ne 33 ] ; then
>                 # /24 added: a bare address is installed as a /32 host route
>                 P0_NET=192.168.${VALOR_IP}.0/24
>                 IP0=192.168.${VALOR_IP}.1
>                 ip route add $P0_NET dev $IF0 src $IP0 table T1
>                 ip route add $P0_NET dev $IF0 src $IP0 table T2
>            fi
>            VALOR_IP=$(expr $VALOR_IP + 1)
>         done
>         # 192.168.33.0/24 is reached through 10.1.2.1 rather than directly on eth1
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
>         ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> }
> 
> 
> 
> IP1=xxx.xxx.xxx.18
> IF1=eth0
> P1_NET=xxx.xxx.xxx.16/30
> P1=xxx.xxx.xxx.17 
> 
> 
> IP2=192.168.254.250
> IF2=eth2
> P2_NET=192.168.254.248/29
> P2=192.168.254.254
> 
> 
> 
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
> 
> ip route add $P1_NET dev $IF1 src $IP1 
> ip route add $P2_NET dev $IF2 src $IP2
> 
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
> 
> # ($P0_NET is only set inside interface_interna, which adds the $IF0 routes itself)
> ip route add $P1_NET     dev $IF1 table T1
> ip route add $P2_NET     dev $IF2 table T1 
> ip route add 127.0.0.0/8 dev lo   table T1
> 
> # ($P0_NET is only set inside interface_interna, which adds the $IF0 routes itself)
> ip route add $P1_NET     dev $IF1 table T2
> ip route add $P2_NET     dev $IF2 table T2 
> ip route add 127.0.0.0/8 dev lo   table T2
> 
> interface_interna 
> 
> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
> nexthop via $P2 dev $IF2 weight 1
> 
> # BACKUP ROUTES
> 
> ip route add default via $P2 dev $IF2 metric 1 table T1 
> ip route add default via $P1 dev $IF1 metric 1 table T2
> 
> # SERVICE ROUTES
> 
> ip rule add fwmark 2 table 21 prio 20   
> ip rule add fwmark 3 table 22 prio 20
> 
> ip route add default via $P1 dev $IF1 table 21
> ip route add default via $P2 dev $IF2 table 22
> 
> ip route flush cache
> 
> Here the iptables mangles rules : 
> 
> ############# MSN Services #####################
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> ############### SSL Services ###########
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

My experience with the layer7 module has been sketchy.  Have you checked to
make sure that the layer7 module is catching msnmessenger traffic?  It would
be a good idea to try

# iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger \
    -j LOG --log-prefix 'MSN Messenger Packet: '

and consult /var/log/messages and make sure that layer7 is seeing it.
If it's not, the packets for msn traffic will never get marked.

A much better solution would be to mark based on destination port and let connection
tracking take care of the rest. For example:

# DNS traffic: mark the first packet of a new connection in mangle PREROUTING
# (for forwarded packets the route lookup happens before the filter FORWARD
# chain, so a mark set there comes too late to select a routing table)
# iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 53 -m state --state NEW -j MARK --set-mark 2
# iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

hope this helps!

> 
> I added the rules for DNS and FTP too.
> 
> But it does not seem to work.
> 
> Any help will be appreciated.
> 
> Saulo Silva
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGjNtxE5g7hmMpaLoRAuFwAJ9ePBgmBCQfToFaT24PZFvdIhH20ACgq52E
pFsHeJgpBIGDG6oPHdhZpnc=
=TgHZ
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] RE: Load Balancing , MSN and SSL
  2007-07-05 11:52 [LARTC] RE: Load Balancing , MSN and SSL Randy D. Wallace Jr.
@ 2007-07-08 18:04 ` Jorge Evangelista
From: Jorge Evangelista @ 2007-07-08 18:04 UTC (permalink / raw)
  To: lartc

Hi, I think you could mark packets based on port 1863 and the hosts
messenger.hotmail.com, gateway.messenger.hotmail.com and webmessenger.msn.com.



On 7/5/07, Randy D. Wallace Jr. <randywallacejr@gmail.com> wrote:

-- 
"The network is the computer"
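The port-based marking Randy recommends, together with the TCP port 1863 Jorge mentions, worked through as an added example. This is not code from the thread or from the LARTC howto; it assumes the poster's layout (LAN on eth1, uplinks on eth0 and eth2, tables 21 and 22 reached through fwmarks 2 and 3) and uses placeholder gateway addresses from the RFC 5737 documentation range, so the interface names, gateways, ports and the `--dry-run` / `--install` switches are all assumptions of the example. What it adds over a plain port match is the CONNMARK restore/save pair: with layer7, the first packets of a connection are not yet classified and follow the unmarked multipath default route, and only once the classifier has matched is the rest of the connection sent via table 21, which can put one TCP session on two uplinks. Restoring the connection's saved mark as the first mangle rule keeps every packet of a flow on the link chosen for its first packet.

```shell
#!/bin/sh
# Added example (not from the original thread): pin whole connections to one
# uplink by marking the first packet on its destination port and carrying the
# mark in conntrack with CONNMARK, instead of matching every packet with layer7.
#
# Assumed layout (not stated in the thread): LAN on eth1, uplink 1 on eth0 via
# gateway $P1, uplink 2 on eth2 via gateway $P2. Tables 21/22 and fwmarks 2/3
# follow the poster's script. Set IPT=echo / IPR=echo to print the rules
# instead of installing them.
IPT=${IPT:-iptables}
IPR=${IPR:-ip}
LAN_IF=${LAN_IF:-eth1}
UPLINK1_IF=${UPLINK1_IF:-eth0}
UPLINK2_IF=${UPLINK2_IF:-eth2}
P1=${P1:-192.0.2.1}        # placeholder gateway (documentation range)
P2=${P2:-198.51.100.1}     # placeholder gateway (documentation range)
MARK_LINK1=2
MARK_LINK2=3

# $1 = fwmark, $2.. = TCP destination ports pinned to the link behind that mark.
pin_ports_to_mark() {
    mark=$1; shift
    for port in "$@"; do
        # Only the first packet of a connection is classified here; every
        # later packet gets the mark back from conntrack (restore-mark below).
        $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    done
}

install_mangle_rules() {
    # 1. Restore the mark saved on the connection. For every packet after the
    #    first this is the rule that decides the route, so the whole flow
    #    follows the link chosen for its first packet.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 2. Already-marked packets need no further classification. ACCEPT ends
    #    mangle PREROUTING for them, so keep other mangle rules ahead of this.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    # 3. Classify new connections by destination port: MSN Messenger (1863)
    #    and HTTPS/SSL (443) both stay on uplink 1. Nothing is pinned to
    #    uplink 2 in this example, but the same function would do it.
    pin_ports_to_mark "$MARK_LINK1" 1863 443
    # 4. Persist the mark on the conntrack entry for the rest of the flow.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
}

install_policy_routes() {
    # Marked packets consult table 21 or 22 before the main table (prio 20
    # sorts ahead of the default rules at 32766/32767).
    $IPR rule add fwmark "$MARK_LINK1" table 21 prio 20
    $IPR rule add fwmark "$MARK_LINK2" table 22 prio 20
    $IPR route add default via "$P1" dev "$UPLINK1_IF" table 21
    $IPR route add default via "$P2" dev "$UPLINK2_IF" table 22
    $IPR route flush cache
}

# Dry run in a subshell: print the generated rules without touching the kernel.
generate_rules() {
    (
        IPT=echo
        IPR=echo
        install_mangle_rules
        install_policy_routes
    )
}

# Sanity check on rule order: restore-mark must be the first mangle rule. If
# the port rule came first, later packets of a flow (state ESTABLISHED, never
# NEW) would miss it and leave unmarked, reproducing the split-flow problem.
check_rule_order() {
    rules=$(generate_rules)
    first=$(printf '%s\n' "$rules" | sed -n 1p)
    case $first in
        *'--restore-mark'*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--dry-run" ]; then
    generate_rules
elif [ "${1:-}" = "--install" ]; then
    install_mangle_rules
    install_policy_routes
fi
```

Run it with `--dry-run` to review the rule list, then as root with `--install`. The `-m mark ! --mark 0 -j ACCEPT` rule stops mangle PREROUTING processing for packets that already carry a mark, so any other mangle rules the box relies on belong before it; the `ip rule` lines assume tables 21 and 22 are otherwise empty, as in the poster's script.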
