From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Randy D. Wallace Jr."
Date: Thu, 05 Jul 2007 11:52:17 +0000
Subject: [LARTC] RE: Load Balancing , MSN and SSL
Message-Id: <468CDB71.60505@gmail.com>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hi all,
>
> I am running a FC6 box with two internet links with load balancing.
> Everything is working fine except the MSN connection, which fails and
> reconnects every time, and SSL connections. I would like to know if with
> the nona howto I could fix that.
>
> I have tried with no success to redirect that connection to only one link,
> but it looks like it does not work. Here is my configuration:
>
> #!/bin/bash
> #
> # Script based on
> # http://lartc.org/howto/lartc.rpdb.multiple-links.html
> #
>
> IF0=eth1
>
> # Routes for every 192.168.x.0 LAN (except .33) into both per-link tables
> function interface_interna() {
>     VALOR_IP=0
>     while [ $VALOR_IP -lt 254 ] ; do
>         if [ $VALOR_IP -ne 33 ] ; then
>             P0_NET=192.168.${VALOR_IP}.0
>             IP0=192.168.${VALOR_IP}.1
>             ip route add $P0_NET dev $IF0 src $IP0 table T1
>             ip route add $P0_NET dev $IF0 src $IP0 table T2
>         fi
>         VALOR_IP=$(expr $VALOR_IP + 1)
>     done
>     # 192.168.33.0/24 sits behind 10.1.2.1, in the main table and both link tables
>     ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
>     ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
>     ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> }
>
> # First uplink
> IP1=xxx.xxx.xxx.18
> IF1=eth0
> P1_NET=xxx.xxx.xxx.16/30
> P1=xxx.xxx.xxx.17
>
> # Second uplink
> IP2=192.168.254.250
> IF2=eth2
> P2_NET=192.168.254.248/29
> P2=192.168.254.254
>
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> ip route add $P0_NET dev $IF0 table T1
> ip route add $P1_NET dev $IF1 table T1
> ip route add $P2_NET dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo table T1
>
> ip route add $P0_NET dev $IF0 table T2
> ip route add $P1_NET dev $IF1 table T2
> ip route add $P2_NET dev $IF2 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> interface_interna
>
> # Balanced default route over both links
> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
>     nexthop via $P2 dev $IF2 weight 1
>
> # BACKUP ROUTES
>
> ip route add default via $P2 dev $IF2 metric 1 table T1
> ip route add default via $P1 dev $IF1 metric 1 table T2
>
> # SERVICE ROUTES
>
> ip rule add fwmark 2 table 21 prio 20
> ip rule add fwmark 3 table 22 prio 20
>
> ip route add default via $P1 dev $IF1 table 21
> ip route add default via $P2 dev $IF2 table 22
>
> ip route flush cache
>
> Here are the iptables mangle rules:
>
> ############# MSN Services #####################
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> ############### SSL Services ###########
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

My experience with the layer7 module has been sketchy. Have you checked to
make sure that the layer7 module is catching msnmessenger traffic? It would
be a good idea to try

    # LOG must sit in the mangle table: PREROUTING does not exist in the filter table
    iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
        --log-prefix 'MSN Messenger Packet: '

and consult /var/log/messages and make sure that layer7 is seeing it. If
it's not, the packets for MSN traffic will never get marked.

A much better solution would be to mark based on destination port, and let
connection tracking take care of the rest, for example:

    # DNS traffic
    # MARK has to be set in mangle/PREROUTING, before the routing decision,
    # for the fwmark rules above to see it
    iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
    iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Hope this helps!

> I added the rules for DNS and FTP too.
>
> But it does not seem to work.
>
> Any help will be appreciated.
>
> Saulo Silva

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGjNtxE5g7hmMpaLoRAuFwAJ9ePBgmBCQfToFaT24PZFvdIhH20ACgq52E
pFsHeJgpBIGDG6oPHdhZpnc=
=TgHZ
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
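Added example (not part of the message above and not the poster's configuration): a script that does what the reply suggests, marking MSN (TCP 1863) and SSL (TCP 443) by destination port on the first packet of a connection and saving that mark on the conntrack entry with CONNMARK, so every later packet gets the same fwmark before the routing decision and the connection stays on one link. It also wraps the layer7 LOG check from the reply. It assumes the poster's layout (LAN on eth1, fwmark 2 selecting table 21, fwmark 3 selecting table 22) and that each uplink is SNATed or masqueraded so the source address matches the link in use; the port numbers, the function names and the IPT/IP dry-run variables are my additions.

```shell
#!/bin/sh
# Added example: pin MSN and SSL connections to one uplink by destination
# port plus CONNMARK, instead of relying on layer7 pattern matching.
#
# Assumptions (not stated in the thread): LAN interface eth1, uplink tables
# 21 (fwmark 2) and 22 (fwmark 3) as in the poster's script, and per-link
# SNAT/MASQUERADE so the source address matches the link actually used.
# Set IPT=echo IP=echo to print the commands instead of running them.

IPT="${IPT:-iptables}"
IP="${IP:-ip}"
LAN_IF="${LAN_IF:-eth1}"
MARK_LINK1=2          # fwmark -> table 21 (first uplink)
MARK_LINK2=3          # fwmark -> table 22 (second uplink)

# Diagnostic from the reply: does layer7 classify the traffic at all?
# The LOG rule goes in the mangle table, where PREROUTING exists.
# l7_log_check <l7proto>
l7_log_check() {
    proto="$1"
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m layer7 --l7proto "$proto" \
        -j LOG --log-prefix "l7 ${proto}: " --log-level info
}

# Mark the first packet of a new connection to <tcp-port> with <mark>.
# pin_port <tcp-port> <mark>
pin_port() {
    port="$1"
    mark="$2"
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
        -m state --state NEW -j MARK --set-mark "$mark"
}

# Build the whole mangle/PREROUTING chain and the fwmark policy rules.
mark_by_port() {
    # 1. Put any mark already stored on the conntrack entry back on the
    #    packet, and stop classifying packets of a connection that is
    #    already pinned.
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT

    # 2. Classify new connections by destination port.
    pin_port 1863 "$MARK_LINK1"    # MSN Messenger (MSNP)
    pin_port 443  "$MARK_LINK1"    # HTTPS / SSL
    # Anything that should stick to the second link is pinned the same
    # way with "$MARK_LINK2".

    # 3. Copy the packet mark onto the conntrack entry so later packets
    #    of the connection inherit it in step 1.
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j CONNMARK --save-mark

    # 4. Policy routing: marked packets use the per-link default routes
    #    (tables 21 and 22 as in the poster's script).
    "$IP" rule add fwmark "$MARK_LINK1" table 21 prio 20
    "$IP" rule add fwmark "$MARK_LINK2" table 22 prio 20
    "$IP" route flush cache
}

# Run with --apply (as root) to install the rules; without it only the
# functions are defined, so the file can be sourced or dry-run.
if [ "${1:-}" = "--apply" ]; then
    mark_by_port
fi
```

Run it as root with --apply, or with IPT=echo IP=echo to see the rule set it would install. The order inside mark_by_port matters: restore-mark comes first so that a pinned connection skips classification, the port matches only look at NEW packets, and save-mark runs last so the decision taken on the first packet is what every later packet of that connection, and the fwmark rule, will see.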