From: "Gáspár Lajos" <swifty@freemail.hu>
To: "Usuário do Sistema" <maiconlp@ig.com.br>
Cc: Andrew Beverley <andy@andybev.com>,
Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: fail in the connmark load-balancing
Date: Tue, 28 Feb 2012 12:16:35 +0100
Message-ID: <4F4CB793.9080105@freemail.hu>
In-Reply-To: <CAMTjHryS-nWPExfpprHeQ2UmW5O0bEthL+34p3RSqgAfHtk=4A@mail.gmail.com>
Hi,
A few comments...
On 2012-02-27 19:15, Usuário do Sistema wrote:
> eth1: LAN Interface
> eth0: WAN1
> eth2: WAN2
>
> #!/bin/bash
>
> # flush all iptables entries
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t filter -P INPUT ACCEPT
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -P FORWARD ACCEPT
By default the policies are set to ACCEPT...
I would set them to DROP and I would write my own "ACCEPT-ing" rules...
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -s {trusted network}
iptables -t filter -A OUTPUT -j ACCEPT -o lo
But don't change them if you don't want to filter the connections... :D
I would ACCEPT every packet (as the first rule) that comes/goes on the
lo interface... (in the PREROUTING/INPUT/OUTPUT/POSTROUTING chains in
the raw/mangle/filter tables)
> iptables -t mangle -N CONNMARK1
> iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
>
> iptables -t mangle -N CONNMARK2
> iptables -t mangle -A CONNMARK2 -j MARK --set-mark 2
> iptables -t mangle -A CONNMARK2 -j CONNMARK --save-mark
>
> iptables -t mangle -N RESTOREMARK
> iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -i eth1 -s 0/0 -d 0/0 -m state
> --state ESTABLISHED,RELATED -j RESTOREMARK
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m
> statistic --mode nth --every 2 --packet 0 -j CONNMARK1
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m
> statistic --mode nth --every 2 --packet 1 -j CONNMARK2
Hmm... :D
iptables -t mangle -N MARKS
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
iptables -t mangle -A PREROUTING -j ACCEPT -i lo
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS
iptables -t mangle -A INPUT -j ACCEPT -i lo (put this as the first rule in the INPUT...)
iptables -t mangle -A INPUT -j CONNMARK --save-mark (put this as the last rule in the INPUT...)
iptables -t mangle -A OUTPUT -j ACCEPT -o lo
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j MARKS (use this if you want to load-balance the traffic that originates from your firewall)
iptables -t mangle -A POSTROUTING -j ACCEPT -o lo (put this as the first rule in the POSTROUTING...)
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark (put this as the last rule in the POSTROUTING...)
> iptables -t nat -N SNAT1
> iptables -t nat -A SNAT1 -j SNAT --to-source 192.168.217.254
>
> iptables -t nat -N SNAT2
> iptables -t nat -A SNAT2 -j SNAT --to-source 192.168.216.254
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT1
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT2
How do you like these "one-liners"?
iptables -t nat -A POSTROUTING -j SNAT -o eth0 ! -s 192.168.216.254 --to-source 192.168.216.254
iptables -t nat -A POSTROUTING -j SNAT -o eth2 ! -s 192.168.217.254 --to-source 192.168.217.254
> ip route add 192.168.217.0 via 192.168.217.1 table oitelecom
> ip route add 192.168.216.0 via 192.168.216.1 table gvttelecom
> ip route add default via 192.168.217.1 table oitelecom
> ip route add default via 192.168.216.1 table gvttelecom
Maybe it is better:
ip route add default via 192.168.216.1 src 192.168.216.254 dev eth0 table gvttelecom
ip route add default via 192.168.217.1 src 192.168.217.254 dev eth2 table oitelecom
> ip rule del from 192.168.217.254 table oitelecom
> ip rule add from 192.168.217.254 table oitelecom
>
> ip rule del fwmark 1 table oitelecom
> ip rule del fwmark 2 table gvttelecom
>
> ip rule add fwmark 1 table oitelecom
> ip rule add fwmark 2 table gvttelecom
Use mask in marks:
ip rule add fwmark 1/3 table oitelecom
ip rule add fwmark 2/3 table gvttelecom
Maybe you need to copy other local routes:
ip route show table main | grep -E '(^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^192\.168\.)' |
while read ROUTE
do
ip route add table oitelecom ${ROUTE} 2>/dev/null
ip route add table gvttelecom ${ROUTE} 2>/dev/null
done
Be careful with this last one, as it copies the 192.168.x.x routes too!!!!!
> ip route flush cache
>
>
> thanks....any tips is welcome.
Swifty
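The scheme sketched in the reply above, assembled into one runnable script as an added example (this is not code from any post in the thread). Interfaces, addresses, table names and the mark-to-table mapping (1 = oitelecom, 2 = gvttelecom) are the ones quoted in the thread; the /24 prefix lengths on the WAN subnets, the explicit rule priorities, the exclusion of the two WAN subnets from the copied routes, and all helper names (run, mangle_rules, copy_local_routes, ...) are assumptions of this example. It only echoes the commands unless invoked with `apply`, so it can be read and checked before anything is changed.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its posts: the mark /
# restore-mark scheme of the reply above assembled into one script.
# Interfaces, addresses, table names and the mark->table mapping (1 = oitelecom,
# 2 = gvttelecom) are taken from the thread; the /24 prefixes, the rule
# priorities, the exclusion of the WAN subnets from the copied routes and all
# helper names are assumptions of this example. Both tables must be listed in
# /etc/iproute2/rt_tables.
#   sh multiwan.sh print   # only echo the commands (default mode)
#   sh multiwan.sh apply   # execute them as root
LAN=eth1
OI_IF=eth2  OI_NET=192.168.217.0/24  OI_IP=192.168.217.254  OI_GW=192.168.217.1  OI_TABLE=oitelecom
GVT_IF=eth0 GVT_NET=192.168.216.0/24 GVT_IP=192.168.216.254 GVT_GW=192.168.216.1 GVT_TABLE=gvttelecom
IPT=${IPT:-iptables}
IP=${IP:-ip}
MODE=${MODE:-print}

# Only the two low bits of the mark are used (mask 3): 1 = oitelecom,
# 2 = gvttelecom, 3 = old connection without a saved mark, leave it on main.
run() { if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi; }

mangle_rules() {
    run $IPT -t mangle -N MARKS
    run $IPT -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
    run $IPT -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
    run $IPT -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2 --packet 0
    run $IPT -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
    # lo first, then restore the saved mark, then decide for still unmarked connections
    run $IPT -t mangle -A PREROUTING -i lo -j ACCEPT
    run $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run $IPT -t mangle -A PREROUTING -j MARKS
    run $IPT -t mangle -A OUTPUT -o lo -j ACCEPT
    run $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run $IPT -t mangle -A OUTPUT -j MARKS
    # save the mark as the last rule of the chains a packet leaves through
    run $IPT -t mangle -A INPUT -i lo -j ACCEPT
    run $IPT -t mangle -A INPUT -j CONNMARK --save-mark
    run $IPT -t mangle -A POSTROUTING -o lo -j ACCEPT
    run $IPT -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

nat_rules() {
    run $IPT -t nat -A POSTROUTING -o $OI_IF ! -s $OI_IP -j SNAT --to-source $OI_IP
    run $IPT -t nat -A POSTROUTING -o $GVT_IF ! -s $GVT_IP -j SNAT --to-source $GVT_IP
}

routing() {
    for t in $OI_TABLE $GVT_TABLE; do run $IP route flush table $t; done
    run $IP route add $OI_NET dev $OI_IF src $OI_IP table $OI_TABLE
    run $IP route add default via $OI_GW dev $OI_IF src $OI_IP table $OI_TABLE
    run $IP route add $GVT_NET dev $GVT_IF src $GVT_IP table $GVT_TABLE
    run $IP route add default via $GVT_GW dev $GVT_IF src $GVT_IP table $GVT_TABLE
    # masked fwmark rules: mark 3 matches neither and falls through to main
    run $IP rule add fwmark 1/3 table $OI_TABLE priority 100
    run $IP rule add fwmark 2/3 table $GVT_TABLE priority 101
    run $IP rule add from $OI_IP table $OI_TABLE priority 102
    run $IP rule add from $GVT_IP table $GVT_TABLE priority 103
    run $IP route flush cache
}

# Copy the RFC 1918 routes of the main table into both WAN tables, otherwise a
# reply arriving on a WAN (its restored mark selects that WAN's table) has no
# route back to the LAN. As the reply warns, the pattern also matches the
# 192.168.216/217 WAN subnets; they were added above, so they are skipped here.
# Reads the output of `ip route show table main` on stdin.
copy_local_routes() {
    grep -E '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' |
    awk -v a="$OI_NET" -v b="$GVT_NET" '$1 != a && $1 != b' |
    while read -r route; do
        run $IP route add table $OI_TABLE $route
        run $IP route add table $GVT_TABLE $route
    done
}

build_rules() {
    mangle_rules
    nat_rules
    routing
    $IP route show table main | copy_local_routes
}

case "${1:-}" in
    print) build_rules ;;
    apply) MODE=apply; build_rules ;;
esac
```

After applying, `conntrack -L -o extended` (from conntrack-tools) shows the saved mark on each connection and `ip rule show` the four masked rules in front of main; a connection whose conntrack entry predates the script carries mark 3 and stays on the main table instead of being re-balanced.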
Thread overview: 11+ messages
2012-02-11 20:19 fail in the connmark load-balancing Usuário do Sistema
2012-02-12 22:10 ` Andrew Beverley
2012-02-13 11:19 ` Usuário do Sistema
2012-02-13 22:03 ` Usuário do Sistema
2012-02-25 10:53 ` Andrew Beverley
2012-02-27 16:40 ` Usuário do Sistema
2012-02-27 17:07 ` Usuário do Sistema
2012-02-27 18:15 ` Usuário do Sistema
2012-02-28 11:16 ` Gáspár Lajos [this message]
2012-03-02 21:24 ` Usuário do Sistema
2012-03-05 13:34 ` Gáspár Lajos