From: Joe Nuts <joenuts@gmail.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Packet Level Load Balance inbound/outbound success with nth and route
Date: Wed, 02 Feb 2005 15:42:11 +0000
Message-ID: <cfc690b705020207426dccd65d@mail.gmail.com>

First of all, I'd like to thank Andy Furniss for his direction and for
helping me get a working example up and running.

For the following setup to work, you will need a Linux computer at
the ISP (server), a Linux computer at the client location (client),
and a public range of IPs you plan to send down to your client.

(As this configuration involves patching the Linux kernel, I assume
you have already downloaded it, and have previously compiled a kernel.)
The steps to set up the Linux computers are:
- Make sure both computers have forwarding allowed (I do this with a
  'net.ipv4.ip_forward = 1' line in my /etc/sysctl.conf).
- Download the iptables source and the patch-o-matic files from
  netfilter.org.
- Unzip those files. Run the patch-o-matic script. When you get to the
  'nth' and 'ROUTE' packages, select Y.
- Then, in the kernel config, under networking options, under netfilter
  configuration, under iptables support, select nth, and under packet
  mangling, select ROUTE.
- Compile the kernel, reboot with the new kernel.
- Compile iptables: make && make install.
- Even after running make install, on my system, the two iptables
  libraries didn't make it to /lib/iptables, so I had to copy them
  manually (copy libipt_nth.so and libipt_ROUTE.so from the iptables
  source to /lib/iptables).

Now, I use GRE tunnels from the server to the client to send inbound
traffic. I assume you can use any kind of tunnel; just make sure
support for whatever you want to use is built into the kernel.

For the sake of the example, IPs will be defined as follows:
Local IP at client : 66.81.23.1 (eth0)
DSL #1 at client : 64.20.12.46 (eth1) (64.20.12.45 is gateway)
DSL #2 at client : 64.20.12.50 (eth2) (64.20.12.49 is gateway)

Public IP of server : 66.80.22.30
Public IP Range sent to client : 66.81.23.0/24

The tunnels need to be set up on both the client and the server:
--server--
# remote = client's DSL address, local = server's public IP
ip tunnel add client_tun1 mode gre remote 64.20.12.46 local 66.80.22.30 ttl 255
ip tunnel add client_tun2 mode gre remote 64.20.12.50 local 66.80.22.30 ttl 255
ip link set client_tun1 up
ip link set client_tun2 up
ip addr add 172.16.0.1/30 dev client_tun1
ip addr add 172.16.0.5/30 dev client_tun2
--client--
# remote = server's public IP, local = client's DSL address
ip tunnel add client_tun1 mode gre remote 66.80.22.30 local 64.20.12.46 ttl 255
ip tunnel add client_tun2 mode gre remote 66.80.22.30 local 64.20.12.50 ttl 255
ip link set client_tun1 up
ip link set client_tun2 up
ip addr add 172.16.0.2/30 dev client_tun1
ip addr add 172.16.0.6/30 dev client_tun2

Traffic outbound from the client doesn't need to go out the tunnel, but
it does need to be split:
--client--
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth \
  --counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth \
  --counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49

Traffic inbound to the client will go to the server, and come to the
client through the tunnel:
--server--
iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth \
  --counter 0 --every 2 --packet 0 -j ROUTE --oif client_tun1 --gw 172.16.0.2
iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth \
  --counter 0 --every 2 --packet 1 -j ROUTE --oif client_tun2 --gw 172.16.0.6


Of course this setup can be used to divide across more than two
links; just duplicate / modify the lines as needed.
Computers behind the client can now be given public IPs in that
range; set their gateway to 66.81.23.1, and they're up and running on
both lines.

I hope this helps someone like me!
Sincerely,
Joe Comeaux
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
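
The message says the rules can be duplicated for more than two links. As an added example (not part of the original message), this shell function generalizes the two-link rules to any number of links by setting --every to the link count and --packet to each link's index. The names gen_split_rules, client_tun3 and 172.16.0.10 are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# gen_split_rules (hypothetical helper) prints one nth/ROUTE rule per link,
# in the same form as the rules in the message.
# Usage: gen_split_rules <--source|--destination> <cidr> <oif:gw> <oif:gw> [...]
gen_split_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_split_rules <direction> <cidr> <oif:gw>..." >&2
        return 1
    fi
    dir=$1
    net=$2
    shift 2
    case $dir in
        --source|--destination) ;;
        *) echo "direction must be --source or --destination" >&2; return 1 ;;
    esac
    if [ "$#" -lt 2 ]; then
        echo "need at least two oif:gw links to split across" >&2
        return 1
    fi
    # Validate every link before printing anything, so a bad entry never
    # leaves a partial rule set that skips some --packet values.
    for link in "$@"; do
        case $link in
            ?*:?*) ;;
            *) echo "bad link spec '$link', expected oif:gw" >&2; return 1 ;;
        esac
    done
    every=$#
    packet=0
    for link in "$@"; do
        oif=${link%%:*}   # interface name, before the first colon
        gw=${link#*:}     # gateway address, after the first colon
        echo "iptables -A POSTROUTING $dir $net -t mangle -m nth" \
             "--counter 0 --every $every --packet $packet" \
             "-j ROUTE --oif $oif --gw $gw"
        packet=$((packet + 1))
    done
}

# Constructed input: the two tunnels from the message plus a hypothetical
# third tunnel (client_tun3, peer 172.16.0.10) on the server side.
gen_split_rules --destination 66.81.23.0/24 \
    client_tun1:172.16.0.2 client_tun2:172.16.0.6 client_tun3:172.16.0.10
```

The function only prints the commands, so the output can be reviewed before it is run as root on the machine it is meant for.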
