Linux Netfilter discussions
* equalize traffic when link is down
@ 2003-03-08  7:06 Daniel Wittenberg
  2003-03-08  7:53 ` hare ram
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Wittenberg @ 2003-03-08  7:06 UTC (permalink / raw)
  To: Netfilter

If you use equalize with 2 default gateways (like 2 ISP's), and one of
them goes down, what happens to the traffic?  Will it automatically go
out the one up link, or will some traffic fail to go out?

Dan




* Re: [SPAM-RATING-1] Re: equalize traffic when link is down
  2003-03-08  7:53 ` hare ram
@ 2003-03-08  7:40   ` Daniel Wittenberg
  2003-03-08 11:16     ` hare ram
  2003-03-08 15:23   ` QoS Franco Antonio Catena
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Wittenberg @ 2003-03-08  7:40 UTC (permalink / raw)
  To: Netfilter

Ok, makes sense, so if we just drop the cache timeout (don't remember if
you can configure that or not) then we can adjust the "switch-over" time
in case the default is too high.

Great, thanks!
Dan

On Sat, 2003-03-08 at 01:53, hare ram wrote:
> Hi
> 
> AFAIK,
> 
> If the first link is down, the total traffic will move to the other (second) link,
> if you have configured load balancing on the links.
> 
> If you made static routes, then the traffic will be dead.
> 
> If you load-balanced both links,
> then it will take some time to clear the route cache; once a fresh route
> cache is built you will have the fresh routes,
> so all the traffic will move towards the active link.
> 
> 
> hare





* Re: equalize traffic when link is down
  2003-03-08  7:06 equalize traffic when link is down Daniel Wittenberg
@ 2003-03-08  7:53 ` hare ram
  2003-03-08  7:40   ` [SPAM-RATING-1] " Daniel Wittenberg
  2003-03-08 15:23   ` QoS Franco Antonio Catena
  0 siblings, 2 replies; 7+ messages in thread
From: hare ram @ 2003-03-08  7:53 UTC (permalink / raw)
  To: Daniel Wittenberg, Netfilter

Hi

AFAIK,

If the first link is down, the total traffic will move to the other (second) link,
if you have configured load balancing on the links.

If you made static routes, then the traffic will be dead.

If you load-balanced both links,
then it will take some time to clear the route cache; once a fresh route
cache is built you will have the fresh routes,
so all the traffic will move towards the active link.


hare



* Re: [SPAM-RATING-1] Re: equalize traffic when link is down
  2003-03-08  7:40   ` [SPAM-RATING-1] " Daniel Wittenberg
@ 2003-03-08 11:16     ` hare ram
  0 siblings, 0 replies; 7+ messages in thread
From: hare ram @ 2003-03-08 11:16 UTC (permalink / raw)
  To: Daniel Wittenberg, Netfilter

Yes

you can make some cron job for testing whether both links are active or not

if one of them is down, you can clear the route cache

but whoever has been in the cache will be lost

hare


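hare ram's suggestion above (a cron job that probes both links and flushes the route cache when one is down), written out as an added example that is not part of the thread: a POSIX shell script for an iproute2 multipath ("equalize"-style) default route. The gateway addresses and interface names are constructed placeholders; on kernels 3.6 and later there is no route cache, so `ip route flush cache` is a no-op there and replacing the default route is what does the work.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder gateways (TEST-NET ranges)
# and interfaces; replace with your own two ISP links.
GW1=192.0.2.1;    IF1=eth1   # ISP 1 (constructed placeholder)
GW2=198.51.100.1; IF2=eth2   # ISP 2 (constructed placeholder)

# link_up GW IFACE -> exit 0 if the gateway answers two pings sent out IFACE
link_up() {
    ping -c 2 -W 2 -I "$2" "$1" >/dev/null 2>&1
}

# build_default_route STATE1 STATE2 -> prints the route spec for the
# surviving links ("up"/"down" per link). Both up: one multipath default
# route (the equalize case). Returns 1 when both links are down.
build_default_route() {
    case "$1/$2" in
        up/up)   echo "default nexthop via $GW1 dev $IF1 weight 1 nexthop via $GW2 dev $IF2 weight 1" ;;
        up/down) echo "default via $GW1 dev $IF1" ;;
        down/up) echo "default via $GW2 dev $IF2" ;;
        *)       return 1 ;;
    esac
}

# apply_route: probe both links, install the matching default route and
# flush the route cache so cached routes still pointing at the dead
# gateway are discarded (existing flows on that gateway are lost, as
# hare ram notes).
apply_route() {
    s1=down; link_up "$GW1" "$IF1" && s1=up
    s2=down; link_up "$GW2" "$IF2" && s2=up
    route=$(build_default_route "$s1" "$s2") || {
        logger -t failover "both links down, leaving routes untouched"
        return 1
    }
    # shellcheck disable=SC2086  # splitting the route spec into words is intended
    ip route replace $route && ip route flush cache
    logger -t failover "links: $IF1=$s1 $IF2=$s2 -> default route: $route"
}

# Run from cron, e.g. every minute:
#   * * * * * FAILOVER_APPLY=1 /usr/local/sbin/failover.sh
if [ "${FAILOVER_APPLY:-0}" = 1 ]; then
    apply_route
fi
```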


* QoS
  2003-03-08  7:53 ` hare ram
  2003-03-08  7:40   ` [SPAM-RATING-1] " Daniel Wittenberg
@ 2003-03-08 15:23   ` Franco Antonio Catena
  2003-03-08 20:31     ` QoS SBlaze
  2003-03-08 22:37     ` IPTABLES so estrange Franco Antonio Catena
  1 sibling, 2 replies; 7+ messages in thread
From: Franco Antonio Catena @ 2003-03-08 15:23 UTC (permalink / raw)
  To: 'Netfilter'

Hi fellows


Is it possible to do something LIKE QoS or CBQ using IPTABLES? I want to
control the amount of Kbps per port in the INBOUND and OUTBOUND directions

thanks





* Re: QoS
  2003-03-08 15:23   ` QoS Franco Antonio Catena
@ 2003-03-08 20:31     ` SBlaze
  2003-03-08 22:37     ` IPTABLES so estrange Franco Antonio Catena
  1 sibling, 0 replies; 7+ messages in thread
From: SBlaze @ 2003-03-08 20:31 UTC (permalink / raw)
  To: Franco Antonio Catena, 'Netfilter'


I believe this can better help you than iptables... as iptables is just a
firewall solution... you are looking more for a routing solution

http://lartc.org/



* IPTABLES so estrange
  2003-03-08 15:23   ` QoS Franco Antonio Catena
  2003-03-08 20:31     ` QoS SBlaze
@ 2003-03-08 22:37     ` Franco Antonio Catena
  1 sibling, 0 replies; 7+ messages in thread
From: Franco Antonio Catena @ 2003-03-08 22:37 UTC (permalink / raw)
  To: 'Franco Antonio Catena', 'Netfilter'

Hi,

I have a linux box with 2 network cards, eth0 external and eth1 internal. I
want Apache to run on port 81 instead of 80 because I have a NAT
forwarding to IIS. The problem is that the script doesn't work. I'm not able
to telnet from an internal address to port 81. Apache was started, but I
don't know why I can't telnet 192.168.1.1 81?
 

# Load every netfilter module found in this kernel's module directory (except ipchains)
for i in `ls /lib/modules/2.4.18-2cl/kernel/net/ipv4/netfilter/ip*|cut -f 3 -d "."|cut -f 6 -d "/"|grep -v ipchains`;do modprobe $i;done

#modprobe ip_tables
#insmod ip_conntrack
#insmod ip_conntrack_ftp
#modprobe ipt_LOG
#modprobe ipt_multiport
#modprobe ipt_REJECT
#modprobe ipt_MASQUERADE

# Flush the filter and nat tables so re-running the script does not append duplicate rules
iptables -F
iptables -t nat -F

# Default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Log and drop fragmented ICMP arriving on the external interface
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG --log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 3128 -j LOG --log-prefix "USO DO  SQUID "

iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81 -j LOG --log-prefix "WEB INTERNA "
iptables -A INPUT -i eth0 -m multiport -p tcp --dport 21,22,25,53,80,81,110,500,3128 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -m multiport -p tcp -d 192.168.1.1 --dport 21,22,25,53,80,81,110,500,3128 -j ACCEPT
iptables -A INPUT -i eth0 -m multiport -p udp --dport 21,25,53,80,110,500 -j ACCEPT

iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP

# Everything else arriving on the external interface is logged and dropped
iptables -A INPUT -i eth0 -j LOG --log-prefix "FIREWALL : INPUT "
iptables -A INPUT -i eth0 -j DROP

# Outbound rules

iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 443 --sport 1024:65535 -j ACCEPT

# Block outbound NetBIOS
iptables -A OUTPUT -o eth0 -m multiport -p tcp --dport 135,137,138,139 -j DROP
iptables -A OUTPUT -o eth0 -m multiport -p udp --dport 135,137,138,139 -j DROP

iptables -A OUTPUT -o eth0 -j ACCEPT

# NAT
#iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.1 -d apache.surson.com.br -p tcp
iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.2 -i eth0 -p tcp -m multiport --dport 21,25,80,110,3389,137,50,51,1723
#iptables -t nat -A PREROUTING --dst apache.surson.com.br -p TCP --dport 80 -j DNAT --to-destination 192.168.1.1

# Masquerade
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d 192.168.0.0/255.255.0.0 -j LOG --log-prefix "Firewall VPN "

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d \! 192.168.0.0/255.255.0.0 -j MASQUERADE

# Block forwarded Windows Networking (NetBIOS) packets
iptables -A FORWARD -i eth0 -m multiport -p tcp --dport 135,137,138,139 -j LOG --log-prefix " Fire BLOQ TCP NETBIOS "
iptables -A FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139 -j LOG --log-prefix " Fire BLOQ UDP NETBIOS "
iptables -A FORWARD -i eth0 -m multiport -p tcp --dport 135,137,138,139 -j DROP
iptables -A FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139 -j DROP

# Forwarding for outbound traffic (return packets of existing connections)
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internal hosts may not reach proxy ports (3128, 8080) on any host other than this box
iptables -A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.1 -p tcp --dport 3128 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.1 -p tcp --dport 8080 -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT

# Kernel level
echo "32768" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1"     > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo "1"     > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1"     > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1"     > /proc/sys/net/ipv4/ip_forward

# Reverse-path filtering off on all interfaces (this also disables the kernel's source-address spoof check)
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
  echo 0 > $i
done

# Log packets with impossible source addresses
for i in /proc/sys/net/ipv4/conf/*/log_martians
do
  echo 1 > $i
done


