Re: link redudancy, not load-balancing

[Thomas Jacob <jacob@internet24.de>]

Check out the CONNMARK target, and
the connmark matcher module.

The following is a setup pattern for
sending back traffic related to a connection to the router it was
initiated
from, to give you a rough idea, it's probably not a workable config
though...


# mark connections by router src MAC (you can probably just use the
incoming interface in your case).
iptables -t mangle -N MANGLE_IN
iptables -t mangle -A PREROUTING -i <EXT_IF> -j MANGLE_IN

iptables -t mangle -A MANGLE_IN -m mac --mac <ROUTER_ONE_MAC> \
   -j CONNMARK --set-mark 1
iptables -t mangle -A MANGLE_IN -m mac --mac <ROUTER_TWO_MAC> \
   -j CONNMARK --set-mark 2

# Restoring mark from connmark
iptables -t mangle -N MANGLE_OUT
iptables -t mangle -A PREROUTING -i <INT_IF> -j MANGLE_OUT
iptables -t mangle -A MANGLE_OUT -d <LOCAL_NET> -j RETURN
iptables -t mangle -A MANGLE_OUT -m connmark ! --mark 0 -j CONNMARK \  
   --restore-mark


# iproute stuff
ip rule add fwmark 1 pref 10001 table 100
ip route add default via <ROUTER_ONE_GW> table 101

ip rule add fwmark 2 pref 10002 table 101
ip route add default via <ROUTER_TWO_GW> table 102




On Fri, 2007-06-29 at 13:45 -0300, thiago@powers.com.br wrote:
> Whats up list,
> 
> I'll try to make my question clean and clear, but unfortunatelly not too
> short. The scenario is:
> 
> 2 internet providers connected to one linux router/firewall box (provider1,
> which is my default route, and provider2)
> 1 local network connected to the same box, with services running on
> different servers/internal ip addresses (localnet)
> 
> I need to hit services running on servers of this internal network, having
> the option of doing this using one internet connection or another, or both
> at the same time.
> 
> If the connection comes in through 'provider1', there's no mangle
> treatment, the packet that comes in also goes out through the default
> route.
> 
> If the connection comes in through 'provider2', directed to a service that
> runs on the router itself, using iproute2 + iptables/mangle I make it work;
> - I set a mark on both INPUT and OUTPUT mangle tables, marking the packet
> from/to its IP address,
> - and insert a routing rule to match the packet mark and redirect it to a
> 'secondary' routing table, which has provider2' gateway as default route,
> sending the established connection back through the correct path..
> 
> But lets say I want to hit, for example, the telnet service (tcp/23)  that
> is running on a server that is behing this nat.
> 
> Again, I want to be able to use this telnet service from the internet,
> throught provider1 and provider2 at the same time (its not link load
> balance; its a redundant path). The rules for 'provider1' are simple, as
> provider1 is my default route; my problem is how to match the traffic to
> use the secondary routing table when the internal server replies. Giving
> some names:
> 
> firewall/router box:
> provider1 / eth1 / internet address 1.2.3.4
> provider2 / eth2 / internet address 2.3.4.5
> localnet / eth3 / local address 10.0.0.1
> -
> internal server:
> server1 / local address 10.0.0.2
> --
> provider1 rules (as usual):
> 
> # established return
> iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> # routing, forwarding
> iptables -t nat -A PREROUTING -i eth1 -p tcp -d 1.2.3.4 --dport 23 -j DNAT
> --to 10.0.0.2
> iptables -A FORWARD -i eth1 -p tcp -d 10.0.0.2 --dport 23 -m state --state
> NEW -j ACCEPT
> # source nat
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4
> 
> And now: how do I mangle, this same scenario, to work with provider2 ? I
> understand that the FORWARD, PREROUTING and POSTROUTING rules are needed
> for provider2 as well.. but how do I arrange the mangle table to match
> server1's reply, and send it out using the secondary routing table, only if
> the connection came in through provider2 ?
> 
> Thanks for you time !
> 
> 
> --
> Thiago
> 
>