From: Patrick McHardy <kaber@trash.net>
To: jeev <smallpox@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: DUAL wan issue, destination-based routing
Date: Wed, 28 May 2008 07:03:05 +0200
Message-ID: <483CE789.40806@trash.net>
In-Reply-To: <840713630805271651r116edbb8y58973325c2f7fa49@mail.gmail.com>
jeev wrote:
> Hey guys, i was reading on the netfilter site.
>
> I saw Patrick McHardy wrote about having 2 cable modems... I'm in the
> same situation... my only problem is that I don't want to do load
> balancing. I've just come from using PFSENSE/freebsd to using
> ClarkConnect on CentOS, I guess... I've never used iptables before. I've
> tried things like:
>
> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
> default via 71.x.x.1 dev eth3
>
> So right now I have all traffic go out eth3; I'd love to have the IPs
> and IP blocks I select go out one of the cable interfaces.
> So for the example above, I want www.speedtest.net (because it shows
> the IP) to go out eth2, but it's still going out eth3.
If you only want to distribute outgoing traffic, that's quite easy:
- set up routing rules and tables for both connections:
ip rule add fwmark 0x1 lookup 100
ip route add default via ... dev <dev1> table 100
ip rule add fwmark 0x2 lookup 200
ip route add default via ... dev <dev2> table 200
- set up distribution, in this case using iptables and equal
shares:
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 \
-m statistic --mode nth --every 2 \
-j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 \
-j CONNMARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
^ duplicate these three rules with OUTPUT instead of PREROUTING
for locally generated traffic.
You can use any criteria you like for distribution, the important
thing is to make sure connections stay on one connection when using
NAT (since many providers don't allow spoofed addresses), which is
done by checking whether the connection has already been routed
using "-m connmark --mark 0x0" before marking. You might also want
to check out the RATEEST target and match, they allow including
the current load in the decision.
Dealing with incoming connections on both internet connections
is trickier because you need to make sure they go out the same
way they came in, so I'll skip this because I'm short on time
right now :)
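The setup Patrick outlines, written out as a complete script. This is an added example, not code from the original thread or from the netfilter project. It builds the fwmark/CONNMARK policy routing from the reply and goes one step further than the equal-share split: connections to a chosen destination prefix are pinned to the first uplink (what jeev asked for), everything else is marked for the default uplink. The interface names, the gateway addresses, the 67.17.117.0/24 prefix and the rp_filter setting are constructed placeholders and assumptions; by default the script only prints the commands it would run, so the ruleset can be reviewed before it is applied as root with `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): dual-WAN policy routing
# with fwmark -> routing table and CONNMARK so a connection stays on the
# uplink it started on, plus destination-based uplink selection.
# Interfaces, gateways and the destination prefix are placeholders.
#
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

LAN_NET="192.168.2.0/24"
WAN1_DEV="eth2"; WAN1_GW="24.0.0.1"    # assumed gateway for the eth2 uplink
WAN2_DEV="eth3"; WAN2_GW="71.0.0.1"    # assumed gateway for the eth3 (default) uplink
WAN1_DESTS="67.17.117.0/24"            # constructed: destinations pinned to WAN1

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per uplink, selected by firewall mark.
routing_tables() {
    run ip rule add fwmark 0x1 lookup 100
    run ip route add default via "$WAN1_GW" dev "$WAN1_DEV" table 100
    run ip rule add fwmark 0x2 lookup 200
    run ip route add default via "$WAN2_GW" dev "$WAN2_DEV" table 200
}

# Mark a connection once (only while its connmark is still 0x0), then copy
# the connmark onto every packet so the routing decision sees it.
# PREROUTING handles forwarded LAN traffic, OUTPUT locally generated traffic.
mark_rules() {
    for chain in PREROUTING OUTPUT; do
        for dest in $WAN1_DESTS; do
            run iptables -t mangle -A "$chain" -m connmark --mark 0x0 \
                -d "$dest" -j CONNMARK --set-mark 0x1
        done
        # Anything still unmarked goes out the default uplink.
        run iptables -t mangle -A "$chain" -m connmark --mark 0x0 \
            -j CONNMARK --set-mark 0x2
        run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    done
}

# NAT per egress interface: the source address must belong to the uplink
# the packet leaves on, otherwise the provider may drop it as spoofed.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_DEV" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_DEV" -j MASQUERADE
}

# Assumption: loose reverse-path filtering, so replies that arrive on the
# other uplink are not discarded by strict rp_filter.
rp_filter() {
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

generate_all() {
    routing_tables
    mark_rules
    nat_rules
    rp_filter
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    generate_all
fi
```

Run it without arguments to print the ruleset and check the rule order: within each mangle chain the destination rules must come before the catch-all 0x2 rule, and both before `--restore-mark`, because the chain is evaluated top to bottom and only still-unmarked connections are eligible for a mark.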