Linux Netfilter discussions
From: "Gáspár Lajos" <swifty@freemail.hu>
To: "Usuário do Sistema" <maiconlp@ig.com.br>
Cc: Andrew Beverley <andy@andybev.com>,
	Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: fail in the connmark load-balancing
Date: Tue, 28 Feb 2012 12:16:35 +0100	[thread overview]
Message-ID: <4F4CB793.9080105@freemail.hu> (raw)
In-Reply-To: <CAMTjHryS-nWPExfpprHeQ2UmW5O0bEthL+34p3RSqgAfHtk=4A@mail.gmail.com>

Hi,

A few comments...

On 2012-02-27 19:15, Usuário do Sistema wrote:
> eth1: LAN Interface
> eth0: WAN1
> eth2: WAN2
>
> #!/bin/bash
>
> # flush all iptables entries
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t filter -P INPUT ACCEPT
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -P FORWARD ACCEPT
By default the policies are set to ACCEPT...
I would set them to DROP and I would write my own "ACCEPT-ing" rules...

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -s {trusted network}

iptables -t filter -A OUTPUT -j ACCEPT -o lo

But don't change them if you don't want to filter the connections... :D

I would ACCEPT every packet (as the first rule) that comes/goes on the 
lo interface... (in the PREROUTING/INPUT/OUTPUT/POSTROUTING chains in 
the raw/mangle/filter tables)

> iptables -t mangle -N CONNMARK1
> iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
>
> iptables -t mangle -N CONNMARK2
> iptables -t mangle -A CONNMARK2 -j MARK --set-mark 2
> iptables -t mangle -A CONNMARK2 -j CONNMARK --save-mark
>
> iptables -t mangle -N RESTOREMARK
> iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark

> iptables -t mangle -A PREROUTING -i eth1 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j RESTOREMARK
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j CONNMARK1
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j CONNMARK2
Hmm... :D

iptables -t mangle -N MARKS
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3

iptables -t mangle -A PREROUTING -j ACCEPT -i lo
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS

iptables -t mangle -A INPUT -j ACCEPT -i lo (put this as the first rule 
in the INPUT...)
iptables -t mangle -A INPUT -j CONNMARK --save-mark (put this as the 
last rule in the INPUT...)

iptables -t mangle -A OUTPUT -j ACCEPT -o lo
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j MARKS (use this if you want to 
load-balance the traffic that originates from your firewall)

iptables -t mangle -A POSTROUTING -j ACCEPT -o lo (put this as the first 
rule in the POSTROUTING...)
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark (put this as 
the last rule in the POSTROUTING...)

> iptables -t nat -N SNAT1
> iptables -t nat -A SNAT1 -j SNAT --to-source 192.168.217.254
>
> iptables -t nat -N SNAT2
> iptables -t nat -A SNAT2 -j SNAT --to-source 192.168.216.254

> iptables -t nat -A POSTROUTING -o eth2 -j SNAT1
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT2
How do you like these "one-liners"?
iptables -t nat -A POSTROUTING -j SNAT -o eth0 ! -s 192.168.216.254 --to-source 192.168.216.254
iptables -t nat -A POSTROUTING -j SNAT -o eth2 ! -s 192.168.217.254 --to-source 192.168.217.254

> ip route add 192.168.217.0 via 192.168.217.1 table oitelecom
> ip route add 192.168.216.0 via 192.168.216.1 table gvttelecom
> ip route add default via 192.168.217.1 table oitelecom
> ip route add default via 192.168.216.1 table gvttelecom
Maybe it is better:
ip route add default via 192.168.216.1 src 192.168.216.254 dev eth0 table gvttelecom
ip route add default via 192.168.217.1 src 192.168.217.254 dev eth2 table oitelecom

> ip rule del from 192.168.217.254 table oitelecom
> ip rule add from 192.168.217.254 table oitelecom
>
> ip rule del fwmark 1 table oitelecom
> ip rule del fwmark 2 table gvttelecom
>
> ip rule add fwmark 1 table oitelecom
> ip rule add fwmark 2 table gvttelecom
Use mask in marks:
ip rule add fwmark 1/3 table oitelecom
ip rule add fwmark 2/3 table gvttelecom

Maybe you need to copy other local routes:
ip route show table main | grep -E '(^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^192\.168\.)' |
while read ROUTE
  do
  ip route add table oitelecom ${ROUTE} 2>/dev/null
  ip route add table gvttelecom ${ROUTE} 2>/dev/null
  done

Be careful with this last one, as it copies the 192.168.x.x routes too!!!!!
> ip route flush cache
>
>
> thanks....any tips is welcome.

Swifty
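The following is an added example, not part of the thread and not code from either poster: a small Python model of the masked mark/connmark arithmetic that the MARKS chain above relies on. It reproduces only what netfilter computes for `-m mark --mark value/mask`, `-j MARK --set-mark value/mask`, `CONNMARK --restore-mark`/`--save-mark`, `-m statistic --mode nth --every 2` and the two `fwmark x/3` rules; the connection names, the packet sequence, the preset connmark `0x10` and the function names are all constructed for illustration.

```python
# Added example (not from the mailing-list thread): a model of the masked
# mark / connmark logic used by the MARKS chain.  Only the arithmetic that
# netfilter applies is modelled; connection names and packets are constructed.
from dataclasses import dataclass

MASK = 0x3  # the "/3" in --set-mark 1/3, --mark 0/3 and "ip rule ... fwmark 1/3"


def mark_match(mark, value, mask=MASK):
    """-m mark --mark value/mask: true when (mark AND mask) == value."""
    return (mark & mask) == value


def set_mark(mark, value, mask=MASK):
    """-j MARK --set-mark value/mask: clear the masked bits, OR value in.
    Bits outside the mask (e.g. marks used by some other rule) survive."""
    return (mark & ~mask) | value


@dataclass
class Packet:
    conn: str      # conntrack entry the packet belongs to (constructed id)
    state: str     # "NEW", "ESTABLISHED" or "RELATED", as -m state sees it
    mark: int = 0  # packet mark (skb->mark)


class Firewall:
    def __init__(self, conntrack=None):
        self.conntrack = dict(conntrack or {})  # conn id -> saved connmark
        self.nth = 0  # counter behind -m statistic --mode nth --every 2

    def marks_chain(self, pkt):
        # -A MARKS -j RETURN -m mark ! --mark 0/3
        if not mark_match(pkt.mark, 0):
            return
        # -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
        if pkt.state in ("ESTABLISHED", "RELATED"):
            pkt.mark = set_mark(pkt.mark, 3)
            return
        # -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
        # (the counter only advances for packets that reach this rule)
        hit, self.nth = self.nth == 0, (self.nth + 1) % 2
        if hit:
            pkt.mark = set_mark(pkt.mark, 1)
            return
        # -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3
        pkt.mark = set_mark(pkt.mark, 2)

    def forward(self, pkt):
        # mangle PREROUTING: CONNMARK --restore-mark, then -j MARKS
        pkt.mark = self.conntrack.get(pkt.conn, 0)
        self.marks_chain(pkt)
        # mangle POSTROUTING: CONNMARK --save-mark
        self.conntrack[pkt.conn] = pkt.mark
        return pkt.mark


def route_table(mark):
    """ip rule add fwmark 1/3 table oitelecom; fwmark 2/3 table gvttelecom."""
    if mark_match(mark, 1):
        return "oitelecom"
    if mark_match(mark, 2):
        return "gvttelecom"
    return "main"  # mark 3/3 (pre-existing flows) matches neither rule


# Constructed traffic: three new flows, replies on two of them, a flow that
# predates the rules, and one whose connmark already carries an unrelated
# bit (0x10) outside the mask.
SAMPLE = [
    Packet("A", "NEW"), Packet("B", "NEW"), Packet("A", "ESTABLISHED"),
    Packet("C", "NEW"), Packet("B", "ESTABLISHED"),
    Packet("old", "ESTABLISHED"), Packet("old", "ESTABLISHED"),
    Packet("E", "NEW"),
]
PRESET_CONNMARK = {"E": 0x10}  # constructed: set by some unrelated rule


def simulate(packets=SAMPLE, conntrack=PRESET_CONNMARK):
    """Return (conn, resulting mark, routing table) for each packet."""
    fw = Firewall(conntrack)
    return [(p.conn, fw.forward(p), route_table(p.mark)) for p in packets]


if __name__ == "__main__":
    for conn, mark, table in simulate():
        print(f"{conn:>3}  mark=0x{mark:02x}  table={table}")
```

Running it shows why the reply insists on restoring the connmark before MARKS and returning early when the masked bits are already set: a connection is assigned to one WAN on its first packet and every later packet (including replies) keeps that choice, so the statistic counter only ever sees first packets. The `E` flow shows the point of the `/3` masks: the unrelated `0x10` bit survives and the `fwmark 2/3` rule still matches the result `0x12`, which an unmasked `fwmark 2` rule would not.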

