From: Gáspár Lajos
Subject: Re: fail in the connmark load-balancing
Date: Tue, 28 Feb 2012 12:16:35 +0100
Message-ID: <4F4CB793.9080105@freemail.hu>
References: <1329084658.18690.375.camel@andrew-desktop> <1330167236.30413.175.camel@andrew-desktop>
To: Usuário do Sistema
Cc: Andrew Beverley, Mail List - Netfilter

Hi,

A few comments...

On 2012-02-27 19:15, Usuário do Sistema wrote:
> eth1: LAN Interface
> eth0: WAN1
> eth2: WAN2
>
> #!/bin/bash
>
> # flush all iptables entries
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t filter -P INPUT ACCEPT
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -P FORWARD ACCEPT

By default the policies are set to ACCEPT... I would set them to DROP and I would write my own "ACCEPT-ing" rules...

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -s {trusted network}
iptables -t filter -A OUTPUT -j ACCEPT -o lo

But don't change them if you don't want to filter the connections... :D

I would ACCEPT every packet (as the first rule) that comes/goes on the lo interface... (in the PREROUTING/INPUT/OUTPUT/POSTROUTING chains in the raw/mangle/filter tables)

> iptables -t mangle -N CONNMARK1
> iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
>
> iptables -t mangle -N CONNMARK2
> iptables -t mangle -A CONNMARK2 -j MARK --set-mark 2
> iptables -t mangle -A CONNMARK2 -j CONNMARK --save-mark
>
> iptables -t mangle -N RESTOREMARK
> iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -i eth1 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j RESTOREMARK
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j CONNMARK1
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j CONNMARK2

Hmm... :D

iptables -t mangle -N MARKS
# already marked (bits 0-1 set): nothing to do
iptables -t mangle -A MARKS -j RETURN -m mark ! --mark 0/3
# unmarked but not NEW (e.g. flows older than these rules): mark 3/3, so no fwmark rule matches
iptables -t mangle -A MARKS -j MARK --set-mark 3/3 -m state --state ESTABLISHED,RELATED
# every second still-unmarked NEW flow gets 1/3, the rest get 2/3
iptables -t mangle -A MARKS -j MARK --set-mark 1/3 -m mark --mark 0/3 -m statistic --mode nth --every 2
iptables -t mangle -A MARKS -j MARK --set-mark 2/3 -m mark --mark 0/3

iptables -t mangle -A PREROUTING -j ACCEPT -i lo
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j MARKS

iptables -t mangle -A INPUT -j ACCEPT -i lo (put this as the first rule in the INPUT...)
iptables -t mangle -A INPUT -j CONNMARK --save-mark (put this as the last rule in the INPUT...)

iptables -t mangle -A OUTPUT -j ACCEPT -o lo
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j MARKS (use this if you want to load-balance the traffic that originates from your firewall)

iptables -t mangle -A POSTROUTING -j ACCEPT -o lo (put this as the first rule in the POSTROUTING...)
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark (put this as the last rule in the POSTROUTING...)

> iptables -t nat -N SNAT1
> iptables -t nat -A SNAT1 -j SNAT --to-source 192.168.217.254
>
> iptables -t nat -N SNAT2
> iptables -t nat -A SNAT2 -j SNAT --to-source 192.168.216.254
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT1
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT2

How do you like these "one-liners"?

iptables -t nat -A POSTROUTING -j SNAT -o eth0 ! -s 192.168.216.254 --to-source 192.168.216.254
iptables -t nat -A POSTROUTING -j SNAT -o eth2 ! -s 192.168.217.254 --to-source 192.168.217.254

> ip route add 192.168.217.0 via 192.168.217.1 table oitelecom
> ip route add 192.168.216.0 via 192.168.216.1 table gvttelecom
> ip route add default via 192.168.217.1 table oitelecom
> ip route add default via 192.168.216.1 table gvttelecom

Maybe it is better:

ip route add default via 192.168.216.1 src 192.168.216.254 dev eth0 table gvttelecom
ip route add default via 192.168.217.1 src 192.168.217.254 dev eth2 table oitelecom

> ip rule del from 192.168.217.254 table oitelecom
> ip rule add from 192.168.217.254 table oitelecom
>
> ip rule del fwmark 1 table oitelecom
> ip rule del fwmark 2 table gvttelecom
>
> ip rule add fwmark 1 table oitelecom
> ip rule add fwmark 2 table gvttelecom

Use mask in marks:

ip rule add fwmark 1/3 table oitelecom
ip rule add fwmark 2/3 table gvttelecom

Maybe you need to copy other local routes:

ip route show table main | grep -E '(^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^192\.168\.)' | while read ROUTE
do
    # ${ROUTE} is left unquoted on purpose: each word of the route line must become a separate argument
    ip route add table oitelecom ${ROUTE} 2>/dev/null
    ip route add table gvttelecom ${ROUTE} 2>/dev/null
done

Be careful with this last one, as it copies the 192.168.x.x routes too!!!!!

> ip route flush cache
>
>
> thanks.... any tips are welcome.

Swifty
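As an added illustration (not code from Gáspár's reply or from the original script), the masked-mark logic of the MARKS chain and the fwmark N/3 ip rules replayed in Python over a constructed packet sequence. Conntrack is modelled as a plain dict, the statistic match's nth counter phase is simplified, and the flow names and the 0x10 "foreign" mark are constructed for the example.

```python
# Constructed simulation (not from the post) of the reply's masked marks:
# MARK --set-mark v/m, -m mark --mark v/m, CONNMARK restore/save,
# -m statistic --mode nth --every 2, and `ip rule add fwmark N/3 table ...`.
MASK = 0x3  # the two low mark bits reserved for the ISP choice

def set_mark(mark, value, mask=MASK):
    return (mark & ~mask) | (value & mask)   # MARK --set-mark value/mask

def mark_matches(mark, value, mask=MASK):
    return (mark & mask) == value            # -m mark --mark value/mask

class Firewall:
    def __init__(self, seeded=None):
        self.connmark = dict(seeded or {})   # conntrack entry -> saved connmark
        self.nth_count = 0                   # statistic counter (phase simplified)

    def nth_match(self, every=2, packet=0):  # hit every 2nd packet reaching the rule
        hit = self.nth_count % every == packet
        self.nth_count += 1
        return hit

    def marks_chain(self, mark, state):      # the MARKS user chain, rule by rule
        if not mark_matches(mark, 0):        # -j RETURN -m mark ! --mark 0/3
            return mark
        if state in ("ESTABLISHED", "RELATED"):
            mark = set_mark(mark, 3)         # unmarked old flow -> 3/3
        if mark_matches(mark, 0) and self.nth_match():  # matches short-circuit
            mark = set_mark(mark, 1)         # every other NEW flow -> 1/3
        if mark_matches(mark, 0):
            mark = set_mark(mark, 2)         # remaining NEW flows -> 2/3
        return mark

    def handle(self, conn, state):           # PREROUTING restore, MARKS, POSTROUTING save
        self.connmark[conn] = self.marks_chain(self.connmark.get(conn, 0), state)
        return self.connmark[conn]

def route_table(mark):                       # ip rule add fwmark 1/3 ... / fwmark 2/3 ...
    if mark_matches(mark, 1):
        return "oitelecom"
    if mark_matches(mark, 2):
        return "gvttelecom"
    return "main"                            # 0/3 or 3/3: no fwmark rule matches

def replay(packets, seeded=None):            # -> [(conn, mark, table), ...]
    fw = Firewall(seeded)
    marks = [(c, fw.handle(c, s)) for c, s in packets]
    return [(c, m, route_table(m)) for c, m in marks]

# Constructed traffic: D predates the rules (no saved connmark); E carries a foreign bit.
PACKETS = [("A", "NEW"), ("B", "NEW"), ("A", "ESTABLISHED"), ("C", "NEW"),
           ("B", "ESTABLISHED"), ("D", "ESTABLISHED"), ("E", "NEW")]
SEEDED = {"E": 0x10}
```

Replaying PACKETS shows each flow keeps the table its first packet chose, the pre-existing flow D ends up in main, and E's higher bit survives because only bits 0-1 are rewritten.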