public inbox for gentoo-user@lists.gentoo.org
From: thegeezer <thegeezer@thegeezer.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IP Load Sharing - Per Packet Load Balancing (Linux router)
Date: Mon, 27 May 2013 14:07:56 +0100
Message-ID: <51A35AAC.6040205@thegeezer.net>
In-Reply-To: <CAGWRaZbtFED9Qh7fDQXNfyRrRLZPo87ka-NYoYvvbaDFHyxxcA@mail.gmail.com>

Hi,
re: load balancing it must be done by the ISP for bonding DSL lines
properly.
what they support is what you will have to implement, typically they
will give you a managed router that you connect to and this will take
care of the bonding for you.

that said, you can do something similar with iptables and packet marking
and routing tables (see lartc)
in the following iptables I have 2x DSL routers on eth1 and 2x DSL
routers on eth3, which is why I use masquerade -- the kernel knows how
to SNAT based on routing info
then I say "for every NEW connection choose a DSL line"
and then of course if a packet mark should be set then restore it, so
that subsequent connections go out the same direction.

this does mean of course, that you have 4x outgoing IP addresses for the
4x Internet connections
I appreciate this is not same thing as a bonded line, which would give
you 1x outgoing IP address, but it is useful to have this kind of thing
where bonded lines are not supported.

just be careful, as some sites, such as Internet banks, authenticate you
against your IP, and if the subsequent connection comes from a differing
IP they immediately log you out.

This setup also means that you can add into the networking up/down and
do things like
# ip rule del from all fwmark 0xa lookup connA
when interfaces go down

the line that reads
-A OUTPUT ! -o eth0 -j redirection
means that if you have squid running it will also use all 4 connections
(not possible in squid.conf)

hope this helps!


IPRULE:
32758:    from 192.168.4.0/24 lookup connD
32759:    from 192.168.3.0/24 lookup connC
32760:    from 192.168.2.0/24 lookup connB
32761:    from 192.168.1.0/24 lookup connA
32762:    from all fwmark 0xd lookup connD
32763:    from all fwmark 0xc lookup connC
32764:    from all fwmark 0xb lookup connB
32765:    from all fwmark 0xa lookup connA
32766:    from all lookup main
32767:    from all lookup default


IPTABLES:
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:RESTORE
:WAN1
:WAN2
:WAN3
:WAN4
:redirection
-A PREROUTING -j redirection
-A OUTPUT ! -o eth0 -j redirection
-A RESTORE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A RESTORE -j ACCEPT
-A WAN1 -j MARK --set-xmark 0xa/0xffffffff
-A WAN1 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN2 -j MARK --set-xmark 0xb/0xffffffff
-A WAN2 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN3 -j MARK --set-xmark 0xc/0xffffffff
-A WAN3 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN4 -j MARK --set-xmark 0xd/0xffffffff
-A WAN4 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A redirection -p tcp -m state --state RELATED,ESTABLISHED -j RESTORE
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j WAN1
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 4 --packet 1 -j WAN2
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 4 --packet 2 -j WAN3
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 4 --packet 3 -j WAN4
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
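As an added example (not part of the original post) of the interface up/down hook thegeezer mentions: a small POSIX sh helper that installs or removes the per-WAN default route and the fwmark rule, mapping WAN 1..4 to the marks 0xa..0xd and tables connA..connD from the IPRULE listing. The table names are assumed to exist in /etc/iproute2/rt_tables; interface names and gateway addresses are constructed arguments, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical ifup/ifdown helper
# for the four-WAN CONNMARK setup: WAN 1..4 -> fwmark 0xa..0xd -> table
# connA..connD, matching the IPRULE listing. Assumes those table names exist
# in /etc/iproute2/rt_tables; interface and gateway values are arguments.
# DRY_RUN=1 prints the ip(8) commands instead of executing them.

# Map a WAN number to "<fwmark> <table>" as used by the mangle WANx chains.
wan_params() {
    case "$1" in
        1) echo "0xa connA" ;;
        2) echo "0xb connB" ;;
        3) echo "0xc connC" ;;
        4) echo "0xd connD" ;;
        *) echo "unknown WAN: $1" >&2; return 1 ;;
    esac
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# wan_up N IFACE GATEWAY: give table connX its own default route out of IFACE
# and add the fwmark rule so connections marked for WAN N use that table.
wan_up() {
    params=$(wan_params "$1") || return 1
    mark=${params%% *}; table=${params#* }
    run ip route replace default via "$3" dev "$2" table "$table"
    run ip rule add from all fwmark "$mark" lookup "$table"
}

# wan_down N: remove the fwmark rule (the "ip rule del" from the post) and
# flush the table so marked connections fall through to the main table.
wan_down() {
    params=$(wan_params "$1") || return 1
    mark=${params%% *}; table=${params#* }
    run ip rule del from all fwmark "$mark" lookup "$table"
    run ip route flush table "$table"
}

# Usage (constructed values): DRY_RUN=1 sh wan-hook.sh up 1 eth1 192.0.2.1
case "${1:-}" in
    up)   wan_up "$2" "$3" "$4" ;;
    down) wan_down "$2" ;;
esac
```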