Re: [gentoo-user] IP Load Sharing - Per Packet Load Balancing (Linux router)

[thegeezer <thegeezer@thegeezer.net>]

[-- Attachment #1: Type: text/plain, Size: 2323 bytes --]

On 05/27/2013 02:53 PM, Nick Khamis wrote:
> And who says you can't teach an old man new tricks huh geezer ;)?
> Thank you so much for your response!!! That sorts out outgoing
> traffic, have you had to setup rules for incoming traffic? I mean
> from the outside world to a server for example?
>
> Kind Regards,
>
> Nick.
in this instance for me there is no need for incoming NAT
however, all you need in the mangle table is for each incoming connection:
# iptables -t mangle -I redirection 2 -i eth1 -j WAN1
to ensure that packet marking happens for incoming packets too, but
after the RELATED connections are marked.
in my example of 2 connections on each interface it gets messy and so I
would suggest doing this for only one Internet connect per interface --
otherwise the return packets will be forced out one direction resulting
in TCP handshakes failing.

once you are flagging incoming packets, then normal iptables NAT rules
can be used,
if you have e.g.
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.0.0.69
then this would apply for *all* external IP addresses.

in this instance you could have DNS like this
webserver1.domain.tld  A  externalIP-WAN1
                                        A externalIP-WAN2
that would then allow you to to have some resiliency if you were hosting
a web server behind two adsl connections and wanted to ensure a level of
load balancing / robustness


altenatively you can have
iptables -t nat -I PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.0.0.69
iptables -t nat -I PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.0.0.70

which would allow you to have a different web server on each adsl
connection.

hope this helps,


PS one thing i've just remembered is to be wary of
/proc/sys/net/ipv4/conf/<interfaces>/rp_filter
as the way it detects reverse paths seemingly is to ignore everything above

/etc/sysctl.conf

net.ipv4.conf.default.rp_filter 

rp_filter - BOOLEAN
	1 - do source validation by reversed path, as specified in RFC1812
	    Recommended option for single homed hosts and stub network
	    routers. Could cause troubles for complicated (not loop free)
	    networks running a slow unreliable protocol (sort of RIP),
	    or using static routes.

	0 - No source validation.




[-- Attachment #2: Type: text/html, Size: 3871 bytes --]