From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id BAC351381F3 for ; Mon, 27 May 2013 14:32:02 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7B853E0BB3; Mon, 27 May 2013 14:31:56 +0000 (UTC)
Received: from uberouter3.guranga.net (unknown [78.25.223.226]) by pigeon.gentoo.org (Postfix) with ESMTP id 2C7EAE0B85 for ; Mon, 27 May 2013 14:31:55 +0000 (UTC)
Received: from [192.168.151.100] (unknown [192.168.151.100]) by uberouter3.guranga.net (Postfix) with ESMTPA id 328E38297C for ; Mon, 27 May 2013 15:31:54 +0100 (BST)
Message-ID: <51A36E59.4020406@thegeezer.net>
Date: Mon, 27 May 2013 15:31:53 +0100
From: thegeezer
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IP Load Sharing - Per Packet Load Balancing (Linux router)
References: <51A35AAC.6040205@thegeezer.net>
In-Reply-To:
Content-Type: multipart/alternative; boundary="------------000704070905020505010801"
X-Archives-Salt: 924fb346-7925-4c62-960b-50ec2f134fe6
X-Archives-Hash: 1aa8b28ffd2006ea2d88e2c429fb5e00

On 05/27/2013 02:53 PM, Nick Khamis wrote:
> And who says you can't teach an old man new tricks huh geezer ;)?
> Thank you so much for your response!!! That sorts out outgoing
> traffic, have you had to setup rules for incoming traffic? I mean
> from the outside world to a server for example?
>
> Kind Regards,
>
> Nick.

in this instance for me there is no need for incoming NAT;
however, all you need in the mangle table is, for each incoming connection:
# iptables -t mangle -I redirection 2 -i eth1 -j WAN1
to ensure that packet marking happens for incoming packets too, but after the RELATED connections are marked.
in my example of 2 connections on each interface it gets messy, and so I would suggest doing this for only one Internet connection per interface -- otherwise the return packets will be forced out one direction, resulting in TCP handshakes failing.

once you are flagging incoming packets, then normal iptables NAT rules can be used,
if you have e.g.
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.69
then this would apply for *all* external IP addresses.

in this instance you could have DNS like this
webserver1.domain.tld  A  externalIP-WAN1
                       A  externalIP-WAN2
that would then allow you to have some resiliency if you were hosting a web server behind two adsl connections and wanted to ensure a level of load balancing / robustness


alternatively you can have
iptables -t nat -I PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.69
iptables -t nat -I PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.70

which would allow you to have a different web server on each adsl connection.

hope this helps,


PS one thing i've just remembered is to be wary of /proc/sys/net/ipv4/conf/<interfaces>/rp_filter
as the way it detects reverse paths seemingly is to ignore everything above
/etc/sysctl.conf

net.ipv4.conf.default.rp_filter

rp_filter - BOOLEAN
	1 - do source validation by reversed path, as specified in RFC1812
	    Recommended option for single homed hosts and stub network
	    routers. Could cause troubles for complicated (not loop free)
	    networks running a slow unreliable protocol (sort of RIP),
	    or using static routes.

	0 - No source validation.
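The inbound half of the setup described in this reply, as an added example that is not part of the thread or of thegeezer's own configuration. It assumes the names from the earlier mail in the thread, none of which it defines itself: a custom mangle chain called redirection whose first rule restores the saved connmark for RELATED/ESTABLISHED packets, user chains WAN1 and WAN2 that set the fwmark for each uplink's routing table, eth1 and eth3 as the two ADSL interfaces, and 10.0.0.69 / 10.0.0.70 as the internal web servers. By default it only prints the rules it would apply (IPT and SYSCTL default to echo); run it as root with IPT=iptables SYSCTL=sysctl to apply them. It also carries the usual fix for the rp_filter caveat in the PS: loose mode (value 2, RFC 3704) on both conf/all and the per-interface entry, because the kernel applies the larger of the two values.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed from the earlier mail: the
# custom mangle chain "redirection" (rule 1 restores the saved connmark for
# RELATED/ESTABLISHED flows), the chains WAN1/WAN2 that set the fwmark for
# each uplink's routing table, uplinks eth1/eth3, servers 10.0.0.69/.70.
#
# Dry run by default: rules are printed, not applied. As root on the router,
# IPT=iptables SYSCTL=sysctl ./inbound.sh applies them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Send packets arriving on an uplink through that uplink's marking chain.
# Position 2 keeps the rule after the connmark restore, so replies belonging
# to a flow that was already marked are not re-marked towards the other link.
mark_incoming() {
  uplink=$1; chain=$2
  $IPT -t mangle -I redirection 2 -i "$uplink" -j "$chain"
}

# DNAT a public port to an internal server. With an uplink given, the rule
# matches only traffic that came in on that link (one server per public IP);
# with an empty uplink it matches on every external address, as in the first
# DNAT rule of the mail.
dnat_on_uplink() {
  uplink=$1; port=$2; server=$3
  if [ -n "$uplink" ]; then
    $IPT -t nat -I PREROUTING -i "$uplink" -p tcp -m tcp --dport "$port" \
      -j DNAT --to-destination "$server"
  else
    $IPT -t nat -I PREROUTING -p tcp -m tcp --dport "$port" \
      -j DNAT --to-destination "$server"
  fi
}

# rp_filter=1 (strict) drops a packet when the best route back to its source
# would leave through a different interface, which on a policy-routed
# multi-homed box is exactly what inbound traffic on the second uplink looks
# like. rp_filter=2 (loose, RFC 3704) only requires that some route to the
# source exists. The kernel uses max(conf/all, conf/<iface>), so "all" must
# be relaxed as well or the per-interface value has no effect.
rp_filter_loose() {
  $SYSCTL -w "net.ipv4.conf.$1.rp_filter=2"
}

# Whole inbound policy for the two-uplink, two-server layout.
inbound_policy() {
  mark_incoming eth1 WAN1
  mark_incoming eth3 WAN2
  dnat_on_uplink eth1 80 10.0.0.69
  dnat_on_uplink eth3 80 10.0.0.70
  rp_filter_loose all
  rp_filter_loose eth1
  rp_filter_loose eth3
}

inbound_policy
```

After applying, `iptables -t mangle -L redirection -n --line-numbers` shows whether the two uplink jumps really sit behind the connmark restore rule; if they landed at position 1, returning packets of established flows get re-marked and the handshake failures described above are the symptom.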

