  1. #1

    Load balancing with Iptables and packet tagging


    Hello everyone!

    I am working on Red Hat Enterprise (pretty much like Fedora Core).


    I have about 20 stations/users behind an iptables firewall.

    I have been able to do some sort of load balancing (it is actually not load balancing, but I don't really know what to call it).

    I have eth0: internal network
    eth1: cable modem
    eth2: wireless card connected to a wireless router that is hooked up to a cable modem as well

    So basically I have 2 external interfaces and one internal.


    The idea is to have the serious stuff (web / mail / ssh access) going through eth1 and the rest (all the junk such as bittorrent, aim) go through eth2.


    I use a combination of routing, iptables and packet "marking" to do this.

    I will provide my configurations at the end of the post so that you can see what I'm doing.


    I actually know that the "load balancing" works because for test purposes I decided to have the web go through eth2 and the mail through eth1, and it worked like a charm!

    Now, when I have people using bittorrent, for some reason traffic goes through eth2 but also eth1.
    Here's my routing rule:
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6881:6999 -j MARK --set-mark 2
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 2

    6881:6999 is the range that I assume bittorrent uses.
    set-mark 2 means that I'm tagging the packets with a 2, which informs the kernel to route the packet to eth2.


    I know that this is not something that people usually do, but does anybody have an idea?


    Thanks

    part of the rc.firewall
    -------------
    # $IPTABLES, $INET_IFACE and $INET_IP are assumed to be set earlier in rc.firewall (not shown)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # flush all rules, delete user-defined chains, zero the counters
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    # source NAT only for traffic leaving the cable-modem interface
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
    # bittorrent redirection to eth2: marks by destination port only, for locally
    # generated packets (OUTPUT) and for packets arriving to be forwarded (PREROUTING)
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6881:6999 -j MARK --set-mark 2
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 2
    $IPTABLES -A FORWARD -j ACCEPT
    -----------------

    script I execute to create routing rules (aet is the wireless network, insight is my cable modem)
    -------------
    # the table names aet and insight must be listed in /etc/iproute2/rt_tables
    ip route flush cache;
    ip route add default via 192.168.1.1 table aet;
    ip route add default via xx.xx.xx.xxx table insight;
    # packets marked 1 are looked up in table insight, packets marked 2 in table aet
    ip rule add fwmark 1 table insight;
    ip rule add fwmark 2 table aet
    ----------

    ip route show table aet
    ----
    default via 192.168.1.1 dev eth2
    ----

    ip route show table insight
    ---
    default via xx.xx.xx.1 dev eth1
    ---

    ip route
    -------
    10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.254
    192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.110
    xx.xx.xx.0/23 dev eth1 proto kernel scope link src xx.xx.xx.162
    169.254.0.0/16 dev eth2 scope link
    default via xx.xx.xx.1 dev eth1
    ------
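An added example, not part of the original post or of either reply: a small POSIX shell audit of the kind of fwmark policy-routing setup described above. It embeds constructed copies of the `ip rule show`, `ip route show table <name>` and `iptables -t nat -S POSTROUTING` output that the configuration in the post would produce (the rule preference numbers, and the assumption that $INET_IFACE was eth1, are mine), maps each fwmark rule to the device carrying its table's default route, and flags any egress device that has no SNAT or MASQUERADE rule in POSTROUTING. That is the check worth running on a multi-uplink policy-routing box: every table a fwmark can select needs a default route, and every device those routes use needs its own source NAT, otherwise flows sent out the second uplink leave with private LAN source addresses and the replies cannot be routed back.

```shell
#!/bin/sh
# Added example (not from the thread): audit fwmark policy routing for missing SNAT.
# The three samples below are constructed to mirror the configuration in the post;
# on a real host substitute the live command output (see usage note).

# Constructed `ip rule show` output; the preference numbers are assumed.
RULES='0:      from all lookup local
32764:  from all fwmark 0x2 lookup aet
32765:  from all fwmark 0x1 lookup insight
32766:  from all lookup main
32767:  from all lookup default'

# Constructed `ip route show table <name>` output, one case per table
# (addresses masked exactly as in the post).
route_table() {
    case "$1" in
        aet)     echo 'default via 192.168.1.1 dev eth2' ;;
        insight) echo 'default via xx.xx.xx.1 dev eth1' ;;
        main)    printf '%s\n' \
                     '10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.254' \
                     '192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.110' \
                     'default via xx.xx.xx.1 dev eth1' ;;
        *)       return 1 ;;
    esac
}

# Constructed `iptables -t nat -S POSTROUTING` output, assuming INET_IFACE=eth1
# as in the post's rc.firewall: only eth1 gets source NAT.
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j SNAT --to-source xx.xx.xx.162'

# egress_for_table NAME: print the device of NAME's default route (empty if none).
egress_for_table() {
    route_table "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# has_snat DEV: succeed if POSTROUTING source-NATs traffic leaving DEV.
has_snat() {
    printf '%s\n' "$NAT_RULES" | grep -Eq -- "-o $1 .*-j (SNAT|MASQUERADE)"
}

# fwmark_rules: print "<mark> <table>" for every fwmark rule in RULES.
fwmark_rules() {
    printf '%s\n' "$RULES" | awk '/fwmark/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "fwmark") m = $(i + 1)
            if ($i == "lookup") t = $(i + 1)
        }
        print m, t
    }'
}

# audit_fwmark_rules: one line per fwmark rule:
#   "<mark> <table> <dev> ok|NO-SNAT|NO-ROUTE"
audit_fwmark_rules() {
    fwmark_rules | while read -r mark table; do
        dev=$(egress_for_table "$table")
        if [ -z "$dev" ]; then
            status=NO-ROUTE
        elif has_snat "$dev"; then
            status=ok
        else
            status=NO-SNAT      # LAN source addresses would leave this device untranslated
        fi
        echo "$mark $table ${dev:-none} $status"
    done
}

# fix_commands: print (do not run) a MASQUERADE rule for each device lacking SNAT.
fix_commands() {
    audit_fwmark_rules | awk '$4 == "NO-SNAT" {
        print "iptables -t nat -A POSTROUTING -o " $3 " -j MASQUERADE"
    }'
}

audit_fwmark_rules
fix_commands
```

Run as-is it reports `0x2 aet eth2 NO-SNAT` and `0x1 insight eth1 ok`, then prints the MASQUERADE rule for eth2 without applying it. On a live host replace the three constructed samples with the real output (for example `RULES=$(ip rule show)` and `NAT_RULES=$(iptables -t nat -S POSTROUTING)`, with `route_table` calling `ip route show table "$1"`), and review the printed fix before adding it to the firewall script.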

  2. #2
    First of all, I think you are doing policy routing instead of load balancing, as you are
    setting up rules to route data in different routes on a protocol and source/destination
    info basis. Load balancing is traffic shaping and bandwidth management based also on a
    protocol and source/destination info basis. There are also some
    (commercial ones, as far as I know) that do dynamic NAT in real time based on bandwidth
    availability on the external lines.


    If it works like a charm for the test you did, it should work the same way for bittorrent.
    Except if some of your LAN bittorrent clients have registered as their external IP the one
    assigned to eth1 and some external bittorrent peers are looking for them.

    Are the packets you have sniffed on eth1 incoming to your LAN from the
    internet (SYN is from the internet)?

    afrolinux
