Old 01-26-2005   #1
Just Joined!
 
Join Date: Jan 2005
Posts: 4
Load balancing with Iptables and packet tagging

Hello everyone!

I am working on a Red Hat Enterprise box (pretty much like a Fedora Core).


I have about 20 stations/users behind an iptables firewall.

I have been able to do some sort of load balancing (it is actually not load balancing, but I don't really know what to call it).

I have:
eth0 : internal network
eth1 : cable modem
eth2 : wireless card connected to a wireless router that is hooked up to a cable modem as well

So basically I have 2 external interfaces and one internal.


The idea is to have the serious stuff (web / mail / ssh access) going through eth1 and the rest (all the junk such as bittorrent, aim) go through eth2.


I use a combination of routing, iptables and packet "marking" to do this.

I will provide my configurations at the end of the post so that you can see what I'm doing.


I actually know that the "load balancing" works because for test purposes I decided to have the web go through eth2 and the mail through eth1, and it worked like a charm!

Now, when I have people using bittorrent, for some reason traffic goes through eth2 but also eth1.
Here are my routing rules:
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 6881:6999 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 2

6881:6999 is the range that I assume bittorrent uses.
set-mark 2 means that I'm tagging the packets with a 2, which informs the kernel to route the packet to eth2.


I know that this is not something that people usually do, but does anybody have an idea?


Thanks

part of the rc.firewall
-------------
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush the filter table and also nat/mangle, otherwise re-running the script appends duplicate rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# source NAT for LAN traffic leaving through the cable interface ($INET_IFACE)
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
# bittorrent redirection to eth2: mark 2 selects routing table aet (see the ip rule below)
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 6881:6999 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 2
$IPTABLES -A FORWARD -j ACCEPT
-----------------

script I execute to create routing rules (aet is the wireless network, insight is my cable modem)
-------------
# the table names aet and insight must be listed in /etc/iproute2/rt_tables
ip route add default via 192.168.1.1 table aet
ip route add default via xx.xx.xx.xxx table insight
ip rule add fwmark 1 table insight
ip rule add fwmark 2 table aet
# flush the route cache after the rules change so stale lookups are not reused
ip route flush cache
----------

ip route show table aet
----
default via 192.168.1.1 dev eth2
----

ip route show table insight
---
default via xx.xx.xx.1 dev eth1
---

ip route
-------
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.254
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.110
xx.xx.xx.0/23 dev eth1 proto kernel scope link src xx.xx.xx.162
169.254.0.0/16 dev eth2 scope link
default via xx.xx.xx.1 dev eth1
------
bluntman
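The two-uplink setup described in the post above, as an added example that is not the poster's rc.firewall or routing script: it goes beyond the thread's snippet by adding the pieces a practitioner would check for (table names in rt_tables, the LAN route in each table, connection-mark save/restore so replies follow the same uplink as the first packet, and a source NAT per uplink). DRY_RUN, add_table, setup_routing, setup_marks and the 203.0.113.x addresses are assumed names and placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's rc.firewall): a fwmark policy-routing setup
# for the two uplinks in the thread. DRY_RUN=1 (default) only prints the commands;
# DRY_RUN=0 applies them (needs root). eth0/eth1/eth2, 10.0.1.0/24 and 192.168.1.1
# are from the thread; CABLE_GW/CABLE_IP are placeholders for the xx.xx.xx.* values.
LAN_IF=eth0;   LAN_NET=10.0.1.0/24
CABLE_IF=eth1; CABLE_GW=${CABLE_GW:-203.0.113.1}; CABLE_IP=${CABLE_IP:-203.0.113.162}
WIFI_IF=eth2;  WIFI_GW=192.168.1.1
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ip rule / ip route accept a table *name* only once it is listed in rt_tables.
add_table() {  # $1 = numeric id, $2 = name
  grep -qs "^$1[[:space:]]*$2\$" /etc/iproute2/rt_tables ||
    run sh -c "echo '$1 $2' >> /etc/iproute2/rt_tables"
}

setup_routing() {
  add_table 100 insight; add_table 200 aet
  run ip route replace default via "$CABLE_GW" dev "$CABLE_IF" table insight
  run ip route replace default via "$WIFI_GW"  dev "$WIFI_IF"  table aet
  # Each table also needs the LAN route: a marked reply packet destined for the LAN
  # would otherwise match the table's default route and leave via the uplink again.
  run ip route replace "$LAN_NET" dev "$LAN_IF" table insight
  run ip route replace "$LAN_NET" dev "$LAN_IF" table aet
  # 'ip rule add' is not idempotent: delete the old fwmark rules before re-running.
  run ip rule add fwmark 1 table insight
  run ip rule add fwmark 2 table aet
  run ip route flush cache
}

setup_marks() {
  # Restore a saved connection mark first, so every packet of an established
  # connection (both directions) keeps the uplink chosen for its first packet.
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  # Only the first packet of a new LAN connection is classified.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 6881:6999 -j MARK --set-mark 2
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark 0 -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Each uplink needs its own source NAT; a single SNAT to the cable address would send
  # packets out eth2 with a source address the wireless router has no route back to.
  run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"
  run iptables -t nat -A POSTROUTING -o "$WIFI_IF" -j MASQUERADE
}

apply_all() { setup_routing; setup_marks; }
apply_all
```

Run it once with DRY_RUN=1 and compare the printed commands against `ip rule`, `ip route show table aet` and `iptables -t mangle -L PREROUTING -v` on the live box before applying.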
Old 01-26-2005   #2
Just Joined!
 
Join Date: Jan 2005
Location: Toronto, ON, Canada
Posts: 79
First of all, I think you are doing policy routing instead of load balancing, as you are
setting up rules to route data along different routes on a protocol and source/destination
info basis. Load balancing is traffic shaping and bandwidth management, also based on
protocol and source/destination info. There are also some tools
(commercial ones, as far as I know) that do dynamic NAT in real time based on bandwidth
availability on the external lines.


If it works like a charm for the test you did, it should work the same way for bittorrent,
except if some of your LAN bittorrent clients have registered as their external IP the one
assigned to eth1 and some external bittorrent peers are looking for them.

Are the packets you have sniffed on eth1 incoming to your LAN from the
internet (the SYN is from the internet)?

afrolinux