From: "Javier Govea" <jgovea@magma.ca>
To: George Vieira <georgev@citadelcomputer.com.au>,
	Javier Govea <jgovea@magma.ca>,
	georgev@citadelcomputer.com.au
Cc: netfilter@lists.netfilter.org
Subject: RE: Round Robin Load Balancing
Date: Sun, 17 Aug 2003 12:38:50 -0400 (EDT)
Message-ID: <200308171638.h7HGcoOM009311@webmail1.magma.ca>

Hi guys,

Well I tried the rules as you suggested, but this rule:

iptables -t nat -A PREROUTING -m connmark --mark 1 -j ROUTE --oif ppp0
...

gives me an error: Invalid argument. According to this link:

http://www.netfilter.org/documentation/pomlist/pom-extra.html#ROUTE

the ROUTE target "has to be used inside the mangle table." So I can't use it in the NAT
table. 

The file mentioned by George
(~georgev/iptables-1.2.7a/patch-o-matic/extra/ROUTE.patch.help) has an example using ROUTE
with the NAT table. However this example seems to refer to iptables-1.2.7a. I am using
iptables-1.2.8. I don't think it's a good idea to go back to install an older version.
What do you guys think??

Any more suggestions or ideas????? All tips are very welcome...
Thanx to all
Xavier



On Aug 11, "George Vieira" <georgev@citadelcomputer.com.au> wrote:
> 
> Hate to burst your bubble but isn't the ROUTE module being used a _little_ too late? I
> mean, it's supposed to reroute to a new device but you're using it in POSTROUTING which means
> it's too late to reroute it (basically leaving the interface and out to the internet)...
> 
> From memory, the ROUTE module is supposed to be used in PREROUTING on the internal
> interface so that it doesn't hit the routing table yet and the rule modifies which
> interface to go out on..
> 
> I just did a search for the file :
> ~georgev/iptables-1.2.7a/patch-o-matic/extra/ROUTE.patch.help
> --------------------------------------------------------------------------------
> Author: Cédric de Launois <delaunois@info.ucl.ac.be>
> Status: In Development/Works for me
> 
>   This option adds a `ROUTE' target, which allows you to directly resend
>   a received packet through a specified interface, even and especially
>   if the packet IP address is one of the router itself. Those packets
>   are locally delivered and cannot be forwarded to another computer
>   using the standard routing mechanisms.
> 
>   ROUTE target v1.2.7 options:
>     --iface   name            Send the packet directly through iface name.
>     --ifindex index           Send the packet directly through iface index.
> 
>   Example :
>   You want to install a ssh server on a computer inside your network but
>   you also want it to appear exactly as if it was located on the router.
>   A solution is to simply reroute packets with destination port 22 to the
>   computer having the same IP as the router and hosting the ssh service,
>   thanks to this ROUTE target and an ipip tunnel.
> 
>   # iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j ROUTE --iface tunl1
>   # iptables -A PREROUTING -t nat -i tunl1 -j ROUTE --iface eth0
> --------------------------------------------------------------------------------
> So my guess is that you need to change some lines eg:
> 
> > iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <ppp0-ip-addr>
> > iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to-source <ppp1-ip-addr>
> > iptables -t nat -A POSTROUTING -o ppp2 -j SNAT --to-source <ppp2-ip-addr>
> > iptables -t nat -A POSTROUTING -o ppp3 -j SNAT --to-source <ppp3-ip-addr>
> This appears to be OK.
> 
> > iptables -t mangle -A PREROUTING -m nth --every 4 --packet 1 -m state --state new -j CONNMARK --set-mark 1
> > iptables -t mangle -A PREROUTING -m nth --every 4 --packet 2 -m state --state new -j CONNMARK --set-mark 2
> > iptables -t mangle -A PREROUTING -m nth --every 4 --packet 3 -m state --state new -j CONNMARK --set-mark 3
> > iptables -t mangle -A PREROUTING -m nth --every 4 --packet 0 -m state --state new -j CONNMARK --set-mark 4
> This _might_ be OK.. as long as it works and marks them.
> 
> > iptables -t mangle -A OUTPUT -m nth --every 4 --packet 1 -m state --state new -j CONNMARK --set-mark 1
> > iptables -t mangle -A OUTPUT -m nth --every 4 --packet 2 -m state --state new -j CONNMARK --set-mark 2
> > iptables -t mangle -A OUTPUT -m nth --every 4 --packet 3 -m state --state new -j CONNMARK --set-mark 3
> > iptables -t mangle -A OUTPUT -m nth --every 4 --packet 0 -m state --state new -j CONNMARK --set-mark 4
> This only gets used by the local machine itself but useful also if you're running SQUID and a
> transparent proxy.
> 
> > iptables -t mangle -A POSTROUTING -m connmark --mark 1 -j ROUTE --oif ppp1
> > iptables -t mangle -A POSTROUTING -m connmark --mark 2 -j ROUTE --oif ppp2
> > iptables -t mangle -A POSTROUTING -m connmark --mark 3 -j ROUTE --oif ppp3
> > iptables -t mangle -A POSTROUTING -m connmark --mark 4 -j ROUTE --oif ppp0
> This should be replaced by the lines below (I think..)..
> 
>  iptables -t nat -A PREROUTING -m connmark --mark 1 -j ROUTE --oif ppp1
>  iptables -t nat -A PREROUTING -m connmark --mark 2 -j ROUTE --oif ppp2
>  iptables -t nat -A PREROUTING -m connmark --mark 3 -j ROUTE --oif ppp3
>  iptables -t nat -A PREROUTING -m connmark --mark 4 -j ROUTE --oif ppp0
> 
> Give this a try but I don't know if all of this is right and there's nothing else
> missing... looks OK.
> 
> Also, when testing use telnet and don't use a browser.. makes it easier to debug, whereas
> a browser pulls up to 20 connections and it's hard to figure out. Just telnet to a specific
> host on the internet and use tcpdump on that host to see where the packets are routing
> through..
> 
> Good luck.
> 
> 
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
> 
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
> 
> 
> -----Original Message-----
> From: Javier Govea [mailto:jgovea@magma.ca]
> Sent: Monday, August 11, 2003 5:08 AM
> To: Ramin Dousti; Javier Govea
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Round Robin Load Balancing
> 
> 
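As an added example (not code from the thread or from either poster), a small POSIX sh generator that emits the whole ruleset for the four-link setup discussed above, with both the CONNMARK rules and the ROUTE rules in the mangle table, as the pom-extra page requires, and the ROUTE rules in PREROUTING as George suggests. It prints the commands instead of running them so the ruleset can be reviewed before it touches a live firewall; the link order and the `<pppN-ip-addr>` placeholders are assumptions to fill in for a real box.

```shell
#!/bin/sh
# Link list in mark order: mark 1 -> ppp1, mark 2 -> ppp2, mark 3 -> ppp3,
# mark 4 -> ppp0, matching the mapping used in the thread (assumed layout).
LINKS="ppp1 ppp2 ppp3 ppp0"

gen_rules() {
    set -- $LINKS
    n=$#

    # 1. Pick a mark for every NEW connection in rotation. nth counts
    #    packets 0..n-1, so the last link gets --packet 0, as in the thread.
    #    PREROUTING covers forwarded traffic, OUTPUT the router's own traffic.
    i=0
    for dev in "$@"; do
        i=$((i + 1))
        pkt=$((i % n))
        for chain in PREROUTING OUTPUT; do
            echo "iptables -t mangle -A $chain -m nth --every $n --packet $pkt" \
                 "-m state --state NEW -j CONNMARK --set-mark $i"
        done
    done

    # 2. Send each connection out the link its mark names. ROUTE only loads
    #    in the mangle table (using it in nat gives 'Invalid argument').
    i=0
    for dev in "$@"; do
        i=$((i + 1))
        echo "iptables -t mangle -A PREROUTING -m connmark --mark $i -j ROUTE --oif $dev"
    done

    # 3. One SNAT per uplink so replies come back on the link the
    #    connection left on. Replace the placeholder with each link's address.
    for dev in "$@"; do
        echo "iptables -t nat -A POSTROUTING -o $dev -j SNAT --to-source <$dev-ip-addr>"
    done
}

# Review first:   sh thisfile.sh
# Apply later:    sh thisfile.sh | sh   (after filling in the SNAT addresses)
gen_rules
```

The generated output is plain shell, so it can be diffed against a running `iptables-save` before anything is applied.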