Hi all,
I am running a FC6 box with two internet links with load balance. Everything
is working fine except the MSN connection, which fails and reconnects every
time, and SSL connections. I would like to know if with the nona howto I
could fix that.
I have tried with no success to redirect that connection only to one link,
but it looks like it does not work. Here is my configuration:
#!/bin/bash
#
# Script based on http://lartc.org/howto/lartc.rpdb.multiple-links.html
#
# Internal (LAN) interface
IF0=eth1
# Add every 192.168.X.0 LAN network (except 192.168.33.0, which is reached
# via 10.1.2.1) to both per-link tables T1 and T2.
function interface_interna() {
    VALOR_IP=0
    while [ $VALOR_IP -lt 254 ] ; do
        if [ $VALOR_IP -ne 33 ] ; then
            P0_NET=192.168.${VALOR_IP}.0
            IP0=192.168.${VALOR_IP}.1
            ip route add $P0_NET dev $IF0 src $IP0 table T1
            ip route add $P0_NET dev $IF0 src $IP0 table T2
        fi
        VALOR_IP=$(expr $VALOR_IP + 1)
    done
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
}
# Link 1 (public address, masked)
IP1=xxx.xxx.xxx.18
IF1=eth0
P1_NET=xxx.xxx.xxx.16/30
P1=xxx.xxx.xxx.17
# Link 2
IP2=192.168.254.250
IF2=eth2
P2_NET=192.168.254.248/29
P2=192.168.254.254
# Per-link tables: each one knows its own link network and default gateway
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
# Link networks in the main table
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
# Traffic sourced from a link address uses that link's table
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
# NOTE: $P0_NET is only assigned inside interface_interna, which runs later,
# so it is still empty at this point.
ip route add $P0_NET dev $IF0 table T1
ip route add $P1_NET dev $IF1 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add $P2_NET dev $IF2 table T2
ip route add 127.0.0.0/8 dev lo table T2
interface_interna
# Main table: default route balanced over both links
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1
# BACKUP ROUTES
ip route add default via $P2 dev $IF2 metric 1 table T1
ip route add default via $P1 dev $IF1 metric 1 table T2
# SERVICE ROUTES: fwmark 2 -> table 21 (link 1), fwmark 3 -> table 22 (link 2)
ip rule add fwmark 2 table 21 prio 20
ip rule add fwmark 3 table 22 prio 20
ip route add default via $P1 dev $IF1 table 21
ip route add default via $P2 dev $IF2 table 22
ip route flush cache
Here are the iptables mangle rules:
############# MSN Services #####################
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger \
    -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger \
    -j MARK --set-mark 2
############### SSL Services ###########
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl \
    -j MARK --set-mark 2
I added the rules for DNS and FTP too.
But it doesn't seem to work.
Any help will be appreciated.
Saulo Silva
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Refer to the archives.
Use connmark.
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL
http://mailman.ds9a.nl/pipermail/lartc/2007q2/020779.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
Two different approaches.
-----Original Message-----
From: Saulo Silva [mailto:sauloaugustosilva@gmail.com]
Sent: Thursday, July 05, 2007 11:58 AM
To: Salim S I
Subject: Re: [LARTC] Load Balancing , MSN and SSL
I already tried that with no success.
Could you explain that better?
2007/7/4, Salim S I <salim.si@cipherium.com.tw>:
Refer to the archives.
Use connmark.
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My experience with the layer7 module has been sketchy. Have you checked to
make sure that the layer7 module is catching msnmessenger traffic? It would
be a good idea to try

#iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
    --log-prefix 'MSN Messenger Packet: '

and consult /var/log/messages and make sure that layer7 is seeing it.
If it's not, the packets for msn traffic will never get marked.

A much better solution would be to mark based on destination port, and let connection
tracking take care of the rest. For example:

#DNS Traffic
#iptables -A FORWARD -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
#iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Hope this helps!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGjNtxE5g7hmMpaLoRAuFwAJ9ePBgmBCQfToFaT24PZFvdIhH20ACgq52E
pFsHeJgpBIGDG6oPHdhZpnc=
=TgHZ
-----END PGP SIGNATURE-----
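The check suggested above, turned into a small script as an added example (not code from the thread): it reads kernel LOG lines carrying a given --log-prefix and reports how many matched, which outgoing link each flow was sent over, and how many distinct links one service was spread across. The sample log lines are constructed (client addresses from 192.168.1.0/24, servers from the 203.0.113.0/24 documentation range) and assume the LOG rule sits in the FORWARD chain, after the routing decision, so the OUT= field is filled in; a LOG rule in PREROUTING logs OUT= empty. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a LOG rule with a known
# --log-prefix is actually firing, and see which link each flow left on.
# Sample lines are constructed; the LOG rule is assumed to be in FORWARD so
# that the OUT= field is populated.

# Constructed excerpt of /var/log/messages: three MSN hits and one unrelated line.
SAMPLE_LOG='Jul  5 09:01:02 gw kernel: MSN Messenger Packet: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40112 DPT=1863 SYN
Jul  5 09:01:03 gw kernel: MSN Messenger Packet: IN=eth1 OUT=eth2 SRC=192.168.1.11 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=40113 DPT=1863 ACK
Jul  5 09:01:09 gw kernel: MSN Messenger Packet: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=40114 DPT=1863 ACK
Jul  5 09:01:10 gw sshd[1234]: Accepted publickey for admin from 192.168.1.2 port 51022'

# count_hits PREFIX: number of log lines (on stdin) carrying PREFIX.
# Zero hits means the classifier (layer7 here) never matched, so a MARK rule
# using the same match would never fire either.
count_hits() {
    grep -c -F "$1" || true
}

# hits_by_flow PREFIX: packet counts per (OUT interface, DST, DPT), most frequent first.
# Output line format: "<count> <out_if> <dst> <dport>".
hits_by_flow() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            out = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "OUT") out = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            n[out " " dst " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# links_used PREFIX: number of distinct non-empty OUT= interfaces among the
# matching lines. More than 1 for a single service means its packets are being
# split across links, which is what breaks long-lived sessions.
links_used() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^OUT=./ && !($i in seen)) { seen[$i] = 1; c++ }
        }
        END { print c + 0 }
    '
}

# Stand-alone run over the constructed sample; feed < /var/log/messages for real data.
printf '%s\n' "$SAMPLE_LOG" | hits_by_flow 'MSN Messenger Packet:'
echo "links used: $(printf '%s\n' "$SAMPLE_LOG" | links_used 'MSN Messenger Packet:')"
```

On the constructed sample the MSN packets to the same server leave over both eth0 and eth2, which is the per-connection inconsistency the original post describes; a correct sticky-marking setup should bring links_used down to 1 per service.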
Hi,
I think you could mark packets based on port 1863 and hosts messenger.hotmail.com, gateway.messenger.hotmail.com, webmessenger.msn.com
On 7/5/07, Randy D. Wallace Jr. <randywallacejr@gmail.com> wrote:
--
"The network is the computer"
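Putting the "use connmark" pointer, the port-based marking suggested in the thread and the port 1863 named above together, as an added example that is not code from the thread: a mangle ruleset that classifies only the first packet of each connection (by destination port, or by a per-connection coin toss for everything else), saves the mark into the conntrack entry, and restores it on every later packet, so a session never changes link half-way through. It assumes the original poster's policy rules are already installed (fwmark 2 -> table 21 on link 1, fwmark 3 -> table 22 on link 2) and that conntrack is loaded; the interface name follows his script, everything else (function name, IPT/LAN_IF variables, the 443 port choice) is my assumption. Setting IPT to "echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the poster's policy rules:
#   ip rule add fwmark 2 table 21 prio 20   (table 21 -> link 1)
#   ip rule add fwmark 3 table 22 prio 20   (table 22 -> link 2)
# Set IPT='echo iptables' to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"      # internal interface, as in the poster's script
MARK_LINK1=2                  # fwmark -> table 21 (link 1)
MARK_LINK2=3                  # fwmark -> table 22 (link 2)

# Per-connection sticky marking in mangle PREROUTING. Rule order is the whole point:
# restore first, stop if already marked, classify only NEW connections, then save.
connmark_rules() {
    # 1. Packets of a known connection get the mark stored in its conntrack entry.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 2. Already marked: nothing more to decide for this packet.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    # 3. First packet of a connection: pin services that must not hop between links.
    #    MSN Messenger (tcp/1863) and SSL/TLS (tcp/443) -> link 1, matched by port
    #    instead of by layer7 pattern.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -p tcp --dport 1863 -j MARK --set-mark "$MARK_LINK1"
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -p tcp --dport 443 -j MARK --set-mark "$MARK_LINK1"
    # 4. Everything else: pick a link per connection (50/50) rather than per packet
    #    or per route-cache entry, so the whole flow stays where it started.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW -m mark --mark 0 \
        -m statistic --mode random --probability 0.5 -j MARK --set-mark "$MARK_LINK1"
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW -m mark --mark 0 \
        -j MARK --set-mark "$MARK_LINK2"
    # 5. Persist the decision into the conntrack entry; step 1 reads it back for
    #    every later packet of the same connection.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
}

# Stand-alone use: "sh thisscript.sh apply" installs the rules; with no argument
# the rules are only printed so they can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    connmark_rules
else
    IPT="echo iptables"
    connmark_rules
fi
```

Because the mark is decided once per connection and then copied from conntrack, the multipath default route in the main table is no longer what keeps a flow on a link, so an expiring route-cache entry cannot move an established MSN or SSL session to the other link. The trade-off of port-based classification is that anything on tcp/443 is pinned to link 1, whether or not it is TLS; that is the same coarseness the thread accepts in exchange for not depending on the layer7 matcher.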