Hello!

I have set up a LINUX router with two separate uplinks to do load balancing. I made all the configuration after the "NANO-HOWTO to use more than one independent Internet connection" document. I patched my 2.4.24 kernel with the patches described in this document. My configuration is:

---------------------------------------------------------------
#!/bin/bash
#------------------------------
# LAN_IF - LAN interface
# LAN_IP - LAN IP
# LAN_NET - LAN network/mask
#------------------------------
# INET1_IF - external interface no. 1
# INET1_IP - external IP no. 1
# INET1_NET - external network/mask no. 1
# INET1_GW - remote gateway no. 1
#------------------------------
# INET2_IF - external interface no. 2
# INET2_IP - external IP no. 2
# INET2_NET - external network/mask no. 2
# INET2_GW - remote gateway no. 2
#------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

IPTABLES=/usr/sbin/iptables

$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -t filter -X keep_state
$IPTABLES -t nat -X keep_state

$IPTABLES -t filter -N keep_state
$IPTABLES -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A keep_state -j RETURN
$IPTABLES -t nat -N keep_state
$IPTABLES -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A keep_state -j RETURN

$IPTABLES -t nat -A PREROUTING -j keep_state
$IPTABLES -t nat -A POSTROUTING -j keep_state
$IPTABLES -t nat -A OUTPUT -j keep_state
$IPTABLES -t filter -A INPUT -j keep_state
$IPTABLES -t filter -A FORWARD -j keep_state
$IPTABLES -t filter -A OUTPUT -j keep_state

/sbin/ip rule del prio 50 table main
/sbin/ip rule add prio 50 table main
/sbin/ip route del default table main

/sbin/ip rule del prio 201 from $INET1_NET table 201
/sbin/ip rule add prio 201 from $INET1_NET table 201
/sbin/ip route add default via $INET1_GW dev $INET1_IF \
    src $INET1_IP proto static table 201
/sbin/ip route append prohibit default table 201 metric 1 proto static

/sbin/ip rule del prio 202 from $INET2_NET table 202
/sbin/ip rule add prio 202 from $INET2_NET table 202
/sbin/ip route add default via $INET2_GW dev $INET2_IF \
    src $INET2_IP proto static table 202
/sbin/ip route append prohibit default table 202 metric 1 proto static

/sbin/ip rule del prio 222 table 222
/sbin/ip rule add prio 222 table 222
/sbin/ip route add default table 222 proto static \
    nexthop via $INET1_GW dev $INET1_IF \
    nexthop via $INET2_GW dev $INET2_IF

$IPTABLES -t nat -A POSTROUTING -o $INET1_IF -s $LAN_NET -j SNAT --to-source $INET1_IP
$IPTABLES -t nat -A POSTROUTING -o $INET2_IF -s $LAN_NET -j SNAT --to-source $INET2_IP
---------------------------------------------------------------------------------

Load balancing works well, and everything seems to be OK.

But there is a problem: the two uplinks are from different ISPs, so they have their own SMTP servers. I have to use only one SMTP server to send e-mail, so I set up the SMTP server of ISP1 in my e-mail client program. But because of load balancing, SMTP traffic sometimes goes through the second line (ISP2), and then the SMTP server of ISP1 refuses to accept my message.

So I would like to "tie" SMTP traffic to the ISP1 line. What rules should I use? Perhaps I should mark all the SMTP traffic with IPTABLES MARK?

I would be very grateful for your help and suggestions...
Rokas Zakarevicius

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hello,

On Fri, 6 Feb 2004, Rokas wrote:

> have their own SMTP servers. I have to use only one SMTP server to
> send e-mail, so I set up the SMTP server of ISP1 in my e-mail client
> program. But because of load balancing, SMTP traffic sometimes goes
> through the second line ISP2, and then the SMTP server of ISP1 refuses
> to accept my message.
>
> So I would like to "tie" SMTP traffic to the ISP1 line. What rules should

What about

/sbin/ip rule add prio 80 to $SMTP_IP table 201

Regards

--
Julian Anastasov <ja@ssi.bg>
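Julian's one-line rule, as an added shell example that is not part of the thread and not Julian's or Rokas's own script: it installs the rule under the original script's variable names, prints the commands by default so it can be read without a router (DRY_RUN=0 executes them), and models the rule walk to show why priority 80 has to sit below the 201/202 source rules and the 222 balancing rule. Every address, interface name and the SMTP_IP value is a constructed placeholder from the RFC 5737 test networks; the in_net helper is a deliberate /24-only simplification of real prefix matching.

```shell
#!/bin/sh
# Added example for this thread (not Julian's or Rokas's own script): install the
# destination-based policy rule Julian suggests and model why its priority matters.
# Variable names follow the original script; all values are constructed placeholders.
LAN_NET="10.0.0.0/24"                                                   # placeholder LAN
INET1_IF="eth1"; INET1_IP="192.0.2.10";    INET1_NET="192.0.2.0/24"     # placeholder uplink 1
INET2_IF="eth2"; INET2_IP="198.51.100.10"; INET2_NET="198.51.100.0/24"  # placeholder uplink 2
SMTP_IP="203.0.113.25"   # placeholder: ISP1's SMTP server, the only one that accepts our mail
DRY_RUN="${DRY_RUN:-1}"  # 1 = only print the commands (safe anywhere); 0 = execute on the router

# run: echo a command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# pin_smtp_to_uplink1: Julian's suggestion. Priority 80 is evaluated before the
# per-uplink source rules (201/202) and the balancing rule (222), so any packet
# *to* the SMTP server is routed by table 201 (default via INET1_GW) whatever
# its source. The original POSTROUTING SNAT on $INET1_IF then rewrites the LAN
# source to $INET1_IP, so the server sees ISP1's address and the reply comes
# back over the same uplink.
pin_smtp_to_uplink1() {
    run /sbin/ip rule del prio 80 to "$SMTP_IP" table 201 2>/dev/null || true  # harmless if absent
    run /sbin/ip rule add prio 80 to "$SMTP_IP" table 201
}

# in_net: crude membership test for the /24 placeholders above (compares the
# first three octets); a simplification, not a general prefix match.
in_net() {  # $1 = address, $2 = network written as a.b.c.0/24
    [ "${1%.*}" = "${2%.*}" ]
}

# rule_table_for: walk the rule list this setup installs, lowest priority first,
# and print the table the first matching rule selects. Table main (prio 50) is
# skipped in the model because the original script removes its default route,
# so for the remote destinations tested here it holds no route and the lookup
# falls through to the next rule.
rule_table_for() {  # $1 = source address, $2 = destination address
    s="$1"; d="$2"
    if [ "$d" = "$SMTP_IP" ]; then echo 201; return; fi      # prio 80:  to $SMTP_IP
    if in_net "$s" "$INET1_NET"; then echo 201; return; fi   # prio 201: from $INET1_NET
    if in_net "$s" "$INET2_NET"; then echo 202; return; fi   # prio 202: from $INET2_NET
    echo 222                                                 # prio 222: balanced default
}

# Stand-alone use: print the commands (DRY_RUN=1) or apply them (DRY_RUN=0).
pin_smtp_to_uplink1
echo "LAN client -> SMTP server uses table $(rule_table_for 10.0.0.5 "$SMTP_IP")"
echo "LAN client -> other host  uses table $(rule_table_for 10.0.0.5 203.0.113.80)"
```

On the router, run it with DRY_RUN=0 and then check with `ip rule show` (the new rule appears first among the non-local ones) and `ip route get $SMTP_IP` (the route should go via INET1_GW on INET1_IF). Because the original SNAT rules key on the outgoing interface, nothing else has to change for this destination: its packets leave with INET1_IP as source, which is what ISP1's server expects.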
Hi all,

I had a problem like that, and I solved it by making a rule with iptables so that all traffic to port 25 was routed to the IP that was accepted to send. Or you may try to create a rule so that when outgoing traffic is via ISP2 you change the source IP. Try and let me know.

[]'s
Anderson

> Hello!
>
> I have set up a LINUX router with two separate uplinks to do load
> balancing. I made all the configuration after the "NANO-HOWTO to use
> more than one independent Internet connection" document. I patched my
> 2.4.24 kernel with the patches described in this document. My
> configuration is:
>
> [...]
>
> Load balancing works well, and everything seems to be OK.
> But there is a problem: the two uplinks are from different ISPs, so they
> have their own SMTP servers. I have to use only one SMTP server to
> send e-mail, so I set up the SMTP server of ISP1 in my e-mail client
> program. But because of load balancing, SMTP traffic sometimes goes
> through the second line ISP2, and then the SMTP server of ISP1 refuses
> to accept my message.
>
> So I would like to "tie" SMTP traffic to the ISP1 line. What rules should
> I use? Perhaps I should mark all the SMTP traffic with IPTABLES MARK?
>
> I would be very grateful for your help and suggestions...
>
> Rokas Zakarevicius
Thank you very much for the suggestion. I added a static route for the SMTP server, and it works OK.

But what method should I use if I want to "tie", for example, all the HTTPS (TCP 443) traffic to one line? Should I mark packets in the mangle PREROUTING table or somewhere else? Maybe you have some experience with similar issues...

Thank you for your advice. Good luck! :)

Rokas Zakarevicius
Kaunas, Lithuania

> Hi all,
> I had a problem like that, and I solved it by making a rule
> with iptables so that all traffic to port 25 was routed
> to the IP that was accepted to send.
> Or you may try to create a rule so that when outgoing traffic is
> via ISP2 you change the source IP.
> Try and let me know.
> []'s
> Anderson
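The fwmark approach Rokas asks about, as an added shell example that is not part of the thread and not an answer anyone gave in it: a mangle PREROUTING MARK rule plus an `ip rule ... fwmark` entry, written so it generalises the "all HTTPS to one line" case to any TCP port and either uplink. It reuses the original script's variable names and table numbers (201 and 202); the addresses and interface names are constructed placeholders, the mark values 1 and 2 are assumed to be unused elsewhere on the router, and the rule priorities 101/102 are a choice made here only so they sort below the 222 balancing rule.

```shell
#!/bin/sh
# Added example (not from the thread): steer one TCP port over a chosen uplink
# with an fwmark. Variable names follow the original script; values are placeholders.
LAN_NET="10.0.0.0/24"                         # placeholder LAN
INET1_GW="192.0.2.1";    INET1_IF="eth1"      # placeholder uplink 1 (original table 201)
INET2_GW="198.51.100.1"; INET2_IF="eth2"      # placeholder uplink 2 (original table 202)
IPTABLES=/usr/sbin/iptables
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute on the router

# run: echo a command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# uplink_table: map uplink number (1 or 2) to the per-uplink routing table the
# original script builds (201 or 202); anything else is rejected.
uplink_table() {
    case "$1" in
        1) echo 201 ;;
        2) echo 202 ;;
        *) echo "uplink_table: no such uplink: $1" >&2; return 1 ;;
    esac
}

# pin_tcp_port_to_uplink PORT UPLINK
# 1. mangle PREROUTING marks every LAN packet to TCP PORT as it enters the router.
#    PREROUTING runs before the routing decision, so the policy rule can see the
#    mark; the router's own traffic would need the same rule in mangle OUTPUT.
# 2. A policy rule on that fwmark sends the packet to the uplink's table. Its
#    priority (100 + mark) stays below 222, so it beats the balancing rule.
# 3. No CONNMARK is needed here: every packet the LAN client sends on the
#    connection carries the same destination port, so each one is marked the
#    same way, and the original per-interface SNAT keeps the source address
#    consistent with the uplink that was chosen.
# The mark value is simply the uplink number (assumed unused elsewhere).
pin_tcp_port_to_uplink() {
    port="$1"; uplink="$2"
    table="$(uplink_table "$uplink")" || return 1
    mark="$uplink"
    prio="$((100 + $mark))"
    run "$IPTABLES" -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport "$port" \
        -j MARK --set-mark "$mark"
    run /sbin/ip rule del prio "$prio" fwmark "$mark" table "$table" 2>/dev/null || true
    run /sbin/ip rule add prio "$prio" fwmark "$mark" table "$table"
}

# Stand-alone use: HTTPS over ISP1, as asked in the thread.
pin_tcp_port_to_uplink 443 1
```

On the router, `iptables -t mangle -L PREROUTING -n -v` shows the packet counter on the MARK rule climbing as LAN clients open HTTPS connections, and `ip rule show` lists the fwmark rule (the kernel prints the mark in hex) ahead of the 222 entry. Pinning a second port to the same uplink only adds another MARK rule; the del/add pair keeps the single fwmark rule from being duplicated.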