I've read your http://lartc.org/howto/lartc.rpdb.multiple-links.html
article as well as Advanced IP Routing (esp. chapter 10.4) and am still unable to make
this thing work. Am I that helpless? :)
Is there anyone to guide me through the multiple ISP setup?
Into details: I have 2 DSL connections from different ISPs (A and B); both
connections use PPPoE and both got assigned dynamic IPs in different
networks using different gateways. A is asymmetric 2048/256 while B is
symmetric 1024/1024. Both are connected to a Debian GNU/Linux 3.1 box
(P3/800, 384 MB RAM, 3 NICs - 2 for DSL and 1 for LAN) via separate NICs, and
both work as I've set both ppp connections to use the unit option. The default
gateway for the internet is B. I have a DNS server set up on the router to serve my
local (LAN) zone and to forward requests to A's DNS servers, because B's
often fail to resolve and take much time to refresh their zones. Right now I
have iptables NAT set up to masquerade my LAN via B. Provider B forces me to
use their cache servers (www, ftp), which is very nasty as they don't show
my IP.

I want one of my local machines, 192.168.0.16/26, to be masqueraded through A,
while the 4 other DHCP-assigned PCs would use B. Also I'd like to use B
for the ftp server set up on my router box.
Some more details:

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
213.219.88.1    0.0.0.0         255.255.255.255 UH      0 0          0 ppp0
212.7.9.115     0.0.0.0         255.255.255.255 UH      0 0          0 ppp1
192.168.0.0     0.0.0.0         255.255.255.192 U       0 0          0 eth1
0.0.0.0         212.7.9.115     0.0.0.0         UG      0 0          0 ppp1

ip route show table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 82.147.186.159 dev ppp1 proto kernel scope host src 82.147.186.159
broadcast 192.168.0.63 dev eth1 proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev eth1 proto kernel scope host src 192.168.0.1
broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.1
local 213.219.95.230 dev ppp0 proto kernel scope host src 213.219.95.230
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
I'm not sure if it's correct, but here's my iptables script:

#!/bin/bash
# bash rather than sh: the script relies on bash arrays.
PPP=(ppp0 ppp1)
# Public address of each link, read from the second line of ifconfig output
# ("inet addr:A.B.C.D  P-t-P:W.X.Y.Z  Mask:..."); after splitting on ":"
# field 3 is the local address. The addresses are dynamic, so read them at run time.
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`
    `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)

# Start from empty filter, nat and mangle tables.
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Traffic to the router itself arriving on the DSL links.
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp+ -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT
# passive ftp data port range
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

# Forwarded traffic: replies, plus the port-forwards set up in the nat table below.
iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

# TOS: interactive traffic (icmp, small TCP segments, ftp control, ssh, ntp)
# gets Minimize-Delay, bulk traffic (large segments, ftp data, dns, http)
# Maximize-Throughput; PREROUTING covers incoming, OUTPUT locally generated packets.
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay

# Port-forwards from the B link (ppp1) to LAN hosts.
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402
# Transparent proxy: LAN web traffic is redirected to the local squid on port 3128.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# Everything leaving via B is masqueraded.
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to ${IP[1]}
Here's my network layout:

ppp0 (ADSL 2048/256)
 |
 |   ppp1 (SDSL 1024/1024)
 |    |
-------- LINUX -------
         |
   eth0 (192.168.0.1 DHCP+DNS, Squid, Samba)
         |
         |
     -----8 port 100mbit dumb switch
       |   |   |   |   |
192.168.0.16/26    |   |   |
                   |   |  - DHCP assigned clients
                   | ---
                   (192.168.0.0/26)
                   -----

I need 192.168.0.16 to take the ppp0 route for all its needs (masqueraded on
ppp0) and use the transparent squid cache set up on 192.168.0.1 for www, while
all other DHCP-assigned clients would use masquerading on ppp1 for all their
needs and use the forced load-balanced cache of the second ISP.
Hi

This Link may help you
http://linux.com.lb/wiki/index.pl?node=Load%20Balancing%20Across%20Multiple%20Links

hare

----- Original Message -----
From: "Anonymous" <netmon@hot.ee>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, September 29, 2005 2:53 PM
Subject: [LARTC] need help on multiple isp routing
Thank you very much for your reply! I've read your article, even if it mentions a 50x50 multipath load-balance (am I right?) solution, which is not exactly what I need. Now I begin to realize how wrong I was. But I need more like a "split" kind of access with 2 different ISPs - 1 ISP for just 1 PC (192.168.0.16), and then another ISP for all the other clients (192.168.0.0/26). Anyway your article is kinda helpful. I don't give up on the split access idea, even if I already spent 3 days of my 6 day vacation trying to configure it. I still have 3 days more! :)

----- Original Message -----
From: "hareram" <hareram@sol.net.in>
To: "Anonymous" <netmon@hot.ee>; <lartc@mailman.ds9a.nl>
Sent: Friday, September 30, 2005 9:20 AM
Subject: Re: [LARTC] need help on multiple isp routing

> This Link may help you
> http://linux.com.lb/wiki/index.pl?node=Load%20Balancing%20Across%20Multiple%20Links
Hi

the best way to do is Source route Routing and Masq

hare

----- Original Message -----
From: "Anonymous" <netmon@hot.ee>
To: "LARTC" <lartc@mailman.ds9a.nl>
Sent: Friday, September 30, 2005 1:05 PM
Subject: Re: [LARTC] need help on multiple isp routing
Could someone take a fresh look at my configuration and then tell me where
I took the wrong turn?
Yes, outgoing packets take different routes/gateways based on an ip
fwmark/iptables mark. At least I believe they do. But when I run an iftop
session (one per each of the ppp interfaces) I see that packets (with the correct
outgoing IP) go out and get replies only on ppp0, while ppp1 only sends
(outgoing IP also correct) and receives but doesn't forward.
Some mistake I made in filter input/forward or nat prerouting, huh? I don't get it...
Should I somehow mark incoming packets as well? I'm lost :( Or drop packets from
ppp0 on ppp1 and then ppp1 on ppp0?

#!/bin/bash
# bash rather than sh: the script relies on bash arrays.
PPP=(ppp0 ppp1)
# Local address (field 3) and peer/gateway address (field 5) of each link,
# read from the second line of ifconfig output ("inet addr:... P-t-P:... Mask:...").
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`
    `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`
         `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

# Two routing tables: main defaults to ppp0 (A); "auxiliary" (which must be
# listed in /etc/iproute2/rt_tables) is a copy of main defaulting to ppp1 (B).
route del default
ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
| while read ROUTE ; do
    ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip route add table main default via ${GATEWAY[0]} dev ${PPP[0]}
# Packets carrying fwmark 252 are routed by "auxiliary", fwmark 254 by main.
# Delete rules left from a previous run first so they do not pile up.
ip rule del fwmark 252 table auxiliary 2>/dev/null
ip rule del fwmark 254 table main 2>/dev/null
ip rule add fwmark 252 table auxiliary
ip rule add fwmark 254 table main

# Start from empty filter, nat and mangle tables.
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Traffic to the router itself.
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

# Forwarded traffic: replies, plus the port-forwards set up in the nat table below.
iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

# Mark LAN sources before the routing decision: .62 -> ppp1 (auxiliary),
# .16 -> ppp0 (main).
iptables -t mangle -A PREROUTING -s 192.168.0.62 -j MARK --set-mark 252
iptables -t mangle -A PREROUTING -s 192.168.0.16 -j MARK --set-mark 254
# TOS marking: interactive traffic Minimize-Delay, bulk traffic Maximize-Throughput.
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay

# Port-forwards: from ppp0 to 192.168.0.16, from ppp1 to 192.168.0.62.
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402
# Transparent proxy for 192.168.0.16 only.
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128
#iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j MASQUERADE
# Source NAT to the address of the link chosen by the routing decision.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j SNAT --to ${IP[0]}
iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j SNAT --to ${IP[1]}
I finally made it! yeeee-ha! It works! The only thing I still have to configure is
how to make those 2 links use their own DNS servers, as ISP1's servers do
not answer queries from ISP2's IP address and vice versa. I run BIND (as a
cache and also for my local zone) on my router, configured to forward
requests to ISP1's DNS servers. I really don't want to run 2 copies of BIND
with ISP2's forwarders as the only difference in configuration. Would
anybody come up with a more elegant solution on that issue? I'm sure it
is not nice to specify both ISPs' servers as forwarders for a single
server, as the server itself uses the default gateway of ISP1. And then about services
installed on the router machine itself - ftp, www. They do not seem to listen
on ISP2's IP. Any solution besides configuring virtual servers?
Here's my firewall script. I'd like it if someone would correct
me, especially on the mangle table, as I'm still not sure if I mark packets correctly.

#!/bin/bash
# bash rather than sh: the script relies on bash arrays.
PPP=(ppp0 ppp1)
# Local address (field 3) and peer/gateway address (field 5) of each link,
# read from the second line of ifconfig output ("inet addr:... P-t-P:... Mask:...").
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`
    `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`
         `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

# Second routing table "auxiliary" (must be listed in /etc/iproute2/rt_tables):
# a copy of main whose default route points at ppp1 instead.
ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
| while read ROUTE ; do
    ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
# Packets carrying fwmark 0xfc (252) are routed by "auxiliary"; everything
# else uses main. Delete the rule left from a previous run first.
ip rule del fwmark 0xfc table auxiliary 2>/dev/null
ip rule add fwmark 0xfc table auxiliary
# Strict reverse-path filtering checks an incoming packet's source with an
# ordinary (unmarked) route lookup, which for Internet sources hits the main
# table's default route via ppp0; packets arriving on ppp1 would fail that
# check and be dropped, so switch rp_filter off on both links.
echo 0 > /proc/sys/net/ipv4/conf/${PPP[0]}/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/${PPP[1]}/rp_filter

# Start from empty filter, nat and mangle tables.
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Traffic to the router itself.
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

# Forwarded traffic: replies, plus the port-forwards set up in the nat table below.
iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p udp -m udp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

# Mark traffic from 192.168.0.59 before the routing decision so that it is
# routed by "auxiliary" (ppp1).
iptables -t mangle -A PREROUTING -s 192.168.0.59 -j MARK --set-mark 252
###
# TOS marking: interactive traffic Minimize-Delay, bulk traffic Maximize-Throughput.
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
# INPUT and POSTROUTING run after the routing decision, so the marks set there
# do not change any route. In OUTPUT a changed mark causes a re-route, but a
# packet already bound for ppp1 resolves to ppp1 in "auxiliary" as well.
iptables -t mangle -A INPUT -i ${PPP[1]} -j MARK --set-mark 252
#iptables -t mangle -A FORWARD -d 192.168.0.59 -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -o ${PPP[1]} -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A POSTROUTING -s 192.168.0.59 -j MARK --set-mark 252

# Port-forwards: from ppp0 to 192.168.0.16/.62, from ppp1 to 192.168.0.59.
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j DNAT --to 192.168.0.59:15502
iptables -t nat -A PREROUTING -i ${PPP[1]} -p udp -m udp --dport 15502 -j DNAT --to 192.168.0.59:15502
# Transparent proxy for 192.168.0.16 only.
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128
# 192.168.0.59 is masqueraded on ppp1, the rest of the LAN on ppp0.
iptables -t nat -A POSTROUTING -o ${PPP[1]} -s 192.168.0.59 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${PPP[0]} -s 192.168.0.0/26 -j MASQUERADE
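As an added illustration (not code from the thread or from LARTC), the Python model below replays the routing decision of the second script above: two tables selected by fwmark rules, plus the strict reverse-path check that the third script switches off with rp_filter=0. It also tries the "ip rule add from <link address> table ..." rule that the LARTC multiple-links HOWTO uses, which in this model lets rp_filter stay on. The addresses and tables are the ones shown in the thread; the Internet host 198.51.100.7, the class and function names, and the simplifications (no rule priorities, no "loose" rp_filter mode) are assumptions of the example.

```python
"""Toy model of the Linux routing decision behind the thread's split-access
setup: 'ip rule' selectors (fwmark, from), per-table longest-prefix lookup and
the strict reverse-path filter (rp_filter) applied to arriving packets.
Added illustration, not kernel code; 198.51.100.7 is a made-up Internet host."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    dev: str


@dataclass
class Rule:
    """One 'ip rule' entry, listed in priority order; None = match anything."""
    table: str
    fwmark: Optional[int] = None
    src: Optional[IPv4Network] = None


class PolicyRouter:
    def __init__(self, rules: List[Rule], tables: Dict[str, List[Route]],
                 rp_filter: Dict[str, bool]) -> None:
        self.rules = rules
        self.tables = tables
        self.rp_filter = rp_filter  # per-interface strict rp_filter switch

    def _table_lookup(self, table: str, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match inside one table; None if nothing matches."""
        best: Optional[Route] = None
        for r in self.tables[table]:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.dev if best else None

    def lookup(self, dst, src=None, fwmark: int = 0) -> Optional[str]:
        """Walk the rules top-down; the first table holding a route decides."""
        dst = ip_address(dst)
        src = ip_address(src) if src is not None else None
        for rule in self.rules:
            if rule.fwmark is not None and rule.fwmark != fwmark:
                continue
            if rule.src is not None and (src is None or src not in rule.src):
                continue
            dev = self._table_lookup(rule.table, dst)
            if dev is not None:
                return dev
        return None

    def accept_inbound(self, src, dst, in_dev: str, fwmark: int = 0) -> bool:
        """Strict rp_filter: accept only if a reply would leave via in_dev.
        The reverse lookup swaps the addresses: the reply's destination is
        the packet's source, the reply's source is the packet's destination."""
        if not self.rp_filter.get(in_dev, False):
            return True
        return self.lookup(dst=src, src=dst, fwmark=fwmark) == in_dev


# Addresses from the thread's netstat / 'ip route show table local' output.
PPP0_IP, PPP0_PEER = "213.219.95.230", "213.219.88.1"
PPP1_IP, PPP1_PEER = "82.147.186.159", "212.7.9.115"
LAN = ip_network("192.168.0.0/26")
# Marks the second script sets in mangle PREROUTING by source address; every
# other packet, including all packets arriving from the Internet, stays unmarked.
PREROUTING_MARKS = {"192.168.0.62": 252, "192.168.0.16": 254}


def _routes(default_dev: str) -> List[Route]:
    return [Route(LAN, "eth1"),
            Route(ip_network(PPP0_PEER + "/32"), "ppp0"),
            Route(ip_network(PPP1_PEER + "/32"), "ppp1"),
            Route(ip_network("0.0.0.0/0"), default_dev)]


def build_router(rp_filter_on: bool, src_rule_for_ppp1: bool = False) -> PolicyRouter:
    """Tables and rules of the second script: main defaults to ppp0, 'auxiliary'
    to ppp1, fwmark 252 -> auxiliary, fwmark 254 -> main. src_rule_for_ppp1 adds
    the LARTC-HOWTO-style 'ip rule add from <ppp1 address> table auxiliary'."""
    rules: List[Rule] = []
    if src_rule_for_ppp1:
        rules.append(Rule("auxiliary", src=ip_network(PPP1_IP + "/32")))
    rules += [Rule("auxiliary", fwmark=252), Rule("main", fwmark=254), Rule("main")]
    tables = {"main": _routes("ppp0"), "auxiliary": _routes("ppp1")}
    return PolicyRouter(rules, tables, {d: rp_filter_on for d in ("ppp0", "ppp1", "eth1")})


def forward_dev(router: PolicyRouter, lan_src: str, dst: str = "198.51.100.7") -> Optional[str]:
    """Link a LAN host's outbound packet leaves on, after PREROUTING marking."""
    return router.lookup(dst, src=lan_src, fwmark=PREROUTING_MARKS.get(lan_src, 0))


def reply_accepted(router: PolicyRouter, internet_src: str, in_dev: str) -> bool:
    """Does an unmarked packet from the Internet arriving on in_dev pass rp_filter?"""
    local = {"ppp0": PPP0_IP, "ppp1": PPP1_IP}[in_dev]
    return router.accept_inbound(internet_src, local, in_dev)


if __name__ == "__main__":
    strict = build_router(rp_filter_on=True)
    for dev in ("ppp0", "ppp1"):
        print(dev, "inbound accepted with strict rp_filter:", reply_accepted(strict, "198.51.100.7", dev))
    print("rp_filter off:", reply_accepted(build_router(False), "198.51.100.7", "ppp1"))
    print("from-rule, rp_filter on:", reply_accepted(build_router(True, True), "198.51.100.7", "ppp1"))
```

The step that matters is accept_inbound: with only fwmark rules and rp_filter on, an unmarked packet from the Internet arriving on ppp1 is checked against the main table, whose default route points at ppp0, so it is dropped before it ever reaches the FORWARD chain, which matches the symptom reported above (ppp1 receives but never forwards). Turning rp_filter off, as the third script does, removes the check; a "from <ppp1 address>" rule instead makes the reverse lookup land in the auxiliary table, so the check passes while staying enabled.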
On Monday 2005-October-03 09:37, Anonymous wrote:
> configure is how to make those 2 links to use their own DNS servers,

Why?

> as ISP1's servers do not answer queries from ISP2's ip address and

So? They're answering queries from your ISP1 address, no? Is this a problem?

> vice versa. i run BIND (as caching and also for my local zone) on my
> router configured to forward requests to ISP1's DNS servers. i really
> don't want to run 2 copies of BIND with forwarders of ISP2 as the
> only difference in configuration. would anybody come up with a more
> elegant solution on that issue? i'm sure it is not nice to specify

Just don't use forwarders at all. wget the latest root hints file or just use what you have, for "type hints" for the "." zone. Forwarding is rarely a good idea. It gains you nothing. You won't increase the load on the root servers.

> both ISP's servers as forwarders for a single server as the server
> itself uses default gateway of ISP1.

So this is not a problem, but still, forwarders are not helping you.

> and then about services
> installed on a router machine itself - ftp, www. they do not seem to
> listen on ISP2's ip. any solution besides configuring virtual
> servers?

I prefer Julian's approach to dual gateway routing ... his routes patch and the nano.txt HOWTO. That provides more of what people tend to want from multiple ISP connections in a more transparent way. All services use both links equally (or as weighted.) I'm sure there are situations in which splitting traffic by service or destination makes sense ... just not at my 3 dual-ISP sites.
-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header