Hello everybody.
I'm running linux 2.6.19 with nth match to alternatively snat outgoing connections to two different ip addresses for load balancing between two adsl lines. Here is:

    $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adslA
    $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adslB

Things are working pretty good, but some applications (https home banking for example) don't work correctly (because the remote server sees two different ip addresses). Is there any trick to tell iptables to snat always with the same source ip for the same destination host? I have also modified SNAT with SAME, but no luck.

TIA
Alexandre J. Correa - Onda Internet
2006-Dec-11 19:27 UTC
Re: load balancing with https home banking
you can try static ips of home banking like:

    $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport -d 200.200.200.1 --dports 80,443 -j SNAT --to-source adslB

where 200.200.200.1 is the ip of the homebanking site... and it's going out via adslB

Marco Berizzi wrote:
> Hello everybody.
> I'm running linux 2.6.19 with nth match to
> alternatively snat outgoing connections to
> two different ip addresses for load balancing
> between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server sees two different ip addresses). Is
> there any trick to tell iptables to snat
> always with the same source ip for the same
> destination host? I have also modified SNAT
> with SAME, but no luck.
>
> TIA
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Regards,
Alexandre J. Correa
Onda Internet
www.ondainternet.com.br
Linux User ID #142329
I was reading something about -m connmark, where you can set a mark on each connection and make it persistent at the initial connection link.

On 12/11/06, Marco Berizzi <pupilla@hotmail.com> wrote:
> Hello everybody.
> I'm running linux 2.6.19 with nth match to
> alternatively snat outgoing connections to
> two different ip addresses for load balancing
> between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server sees two different ip addresses). Is
> there any trick to tell iptables to snat
> always with the same source ip for the same
> destination host? I have also modified SNAT
> with SAME, but no luck.
>
> TIA
On Monday 11 December 2006 08:15, Marco Berizzi wrote:
> Hello everybody.
> I'm running linux 2.6.19 with nth match to
> alternatively snat outgoing connections to
> two different ip addresses for load balancing
> between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server sees two different ip addresses). Is
> there any trick to tell iptables to snat
> always with the same source ip for the same
> destination host? I have also modified SNAT
> with SAME, but no luck.

You need to use iptables CONNMARK to keep track of "which conn" with "which ISP", see this[1] thread for reference and a nano HOWTO.

[1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

--
Luciano
Luciano Ruete wrote:
> You need to use iptables CONNMARK to keep track of "which conn" with "which
> ISP", see this[1] thread for reference and a nano HOWTO.
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

Thanks for the hint, however the real setup is a little different and AFAIK the connmark approach doesn't help.

This linux box has three ip addresses: 1 for the main internet link (hdsl_ip) plus 2 others for the two adsl connections (all bound to eth0). The box's default gateway is the hdsl ISP router. This is used for ipsec tunnels (driven by swan), and other 'serious' traffic:

    /sbin/route add default gw hdsl_router metric 1

Then there is the route for the two adsl links, which are used for internet surfing traffic:

    ip route add default equalize table adsl \
        nexthop dev eth0 via adsl_router_A weight 1 \
        nexthop dev eth0 via adsl_router_B weight 1
    ip rule add fwmark 1 table adsl priority 400
    $IPTABLES -t mangle -A OUTPUT --protocol tcp -m multiport --dports 80,443 -j MARK --set-mark 1

Squid is running on top of this same box. What I'm trying to do is to split the browsing traffic (that generated by squid) to the two adsl lines. The problem is the packet source ip sent by squid, which is taken from the default route, so I must nat these packets with these rules:

    $IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adsl_A
    $IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adsl_B
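The CONNMARK idea from Luciano's reply, worked through against the squid-on-the-router setup Marco describes above, as an added example that is not code from the thread or from any of its posters. It replaces the single equalized `adsl` table with one routing table per line (table numbers 101 and 102, marks 1 and 2, all assumed values) so that the line chosen once per new connection drives both the gateway and the SNAT source. Every address is a documentation placeholder; `IPTABLES` and `IP` default to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): per-connection line choice stored in
# CONNMARK and used for both policy routing and SNAT. All addresses, table
# numbers and mark values are assumed placeholders.

HDSL_IP=${HDSL_IP:-192.0.2.10}        # placeholder: address squid binds to (default route)
ADSL_A=${ADSL_A:-198.51.100.10}       # placeholder: address on ADSL line A
ADSL_B=${ADSL_B:-203.0.113.10}        # placeholder: address on ADSL line B
GW_A=${GW_A:-198.51.100.1}            # placeholder: ADSL router A
GW_B=${GW_B:-203.0.113.1}             # placeholder: ADSL router B
TABLE_A=101                           # assumed routing table numbers
TABLE_B=102
IPTABLES=${IPTABLES:-"echo iptables"} # set IPTABLES=/sbin/iptables to apply for real
IP=${IP:-"echo ip"}                   # set IP=/sbin/ip to apply for real

# One routing table per line, selected by the packet mark. Locally generated
# packets whose mark changes in mangle OUTPUT are re-routed, so the mark set
# there is what picks the gateway.
routing_rules() {
    $IP route add default via "$GW_A" dev eth0 table "$TABLE_A"
    $IP route add default via "$GW_B" dev eth0 table "$TABLE_B"
    $IP rule add fwmark 1 table "$TABLE_A" priority 400
    $IP rule add fwmark 2 table "$TABLE_B" priority 401
}

# Decide the line once per connection and remember it in conntrack.
mark_rules() {
    # Packets of an already classified connection inherit its stored mark.
    $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Still unmarked NEW web connections: the nth round-robin from the thread,
    # every second one to line A (mark 1), the others to line B (mark 2).
    $IPTABLES -t mangle -A OUTPUT -m state --state NEW -m mark --mark 0 \
        -p tcp -m multiport --dports 80,443 \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    $IPTABLES -t mangle -A OUTPUT -m state --state NEW -m mark --mark 0 \
        -p tcp -m multiport --dports 80,443 -j MARK --set-mark 2
    # Persist the decision so the rest of the connection is routed the same way.
    $IPTABLES -t mangle -A OUTPUT -m state --state NEW -j CONNMARK --save-mark
}

# SNAT keyed on the same mark: the source address always matches the gateway
# chosen for this connection, instead of being a second independent draw.
snat_rules() {
    $IPTABLES -t nat -A POSTROUTING -s "$HDSL_IP" -m mark --mark 1 \
        -j SNAT --to-source "$ADSL_A"
    $IPTABLES -t nat -A POSTROUTING -s "$HDSL_IP" -m mark --mark 2 \
        -j SNAT --to-source "$ADSL_B"
}

all_rules() {
    routing_rules
    mark_rules
    snat_rules
}

all_rules
```

Run it as-is to see the rule set; set `IPTABLES=/sbin/iptables IP=/sbin/ip` in the environment to apply it. What this buys is consistency within one connection: the line picked in mangle OUTPUT is stored in conntrack, restored onto every later packet of that connection, and the SNAT rule keys on that mark rather than rolling the nth counter a second time, so a connection never leaves via router A carrying line B's address. It does not make successive connections to the same destination host share a source address, which is exactly the limitation Marco raises; the thread's other lead for that is the SAME target.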
Look at this: iptables v1.3.6, Kernel 2.6.17, man iptables, search for the "SAME" target:

    SAME
        Similar to SNAT/DNAT depending on chain: it takes a range of addresses
        (`--to 1.2.3.4-1.2.3.7') and gives a client the same source-/destination-address
        for each connection.

        --to <ipaddr>-<ipaddr>
            Addresses to map source to. May be specified more than once for multiple ranges.

        --nodst
            Don't use the destination-ip in the calculations when selecting the new source-ip

On Tue, 19/12/2006 at 21:21 -0300, Luciano Ruete wrote:
> On Monday 11 December 2006 08:15, Marco Berizzi wrote:
> > Hello everybody.
> > I'm running linux 2.6.19 with nth match to
> > alternatively snat outgoing connections to
> > two different ip addresses for load balancing
> > between two adsl lines:
> > Here is:
> >
> > $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> > multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> > adslA
> > $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> > multiport --dports 80,443 -j SNAT --to adslB
> >
> > Things are working pretty good, but some
> > applications (https home banking for example),
> > don't work correctly (because the remote
> > server sees two different ip addresses). Is
> > there any trick to tell iptables to snat
> > always with the same source ip for the same
> > destination host? I have also modified SNAT
> > with SAME, but no luck.
>
> You need to use iptables CONNMARK to keep track of "which conn" with "which
> ISP", see this[1] thread for reference and a nano HOWTO.
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

--
Покотиленко Костик <casper@meteor.dp.ua>