Hi,

Re: load balancing, it must be done by the ISP for bonding DSL lines
properly. What they support is what you will have to implement; typically
they will give you a managed router that you connect to, and this will
take care of the bonding for you.

That said, you can do something similar with iptables, packet marking
and routing tables (see lartc).
In the following iptables I have 2x DSL routers on eth1 and 2x DSL
routers on eth3, which is why I use masquerade -- the kernel knows how
to SNAT based on routing info.
Then I say "for every NEW connection choose a DSL line",
and then of course if a packet mark should be set then restore it, so
that subsequent connections go out the same direction.

This does mean, of course, that you have 4x outgoing IP addresses for the
4x Internet connections.
I appreciate this is not the same thing as a bonded line, which would give
you 1x outgoing IP address, but it is useful to have this kind of thing
where bonded lines are not supported.

Just be careful: some sites, such as Internet banks, authenticate you
against your IP, and if the subsequent connection comes from a differing
IP they immediately log you out.

This setup also means that you can hook into the networking up/down
scripts and do things like

  # ip rule del from all fwmark 0xa lookup connA

when interfaces go down.

The line that reads

  -A OUTPUT ! -o eth0 -j redirection

means that if you have squid running it will also use all 4 connections
(not possible in squid.conf).

Hope this helps!

IPRULE:
32758: from 192.168.4.0/24 lookup connD
32759: from 192.168.3.0/24 lookup connC
32760: from 192.168.2.0/24 lookup connB
32761: from 192.168.1.0/24 lookup connA
32762: from all fwmark 0xd lookup connD
32763: from all fwmark 0xc lookup connC
32764: from all fwmark 0xb lookup connB
32765: from all fwmark 0xa lookup connA
32766: from all lookup main
32767: from all lookup default

IPTABLES:
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# user-defined chains need the "-" policy placeholder for iptables-restore
:RESTORE -
:WAN1 -
:WAN2 -
:WAN3 -
:WAN4 -
:redirection -
-A PREROUTING -j redirection
-A OUTPUT ! -o eth0 -j redirection
-A RESTORE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A RESTORE -j ACCEPT
-A WAN1 -j MARK --set-xmark 0xa/0xffffffff
-A WAN1 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN2 -j MARK --set-xmark 0xb/0xffffffff
-A WAN2 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN3 -j MARK --set-xmark 0xc/0xffffffff
-A WAN3 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WAN4 -j MARK --set-xmark 0xd/0xffffffff
-A WAN4 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A redirection -p tcp -m state --state RELATED,ESTABLISHED -j RESTORE
# each "-m statistic --mode nth" rule keeps its own counter, so four
# "--every 4 --packet 0/1/2/3" rules leave some NEW connections unmarked;
# the 4/3/2/unconditional cascade gives each WAN exactly one quarter
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j WAN1
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j WAN2
-A redirection -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j WAN3
-A redirection -p tcp -m state --state NEW -j WAN4
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:fail2ban-SSH -
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
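The mechanism the post describes (pick a DSL line once per NEW connection, then give every later packet of that connection its mark back via CONNMARK) modelled in Python, as an added example rather than code from the original post. It also makes visible a property of `-m statistic --mode nth` the post does not spell out: each rule keeps its own counter, so four independent `--every 4 --packet k` rules leave some NEW connections unmarked, while the 4/3/2/unconditional cascade marks every one; it also shows why the bank caveat applies, since two connections from the same client exit via different marks. The client and server addresses and the flow tuples are constructed.

```python
from collections import Counter

# Constructed model (not the post's own code) of the mangle "redirection" chain: NEW
# packets walk the nth rules; later packets of a flow get their mark back via CONNMARK.
WAN_MARK = {"WAN1": 0xa, "WAN2": 0xb, "WAN3": 0xc, "WAN4": 0xd}

class NthRule:
    """One '-m statistic --mode nth --every N --packet P -j TARGET' rule.
    xt_statistic allocates a counter per rule, so a rule counts only the
    packets that reach it, not every packet entering the chain."""
    def __init__(self, every, packet, target):
        self.every, self.packet, self.target = every, packet, target
        self.seen = 0

    def match(self):
        hit = self.seen % self.every == self.packet
        self.seen += 1
        return hit

def independent_rules():
    """--every 4 --packet 0/1/2/3: four rules with four independent counters."""
    return [NthRule(4, k, f"WAN{k + 1}") for k in range(4)]

def cascade_rules():
    """--every 4, then --every 3, then --every 2, then an unconditional rule."""
    return [NthRule(e, 0, t) for e, t in ((4, "WAN1"), (3, "WAN2"), (2, "WAN3"), (1, "WAN4"))]

def redirection(rules, conntrack, flow, state):
    """Return the fwmark one packet leaves the chain with (0 = unmarked)."""
    if state != "NEW":                 # RESTORE chain: CONNMARK --restore-mark
        return conntrack.get(flow, 0)
    for rule in rules:                 # WANn chain: MARK, then CONNMARK --save-mark
        if rule.match():
            conntrack[flow] = WAN_MARK[rule.target]
            return conntrack[flow]
    return 0                           # fell off the chain: routed via 'main'

def distribute(rules, n):
    """Open n NEW flows from one constructed client, then send one ESTABLISHED
    packet per flow; returns (mark per flow, mark histogram, all flows sticky)."""
    ct = {}
    flows = [("192.168.1.10", 40000 + i, "203.0.113.7", 443) for i in range(n)]
    marks = [redirection(rules, ct, f, "NEW") for f in flows]
    sticky = all(redirection(rules, ct, f, "ESTABLISHED") == m for f, m in zip(flows, marks))
    return marks, Counter(marks), sticky

if __name__ == "__main__":
    for name, rules in (("independent", independent_rules()), ("cascade", cascade_rules())):
        marks, hist, sticky = distribute(rules, 1000)
        print(f"{name:12s} {dict(hist)} sticky={sticky}")
```

A histogram entry under key 0 counts connections that left the chain unmarked and therefore took whatever the main table's default route is.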