| 1 |
Hi, |
| 2 |
re: load balancing it must be done by the ISP for bonding DSL lines |
| 3 |
properly. |
| 4 |
what they support is what you will have to implement, typically they |
| 5 |
will give you a managed router that you connect to and this will take |
| 6 |
care of the bonding for you. |
| 7 |
|
| 8 |
that said, you can do something similar with IPtables and packet marking |
| 9 |
and routing tables (see lartc) |
| 10 |
in the following iptables I have 2x DSL routers on eth1 and 2x DSL |
| 11 |
routers on eth3, which is why I use masquerade -- the kernel knows how |
| 12 |
to SNAT based on routing info |
| 13 |
then I say "for every NEW connection choose a DSL line" |
| 14 |
and then of course if a packet mark should be set then restore it, so |
| 15 |
that subsequent connections go out the same direction. |
| 16 |
|
| 17 |
this does mean of course, that you have 4x outgoing IP addresses for the |
| 18 |
4x Internet connections |
| 19 |
I appreciate this is not same thing as a bonded line, which would give |
| 20 |
you 1x outgoing IP address, but it is useful to have this kind of thing |
| 21 |
where bonded lines are not supported. |
| 22 |
|
| 23 |
just be careful of some sites, such as Internet banks, authenticate you |
| 24 |
against your IP, and if the subsequent connection comes from a differing |
| 25 |
IP they immediately log you out. |
| 26 |
|
| 27 |
This setup also means that you can add into the networking up/down and |
| 28 |
do things like |
| 29 |
# ip rule del from all fwmark 0xa lookup connA |
| 30 |
when interfaces go down |
| 31 |
|
| 32 |
the line that reads |
| 33 |
-A OUTPUT ! -o eth0 -j redirection |
| 34 |
means that if you have squid running it will also use all 4 connections |
| 35 |
(not possible in squid.conf) |
| 36 |
|
| 37 |
hope this helps! |
| 38 |
|
| 39 |
|
| 40 |
IPRULE: |
| 41 |
32758: from 192.168.4.0/24 lookup connD |
| 42 |
32759: from 192.168.3.0/24 lookup connC |
| 43 |
32760: from 192.168.2.0/24 lookup connB |
| 44 |
32761: from 192.168.1.0/24 lookup connA |
| 45 |
32762: from all fwmark 0xd lookup connD |
| 46 |
32763: from all fwmark 0xc lookup connC |
| 47 |
32764: from all fwmark 0xb lookup connB |
| 48 |
32765: from all fwmark 0xa lookup connA |
| 49 |
32766: from all lookup main |
| 50 |
32767: from all lookup default |
| 51 |
|
| 52 |
|
| 53 |
IPTABLES: |
| 54 |
*nat |
| 55 |
:PREROUTING ACCEPT |
| 56 |
:INPUT ACCEPT |
| 57 |
:OUTPUT ACCEPT |
| 58 |
:POSTROUTING ACCEPT |
| 59 |
-A POSTROUTING -o eth1 -j MASQUERADE |
| 60 |
-A POSTROUTING -o eth3 -j MASQUERADE |
| 61 |
COMMIT |
| 62 |
*mangle |
| 63 |
:PREROUTING ACCEPT |
| 64 |
:INPUT ACCEPT |
| 65 |
:FORWARD ACCEPT |
| 66 |
:OUTPUT ACCEPT |
| 67 |
:POSTROUTING ACCEPT |
| 68 |
:RESTORE |
| 69 |
:WAN1 |
| 70 |
:WAN2 |
| 71 |
:WAN3 |
| 72 |
:WAN4 |
| 73 |
:redirection |
| 74 |
-A PREROUTING -j redirection |
| 75 |
-A OUTPUT ! -o eth0 -j redirection |
| 76 |
-A RESTORE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask |
| 77 |
0xffffffff |
| 78 |
-A RESTORE -j ACCEPT |
| 79 |
-A WAN1 -j MARK --set-xmark 0xa/0xffffffff |
| 80 |
-A WAN1 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff |
| 81 |
-A WAN2 -j MARK --set-xmark 0xb/0xffffffff |
| 82 |
-A WAN2 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff |
| 83 |
-A WAN3 -j MARK --set-xmark 0xc/0xffffffff |
| 84 |
-A WAN3 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff |
| 85 |
-A WAN4 -j MARK --set-xmark 0xd/0xffffffff |
| 86 |
-A WAN4 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff |
| 87 |
-A redirection -p tcp -m state --state RELATED,ESTABLISHED -j RESTORE |
| 88 |
-A redirection -p tcp -m state --state NEW -m statistic --mode nth |
| 89 |
--every 4 --packet 0 -j WAN1 |
| 90 |
-A redirection -p tcp -m state --state NEW -m statistic --mode nth |
| 91 |
--every 4 --packet 1 -j WAN2 |
| 92 |
-A redirection -p tcp -m state --state NEW -m statistic --mode nth |
| 93 |
--every 4 --packet 2 -j WAN3 |
| 94 |
-A redirection -p tcp -m state --state NEW -m statistic --mode nth |
| 95 |
--every 4 --packet 3 -j WAN4 |
| 96 |
COMMIT |
| 97 |
*filter |
| 98 |
:INPUT ACCEPT |
| 99 |
:FORWARD ACCEPT |
| 100 |
:OUTPUT ACCEPT |
| 101 |
:fail2ban-SSH |
| 102 |
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH |
| 103 |
-A fail2ban-SSH -j RETURN |
| 104 |
COMMIT |
Archives