ddaas Tux's lil' helper
Joined: 28 Feb 2005 Posts: 106 Location: Germany
Posted: Mon Oct 01, 2007 10:03 am Post subject: Load Balancing using iptables
Hi there,
I have 2 Internet connections and I want to implement the following on my Linux router/firewall. It has 3 interfaces (1x LAN & 2x WAN).
1. Load balancing some sort of traffic (ex. http)
Web traffic coming from the LAN should be balanced in a round-robin fashion across the WAN connections (per-destination load balancing).
2. Some sort of traffic should always use one of the two connections.
Ex: icmp and tcp/ssh should always use wan1, and tcp/smtp, pop, imap should always use wan2.
I thought of something like this:
Code:
#!/bin/bash
# ssh and icmp from the LAN leave through wan1 (eth1)
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 22 -s 10.0.0.0/24 -j SNAT --to-source 190.17.0.x
iptables -t nat -A POSTROUTING -o eth1 -p icmp -s 10.0.0.0/24 -j SNAT --to-source 192.17.0.x
# smtp/pop3/imap from the LAN leave through wan2 (eth0)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m multiport --dports 25,110,143 -s 10.0.0.0/24 -j SNAT --to-source 89.0.x.x
# enable forwarding between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
What confuses me is that SNAT is done in POSTROUTING, which means after the routing process. How could I make the decision on what interface to send the packets based on protocol/ip/etc. after the routing decision? Routing decision means choosing the outgoing interface based on some criteria (ex. ip dest). Right?
Please, help me understand this issue.
Many thanks
_________________
Best regards,
ddaas
Dagger Retired Dev
Joined: 11 Jun 2003 Posts: 765 Location: UK
Posted: Mon Oct 01, 2007 10:53 am Post subject:
1. Well, it's not that easy. First thing, you need to have some kind of route protocol running on your gateway machine which will tell packets which route they should use.
2. SNAT is only changing the SOURCE IP address, so it looks like your external IP address (which will allow packets to flow in both directions) rather than 10.x.x.x. SNAT has nothing to do with routing. SNAT can change the address of a packet which has already been routed.
Using the rules
Quote:
Code:
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 22 -s 10.0.0.0/24 -j SNAT --to-source 190.17.0.x
iptables -t nat -A POSTROUTING -o eth1 -p icmp -s 10.0.0.0/24 -j SNAT --to-source 192.17.0.x
you can decide to forward/drop packets for a specific protocol/address.
_________________
95% of all computer errors occur between chair and keyboard (TM)
Join the FSF as an Associate Member!
Post under CC license.
ddaas Tux's lil' helper
Joined: 28 Feb 2005 Posts: 106 Location: Germany
Posted: Mon Oct 01, 2007 11:52 am Post subject:
Thanks for the answer.
1. Can't I tell the packets what route they should use? I mean some sort of static routes, and the Linux box should alternate these routes on a per-destination basis.
If this is not possible, is there any advantage of using a Linux router and 2 Internet connections?
2. I'll make some tests and if there are problems I'll post them here.
Thanks.
_________________
Best regards,
ddaas
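What ddaas is asking for (static routes chosen per protocol, the rest alternated per destination) is normally done with policy routing rather than a routing protocol: mark packets in mangle/PREROUTING, which runs before the routing decision, let `ip rule` pick a routing table per fwmark, and keep SNAT in POSTROUTING where it matches the interface routing already chose. This is an added example, not code from any poster; the interface names, gateway addresses and table ids are constructed placeholders.

```shell
#!/bin/bash
# Added example: policy routing for the 3-NIC router in this thread.
# Interface names, gateways and table ids below are constructed placeholders.
LAN_IF=eth2;  LAN_NET=10.0.0.0/24
WAN1_IF=eth1; WAN1_GW=190.17.0.1   # placeholder gateway of wan1
WAN2_IF=eth0; WAN2_GW=89.0.0.1     # placeholder gateway of wan2
T_WAN1=101;   T_WAN2=102           # routing table ids used by "ip rule"

# Print the commands unless APPLY=1 (applying needs root / CAP_NET_ADMIN).
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Classify LAN traffic in mangle/PREROUTING, i.e. BEFORE the routing decision.
# The fwmark is what "ip rule" consults to choose a routing table.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p icmp -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 25,110,143 -j MARK --set-mark 2
}

# One default route per WAN in its own table; marked packets are steered there.
policy_routes() {
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table "$T_WAN1"
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$T_WAN2"
    run ip rule add fwmark 1 table "$T_WAN1"
    run ip rule add fwmark 2 table "$T_WAN2"
    # Unmarked traffic (e.g. HTTP) takes an equal-cost multipath default route:
    # the kernel picks one next hop per destination (route-cache kernels of 2007)
    # or per flow (current kernels), so a connection never straddles both WANs.
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
}

# SNAT runs in POSTROUTING, after routing, so it only needs to match the
# outgoing interface that policy routing already chose.
snat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -s "$LAN_NET" -j MASQUERADE
}

mark_rules; policy_routes; snat_rules
run sysctl -w net.ipv4.ip_forward=1
```

The multipath default route spreads load but does not notice a dead WAN; failover needs a separate link check that removes the failed next hop.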