[LARTC] multipath routing
Lists @ Aptedtech
lists@aptedtech.com
Wed, 24 Mar 2004 16:22:39 -0900
<snip>
I have a private LAN that is connected to the world via 3 DSL lines. I put
up a Linux box that handles all the DSL lines, LAN gateway and all is
working well...until...one of the DSL lines goes down. My routing table is:
x.x.x.x dev ppp0 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp1 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp2 proto kernel scope link src x.x.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
255.255.255.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default equalize
nexthop via x.x.x.x dev ppp0 weight 1
nexthop via x.x.x.x dev ppp1 weight 1
nexthop via x.x.x.x dev ppp2 weight 1
When one of the DSL lines has trouble (temporarily loses sync, etc.), the
kernel takes the entire default route out until the line comes back up.
When the line comes up, it puts a single default route back in instead of
the multipath route. If I can make it so the multipath route is maintained
even when one of the DSL lines goes down, that would be great. Is there a
way to have just one of the hops removed from the default multipath while
the line is down and then reinserted back in as a hop in the multipath
route? Thanks for any input.
-Chris
</snip>
Do you have the stateful firewall settings in your script?
According to nano.txt
http://www.ssi.bg/~ja/nano.txt
"At least for netfilter (not sure for ipfwadm/ipchains), the firewall
must be stateful. This can be done by:
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
and calling this at the beginning of the script:
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
"
/sbin/iptables-save
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*nat
:PREROUTING ACCEPT [9983:812849]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:174]
:keep_state - [0:0]
-A PREROUTING -j keep_state
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -j keep_state
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*filter
:INPUT ACCEPT [1020:161876]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [425:33288]
:keep_state - [0:0]
-A INPUT -i lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state INVALID -j DROP
-A INPUT -i ppp+ -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -p tcp -j DROP
-A INPUT -i ppp+ -p udp -j DROP
-A INPUT -i ppp+ -p icmp -j DROP
-A INPUT -j keep_state
-A FORWARD -i ppp+ -o eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth+ -o ppp+ -j ACCEPT
-A FORWARD -j keep_state
-A OUTPUT -o lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
The link you reference (http://www.ssi.bg/~ja/nano.txt) suggests several
patches to be applied to the kernel for the routing described to be
possible. I would like to do this, but it is a company box and they want a
"standard" installation which basically means no patching for me. The box
is running the most up to date kernel for a RedHat 9.0 install. Thanks for
any input.
-Chris
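Added here as an example, not from the thread or from nano.txt: a pppd hook script that does what Chris asks for, removing only the hop of a DSL line that drops and re-adding it when the line returns, by rebuilding the multipath default route from the links that are still up. It assumes pppd calls it from /etc/ppp/ip-up.local and /etc/ppp/ip-down.local (interface name in $1, remote address in $5), and the state directory, its file layout and the equal weights are assumptions; the equalize keyword from Chris's route is left out, add it back if the kernel honours it.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the multipath default route
# from whichever DSL links are currently up. Called from pppd's ip-up.local
# as `multipath.sh up "$1" "$5"` and from ip-down.local as `multipath.sh
# down "$1"`. STATE_DIR, its file layout and weight 1 per link are assumed.
STATE_DIR="${STATE_DIR:-/var/run/multipath-links}"

# Record a link as up: one file per interface holding its gateway. Only plain
# pppN names are accepted so a bad argument cannot write outside STATE_DIR.
link_up() {   # link_up IFNAME GATEWAY
    case "$1" in
        */* | "") return 1 ;;
        ppp[0-9]*) ;;
        *) echo "refusing non-ppp interface: $1" >&2; return 1 ;;
    esac
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$2" > "$STATE_DIR/$1"
}

# Forget a link that has gone down.
link_down() { # link_down IFNAME
    rm -f "$STATE_DIR/$1"
}

# Build the nexthop list for every link still recorded as up, in name order,
# so the same set of links always yields the same route. Empty if none are up.
nexthops() {
    hops=""
    for f in "$STATE_DIR"/ppp*; do
        [ -f "$f" ] || continue
        hops="$hops${hops:+ }nexthop via $(cat "$f") dev $(basename "$f") weight 1"
    done
    printf '%s\n' "$hops"
}

# Replace the default route with a multipath route over the remaining links,
# overriding the single-path default pppd installs when a line comes back.
# One link left gives a plain default via that link; none withdraws it.
apply_route() {
    hops=$(nexthops)
    if [ -z "$hops" ]; then
        ip route del default 2>/dev/null
    else
        # shellcheck disable=SC2086  # $hops is intentionally word-split
        ip route replace default $hops
    fi
}

case "${1:-}" in
    up)   link_up "$2" "$3" && apply_route ;;
    down) link_down "$2" && apply_route ;;
esac
```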