[LARTC] DNAT and Load Balancing

francesco messineo francesco.messineo at gmail.com
Fri Mar 2 19:34:34 CET 2007


I solved this exact problem (with incoming connections on three
different ADSL lines) by marking packets in the PREROUTING chain. Obviously with
three different routing tables.

# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark and save incoming connections from the external universe
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark

# restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# non marked incoming connections need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark



On 3/2/07, Alex Samad <alex at samad.com.au> wrote:
> On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> > On 3/2/07, Tom Lobato <tomlobato at gmail.com> wrote:
> > >
> > >
> > >    Hi all!
> > >
> > >
> > >    After that good thread "DGD patch not detecting dead gateway" I was
> > >able to set up a Load Balancing with ping based DGD (without Julian
> > >Anastasov patch). But now I'm facing a new problem and tried some
> > >options, with only partial solutions.
> > >
> > >    I made a script based on
> > >http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
> > >you Manish Kathuria), without Julian A. patch, and with routes/rules as
> > >described in nano.txt. It works fine, but...
> > >
> > >    The problem: I do DNAT for internet located people to access my LAN
> > >machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't work.
> > >It appears that the connection from outside can enter, but when reply
> > >packets try to get back across nat machine, it falls into the round
> > >robin default route selection to define its gateway. Well, of course,
> > >this reply must leave the router via the same interface whose initial
> > >packets entered.
> > >
> > >
> > >    vnc initial
> > >request packet      reply that got
> > >            \                   wrong route
> > >             \                       ^
> > >              \                     /
> > >              V                  /
> > >              isp1 isp2 isp3
> > >               _|____|____|__
> > >              |                    |
> > >              |      dnat      |
> > >              |_____________|
> > >                        ^
> > >                         |
> > >                         |
> > >                        V
> > >              LAN estation, the
> > >                  vnc server
> > >
> > >
> > >
> > >    What I need is a way to force packets to leave the router via the same
> > >interface through which the request entered.
> > >    I'd like to hear opinions about the problem (and also solution =).
> > >Remember, I can't apply the DGD patch from J.A. because it only checks
> > >the first hop for dead detection.
> > >    I will appreciate any help.
> > >
> > >    Thank you,
> > >
> > >
> > >
> > >    Tom Lobato
> > >
> > >
> > >_______________________________________________
> > >LARTC mailing list
> > >LARTC at mailman.ds9a.nl
> > >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> > >
> >
> > I had overlooked this. I had also faced a similar problem.  There are
> > two possible solutions, one is to apply Julian's patches because even
>
> This sounds exactly like my problem, until I applied Julian's patch. I would
> suggest giving it a try.
>
> > though you are not using the patches for DGD, they do help in making
> > NAT processing with multiple gateways work properly. The other option
> > is to mark the packets using CONNTRACK. There was a good discussion on
> > this topic some days back. You can check the thread using the
> > following links to the archives:
> >
> > http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> > http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
> >
> > --
> > Manish Kathuria
> > Tux Technologies
> > http://www.tuxtechnologies.co.in/
> >
>

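The policy-routing half that the mangle rules above rely on (one table per ISP, selected by the restored fwmark), as an added example that is not the poster's script. Every interface name, mark, table id, gateway and LAN prefix is a constructed placeholder, and commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: routing tables and rules matching the CONNMARK scheme.
# Dry-run by default: each command is printed, not executed, unless APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

LAN_NET=${LAN_NET:-10.0.0.0/24}   # DMZ/LAN prefix (placeholder)

# One ISP: interface, fwmark, routing table id, gateway (placeholders).
# A reply belonging to a connection that entered via $ifc carries $mark
# (restored by CONNMARK in PREROUTING), so it is routed via $ifc's gateway
# instead of falling into the round-robin default route.
isp_routes() {
    ifc=$1 mark=$2 table=$3 gw=$4
    run ip route replace default via "$gw" dev "$ifc" table "$table"
    run ip rule add fwmark "$mark" table "$table" priority "$((1000 + table))"
}

# Marked packets bound for local networks must still use the main table,
# so that rule gets a lower (= earlier) priority number than the fwmark rules.
local_first() {
    run ip rule add to "$LAN_NET" table main priority 100
}

# Check which gateway a marked reply would take, without sending traffic.
check_route() {
    run ip route get "$1" mark "$2"
}

# Constructed ISP list: interface fwmark table gateway
ISPS="eth1 0x1 101 192.0.2.1
eth2 0x2 102 198.51.100.1
eth3 0x3 103 203.0.113.1"

setup() {
    local_first
    printf '%s\n' "$ISPS" | while read -r ifc mark table gw; do
        isp_routes "$ifc" "$mark" "$table" "$gw"
    done
    run ip route flush cache
}

setup
check_route 198.51.100.77 0x2
```

Run with APPLY=1 only after reviewing the printed commands; the marks used here must match the $IN_M/$MC_M/$TI_M values of the mangle rules.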
