[LARTC] RE: Load Balancing, MSN and SSL
Randy D. Wallace Jr.
randywallacejr at gmail.com
Thu Jul 5 13:52:17 CEST 2007
> Hi all,
>
> I am running an FC6 box with two internet links with load balancing. Everything
> is working fine except the MSN connection, which fails and reconnects every time,
> and SSL connections. I would like to know if with the nona howto I could fix that.
>
> I have tried with no success to redirect that connection only to one link, but it
> looks like it does not work. Here is my configuration:
>
> #!/bin/bash
> #
> # Script based on
> # http://lartc.org/howto/lartc.rpdb.multiple-links.html
> #
>
>
> IF0=eth1
>
> function interface_interna() {
> VALOR_IP=0
> while [ $VALOR_IP -lt 254 ] ; do
> if [ $VALOR_IP -ne 33 ] ; then
> # without a prefix length, ip(8) would install a /32 host route here
> P0_NET=192.168.${VALOR_IP}.0/24
> IP0=192.168.${VALOR_IP}.1
> ip route add $P0_NET dev $IF0 src $IP0 table T1
> ip route add $P0_NET dev $IF0 src $IP0 table T2
> fi
> VALOR_IP=$(expr $VALOR_IP + 1)
> done
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> }
>
>
>
> IP1=xxx.xxx.xxx.18
> IF1=eth0
> P1_NET=xxx.xxx.xxx.16/30
> P1=xxx.xxx.xxx.17
>
>
> IP2=192.168.254.250
> IF2=eth2
> P2_NET=192.168.254.248/29
> P2=192.168.254.254
>
>
>
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> # P0_NET is only assigned inside interface_interna(), which is called further down
> ip route add $P0_NET dev $IF0 table T1
> ip route add $P1_NET dev $IF1 table T1
> ip route add $P2_NET dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo table T1
>
> ip route add $P0_NET dev $IF0 table T2
> ip route add $P1_NET dev $IF1 table T2
> ip route add $P2_NET dev $IF2 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> interface_interna
>
> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
> nexthop via $P2 dev $IF2 weight 1
>
> # BACKUP ROUTES
>
> ip route add default via $P2 dev $IF2 metric 1 table T1
> ip route add default via $P1 dev $IF1 metric 1 table T2
>
> # SERVICE ROUTES
>
> ip rule add fwmark 2 table 21 prio 20
> ip rule add fwmark 3 table 22 prio 20
>
> ip route add default via $P1 dev $IF1 table 21
> ip route add default via $P2 dev $IF2 table 22
>
> ip route flush cache
>
> Here are the iptables mangle rules:
>
> ############# MSN Services #####################
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> ############### SSL Services ###########
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2
My experience with the layer7 module has been sketchy. Have you checked to
make sure that the layer7 module is catching msnmessenger traffic? It would
be a good idea to try
#iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
--log-prefix 'MSN Messenger Packet: '
and consult /var/log/messages and make sure that layer7 is seeing it.
If it's not, the packets for MSN traffic will never get marked.
A much better solution would be to mark based on destination port, and let connection
tracking take care of the rest. For example:
#DNS Traffic
#iptables -t mangle -A FORWARD -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
#iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Hope this helps!
>
> I added the rules for DNS and FTP too.
>
> But it does not seem to work.
>
> Any help will be appreciated.
>
> Saulo Silva
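The "let connection tracking take care of the rest" idea from the reply, written out with CONNMARK as an added example; this is not code from either poster or from the LARTC HOWTO. It assumes Saulo's layout: LAN side on eth1, fwmark 2 sent to table 21 (link 1) and fwmark 3 to table 22 (link 2), and it assumes ports 443 for SSL and 1863 for MSN. Marking happens in the mangle PREROUTING chain because that is the only place before the routing decision; a mark set in FORWARD comes too late for an `ip rule fwmark` lookup. Setting RUN=echo prints the commands instead of applying them.

```shell
#!/bin/bash
# Added example (not from the LARTC thread): pin whole TCP sessions to one uplink
# with CONNMARK so a connection never changes links mid-stream. Assumed layout:
# LAN on eth1, fwmark 2 -> table 21 (link 1), fwmark 3 -> table 22 (link 2).
# RUN=echo prints the commands instead of running them.
set -u
RUN="${RUN:-}"
LAN_IF="${LAN_IF:-eth1}"

# First rule in PREROUTING: copy the mark saved on the connection back onto the
# packet, so every packet after the first inherits the link chosen for the flow.
connmark_restore() {
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
}

# Last rule: persist whatever mark the packet ended up with on its connection.
connmark_save() {
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j CONNMARK --save-mark
}

# pin_ports_to_link MARK PORT... : only the first packet of a new, still unmarked
# connection is classified by destination port; later packets keep the restored mark.
pin_ports_to_link() {
    local mark=$1; shift
    local port
    for port in "$@"; do
        $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark "$mark"
    done
}

# mark_to_table MARK TABLE : policy-routing rule sending marked packets to the
# table that holds that link's default route (tables 21/22 in Saulo's script).
mark_to_table() {
    $RUN ip rule add fwmark "$1" table "$2" prio 20
}

# Install order matters: restore, then classify, then save, then the rules.
install_pinning() {
    connmark_restore
    pin_ports_to_link 2 443 1863    # SSL and MSN (assumed ports) -> link 1
    connmark_save
    mark_to_table 2 21
    mark_to_table 3 22
    $RUN ip route flush cache
}

# Dry-run helper: number of iptables commands install_pinning would issue.
count_rules() {
    ( RUN=echo; install_pinning ) | grep -c '^iptables'
}

if [ "${1:-}" = "install" ]; then
    install_pinning
fi
```

To confirm the classifier is matching at all (the same check the reply makes with a LOG rule), watch the packet counters on the mangle chain with `iptables -t mangle -L PREROUTING -v -n` while a client opens an SSL or MSN session: the `--set-mark` rule should count exactly one packet per new connection and the `--restore-mark` rule should count the rest. The `-m mark --mark 0` guard keeps a restored mark from being overwritten, which is what stops a session from drifting to the other link when the links are NATed and the server would otherwise see the second source address and reset the connection.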