
Re: ip route load distribute



> Instead of doing this the "hard way", have you thought about installing
> Shorewall and checking out their multi-homed guidelines?
[...]

I've actually solved all of those problems previously (that last link
solved half of the problem last night), but this one remains.  Shorewall's
a nice product, but I just don't like the idea of someone else "setting
up" my firewall, or using still another layer of abstraction.  Call it
arrogance, but I think my scripts work better (except for this particular
obtuse case, which *will* be solved one way or another) than anyone else's
could ever hope to. :)

> Summary: It's a routing issue, not an iptables issue. See LARTC 4.2.1.
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
> Is *that* what you're looking for? :=)

That was what I thought I was looking for - but it's only part of the
solution.  That part takes care of the non-DNATed connections (which I got
working last night based on that particular page), but the DNATed
connections still won't work for me because of the order in which routing
decisions are made as the packets traverse the tables, so it seems.

Just now, I tried using the conntrack and marking abilities of iptables,
and I think it might be able to get me where I'm trying to go:

iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
  --ctorigdst 10.1.1.4 -j MARK --set-mark 0x04
ip rule add fwmark 04 table xlink4

where table xlink4 has the gateway and source specified to match the
incoming DNAT, and 10.1.1.4 is the "real" external IP that's being DNATed
inside.  I figured that, since the mangle table comes before routing
decisions, I could mark the packet and then use that mark to determine
which route to use.  It's still not working, but I may be using conntrack
incorrectly, or something.  I need to match a reply packet whose
translated source will be one of the external IPs, but the source
translation doesn't appear to happen soon enough... I think.

Thanks, though.  I may give the shorewall folks a ring. :)

--Danny, who needs to get out of the "press esc-w-q" habit when he's using
a webmail client that resets the form on "escape" :(
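The marking approach sketched in the message, written out as a complete rule set (this is an added example, not code from the original thread). It assumes a hypothetical link "eth4" with gateway 192.0.2.1, an internal host 192.168.1.10 behind the page's external address 10.1.1.4, and that table "xlink4" already exists in /etc/iproute2/rt_tables; a dry-run wrapper prints the commands instead of running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: policy-route the replies of DNATed connections back out the
# link they arrived on, using a conntrack match in mangle PREROUTING.
# Hypothetical values: eth4 / 192.0.2.1 / 192.168.1.10 are constructed here;
# 10.1.1.4, table xlink4 and mark 0x04 come from the original message.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dnat_link_rules EXT_IP INT_IP MARK TABLE IFACE GATEWAY
# 1. Per-link routing table: default via the link's gateway, sourced from
#    EXT_IP (the address the DNATed connection was originally sent to).
# 2. Policy rule: packets carrying MARK are looked up in TABLE before main.
# 3. mangle PREROUTING runs before the routing decision, so marking here
#    steers the lookup. --ctorigdst is a property of the *flow's* original
#    direction, so the reply packets coming back from INT_IP match as well,
#    even though their own header still shows the internal source address;
#    the reverse NAT of the source happens later, in POSTROUTING.
# 4. The DNAT itself, in nat PREROUTING. The very first inbound packet is
#    not yet in state DNAT when mangle sees it, which is harmless: only the
#    replies need the mark, and they are never the first packet of the flow.
dnat_link_rules() {
    ext_ip=$1; int_ip=$2; mark=$3; table=$4; iface=$5; gw=$6
    run ip route replace default via "$gw" dev "$iface" src "$ext_ip" table "$table"
    run ip rule add fwmark "$mark" table "$table"
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
        --ctorigdst "$ext_ip" -j MARK --set-mark "$mark"
    run iptables -t nat -A PREROUTING -d "$ext_ip" -j DNAT --to-destination "$int_ip"
}

# Usage with the constructed values; set DRY_RUN=0 to apply for real.
dnat_link_rules 10.1.1.4 192.168.1.10 0x04 xlink4 eth4 192.0.2.1
```

One rule set per link: call the function again with the next link's external address, mark, table and gateway.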
