Traffic splitting over two lines
A firewall is connected to two routers on two different lines.
TO CHECK: the Balance package (Inlab Software GmbH - Balance)
Both lines are to be used, inbound and outbound, choosing which kind of traffic is routed over one line or the other.
Diagram:
                                                        +-----------------+      ________
                                                        | Router 1 ADSL   |     /
                                    +-------------------+ 192.168.1.254   +-----|
                                    |                   +-----------------+     |
    ________________    +-----------+------------------+                        |
   /                \   |        eth1  192.168.1.253   |                        |  Internet
  | 192.168.0.0/24  +---+ eth0       Linux router      |                        |
   \________________/   |      eth1:1  192.168.11.253  |                        |
                        +-----------+------------------+                        |
                                    |                   +-----------------+     \
                                    +-------------------+ Router 2 VDSL   +-----\
                                                        | 192.168.11.254  |      \
                                                        +-----------------+       \__________
The Ethernet interfaces can be physically separate, or a single physical interface with two IP addresses (eth1 and eth1:1, see man interfaces). eth0 is the LAN interface.
The routers do their own NAT.
Goals:
- Default route through Router 2 via VDSL
- Only SMTP traffic through Router 1 via ADSL
- Allow inbound traffic from both routers
Package installation and basic configuration check
sudo aptitude install iproute
(on current Debian/Ubuntu releases the package is called iproute2)
Disable reverse-path filtering, the kernel's anti-spoofing check: with two uplinks it can drop legitimate packets, and it can cause problems if NAT were done by iptables.
sudoedit /etc/sysctl.conf
...
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
...
sudo sysctl -p
A less drastic alternative is loose mode (rp_filter=2), which only requires the source address to be reachable through some interface rather than through the one the packet arrived on.
Verify:
cat /proc/sys/net/ipv4/conf/all/rp_filter
0
Verify the state of ip_forward:
cat /proc/sys/net/ipv4/ip_forward
1
Create the two routing tables by appending at the end:
sudoedit /etc/iproute2/rt_tables
...
1 VDSL
2 ADSL
Make sure the default route set in /etc/network/interfaces is the ONLY one and points to Router_2:
route -n
...
0.0.0.0         192.168.11.254  0.0.0.0         UG    0      0        0 eth1
Inbound routing configuration
Packets that come in through one uplink must be answered through the same uplink: a connection that arrived via Router 1 was NATted by Router 1, so its replies must go back there and not through the default route via Router 2.
This is done with two separate routing tables, one per uplink, selected by the source address of the outgoing packet.
If the connection arrived via Router_1, the routing table called ADSL is used:
- .1.253 is used as the source address on the way out
ip route add 0.0.0.0 dev eth1 src 192.168.1.253 table ADSL
- .1.254 is used as the gateway
ip route add default via 192.168.1.254 table ADSL
If the connection arrived via Router_2, the routing table called VDSL is used:
- .11.253 is used as the source address on the way out
ip route add 0.0.0.0 dev eth1 src 192.168.11.253 table VDSL
- .11.254 is used as the gateway
ip route add default via 192.168.11.254 table VDSL
(With a single physical interface and an alias, eth1 is used in both cases. With separate physical interfaces, use the respective names.)
Note: a destination written as 0.0.0.0 without a prefix length is a host route to 0.0.0.0/32, not the default route (which is why the following "ip route add default" in the same table does not fail with "File exists"), so the src hint on that line never applies to traffic that uses the default route. To pin the source address, put src on the default route itself, e.g. ip route add default via 192.168.1.254 dev eth1 src 192.168.1.253 table ADSL. For replies to inbound connections this makes no difference, because the source address is already fixed by the existing connection.
Now decide in which cases the two routing tables are used.
If the packet has source address .1.253 (i.e. it is a reply to a connection that arrived through the ADSL router), use the ADSL table:
ip rule add from 192.168.1.253 table ADSL
If the packet has source address .11.253 (i.e. it is a reply to a connection that arrived through the VDSL router), use the VDSL table:
ip rule add from 192.168.11.253 table VDSL
This way it is possible, for example, to ssh in from outside on both lines.
These rules only cover connections terminated on the firewall itself, whose replies carry .1.253 or .11.253 as source. A connection that a router forwards on to a LAN host gets replies with the LAN host's address as source, so they follow the default route (VDSL) whichever router they came in through; that case needs the connection to be marked on the way in and the replies routed by mark.
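The two tables and two rules above, as an added example script that is not part of the original page: it puts the src hint on the default route itself, flushes each table before rebuilding it so that the script can be re-run, gives the rules explicit priorities, and has a check that asks the kernel which gateway a reply from each uplink address would take. The DRY_RUN switch, the priorities 100/110, the probe address 192.0.2.1 and the apply/render/check arguments are choices made here, not something from the page.

```shell
#!/bin/sh
# Added example: per-uplink routing tables and source-based rules.
# Assumptions made here (not from the page): the DRY_RUN switch, rule
# priorities 100/110, and 192.0.2.1 (TEST-NET, never contacted) as the
# probe destination. The table names must exist in /etc/iproute2/rt_tables.

ADSL_IF=eth1;  ADSL_IP=192.168.1.253;  ADSL_GW=192.168.1.254;  ADSL_TABLE=ADSL
VDSL_IF=eth1;  VDSL_IP=192.168.11.253; VDSL_GW=192.168.11.254; VDSL_TABLE=VDSL

# run: execute the command, or only print it when DRY_RUN=1 so the
# generated configuration can be reviewed without root privileges.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# uplink_table TABLE DEV GW SRC: rebuild one table from scratch.
# Flushing first makes the function idempotent. "src" goes on the default
# route itself: a bare "0.0.0.0" destination is a /32 host route and its
# src hint never applies to traffic that uses the default route.
uplink_table() {
    run ip route flush table "$1"
    run ip route add default via "$3" dev "$2" src "$4" table "$1"
}

# uplink_rule PRIO SRC TABLE: replies leaving with the uplink's own address
# use that uplink's table. "ip rule add" is not idempotent (a duplicate is
# added on every run), so the rule is removed by priority before being
# added; the explicit priority is also what makes the deletion unambiguous.
uplink_rule() {
    run ip rule del priority "$1" 2>/dev/null
    run ip rule add priority "$1" from "$2" table "$3"
}

policy_routing() {
    uplink_table "$ADSL_TABLE" "$ADSL_IF" "$ADSL_GW" "$ADSL_IP"
    uplink_table "$VDSL_TABLE" "$VDSL_IF" "$VDSL_GW" "$VDSL_IP"
    uplink_rule 100 "$ADSL_IP" "$ADSL_TABLE"
    uplink_rule 110 "$VDSL_IP" "$VDSL_TABLE"
    run ip route flush cache
}

# gateway_for SRC: ask the kernel which gateway a packet sent from SRC to a
# far-away address would use. With the rules installed the answer must be
# the gateway of SRC's own uplink; without them both answers are the VDSL one.
gateway_for() {
    ip route get 192.0.2.1 from "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

check_uplinks() {
    [ "$(gateway_for "$ADSL_IP")" = "$ADSL_GW" ] &&
    [ "$(gateway_for "$VDSL_IP")" = "$VDSL_GW" ]
}

case "${1:-}" in
    apply)  policy_routing ;;
    render) DRY_RUN=1; policy_routing ;;
    check)  check_uplinks && echo "replies leave through their own uplink" ;;
esac
```

Run it as root with apply, then with check; render prints the commands it would issue. The rules get fixed priorities because rules added without one are numbered downwards from 32765 in the order they were added, which makes a later fwmark rule hard to place deliberately in front of them.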
Handling with a boot startup script
- The script must run right after networking has been started, i.e. in runlevel S with sequence number 42
- The script must be stopped before networking is stopped, hence with sequence number 33 in runlevels 0 and 6
- Create the init script
cat | sudo tee /etc/init.d/iproute > /dev/null << 'EOFile'
#!/bin/bash
### BEGIN INIT INFO
# Provides:          iproute
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Provides iproute2 advanced routing at boot time
# Description:       Provides iproute2 advanced routing at boot time
### END INIT INFO
# Install with
#   sudo update-rc.d iproute start 42 S . stop 33 0 . stop 33 6 .
# On dependency-based boot (insserv) the explicit sequence numbers above are
# ignored and the ordering comes from the LSB header, which is why the header
# lists the same runlevels (S, 0, 6) as the install command.
# Keep going on errors: a route or rule that already exists must not abort
# the whole script.
set +e
DESC="iproute"
CONFIG_DIR=/etc/iproute2
test -d $CONFIG_DIR || {
  echo "$CONFIG_DIR missing, nothing to do."
  exit 1
}
# The start/stop functions live in a separate file, so that only the
# addresses and table names need editing, never this init script.
if [ ! -e $CONFIG_DIR/iproute2.sh ]
then
  echo "$CONFIG_DIR/iproute2.sh missing, not starting $DESC"
  exit 1
else
  source $CONFIG_DIR/iproute2.sh
fi
case "$1" in
  start)
    start_iproute
    ;;
  stop)
    stop_iproute
    ;;
  restart)
    stop_iproute
    start_iproute
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0
EOFile
- Make it executable
sudo chmod 755 /etc/init.d/iproute
- Install the init script
sudo update-rc.d iproute start 42 S . stop 33 0 . stop 33 6 .
- Create the file with the start and stop functions:
cat | sudo tee /etc/iproute2/iproute2.sh > /dev/null << 'EOFile'
#!/bin/bash
# Sourced by /etc/init.d/iproute: defines start_iproute and stop_iproute.
# Adapt the values below to your site. For the setup described on this page:
#   TABLE1=ADSL  SUBNET1=192.168.1.0/24   GATEWAY1=192.168.1.254   IPADDRESS1=192.168.1.253
#   TABLE2=VDSL  SUBNET2=192.168.11.0/24  GATEWAY2=192.168.11.254  IPADDRESS2=192.168.11.253
set +e
IPTABLES=$(which iptables)
LAN0_IF="eth0"
TABLE1="RVM"
SUBNET1="192.168.253.0/24"
GATEWAY1="192.168.253.254"
IPADDRESS1="192.168.253.253"
INTERFACE1="eth1"
TABLE2="TLC"
SUBNET2="192.168.252.0/24"
GATEWAY2="192.168.252.254"
IPADDRESS2="192.168.252.253"
INTERFACE2="eth1"

start_iproute () {
  echo "Setting up multiple routes ..."
  # Be sure to disable rp_filter in
  #   sudoedit /etc/sysctl.conf
  #   net.ipv4.conf.default.rp_filter=0
  #   net.ipv4.conf.all.rp_filter=0
  #   sudo sysctl -p
  # ---------------------------------------------------------------------
  # Mark packets for forwarded smtp connections to be routed via $TABLE1
  # Exempt VPN traffic from marking
  # ------------------------------
  #$IPTABLES -t mangle -A PREROUTING \
  #  -p tcp \
  #  -i $LAN0_IF --dport 25 ! -d 192.168.0.0/24 \
  #  -j LOG \
  #  --log-level debug \
  #  --log-prefix "Routed via $TABLE1: "
  #$IPTABLES -t mangle -A PREROUTING \
  #  -p tcp \
  #  -i $LAN0_IF --dport 25 ! -d 192.168.0.0/24 \
  #  -j MARK --set-mark 1
  # This does not work, because local processes bind always to the
  # default interface. Try to use the "bind" option in the software
  # you use.
  #$IPTABLES -t mangle -A OUTPUT \
  #  -p tcp \
  #  --dport 25 \
  #  -j MARK --set-mark 1
  # Be sure that the $TABLE1 and $TABLE2 tables are inside
  #   sudoedit /etc/iproute2/rt_tables
  #   1 $TABLE1
  #   2 $TABLE2
  # Build the $TABLE1 routing table
  # When using this table, use $IPADDRESS1 as source address
  ip route add 0.0.0.0 dev $INTERFACE1 src $IPADDRESS1 table $TABLE1
  # When using this table, your default gw is $GATEWAY1
  ip route add default via $GATEWAY1 table $TABLE1
  # Build the $TABLE2 routing table
  # When using this table, use $IPADDRESS2 as source address
  ip route add 0.0.0.0 dev $INTERFACE2 src $IPADDRESS2 table $TABLE2
  # When using this table, your default gw is $GATEWAY2
  ip route add default via $GATEWAY2 table $TABLE2
  # This is the unconditional default route, that has already been set
  # in /etc/network/interfaces
  # and that must remain commented here only for reference
  #ip route add 0.0.0.0 dev $INTERFACE2 src $IPADDRESS2
  #ip route add default via $GATEWAY2
  # Alternative: a load balancing default route. Be sure not to set a default
  # route in /etc/network/interfaces if you enable this.
  #ip route add default scope global \
  #  nexthop via $GATEWAY1 dev $INTERFACE1 weight 1 \
  #  nexthop via $GATEWAY2 dev $INTERFACE2 weight 1
  # Now create the rules for selecting the routing tables to use
  # If the packet is marked "1" use the $TABLE1 routing table
  # uncomment here and in the marking section above
  # WE DO NOT USE MARKING FOR NOW
  #ip rule add fwmark 1 table $TABLE1
  # Now set up which routing table to use for packets coming from the
  # respective subnet
  # If the packet comes from $SUBNET1 use the $TABLE1 routing table
  ip rule add from $SUBNET1 table $TABLE1
  # If the packet comes from $SUBNET2 use the $TABLE2 routing table
  ip rule add from $SUBNET2 table $TABLE2
  # For other packets, use the default route
  # Alternative: a failover route. Default $TABLE1, secondary $TABLE2
  #ip route add default scope global \
  #  nexthop via $GATEWAY1 dev $INTERFACE1 weight 1 \
  #  nexthop via $GATEWAY2 dev $INTERFACE2
  ip route flush cache
  echo "Setting up multiple routes done."
}

stop_iproute () {
  echo "Deleting multiple routes..."
  ip route del 0.0.0.0 dev $INTERFACE1 src $IPADDRESS1 table $TABLE1
  ip route del default via $GATEWAY1 table $TABLE1
  ip route del 0.0.0.0 dev $INTERFACE2 src $IPADDRESS2 table $TABLE2
  ip route del default via $GATEWAY2 table $TABLE2
  # This is the default route, managed from /etc/network/interfaces
  #ip route del 0.0.0.0 dev $INTERFACE2 src $IPADDRESS2
  #ip route del default via $GATEWAY2
  # WE DO NOT USE MARKING FOR NOW
  #ip rule del fwmark 1 table $TABLE1
  ip rule del from $SUBNET1 table $TABLE1
  ip rule del from $SUBNET2 table $TABLE2
  # ---------------------------------------------------------------------
  # Unmark packets for outgoing mail
  # ------------------------------
  # this is done in stop.firewall
  #$IPTABLES -t mangle -D PREROUTING \
  #  -p tcp \
  #  -i $LAN0_IF --dport 25 \
  #  -j MARK --set-mark 1
  ip route flush cache
  echo "Deleting multiple routes done."
}
EOFile
- This is the file to edit for your own addresses and table names.
- Test the functionality
sudo invoke-rc.d iproute {start|stop|restart}
Routing particular traffic through the other line
All outgoing traffic, whether generated locally or forwarded, normally leaves through the VDSL line, because that is where the default route of the main table points.
As an example, only FORWARDED SMTP traffic can be made to LEAVE through the ADSL line.
To do this, first mark the SMTP packets to be forwarded, using iptables. The mangle PREROUTING chain is consulted before the routing decision, so the mark is visible to the routing rules; -i eth0 restricts the match to packets coming from the LAN, i.e. forwarded traffic:
iptables -t mangle -A PREROUTING \
  -p tcp \
  -i eth0 \
  --dport 25 \
  -j MARK \
  --set-mark 1
Once the traffic is marked, all that is needed is a rule that selects these packets and applies the ADSL routing table to them:
ip rule add fwmark 1 table ADSL
Handling with the iptables-init.d script
- Create the file /etc/iptables-initd/routes:
#!/bin/bash
# Sourced from start.firewall / stop.firewall with "on" or "off" as $1;
# $IPTABLES and $LAN0_IF are defined by the sourcing script.
if [ "$1" = "on" ]
then
  echo "Setting up multiple routes ..."
  # Be sure to disable rp_filter in /etc/sysctl.conf
  #   net.ipv4.conf.default.rp_filter=0
  #   net.ipv4.conf.all.rp_filter=0
  # ---------------------------------------------------------------------
  # Mark packets for forwarded smtp connections to be routed via ADSL
  # Exempt VPN traffic (192.168.10.0/24) from marking.
  # In any case, there is no smtp traffic to crosrv02, because postfix
  # is forced to forward mail for men users via transport_map to the
  # public ip fire.mendrisio.croalliance.com
  # We need smtp to crosrv02 via VPN for notebook users
  # ------------------------------
  #$IPTABLES -t mangle -A PREROUTING \
  #  -p tcp \
  #  -i $LAN0_IF --dport 25 ! -d 192.168.10.0/24 \
  #  -j LOG \
  #  --log-level debug \
  #  --log-prefix "Routed via ADSL: "
  $IPTABLES -t mangle -A PREROUTING \
    -p tcp \
    -i $LAN0_IF --dport 25 ! -d 192.168.10.0/24 \
    -j MARK --set-mark 1
  # This does not work, because local processes bind always to the
  # default interface. Try to use the "bind" option in the software
  # you use.
  #$IPTABLES -t mangle -A OUTPUT \
  #  -p tcp \
  #  --dport 25 \
  #  -j MARK --set-mark 1
  # Be sure that the ADSL and VDSL tables are inside /etc/iproute2/rt_tables
  # Build the VDSL routing table
  # When using this table, use .11.253 as source address
  ip route add 0.0.0.0 dev eth1 src 192.168.11.253 table VDSL
  # When using this table, your default gw is .11.254
  ip route add default via 192.168.11.254 table VDSL
  # Build the ADSL routing table
  # When using this table, use .1.253 as source address
  ip route add 0.0.0.0 dev eth1 src 192.168.1.253 table ADSL
  # When using this table, your default gw is .1.254
  ip route add default via 192.168.1.254 table ADSL
  # This is the unconditional default route, that has already been set
  # in /etc/network/interfaces
  #ip route add 0.0.0.0 dev eth1 src 192.168.11.253
  #ip route add default via 192.168.11.254
  # Now create the rules for selecting the routing tables to use
  # If the packet is marked "1" use the ADSL routing table
  ip rule add fwmark 1 table ADSL
  # If the packet comes from .11.253 use the VDSL routing table
  ip rule add from 192.168.11.253 table VDSL
  # If the packet comes from .1.253 use the ADSL routing table
  ip rule add from 192.168.1.253 table ADSL
  # For other packets, use the default route
  echo "Setting up multiple routes done."
elif [ "$1" = "off" ]
then
  echo "Deleting multiple routes..."
  ip route del 0.0.0.0 dev eth1 src 192.168.11.253 table VDSL
  ip route del default via 192.168.11.254 table VDSL
  ip route del 0.0.0.0 dev eth1 src 192.168.1.253 table ADSL
  ip route del default via 192.168.1.254 table ADSL
  # The unconditional default route is managed from /etc/network/interfaces
  #ip route del 0.0.0.0 dev eth1 src 192.168.11.253
  #ip route del default via 192.168.11.254
  ip rule del fwmark 1 table ADSL
  ip rule del from 192.168.11.253 table VDSL
  ip rule del from 192.168.1.253 table ADSL
  # ---------------------------------------------------------------------
  # Unmark packets for outgoing mail
  # ------------------------------
  # this is done in stop.firewall
  #$IPTABLES -t mangle -D PREROUTING \
  #  -p tcp \
  #  -i $LAN0_IF --dport 25 \
  #  -j MARK --set-mark 1
  echo "Deleting multiple routes done."
else
  # Note: since this file is sourced, exit also terminates the caller.
  echo "Usage: $(basename "$0") [on|off]"
  exit 1
fi
Add to start.firewall, after the default policies have been set up:
if [ -e /etc/iptables-initd/routes ]
then
  source /etc/iptables-initd/routes on
fi
Add to stop.firewall, at the end:
if [ -e /etc/iptables-initd/routes ]
then
  source /etc/iptables-initd/routes off
fi
Make sure that stop.firewall defines:
LAN0_IF="eth0"
WAN0_IF="eth1"
(the routes script also uses $IPTABLES, which both start.firewall and stop.firewall must define)
Todo
Find a way to handle the traffic generated locally by the firewall itself as well.
References
- Configuring Multiple Default Routes in Linux « Darien Kindlund’s Blog
- Failover con 2 ISP via IPROUTE2 - Italian Beta Crew sito ufficiale
- http://www.i-synapse.it/products/opensource/izbalancing/download/izbalancing
- IDS Load Balancing HOWTO [LWN.net]
- IPROUTE2 Utility Suite Documentation
- LARTC More things about /proc / failover of default gateway
- LARTC: 4.2. Routing for multiple uplinks/providers
- Links Load balancing « To Linux and beyond !
- Linux firewalling: Introduzione a Iptables
- Linux Networking: Re: Kernel panic: Route cache, RCU, possibly FIB trie.
- Linux-Net Archive: Re: ARP Cache Timeout question
- Linux.com :: Using a Linux failover router
- Multi gateway routing with iptables and iproute2 « khax.net
- Net:Iproute2 - The Linux Foundation
- Routing multiple isps, failover isp - Traffpro
- Wifi.com.ar Router Firewall Balancer Software Appliance