
Links Load balancing

8 November 2016

Prerequisites:
Netfilter:
CONNMARK
nth (or the statistic module on recent kernels)
condition (for failover, available in xtables-addons)
iproute2
System:
A Linux gateway and 2 Internet links (whatever the technology):
Link 1: bandwidth (BP) 1500, fraction 3
Link 2: bandwidth (BP) 500, fraction 1
The ratio between the 2 links is therefore 3/4 for link 1 and 1/4 for link 2.
Objective
The objective is to have connection-level load balancing with failover between the two links. The setup described here is for a NATed LAN.
Algorithm and setup
Mark system
We build a mark system in PREROUTING using MARK. CONNMARK saves the mark on the connection in POSTROUTING and restores it in PREROUTING, so every packet of a connection keeps the mark chosen for its first packet. We use the nth (or statistic) module to build a pool:
mark 1 for LINK 1 outgoing
mark 2 for LINK 2 outgoing
In our example, we use a counter of 4 to respect the link bandwidth ratio:
1 : mark 1
2 : mark 2
3 : mark 1
4 : mark 1
The --packet values of nth run from 0 to every-1, and every value must be covered by a rule. This gives something like this:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
  --every 4 --packet 0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
  --every 4 --packet 1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
  --every 4 --packet 2 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
  --every 4 --packet 3 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
The syntax is different on recent kernels (2.6.24 and later), where you need to use the statistic module:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
  --mode nth --every 4 --packet 0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
  --mode nth --every 4 --packet 1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
  --mode nth --every 4 --packet 2 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
  --mode nth --every 4 --packet 3 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
See the connmark page for an explanation of CONNMARK usage.
Fail over
We will use the condition module, which is available in xtables-addons. The mark system is modified to provide failover: instead of one line, we have two lines for each item of the nth/statistic pool. Example for item 1:
-m condition --condition link1_up -j MARK --set-mark 1
-m condition ! --condition link1_up -j MARK --set-mark 2
Thus when link 1 is down the packet gets mark 2 and goes out via LINK2. This gives:

iptables -t mangle -N MARKING
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -j MARKING

iptables -A MARKING -t mangle -m condition --condition link1_up \
  -m nth --counter 1 --every 4 --packet 0 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
  -m nth --counter 1 --every 4 --packet 0 -j MARK --set-mark 2

iptables -A MARKING -t mangle -m condition --condition link2_up \
  -m nth --counter 1 --every 4 --packet 1 -j MARK --set-mark 2
iptables -A MARKING -t mangle -m condition ! --condition link2_up \
  -m nth --counter 1 --every 4 --packet 1 -j MARK --set-mark 1

iptables -A MARKING -t mangle -m condition --condition link1_up \
  -m nth --counter 1 --every 4 --packet 2 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
  -m nth --counter 1 --every 4 --packet 2 -j MARK --set-mark 2

iptables -A MARKING -t mangle -m condition --condition link1_up \
  -m nth --counter 1 --every 4 --packet 3 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
  -m nth --counter 1 --every 4 --packet 3 -j MARK --set-mark 2

iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
IProute
The objective is to:
Route packets with mark 1 to a table whose default gateway is via LINK1
Route packets with mark 2 to a table whose default gateway is via LINK2
The syntax is the following (LINK1 and LINK2 are routing table names, which must be declared in /etc/iproute2/rt_tables or replaced by table numbers):

ip route add default via GW_LINK1 table LINK1
ip route add default via GW_LINK2 table LINK2
ip rule add fwmark 1 lookup LINK1
ip rule add fwmark 2 lookup LINK2
NAT
For this to work, the internal IP addresses need to be translated on exit. Packets are dispatched as follows:
the ones with mark 1 get the IP of link 1.
the ones with mark 2 get the IP of link 2.
This gives:

iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source IP_LINK1
iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source IP_LINK2
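As an added example (not code from the original post), the script below generates the whole setup above, marking with failover, policy routing and SNAT, from the two link weights instead of writing each pool slot by hand, and adds the part the post leaves implicit: how the condition variables are set. It generalizes the 3:1 pool of the post to any pair of weights. Everything in it is an assumption of the example: the interface names, the RFC 5737 documentation addresses used as placeholders, the routing-table names LINK1 and LINK2 (which must be declared in /etc/iproute2/rt_tables) and the condition names link1_up and link2_up. It uses the statistic module rather than nth.

```shell
#!/bin/sh
# Added example, not from the original post: builds the CONNMARK +
# statistic + condition + iproute2 + SNAT setup from two link weights.
# All names and addresses below are assumptions of this example.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying
IP="${IP:-ip}"
COND_DIR="${COND_DIR:-/proc/net/nf_condition}"   # where xt_condition exposes its variables

IF_LINK1="${IF_LINK1:-eth1}"; GW_LINK1="${GW_LINK1:-192.0.2.1}";    IP_LINK1="${IP_LINK1:-192.0.2.10}"
IF_LINK2="${IF_LINK2:-eth2}"; GW_LINK2="${GW_LINK2:-198.51.100.1}"; IP_LINK2="${IP_LINK2:-198.51.100.10}"

# Weighted pool: w1+w2 slots, each slot given to the link that is furthest
# behind its fair share. Weights 3 and 1 yield the post's sequence
# "mark 1, mark 2, mark 1, mark 1" for slots 0..3. Output: "slot mark" lines.
pool_pattern() {
    pw1=$1; pw2=$2; pslot=0; pc1=0; pc2=0
    while [ "$pslot" -lt $((pw1 + pw2)) ]; do
        if [ $((pc1 * pw2)) -le $((pc2 * pw1)) ]; then
            echo "$pslot 1"; pc1=$((pc1 + 1))
        else
            echo "$pslot 2"; pc2=$((pc2 + 1))
        fi
        pslot=$((pslot + 1))
    done
}

# Mark system with failover: two rules per slot, the preferred link while
# its condition is 1, the other link while it is 0. The statistic match is
# placed before the condition match on purpose: xt_statistic keeps one
# counter per rule and only advances it when the rule is evaluated, so all
# rules of the pool see every packet and stay in step across a failover.
mark_rules() {
    every=$(($1 + $2))
    $IPT -t mangle -N MARKING
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -m mark --mark 0x0 -j MARKING
    pool_pattern "$1" "$2" | while read -r slot mark; do
        if [ "$mark" -eq 1 ]; then cond=link1_up; other=2; else cond=link2_up; other=1; fi
        $IPT -t mangle -A MARKING -m statistic --mode nth --every "$every" --packet "$slot" \
             -m condition --condition "$cond" -j MARK --set-mark "$mark"
        $IPT -t mangle -A MARKING -m statistic --mode nth --every "$every" --packet "$slot" \
             -m condition ! --condition "$cond" -j MARK --set-mark "$other"
    done
    $IPT -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

# Policy routing: mark 1 -> table LINK1, mark 2 -> table LINK2.
route_rules() {
    $IP route add default via "$GW_LINK1" dev "$IF_LINK1" table LINK1
    $IP route add default via "$GW_LINK2" dev "$IF_LINK2" table LINK2
    $IP rule add fwmark 1 lookup LINK1
    $IP rule add fwmark 2 lookup LINK2
}

# Source NAT: the LAN leaves with the address of the link it was marked for.
nat_rules() {
    $IPT -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source "$IP_LINK1"
    $IPT -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source "$IP_LINK2"
}

# Condition variables: 1 = link usable, 0 = failed. The condition match
# reads the variable on every packet, so a write takes effect at once.
set_condition() { printf '%s\n' "$2" > "$COND_DIR/$1"; }

# Link probe to run periodically (cron or a loop): ping the gateway out of
# the link's own interface and publish the result to xt_condition.
probe_link() {
    if ping -c 1 -W 2 -I "$2" "$3" >/dev/null 2>&1; then
        set_condition "$1" 1
    else
        set_condition "$1" 0
    fi
}

setup_all() {
    mark_rules 3 1        # weights from the post: link 1 = 3/4, link 2 = 1/4
    route_rules
    nat_rules
    set_condition link1_up 1
    set_condition link2_up 1
}

case "${1:-}" in
    apply) setup_all ;;
    show)  IPT=echo; IP=echo; COND_DIR=$(mktemp -d); setup_all ;;
    probe) probe_link link1_up "$IF_LINK1" "$GW_LINK1"; probe_link link2_up "$IF_LINK2" "$GW_LINK2" ;;
esac
```

Run it with show to print the generated rules without touching the system, with apply on the gateway, and with probe from cron to keep the conditions current. The ordering of the matches matters with statistic: if the condition match came first, the counter of the standby rule would stop while its link is up, and after a failover that slot would fire on different packets than the other slots, leaving some connections with no mark or with two. The post's nth rules share a single counter (--counter 1) and are not affected in the same way.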
