iptables and load balance ethernet

john8675309 · 02-27-2006, 11:35 PM

Ok here is my issue. I just setup eth0 on one cable provider and eth2 on another cable provider. I am having good luck surfing between the 2 providers (load balance) but all my nat rules seem to be broken. sometimes they work and sometimes they don't. Has anyone had this issue before when load balancing outbound connections. Attached below are snippets of my rc.local and my rc.iptables in Slackware.

Thanks for any help I can get.

--John

Code:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
route del default
route del default
ip route add default equalize scope global nexthop via 207.177.124.1 dev 
eth0 weight 1 nexthop via 12.218.48.1 dev eth2 weight 1
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

Code:

#!/bin/bash
###################################################
#                                                 #
#           ETH0 is the main network adapter      #
###################################################
iptables=/usr/sbin/iptables
echo "Starting iptables"
IP0=ip.of.eth0
IP1=ip.of.eth2

# Default_Policys
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT

$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P FORWARD ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
$iptables -t nat -F
$iptables -t mangle -F

# Flushing_All_Rules"
$iptables -F INPUT 
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat

# Blocking_pings
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all


# Allow_Established_Related_Connections
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP0
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source $IP1


$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 80 -j DNAT --to-destination 192.168.17.2
$iptables -A FORWARD -d 192.168.17.2 -p tcp --dport 80 -j ACCEPT


$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.17.48
$iptables -t filter -A FORWARD -d 192.168.17.2 -p tcp --dport 3389 -j ACCEPT

$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 22 -j DNAT --to-destination 192.168.17.2
$iptables -A FORWARD -d 192.168.17.2 -p tcp --dport 22 -j ACCEPT

$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 22 -j DNAT --to-destination 192.168.17.254:22
$iptables -A FORWARD -d 192.168.17.254 -p tcp --dport 22 -j ACCEPT


$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 25 -j DNAT --to-destination 192.168.17.2
$iptables -A FORWARD -d 192.168.17.2 -p tcp --dport 25 -j ACCEPT

$iptables -t nat -A PREROUTING -d $IP0 -p tcp --dport 21 -j DNAT--to-destination 192.168.17.1
$iptables -A FORWARD -d 192.168.17.1 -p tcp --dport 21 -j ACCEPT


$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT


$iptables -A INPUT -p all -s 0/0 -i eth1 -j ACCEPT
$iptables -A OUTPUT -p all -d 0/0 -o eth1 -j ACCEPT

$iptables -A FORWARD -p tcp -i eth1 --dport 80 -j ACCEPT
$iptables -A FORWARD -p tcp -i eth1 --dport 443 -j ACCEPT
$iptables -t nat -A POSTROUTING -j ACCEPT


$iptables -A INPUT -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-IN:"
$iptables -A INPUT -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-IN:"
$iptables -A INPUT -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-IN:"
$iptables -A FORWARD -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-FWD:"
$iptables -A FORWARD -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-FWD:"
$iptables -A FORWARD -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-FWD:"

fotoguy · 02-28-2006, 06:47 PM

I cannot help you with the load balancing part of the script, but I have noticed a few errors in the script. You are setting the default policies then flushing the rules, this should be the other way around.

By setting the default policy to DROP and then flushing them you are then setting them to ACCEPT, all data packets will then be accepted and passed through without matching any other rules you have specified further down the script.

Plus you have doubled up on some of the rules:

$iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Then further down:

$iptables -A OUTPUT -p all -d 0/0 -o eth1 -j ACCEPT

Since you have already accepted the outgoing packets on all interfaces, the second rule isn't required. In your logging rules you don't have a logging rule for the icmp protocol.

john8675309 · 04-28-2006, 08:50 PM

I have been getting quite a few e-mails about this and if I have it resolved so sorry for bringing it up from the dead. I do have it working and here is a quick little howto on how I did it.

I followed the steps located in this HOWTO: http://www.shorewall.net/MultiISP.html but I did do a few things differently
(I definetly recommend shorewall)

I have 2 cable modems
Mediacom and Spencer Municipal Utilities

Spencer Municipal Utilities -> eth0
Mediacom -> eth1
Lan -> eth2

/etc/shorewall/providers

Code:

smu   1       1       main            eth0            smu.gateway.address track,balance    eth2
mediacom    2       2       main            eth1            mediacom.gateway.addresss  track,balance    eth2

/etc/shorewall/interfaces

Code:

net     eth0            detect          tcpflags,norfc1918,routefilter,nosmurfs,logmartians
net     eth1            detect          dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc     eth2            detect          tcpflags,detectnets,nosmurfs

/etc/shorewall/policy

Code:

#add this line
net        net            DROP

/etc/shorewall/params

Code:

ETH1_IP=$(find_first_interface_address eth1)

/etc/shorewall/masq

Code:

#INTERFACE       SUBNET            ADDRESS
eth0             $ETH1_IP          smu.interface.ip.address
eth1             smu.interface.ip.address          $ETH1_IP
eth0                    eth2            smu.interface.ip.address
eth1                    eth2            $ETH1_IP

/etc/shorewall/tcrules

Code:

#mark ssh packets to go throught SMU
1:P             eth2 0.0.0.0/0       tcp     22
#same for RDP
1:P             eth2 0.0.0.0/0       tcp     3389

That should be all that needs to be done. I had to also echo "nameserver public.name.server" > /etc/resolv.conf because mediacom does not have open name servers grrrr

Hope this helps
--John