Alternative Routes and Dead Gateway Detection for Linux
Miroslav Betak
betak na orga.sk
Wednesday June 7 08:40:03 CEST 2006
Hello,
I have tried to get Alternative Routes and Dead Gateway Detection for Linux working.
For this I used Julian Anastasov's patches, see:
http://www.ssi.bg/~ja/#routes
Description:
http://www.ssi.bg/~ja/dgd-usage.txt
I followed Christoph Simon's nano howto:
http://www.ssi.bg/~ja/nano.txt
After applying the relevant patches, load balancing and NAT work perfectly for me.
Unfortunately, Dead Gateway Detection does not work.
OS Debian 3.1 Sarge
kernel vanilla 2.6.10
patch routes-2.6.10-12.diff
iproute2 from Sarge
iptables from Sarge
configuration:
One Linux machine with three Ethernet network cards,
where the networks are as follows:
10.0.0.0/8 - LAN
192.168.0.0/24 - WAN1
195.80.188.232/29 - WAN2
10.10.10.10 - IP address of the LAN eth interface
192.168.0.57 - IP address of the WAN1 eth interface
195.80.188.233 - IP address of the WAN2 eth interface
192.168.0.254 - default gw WAN1
195.80.188.233 - default gw WAN2
sysctl -w net.ipv4.ip_forward=1
ip addr flush scope global
ip addr flush scope host
ip route flush table all
ip addr add 127.0.0.1/8 brd + dev lo
ip link set lo up
ip addr add 10.10.10.10/8 brd + dev eth2
ip link set eth2 up
ip rule add prio 50 table main
ip route del default table main
ip addr add 192.168.0.57/24 brd 192.168.0.255 dev eth0
ip link set eth0 up
ip addr add 195.80.188.235/29 brd 195.80.188.239 dev eth1
ip link set eth1 up
ip rule add prio 201 from 192.168.0.0/24 table 201
ip route add default via 192.168.0.254 dev eth0 src 192.168.0.57 proto static table 201
ip route append prohibit default table 201 metric 1 proto static
ip rule add prio 202 from 195.80.188.232/29 table 202
ip route add default via 195.80.188.233 dev eth1 src 195.80.188.235 proto static table 202
ip route append prohibit default table 202 metric 1 proto static
ip rule add prio 222 table 222
ip route add default table 222 proto static nexthop via 192.168.0.254 dev eth0 nexthop via 195.80.188.233 dev eth1
arp -s 192.168.0.254 00:0F:24:AF:54:63
arp -s 195.80.188.233 00:04:DD:0C:5D:D1
iptables -F
iptables -t nat -F
iptables -t filter -F
iptables -t nat -X keep_state
iptables -t filter -X keep_state
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
test:~# ip addr sh
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:95:30:3c:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.57/24 brd 192.168.0.255 scope global eth0
inet6 fe80::240:95ff:fe30:3c70/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:c0:26:26:ad:14 brd ff:ff:ff:ff:ff:ff
inet 195.80.188.235/29 brd 195.80.188.239 scope global eth1
inet6 fe80::2c0:26ff:fe26:ad14/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:33:91:f1:5b brd ff:ff:ff:ff:ff:ff
inet 10.10.10.10/8 brd 10.255.255.255 scope global eth2
inet6 fe80::240:33ff:fe91:f15b/64 scope link
valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
test:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
195.80.188.232 0.0.0.0 255.255.255.248 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth2
test:~# ip route sh
195.80.188.232/29 dev eth1 proto kernel scope link src 195.80.188.235
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.57
10.0.0.0/8 dev eth2 proto kernel scope link src 10.10.10.10
test:~# ip route sh table 201
default via 192.168.0.254 dev eth0 proto static src 192.168.0.57
prohibit default proto static metric 1
test:~# ip route sh table 202
default via 195.80.188.233 dev eth1 proto static src 195.80.188.235
prohibit default proto static metric 1
test:~# ip route sh table 222
default proto static
nexthop via 192.168.0.254 dev eth0 weight 1
nexthop via 195.80.188.233 dev eth1 weight 1
0: from all lookup local
50: from all lookup main
201: from 192.168.0.0/24 lookup 201
202: from 195.80.188.232/29 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default
test:~# iptables -L -v
Chain INPUT (policy ACCEPT 68114 packets, 9271K bytes)
pkts bytes target prot opt in out source destination
247K 44M keep_state all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 16437 packets, 3653K bytes)
pkts bytes target prot opt in out source destination
38256 33M keep_state all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 13909 packets, 2025K bytes)
pkts bytes target prot opt in out source destination
217K 49M keep_state all -- any any anywhere anywhere
Chain keep_state (3 references)
pkts bytes target prot opt in out source destination
437K 117M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
64948 8849K RETURN all -- any any anywhere anywhere
test:~#
test:~# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 52326 packets, 7984K bytes)
pkts bytes target prot opt in out source destination
42995 7184K keep_state all -- any any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 71 packets, 34145 bytes)
pkts bytes target prot opt in out source destination
2076 135K MASQUERADE all -- any eth1 anywhere anywhere
2707 185K MASQUERADE all -- any eth0 anywhere anywhere
27 4479 keep_state all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 5207 packets, 373K bytes)
pkts bytes target prot opt in out source destination
4167 276K keep_state all -- any any anywhere anywhere
Chain keep_state (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
47189 7465K RETURN all -- any any anywhere anywhere
test:~# iptables -L -v -t filter
Chain INPUT (policy ACCEPT 68118 packets, 9271K bytes)
pkts bytes target prot opt in out source destination
247K 44M keep_state all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 16437 packets, 3653K bytes)
pkts bytes target prot opt in out source destination
38256 33M keep_state all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 13909 packets, 2025K bytes)
pkts bytes target prot opt in out source destination
217K 49M keep_state all -- any any anywhere anywhere
Chain keep_state (3 references)
pkts bytes target prot opt in out source destination
438K 117M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
64952 8850K RETURN all -- any any anywhere anywhere
I simulated a dead gateway by pulling out the Ethernet patch cord.
I watched the state of the individual Ethernet ports with tcpdump.
But even after pulling the cable I still saw SYN packets on the port whose
cable had been pulled.
Has anyone managed to get this configuration working satisfactorily?
Miro
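An added example, not part of the original post: a small Python model of the rule and table set shown above, which resolves a packet to the table it hits and to the nexthops that remain usable once Dead Gateway Detection has marked a gateway dead (the `dead` set and the sample source/destination addresses are constructed inputs). It assumes the simplified behaviour that a route whose gateways are all dead is skipped in favour of the next route or rule, which is what makes the `prohibit` fallback at metric 1 take effect.

```python
import ipaddress

# Policy rules and tables transcribed from the `ip rule` and `ip route sh table N`
# output in the post. Rule: (priority, source selector or None for "from all", table).
RULES = [(0, None, "local"), (50, None, "main"), (201, "192.168.0.0/24", "201"),
         (202, "195.80.188.232/29", "202"), (222, None, "222"), (32766, None, "main")]
# Table entry: (prefix, metric, nexthops); a nexthop is (dev, gateway or None for on-link).
# The string "prohibit" models `ip route append prohibit default ... metric 1`.
TABLES = {
    "local": [],
    "main": [("195.80.188.232/29", 0, [("eth1", None)]),
             ("192.168.0.0/24", 0, [("eth0", None)]),
             ("10.0.0.0/8", 0, [("eth2", None)])],
    "201": [("0.0.0.0/0", 0, [("eth0", "192.168.0.254")]), ("0.0.0.0/0", 1, "prohibit")],
    "202": [("0.0.0.0/0", 0, [("eth1", "195.80.188.233")]), ("0.0.0.0/0", 1, "prohibit")],
    "222": [("0.0.0.0/0", 0, [("eth0", "192.168.0.254"), ("eth1", "195.80.188.233")])],
}


def lookup(src, dst, dead=frozenset()):
    """Resolve a packet src->dst against the rules; `dead` holds the gateway addresses
    DGD has marked dead. Returns (table, nexthops) where nexthops is a list of usable
    (dev, gw) pairs or the string "prohibit"; (None, []) if no rule/table matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        # Candidate routes: longest prefix first, then lowest metric (like the kernel FIB).
        routes = [(ipaddress.ip_network(p), metric, nh) for p, metric, nh in TABLES[table]
                  if dst in ipaddress.ip_network(p)]
        routes.sort(key=lambda r: (-r[0].prefixlen, r[1]))
        for _net, _metric, nexthops in routes:
            if nexthops == "prohibit":
                return table, "prohibit"
            alive = [(dev, gw) for dev, gw in nexthops if gw not in dead]
            if alive:
                return table, alive
            # Assumption of this model: a route whose gateways are all dead is skipped,
            # so the next route (e.g. the prohibit fallback) or the next rule is tried.
    return None, []


if __name__ == "__main__":
    # Constructed sample lookups: a LAN client (forwarded) and the router's own WAN1 address.
    for src, dst, dead in [("10.10.10.10", "198.51.100.1", set()),
                           ("10.10.10.10", "198.51.100.1", {"192.168.0.254"}),
                           ("192.168.0.57", "198.51.100.1", {"192.168.0.254"})]:
        print(src, "->", dst, "dead:", sorted(dead), "=>", lookup(src, dst, dead))
```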