Link Balancing on Debian Squeeze
Hi folks, here I will cover balancing outbound traffic over two links.
What I will use:
- Server name: debian
- LAN interface: eth0
- LAN IP: 192.168.1.8/24
- Link1 interface: eth1
- Link1 IP: 200.0.10.2/28
- Link1 gateway: 200.0.10.1
- Routing table: link1
- Speed: 10MB
- Link2 interface: eth2
- Link2 IP: 200.0.20.2/28
- Link2 gateway: 200.0.20.1
- Routing table: link2
- Speed: 10MB
- Client name: centos
- LAN interface: eth0
- LAN IP: 192.168.1.7/24
- Gateway: 192.168.1.8
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialsqueeze_en so that no package or configuration is missing.
Now the interfaces file of the Debian server (/etc/network/interfaces). Note that neither uplink gets a gateway line: the default route is built by hand further down, so the interfaces file must not install one of its own.

# Loopback interface
auto lo
iface lo inet loopback

# LAN interface
auto eth0
iface eth0 inet static
    address 192.168.1.8
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

# Link1 interface
auto eth1
iface eth1 inet static
    address 200.0.10.2
    netmask 255.255.255.240
    network 200.0.10.0
    broadcast 200.0.10.15

# Link2 interface
auto eth2
iface eth2 inet static
    address 200.0.20.2
    netmask 255.255.255.240
    network 200.0.20.0
    broadcast 200.0.20.15

Now reboot the server so that it loads the new network configuration.
reboot
Now let's test the links with ping. First link1: we ping its gateway.
ping -I eth1 200.0.10.1 -c 2
PING 200.0.10.1 (200.0.10.1) from 200.0.10.2 eth1: 56(84) bytes of data.
64 bytes from 200.0.10.1: icmp_req=1 ttl=64 time=0.234 ms
64 bytes from 200.0.10.1: icmp_req=2 ttl=64 time=0.189 ms

--- 200.0.10.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.189/0.211/0.234/0.026 ms
Now link2: we ping its gateway.
ping -I eth2 200.0.20.1 -c 2
PING 200.0.20.1 (200.0.20.1) from 200.0.20.2 eth2: 56(84) bytes of data.
64 bytes from 200.0.20.1: icmp_req=1 ttl=64 time=3.48 ms
64 bytes from 200.0.20.1: icmp_req=2 ttl=64 time=0.200 ms

--- 200.0.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.200/1.843/3.487/1.644 ms
Now let's create one routing table per link. The file is only ever appended to, so check with grep that the names are not already there before running this a second time.
echo 10 link1 >> /etc/iproute2/rt_tables
echo 20 link2 >> /etc/iproute2/rt_tables
Now let's add the route for the 200.0.10.0/28 network to the link1 table
ip route add 200.0.10.0/28 dev eth1 src 200.0.10.2 table link1
Now let's set the default route for link1
ip route add default via 200.0.10.1 table link1
Now let's list the routes in the link1 table
ip route list table link1
200.0.10.0/28 dev eth1  scope link  src 200.0.10.2
default via 200.0.10.1 dev eth1
Now let's add the route for the 200.0.20.0/28 network to the link2 table
ip route add 200.0.20.0/28 dev eth2 src 200.0.20.2 table link2
Now let's set the default route for link2
ip route add default via 200.0.20.1 table link2
Now let's list the routes in the link2 table
ip route list table link2
200.0.20.0/28 dev eth2  scope link  src 200.0.20.2
default via 200.0.20.1 dev eth2
Now let's remove the default route, if there is one
route del default
Now we add the rules that select a table by source address: packets from 200.0.10.2 are routed with the link1 table and packets from 200.0.20.2 with the link2 table
ip rule add from 200.0.10.2 table link1
ip rule add from 200.0.20.2 table link2
Now let's list the rules
ip rule list
0:	from all lookup local
32764:	from 200.0.20.2 lookup link2
32765:	from 200.0.10.2 lookup link1
32766:	from all lookup main
32767:	from all lookup default
A table selected by one of these rules is consulted instead of main, so it must know every local network, not only the way to the Internet. Now we add the routes for the internal network, the link2 network and lo to the link1 table
ip route add 192.168.1.0/24 dev eth0 table link1
ip route add 200.0.20.0/28 dev eth2 table link1
ip route add 127.0.0.0/8 dev lo table link1
And the routes for the internal network, the link1 network and lo to the link2 table
ip route add 192.168.1.0/24 dev eth0 table link2
ip route add 200.0.10.0/28 dev eth1 table link2
ip route add 127.0.0.0/8 dev lo table link2
Now let's list the link1 routing table
ip route list table link1
200.0.20.0/28 dev eth2  scope link
200.0.10.0/28 dev eth1  scope link  src 200.0.10.2
192.168.1.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 200.0.10.1 dev eth1
Now let's list the link2 routing table
ip route list table link2
200.0.20.0/28 dev eth2  scope link  src 200.0.20.2
200.0.10.0/28 dev eth1  scope link
192.168.1.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 200.0.20.1 dev eth2
Now the balancing itself. Here I assume both links are 10MB, so the weights are one to one: on average half of the traffic goes over each link. The kernel does not spread one flow over both links; on Squeeze's kernel the next hop is chosen when the route cache entry for a destination is created, so everything to the same host keeps one link while that entry lives. That is why, in the tests below, all ten pings to one host and all packets of one TCP connection leave through the same link.
ip route add default nexthop via 200.0.10.1 dev eth1 weight 1 nexthop via 200.0.20.1 dev eth2 weight 1
Now let's list the server's routes
ip route list
200.0.20.0/28 dev eth2  proto kernel  scope link  src 200.0.20.2
200.0.10.0/28 dev eth1  proto kernel  scope link  src 200.0.10.2
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.8
default
	nexthop via 200.0.10.1  dev eth1 weight 1
	nexthop via 200.0.20.1  dev eth2 weight 1
Now we need to enable routing on this server
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Now let's activate routing in the kernel
sysctl -p
net.ipv4.ip_forward = 1
Now let's masquerade the packets from our LAN
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Two things to keep in mind about this step. The MASQUERADE rule has no -o match, so it rewrites LAN traffic leaving through any interface, not only the uplinks; and as soon as ip_forward is on, the box forwards between all three interfaces with the FORWARD chain still at its default ACCEPT policy. In production, bind the NAT to each uplink with -o and restrict FORWARD before enabling forwarding.
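As an added example, not part of the original page, here are the NAT and forwarding rules I would put in place before turning ip_forward on. The interface names and networks are the page's; the policy (default DROP on FORWARD, one MASQUERADE per uplink, loose reverse-path filtering on the uplinks) is mine, as is the DRY_RUN switch, which prints the commands instead of executing them so the rule set can be reviewed on a machine without root.

```shell
#!/bin/sh
# Added example: harden the forwarding path of the two-uplink router.
# Addresses and interfaces come from the page; the policy is this example's.
IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
LAN_NET="192.168.1.0/24"
LAN_IF="eth0"
WAN_IFS="eth1 eth2"

# DRY_RUN=1 prints each command instead of executing it (review/test mode).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_rules() {
    # One MASQUERADE per uplink. Without -o the rule would also rewrite LAN
    # traffic forwarded out of any other interface.
    for wan in $WAN_IFS; do
        run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$wan" -j MASQUERADE
    done
}

forward_rules() {
    # With ip_forward=1 and the default ACCEPT policy the box forwards between
    # all three interfaces, Internet to LAN included. Allow only flows opened
    # from the LAN towards an uplink, and the replies to them.
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for wan in $WAN_IFS; do
        # -i eth0 together with -s LAN also rejects LAN addresses that show
        # up on an uplink (spoofed sources).
        run "$IPT" -A FORWARD -i "$LAN_IF" -o "$wan" -s "$LAN_NET" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else (uplink to uplink, Internet to LAN, spoofed sources) is
    # logged at a limited rate and then dropped by the chain policy.
    run "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

rpf_tuning() {
    # Strict rp_filter (1) checks the source against the route back to it; with
    # two uplinks and policy routing that lookup can land on the other link and
    # a legitimate reply is dropped. Loose mode (2) still rejects sources that
    # are not routable at all. Forwarding is enabled only after the rules.
    for wan in $WAN_IFS; do
        run "$SYSCTL" -w "net.ipv4.conf.$wan.rp_filter=2"
    done
    run "$SYSCTL" -w net.ipv4.ip_forward=1
}

# sh harden.sh apply   -> install the rules (root)
# sh harden.sh show    -> print what apply would run
case "${1:-}" in
    apply) nat_rules; forward_rules; rpf_tuning ;;
    show)  DRY_RUN=1 nat_rules; DRY_RUN=1 forward_rules; DRY_RUN=1 rpf_tuning ;;
esac
```

The order matters: the FORWARD rules go in before ip_forward is set, so there is no window in which the box routes unfiltered. `-m conntrack` is available on Squeeze's iptables; on an older box replace it with `-m state --state`.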
Now on the Debian server we leave tcpdump watching ICMP, the protocol we will use to test from the CentOS client
tcpdump -i any proto 'ICMP'
Now on the CentOS client we send 10 pings to the terra site
ping www.terra.com.br -c 10
PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=1 ttl=53 time=20.0 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=2 ttl=53 time=19.2 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=3 ttl=53 time=18.9 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=4 ttl=53 time=19.2 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=5 ttl=53 time=19.0 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=6 ttl=53 time=18.9 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=7 ttl=53 time=20.3 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=8 ttl=53 time=19.0 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=9 ttl=53 time=18.5 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=10 ttl=53 time=18.2 ms

--- www.terra.com.br ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9031ms
rtt min/avg/max/mdev = 18.231/19.163/20.386/0.610 ms
Now let's look at the packets on the server
tcpdump -i any proto 'ICMP'
21:26:24.730134 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 1, length 64
21:26:24.749792 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 1, length 64
21:26:24.749819 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 1, length 64
21:26:25.732620 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 2, length 64
21:26:25.732646 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 2, length 64
21:26:25.751474 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 2, length 64
21:26:25.751491 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 2, length 64
21:26:26.734532 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 3, length 64
21:26:26.734562 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 3, length 64
21:26:26.753095 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 3, length 64
21:26:26.753111 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 3, length 64
21:26:27.731378 IP 192.168.1.8 > 192.168.1.8: ICMP host 192.168.1.1 unreachable, length 80
21:26:27.735341 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 4, length 64
21:26:27.735355 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 4, length 64
21:26:27.754180 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 4, length 64
21:26:27.754209 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 4, length 64
21:26:28.738548 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 5, length 64
21:26:28.738579 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 5, length 64
21:26:28.757161 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 5, length 64
21:26:28.757187 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 5, length 64
21:26:29.739691 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 6, length 64
21:26:29.739709 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 6, length 64
21:26:29.758295 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 6, length 64
21:26:29.758325 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 6, length 64
21:26:30.741639 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 7, length 64
21:26:30.741668 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 7, length 64
21:26:30.761568 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 7, length 64
21:26:30.761594 IP 200.154.56.80 > 192.168.1.7: ICMP echo reply, id 48132, seq 7, length 64
21:26:31.743249 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 8, length 64
21:26:31.743273 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 8, length 64
Note that the ICMP packets left through link1 (source 200.0.10.2). Each request shows up twice because tcpdump -i any sees it once as it arrives from 192.168.1.7 and once after NAT with the link address as source; the same goes for the replies, once for 200.0.10.2 and once after the translation back to 192.168.1.7.
Now on the Debian server we watch port 110
tcpdump -i any port 110 -n -vv
[...]
Now on the CentOS client we open a connection to port 110. This is cleartext POP3, used here only because the exchange is easy to follow in tcpdump: the user name and password travel unencrypted, exactly as a capture would show them.
telnet mail.douglasqsantos.com.br 110
Trying 186.233.144.40...
Connected to mail.douglasqsantos.com.br.
Escape character is '^]'.
+OK <14404.1359329341@mail03.centralserver.com.br>
user douglas@douglasqsantos.com.br
+OK
pass PASSWORD
+OK
list
+OK
1 7866
2 2382
.
retr 1
+OK
[...]
Now let's see what tcpdump recorded on the server
tcpdump -i any port 110 -n -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
21:29:01.390300 IP (tos 0x10, ttl 64, id 17022, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.48906 > 186.233.144.40.110: Flags [S], cksum 0x56e5 (correct), seq 2115852259, win 14600, options [mss 1460,sackOK,TS val 4003229 ecr 0,nop,wscale 5], length 0
21:29:01.391302 IP (tos 0x10, ttl 63, id 17022, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.20.2.48906 > 186.233.144.40.110: Flags [S], cksum 0x3c92 (correct), seq 2115852259, win 14600, options [mss 1460,sackOK,TS val 4003229 ecr 0,nop,wscale 5], length 0
21:29:01.401329 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    186.233.144.40.110 > 200.0.20.2.48906: Flags [S.], cksum 0xbf88 (correct), seq 1426686398, ack 2115852260, win 5792, options [mss 1452,sackOK,TS val 3754944718 ecr 4003229,nop,wscale 7], length 0
21:29:01.401354 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    186.233.144.40.110 > 192.168.1.7.48906: Flags [S.], cksum 0xd9db (correct), seq 1426686398, ack 2115852260, win 5792, options [mss 1452,sackOK,TS val 3754944718 ecr 4003229,nop,wscale 7], length 0
21:29:01.401704 IP (tos 0x10, ttl 64, id 17023, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.7.48906 > 186.233.144.40.110: Flags [.], cksum 0x1d6b (correct), seq 1, ack 1, win 457, options [nop,nop,TS val 4003241 ecr 3754944718], length 0
21:29:01.401717 IP (tos 0x10, ttl 63, id 17023, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.20.2.48906 > 186.233.144.40.110: Flags [.], cksum 0x0318 (correct), seq 1, ack 1, win 457, options [nop,nop,TS val 4003241 ecr 3754944718], length 0
21:29:01.410518 IP (tos 0x0, ttl 56, id 26984, offset 0, flags [DF], proto TCP (6), length 104)
    186.233.144.40.110 > 200.0.20.2.48906: Flags [P.], cksum 0xb4a2 (correct), seq 1:53, ack 1, win 46, options [nop,nop,TS val 3754944727 ecr 4003241], length 52
21:29:01.410553 IP (tos 0x0, ttl 55, id 26984, offset 0, flags [DF], proto TCP (6), length 104)
    186.233.144.40.110 > 192.168.1.7.48906: Flags [P.], cksum 0xcef5 (correct), seq 1:53, ack 1, win 46, options [nop,nop,TS val 3754944727 ecr 4003241], length 52
21:29:01.410911 IP (tos 0x10, ttl 64, id 17024, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.7.48906 > 186.233.144.40.110: Flags [.], cksum 0x1d25 (correct), seq 1, ack 53, win 457, options [nop,nop,TS val 4003250 ecr 3754944727], length 0
[...]
Note that this time the packets left through link2 (200.0.20.2).
Our balancing with 2 links is working.
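A check I find useful at this point, as an added example rather than something from the page: a small awk tally over a tcpdump -i any -n capture taken on the router, counting how many new flows (TCP SYNs and ICMP echo requests) left through each uplink address. It assumes the one-line-per-packet format tcpdump prints without -v. tcpdump -i any shows each forwarded packet twice, before and after NAT; only the post-NAT copy carries the uplink address, so the LAN copy is skipped. The sample lines embedded in the script are constructed, modelled on the captures above, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original page: count which uplink new outbound
# flows left on, from a "tcpdump -i any -n" capture (one line per packet).
LINK1_IP="200.0.10.2"
LINK2_IP="200.0.20.2"
LAN_PREFIX="192.168.1."

# Reads capture lines on stdin; counts TCP SYNs and ICMP echo requests by
# egress address and prints "link1 N", "link2 N", "other N".
egress_summary() {
    awk -v l1="$LINK1_IP" -v l2="$LINK2_IP" -v lan="$LAN_PREFIX" '
        /Flags \[S\],/ || /ICMP echo request/ {
            src = $3
            # TCP sources carry the port as a fifth dotted component; drop it.
            n = split(src, a, ".")
            if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]
            if (index(src, lan) == 1) next        # pre-NAT copy of the packet
            if (src == l1) c["link1"]++
            else if (src == l2) c["link2"]++
            else c["other"]++                     # a source the NAT rule did not cover
        }
        END {
            printf "link1 %d\nlink2 %d\nother %d\n", c["link1"], c["link2"], c["other"]
        }'
}

# Constructed sample in tcpdump -i any -n format (not a real capture): one
# ping that left via link1, one TCP connection via link2, one via link1.
sample_capture() {
    cat <<'EOF'
21:26:24.730100 IP 192.168.1.7 > 200.154.56.80: ICMP echo request, id 48132, seq 1, length 64
21:26:24.730134 IP 200.0.10.2 > 200.154.56.80: ICMP echo request, id 48132, seq 1, length 64
21:26:24.749792 IP 200.154.56.80 > 200.0.10.2: ICMP echo reply, id 48132, seq 1, length 64
21:29:01.390300 IP 192.168.1.7.48906 > 186.233.144.40.110: Flags [S], seq 2115852259, win 14600, length 0
21:29:01.391302 IP 200.0.20.2.48906 > 186.233.144.40.110: Flags [S], seq 2115852259, win 14600, length 0
21:29:01.401329 IP 186.233.144.40.110 > 200.0.20.2.48906: Flags [S.], seq 1426686398, ack 2115852260, win 5792, length 0
21:29:01.401717 IP 200.0.20.2.48906 > 186.233.144.40.110: Flags [.], ack 1, win 457, length 0
14:34:35.442253 IP 192.168.1.22.43022 > 200.236.31.3.80: Flags [S], seq 3923346505, win 14600, length 0
14:34:35.442299 IP 200.0.10.2.43022 > 200.236.31.3.80: Flags [S], seq 3923346505, win 14600, length 0
EOF
}

# sh egress.sh sample   -> tally the constructed sample (prints link1 2, link2 1, other 0)
# on the router:  tcpdump -i any -n -l 'tcp[tcpflags] & tcp-syn != 0 or icmp' | sh egress.sh live
case "${1:-}" in
    sample) sample_capture | egress_summary ;;
    live)   egress_summary ;;
esac
```

Run it for a few minutes of normal traffic: with weights 1:1 the two counters should be of the same order, and a non-zero "other" line means some source is being forwarded without passing through the MASQUERADE rule.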
Now we need a script that sets up the balancing at boot
vim /etc/init.d/rc.lb

#!/bin/sh
#Author: Douglas Q. dos Santos
#Date: 13/01/2013
#--------------------------------------------------------------------------
#License: http://creativecommons.org/licenses/by-sa/3.0/legalcode
#
#--------------------------------------------------------------------------
### BEGIN INIT INFO
# Provides:          rc.lb
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Link balancing
### END INIT INFO

### COLORS USED IN THE SCRIPT ###
GREY="\033[01;30m"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
PURPLE="\033[01;35m"
CYAN="\033[01;36m"
WHITE="\033[01;37m"
CLOSE="\033[m"

# VARIABLES USED IN THE SCRIPT
IP="/sbin/ip"
ROUTE="/sbin/route"
IPTABLES="/sbin/iptables"
LO="127.0.0.0/8"
LAN="192.168.1.0/24"
INT_LAN="eth0"
LINK1="200.0.10.0/28"
IP_LINK1="200.0.10.2"
GW_LINK1="200.0.10.1"
INT_LINK1="eth1"
PESO_LINK1="1"
LINK2="200.0.20.0/28"
IP_LINK2="200.0.20.2"
GW_LINK2="200.0.20.1"
INT_LINK2="eth2"
PESO_LINK2="1"

case "$1" in
    start)
        echo "${GREEN}[ STARTING LINK BALANCING ]${CLOSE}"
        # ADDING THE LINK1 NETWORK TO TABLE link1
        ${IP} route add ${LINK1} dev ${INT_LINK1} src ${IP_LINK1} table link1
        # ADDING THE DEFAULT ROUTE OF LINK1
        ${IP} route add default via ${GW_LINK1} table link1
        # ADDING THE LINK2 NETWORK TO TABLE link2
        ${IP} route add ${LINK2} dev ${INT_LINK2} src ${IP_LINK2} table link2
        # ADDING THE DEFAULT ROUTE OF LINK2
        ${IP} route add default via ${GW_LINK2} table link2
        # ADDING THE RULES THAT SELECT A TABLE BY SOURCE ADDRESS
        ${IP} rule add from ${IP_LINK1} table link1
        ${IP} rule add from ${IP_LINK2} table link2
        # ADDING THE ROUTES BETWEEN LINKS, LAN AND LO
        ${IP} route add ${LAN} dev ${INT_LAN} table link1
        ${IP} route add ${LINK2} dev ${INT_LINK2} table link1
        ${IP} route add ${LO} dev lo table link1
        ${IP} route add ${LAN} dev ${INT_LAN} table link2
        ${IP} route add ${LINK1} dev ${INT_LINK1} table link2
        ${IP} route add ${LO} dev lo table link2
        # CREATING THE BALANCING BETWEEN THE TWO LINKS
        ${IP} route add default nexthop via ${GW_LINK1} dev ${INT_LINK1} weight ${PESO_LINK1} nexthop via ${GW_LINK2} dev ${INT_LINK2} weight ${PESO_LINK2}
        # DROP CACHED ROUTE DECISIONS TAKEN BEFORE THE TABLES EXISTED
        ${IP} route flush cache
        # MASQUERADING THE LAN
        ${IPTABLES} -t nat -A POSTROUTING -s ${LAN} -j MASQUERADE
        echo "${GREEN}[ LINK BALANCING STARTED ]${CLOSE}"
        ;;
    stop)
        echo "${RED}[ STOPPING LINK BALANCING ]${CLOSE}"
        ${ROUTE} del default
        ${IP} route flush table link1
        ${IP} route flush table link2
        ${IP} rule del from ${IP_LINK1} table link1
        ${IP} rule del from ${IP_LINK2} table link2
        # REMOVE THE NAT RULE AS WELL, OTHERWISE EVERY restart LEAVES A DUPLICATE
        ${IPTABLES} -t nat -D POSTROUTING -s ${LAN} -j MASQUERADE
        ${IP} route flush cache
        echo "${RED}[ LINK BALANCING STOPPED ]${CLOSE}"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "${RED}Valid options: (start|stop|restart)${CLOSE}"
        ;;
esac

Now let's make the script executable
chmod +x /etc/init.d/rc.lb
Now let's add the script to the system start-up
insserv -f -v rc.lb
Now we can stop the balancing like this
/etc/init.d/rc.lb stop
[ STOPPING LINK BALANCING ]
[ LINK BALANCING STOPPED ]
And start it like this
/etc/init.d/rc.lb start
[ STARTING LINK BALANCING ]
[ LINK BALANCING STARTED ]
Packet marking to choose the outgoing link
So folks, some people ask me about marking packets so that they leave through a given link while link balancing is in use; you will see it is quite simple.
Once balancing is in place we need to define what we want to send through which link; that can be decided by source IP, protocol, port and so on.
As an example I will take two ports, 80 and 587, that is, web traffic and outgoing mail.
Let's mark the packets with iptables using the mangle table.
iptables -t mangle -A PREROUTING -m tcp -p tcp -s 192.168.1.0/24 --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m tcp -p tcp -s 192.168.1.0/24 --dport 587 -j MARK --set-mark 2
Now let's list our mangle table rules
iptables -t mangle -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 11 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:80 MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:587 MARK set 0x2
Note that packets to port 80 now carry mark 1 and packets to port 587 carry mark 2.
Now we need to tell iproute that packets with mark 1 go to link1 and packets with mark 2 go to link2; in other words, port 80 traffic leaves through link1 and port 587 traffic through link2. The marks are set in PREROUTING, before the routing decision, which is what lets the rules below see them.
Let's create the rules
ip rule add fwmark 1 table link1
ip rule add fwmark 2 table link2
Now let's list the iproute rules
ip rule show
0:	from all lookup local
32760:	from 200.0.20.2 lookup link2
32761:	from 200.0.10.2 lookup link1
32762:	from all fwmark 0x2 lookup link2
32763:	from all fwmark 0x1 lookup link1
32766:	from all lookup main
32767:	from all lookup default
Now let's flush the routing cache, otherwise destinations already cached keep the next hop chosen before the rules existed
ip route flush cache
Let's watch port 80 here on the server
tcpdump -i any -n -v port 80
[...]
Now let's test from the Debian client (192.168.1.22 in the capture below)
Let's update the repositories
aptitude update
Hit http://ftp.br.debian.org wheezy Release.gpg
Hit http://ftp.br.debian.org wheezy-proposed-updates Release.gpg
Hit http://ftp.br.debian.org wheezy Release
Hit http://ftp.br.debian.org wheezy-proposed-updates Release
Hit http://ftp.br.debian.org wheezy/main Sources
Hit http://ftp.br.debian.org wheezy/contrib Sources
Hit http://ftp.br.debian.org wheezy/non-free Sources
Hit http://ftp.br.debian.org wheezy/main amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib amd64 Packages
Hit http://ftp.br.debian.org wheezy/non-free amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib Translation-en
Hit http://ftp.br.debian.org wheezy/main Translation-pt_BR
Hit http://ftp.br.debian.org wheezy/main Translation-pt
Hit http://ftp.br.debian.org wheezy/main Translation-en
Hit http://ftp.br.debian.org wheezy/non-free Translation-en
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Translation-en/DiffIndex
Hit http://security.debian.org wheezy/updates Release.gpg
Hit http://security.debian.org wheezy/updates Release
Hit http://security.debian.org wheezy/updates/main Sources
Hit http://security.debian.org wheezy/updates/contrib Sources
Hit http://security.debian.org wheezy/updates/non-free Sources
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib amd64 Packages
Hit http://security.debian.org wheezy/updates/non-free amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib Translation-en
Hit http://security.debian.org wheezy/updates/main Translation-en
Hit http://security.debian.org wheezy/updates/non-free Translation-en
Now let's analyze the tcpdump output
tcpdump -i any -n -v port 80
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:34:35.442253 IP (tos 0x0, ttl 64, id 64715, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [S], cksum 0xd631 (correct), seq 3923346505, win 14600, options [mss 1460,sackOK,TS val 1603714 ecr 0,nop,wscale 3], length 0
14:34:35.442299 IP (tos 0x0, ttl 63, id 64715, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [S], cksum 0xc5ed (correct), seq 3923346505, win 14600, options [mss 1460,sackOK,TS val 1603714 ecr 0,nop,wscale 3], length 0
14:34:35.449200 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    200.236.31.3.80 > 200.0.10.2.43022: Flags [S.], cksum 0x38c6 (correct), seq 3677618798, ack 3923346506, win 26844, options [mss 1452,sackOK,TS val 87587434 ecr 1603714,nop,wscale 8], length 0
14:34:35.449242 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    200.236.31.3.80 > 192.168.1.22.43022: Flags [S.], cksum 0x490a (correct), seq 3677618798, ack 3923346506, win 26844, options [mss 1452,sackOK,TS val 87587434 ecr 1603714,nop,wscale 8], length 0
14:34:35.449688 IP (tos 0x0, ttl 64, id 64716, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [.], cksum 0xd988 (correct), ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 0
14:34:35.449708 IP (tos 0x0, ttl 63, id 64716, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [.], cksum 0xc944 (correct), ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 0
14:34:35.450139 IP (tos 0x0, ttl 64, id 64717, offset 0, flags [DF], proto TCP (6), length 269)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xd61b (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 217
14:34:35.450157 IP (tos 0x0, ttl 63, id 64717, offset 0, flags [DF], proto TCP (6), length 269)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xc5d7 (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 217
14:34:35.458226 IP (tos 0x0, ttl 57, id 30724, offset 0, flags [DF], proto TCP (6), length 52)
    200.236.31.3.80 > 200.0.10.2.43022: Flags [.], cksum 0xcf1d (correct), ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 0
14:34:35.458257 IP (tos 0x0, ttl 56, id 30724, offset 0, flags [DF], proto TCP (6), length 52)
    200.236.31.3.80 > 192.168.1.22.43022: Flags [.], cksum 0xdf61 (correct), ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 0
14:34:35.458992 IP (tos 0x0, ttl 57, id 30725, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0x1132 (correct), seq 1:172, ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 171
14:34:35.459011 IP (tos 0x0, ttl 56, id 30725, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0x2176 (correct), seq 1:172, ack 218, win 110, options [nop,nop,T
S val 87587435 ecr 1603716], length 171
14:34:35.459292 IP (tos 0x0, ttl 64, id 64718, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [.], cksum 0xd77b (correct), ack 172, win 1959, options [nop,nop,TS val 1603718 ecr 87587435], length 0
14:34:35.459309 IP (tos 0x0, ttl 63, id 64718, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [.], cksum 0xc737 (correct), ack 172, win 1959, options [nop,nop,TS val 1603718 ecr 87587435], length 0
14:34:35.459896 IP (tos 0x0, ttl 64, id 64719, offset 0, flags [DF], proto TCP (6), length 286)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xfdf3 (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1603719 ecr 87587435], length 234
14:34:35.459917 IP (tos 0x0, ttl 63, id 64719, offset 0, flags [DF], proto TCP (6), length 286)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xedaf (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1603719 ecr 87587435], length 234
14:34:35.468337 IP (tos 0x0, ttl 57, id 30726, offset 0, flags [DF], proto TCP (6), length 222)
    200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0xbe82 (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87587436 ecr 1603719], length 170
14:34:35.468369 IP (tos 0x0, ttl 56, id 30726, offset 0, flags [DF], proto TCP (6), length 222)
    200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0xcec6 (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87587436 ecr 1603719], length 170
14:34:35.469012 IP (tos 0x0, ttl 64, id 64720, offset 0, flags [DF], proto TCP (6), length 281)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xf84a (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1603721 ecr 87587436], length 229
14:34:35.469033 IP (tos 0x0, ttl 63, id 64720, offset 0, flags [DF], proto TCP (6), length 281)
    200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xe806 (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1603721 ecr 87587436], length 229
14:34:35.480415 IP (tos 0x0, ttl 57, id 30727, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0xc510 (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87587437 ecr 1603721], length 172
14:34:35.480442 IP (tos 0x0, ttl 56, id 30727, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0xd554 (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87587437 ecr 1603721], length 172
14:34:35.490315 IP (tos 0x0, ttl 64, id 64721, offset 0, flags [DF], proto TCP (6), length 298)
    192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0x5cd4 (correct), seq 681:927, ack 514, win 2227, options [nop,nop,TS val 1603726 ecr 87587437], length 246
14:34:35.490351 IP (tos 0x0, ttl 63, id 64721, offset 0, flags [DF], proto TCP (6), length 298)
[...]
Note that now every connection to port 80 left through link1.
Agora vamos testar a porta 587
Vamos monitorar a porta 587 no servidor
tcpdump -i any -n -v port 587
Agora no cliente vamos abrir uma conexão com o gmail.
telnet smtp.gmail.com 587 Trying 74.125.137.108... Connected to gmail-smtp-msa.l.google.com. Escape character is '^]'. 220 mx.google.com ESMTP v22sm112112273yhn.12 - gsmtp ehlo mx.google.com 250-mx.google.com at your service, [177.16.190.184] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250 CHUNKING quit 221 2.0.0 closing connection v22sm112112273yhn.12 - gsmtp Connection closed by foreign host.
Agora vamos análisar os logs do tcpdump
tcpdump -i any -n -v port 587 tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 14:37:21.324860 IP (tos 0x10, ttl 64, id 7918, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.22.56064 > 74.125.137.108.587: Flags [S], cksum 0x148a (correct), seq 1752499311, win 14600, options [mss 1460,sackOK,TS val 1645185 ecr 0,nop,wscale 3], length 0 14:37:21.325283 IP (tos 0x10, ttl 63, id 7918, offset 0, flags [DF], proto TCP (6), length 60) 200.0.20.2.56064 > 74.125.137.108.587: Flags [S], cksum 0xfa45 (correct), seq 1752499311, win 14600, options [mss 1460,sackOK,TS val 1645185 ecr 0,nop,wscale 3], length 0 14:37:21.469869 IP (tos 0x0, ttl 43, id 38060, offset 0, flags [none], proto TCP (6), length 60) 74.125.137.108.587 > 200.0.20.2.56064: Flags [S.], cksum 0x6150 (correct), seq 1680258992, ack 1752499312, win 42540, options [mss 1430,sackOK,TS val 987682085 ecr 1645185,nop,wscale 6], length 0 14:37:21.469928 IP (tos 0x0, ttl 42, id 38060, offset 0, flags [none], proto TCP (6), length 60) 74.125.137.108.587 > 192.168.1.22.56064: Flags [S.], cksum 0x7b94 (correct), seq 1680258992, ack 1752499312, win 42540, options [mss 1430,sackOK,TS val 987682085 ecr 1645185,nop,wscale 6], length 0 14:37:21.470429 IP (tos 0x10, ttl 64, id 7919, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x4929 (correct), ack 1, win 1825, options [nop,nop,TS val 1645221 ecr 987682085], length 0 14:37:21.470452 IP (tos 0x10, ttl 63, id 7919, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x2ee5 (correct), ack 1, win 1825, options [nop,nop,TS val 1645221 ecr 987682085], length 0 14:37:21.615668 IP (tos 0x0, ttl 44, id 38061, offset 0, flags [none], proto TCP (6), length 106) 74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x1524 (correct), seq 1:55, ack 1, win 665, options [nop,nop,TS val 987682231 ecr 1645221], length 54 
14:37:21.615713 IP (tos 0x0, ttl 43, id 38061, offset 0, flags [none], proto TCP (6), length 106)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x2f68 (correct), seq 1:55, ack 1, win 665, options [nop,nop,TS val 987682231 ecr 1645221], length 54
14:37:21.616245 IP (tos 0x10, ttl 64, id 7920, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x483d (correct), ack 55, win 1825, options [nop,nop,TS val 1645257 ecr 987682231], length 0
14:37:21.616268 IP (tos 0x10, ttl 63, id 7920, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x2df9 (correct), ack 55, win 1825, options [nop,nop,TS val 1645257 ecr 987682231], length 0
14:37:27.637712 IP (tos 0x10, ttl 64, id 7921, offset 0, flags [DF], proto TCP (6), length 72)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [P.], cksum 0xe9b4 (correct), seq 1:21, ack 55, win 1825, options [nop,nop,TS val 1646763 ecr 987682231], length 20
14:37:27.637757 IP (tos 0x10, ttl 63, id 7921, offset 0, flags [DF], proto TCP (6), length 72)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [P.], cksum 0xcf70 (correct), seq 1:21, ack 55, win 1825, options [nop,nop,TS val 1646763 ecr 987682231], length 20
14:37:27.781158 IP (tos 0x0, ttl 44, id 38062, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 200.0.20.2.56064: Flags [.], cksum 0x1475 (correct), ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 0
14:37:27.781205 IP (tos 0x0, ttl 43, id 38062, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [.], cksum 0x2eb9 (correct), ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 0
14:37:27.781648 IP (tos 0x0, ttl 44, id 38063, offset 0, flags [none], proto TCP (6), length 191)
    74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x2633 (correct), seq 55:194, ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 139
14:37:27.781664 IP (tos 0x0, ttl 43, id 38063, offset 0, flags [none], proto TCP (6), length 191)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x4077 (correct), seq 55:194, ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 139
14:37:27.781967 IP (tos 0x10, ttl 64, id 7922, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x28fc (correct), ack 194, win 1959, options [nop,nop,TS val 1646799 ecr 987688397], length 0
14:37:27.781985 IP (tos 0x10, ttl 63, id 7922, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x0eb8 (correct), ack 194, win 1959, options [nop,nop,TS val 1646799 ecr 987688397], length 0
14:37:29.557360 IP (tos 0x10, ttl 64, id 7923, offset 0, flags [DF], proto TCP (6), length 58)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [P.], cksum 0x3f3e (correct), seq 21:27, ack 194, win 1959, options [nop,nop,TS val 1647243 ecr 987688397], length 6
14:37:29.557413 IP (tos 0x10, ttl 63, id 7923, offset 0, flags [DF], proto TCP (6), length 58)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [P.], cksum 0x24fa (correct), seq 21:27, ack 194, win 1959, options [nop,nop,TS val 1647243 ecr 987688397], length 6
14:37:29.702451 IP (tos 0x0, ttl 44, id 38064, offset 0, flags [none], proto TCP (6), length 111)
    74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x50ba (correct), seq 194:253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 59
14:37:29.702491 IP (tos 0x0, ttl 43, id 38064, offset 0, flags [none], proto TCP (6), length 111)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x6afe (correct), seq 194:253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 59
14:37:29.703023 IP (tos 0x0, ttl 43, id 38065, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 200.0.20.2.56064: Flags [F.], cksum 0x0a48 (correct), seq 253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 0
14:37:29.703039 IP (tos 0x0, ttl 42, id 38065, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [F.], cksum 0x248c (correct), seq 253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 0
14:37:29.703108 IP (tos 0x10, ttl 64, id 7924, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x1f5b (correct), ack 253, win 1959, options [nop,nop,TS val 1647279 ecr 987690317], length 0
14:37:29.703125 IP (tos 0x10, ttl 63, id 7924, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x0517 (correct), ack 253, win 1959, options [nop,nop,TS val 1647279 ecr 987690317], length 0
14:37:29.703566 IP (tos 0x10, ttl 64, id 7925, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.56064 > 74.125.137.108.587: Flags [F.], cksum 0x1f58 (correct), seq 27, ack 254, win 1959, options [nop,nop,TS val 1647280 ecr 987690317], length 0
14:37:29.703584 IP (tos 0x10, ttl 63, id 7925, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.20.2.56064 > 74.125.137.108.587: Flags [F.], cksum 0x0514 (correct), seq 27, ack 254, win 1959, options [nop,nop,TS val 1647280 ecr 987690317], length 0
14:37:29.848099 IP (tos 0x0, ttl 43, id 38066, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 200.0.20.2.56064: Flags [.], cksum 0x0990 (correct), ack 28, win 665, options [nop,nop,TS val 987690463 ecr 1647280], length 0
14:37:29.848141 IP (tos 0x0, ttl 42, id 38066, offset 0, flags [none], proto TCP (6), length 52)
    74.125.137.108.587 > 192.168.1.22.56064: Flags [.], cksum 0x23d4 (correct), ack 28, win 665, options [nop,nop,TS val 987690463 ecr 1647280], length 0
Now note that the session to port 587 went out through link2: every packet from 192.168.1.22 shows up a second time with source 200.0.20.2 (link2's address) after being masqueraded, and the replies come back to 200.0.20.2 before being translated back to 192.168.1.22.
Everything working :D
Now let's adjust our script so that it still balances the two links, but uses packet marking to define which link a given service leaves through.
vim /etc/init.d/rc.lb
#!/bin/sh
#Author: Douglas Q. dos Santos
#Date: 30/09/2013
#--------------------------------------------------------------------------
#License: http://creativecommons.org/licenses/by-sa/3.0/legalcode
#
#--------------------------------------------------------------------------
### BEGIN INIT INFO
# Provides:          rc.lb
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Balanceamento de Links
### END INIT INFO

### COLORS USED IN THE SCRIPT ###
GREY="\033[01;30m"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
PURPLE="\033[01;35m"
CYAN="\033[01;36m"
WHITE="\033[01;37m"
CLOSE="\033[m"

# VARIABLES USED IN THE SCRIPT
IP="/sbin/ip"
ROUTE="/sbin/route"
IPTABLES="/sbin/iptables"
PORTS_LINK1="/etc/iproute2/ports_link1"
PORTS_LINK2="/etc/iproute2/ports_link2"
LO="127.0.0.0/8"
LAN="192.168.1.0/24"
INT_LAN="eth0"
LINK1="200.0.10.0/28"
IP_LINK1="200.0.10.2"
GW_LINK1="200.0.10.1"
INT_LINK1="eth1"
PESO_LINK1="1"
LINK2="200.0.20.0/28"
IP_LINK2="200.0.20.2"
GW_LINK2="200.0.20.1"
INT_LINK2="eth2"
PESO_LINK2="1"

case $1 in
start)
    echo "${GREEN}[ INICIANDO O BALANCEAMENTO ]${CLOSE}"
    # ADDING THE LINK1 NETWORK TO TABLE LINK1
    ${IP} route add ${LINK1} dev ${INT_LINK1} src ${IP_LINK1} table link1
    # ADDING THE LINK1 DEFAULT ROUTE
    ${IP} route add default via ${GW_LINK1} table link1
    # ADDING THE LINK2 NETWORK TO TABLE LINK2
    ${IP} route add ${LINK2} dev ${INT_LINK2} src ${IP_LINK2} table link2
    # ADDING THE LINK2 DEFAULT ROUTE
    ${IP} route add default via ${GW_LINK2} table link2
    # ADDING THE RULES THAT SELECT THE TABLES BY SOURCE ADDRESS
    ${IP} rule add from ${IP_LINK1} table link1
    ${IP} rule add from ${IP_LINK2} table link2
    # ADDING ROUTES BETWEEN THE LINKS, THE LAN AND LO
    ${IP} route add ${LAN} dev ${INT_LAN} table link1
    ${IP} route add ${LINK2} dev ${INT_LINK2} table link1
    ${IP} route add ${LO} dev lo table link1
    ${IP} route add ${LAN} dev ${INT_LAN} table link2
    ${IP} route add ${LINK1} dev ${INT_LINK1} table link2
    ${IP} route add ${LO} dev lo table link2
    # CREATING THE BALANCING BETWEEN THE TWO LINKS
    ${IP} route add default nexthop via ${GW_LINK1} dev ${INT_LINK1} weight ${PESO_LINK1} \
                            nexthop via ${GW_LINK2} dev ${INT_LINK2} weight ${PESO_LINK2}
    # MARKING THE PACKETS THAT LEAVE THROUGH LINK1
    for PORT in $(cat ${PORTS_LINK1}); do
        ${IPTABLES} -t mangle -A PREROUTING -p tcp -s ${LAN} --dport ${PORT} -m comment --comment "LINK 1" -j MARK --set-mark 1
    done
    # MARKING THE PACKETS THAT LEAVE THROUGH LINK2
    for PORT in $(cat ${PORTS_LINK2}); do
        ${IPTABLES} -t mangle -A PREROUTING -p tcp -s ${LAN} --dport ${PORT} -m comment --comment "LINK 2" -j MARK --set-mark 2
    done
    # ADDING IPROUTE RULES SO THE MARKS SET IN THE MANGLE TABLE SELECT THE TABLES
    ${IP} rule add fwmark 1 table link1
    ${IP} rule add fwmark 2 table link2
    # MASQUERADING THE NETWORK
    ${IPTABLES} -t nat -A POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${GREEN}[ BALANCEAMENTO INICIADO ]${CLOSE}"
    ;;
stop)
    echo "${RED}[ PARANDO BALANCEAMENTO ]${CLOSE}";
    ${ROUTE} del default
    ${IP} route flush table link1
    ${IP} route flush table link2
    ${IP} rule del from ${IP_LINK1} table link1
    ${IP} rule del from ${IP_LINK2} table link2
    ${IPTABLES} -t mangle -F
    # REMOVING THE FWMARK RULES (otherwise they pile up on every restart)
    ${IP} rule del fwmark 1 table link1
    ${IP} rule del fwmark 2 table link2
    # REMOVING THE MASQUERADE RULE ADDED BY start
    ${IPTABLES} -t nat -D POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${RED}[ BALANCEAMENTO PARADO ] ${CLOSE}";
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "${RED}Opcoes Validas:(start|stop|restart)${CLOSE}"
    ;;
esac
Now let's create the files that store which ports go out through which link.
Let's create the file that controls which ports go out through link1
vim /etc/iproute2/ports_link1
80
443
20
21
Let's create the file that controls which ports go out through link2
vim /etc/iproute2/ports_link2
25
110
143
587
993
995
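Before rc.lb loads these two files it is worth validating them. The script appends the LINK 1 rules first and the LINK 2 rules after them, and a later MARK --set-mark 2 overwrites the mark set by an earlier rule, so a port listed in both files would silently leave through link2. The check below is an added example, not code from the original page or its author; it assumes the file layout shown above (one port per line, whitespace separated) and constructs its own sample files instead of touching /etc/iproute2.

```shell
#!/bin/sh
# Added example (not part of the original page): validate ports_link1 and
# ports_link2 before rc.lb loads them. Every entry must be a TCP port in
# 1..65535, and no port may appear in both files, because the LINK 2 MARK
# rule is appended after the LINK 1 rule and overwrites its mark.

# is_valid_port PORT -> 0 if PORT is an integer between 1 and 65535
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port_file FILE -> 0 if every token in FILE is a valid port;
# each bad token is reported on stderr
check_port_file() {
    rc=0
    for PORT in $(cat "$1"); do
        if ! is_valid_port "$PORT"; then
            echo "$1: invalid port '$PORT'" >&2
            rc=1
        fi
    done
    return $rc
}

# ports_overlap FILE1 FILE2 -> prints the ports present in both files and
# returns 0 if there is at least one, 1 if the files are disjoint
ports_overlap() {
    a=$(mktemp); b=$(mktemp)
    tr -s ' \t' '\n' < "$1" | sed '/^$/d' | sort -u > "$a"
    tr -s ' \t' '\n' < "$2" | sed '/^$/d' | sort -u > "$b"
    common=$(comm -12 "$a" "$b")
    rm -f "$a" "$b"
    [ -n "$common" ] || return 1
    echo "$common"
}

# check_port_files FILE1 FILE2 -> 0 only if both files are valid and disjoint
check_port_files() {
    check_port_file "$1" || return 1
    check_port_file "$2" || return 1
    if dup=$(ports_overlap "$1" "$2"); then
        echo "port(s) listed in both files (would be marked for link2): $dup" >&2
        return 1
    fi
    return 0
}

# Demo on constructed files mirroring the page's ports_link1 / ports_link2,
# plus a broken variant (443 on both links, a non-numeric entry and an
# out-of-range one). Real use:
#   check_port_files /etc/iproute2/ports_link1 /etc/iproute2/ports_link2
run_demo() {
    dir=$(mktemp -d)
    printf '80\n443\n20\n21\n' > "$dir/ports_link1"
    printf '25\n110\n143\n587\n993\n995\n' > "$dir/ports_link2"
    printf '25\n443\nabc\n70000\n' > "$dir/ports_link2_bad"
    check_port_files "$dir/ports_link1" "$dir/ports_link2" && echo "ports_link1/ports_link2: OK"
    check_port_files "$dir/ports_link1" "$dir/ports_link2_bad" || echo "ports_link2_bad: rejected"
    rm -rf "$dir"
}

run_demo
```

Running check_port_files from the start) branch of rc.lb before the two for loops, and aborting when it returns non-zero, keeps a typo in either file from loading half a rule set.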
Now let's stop the balancing script
/etc/init.d/rc.lb stop
[ PARANDO BALANCEAMENTO ]
[ BALANCEAMENTO PARADO ]
Now let's list the iproute rules
ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
Now let's list the rules in the mangle table
iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 147 packets, 11496 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 147 packets, 11496 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 73 packets, 7540 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 73 packets, 7540 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now let's bring the balancing back up
/etc/init.d/rc.lb start
[ INICIANDO O BALANCEAMENTO ]
[ BALANCEAMENTO INICIADO ]
Now let's list the iproute rules again
ip rule show
0:      from all lookup local
32762:  from all fwmark 0x2 lookup link2
32763:  from all fwmark 0x1 lookup link1
32764:  from 200.0.20.2 lookup link2
32765:  from 200.0.10.2 lookup link1
32766:  from all lookup main
32767:  from all lookup default
Now let's look at the rules in the mangle table
iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 130 packets, 10960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:80 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:20 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:21 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:25 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:110 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:143 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:587 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:993 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:995 /* LINK 2 */ MARK set 0x2

Chain INPUT (policy ACCEPT 130 packets, 10960 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 59 packets, 6316 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 59 packets, 6316 bytes)
 pkts bytes target     prot opt in     out     source               destination
Note that we have marks for ports 80, 443, 20 and 21 to go out through link1, and ports 25, 110, 143, 587, 993 and 995 go out through link2.
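Checking this state by eye works once, but after the next restart or an edit to the port files it is easy to miss a port that lost its mark or a fwmark rule that ended up pointing at the wrong table. The audit below is an added example, not part of the original page or of rc.lb: it parses the text of ip rule show and iptables -t mangle -L -n -v (the outputs shown above, embedded here as constructed sample strings) and checks that each fwmark rule looks up the expected table and that every port from the port files carries the expected mark. The function names and argument layout are my own; only the command outputs come from the page.

```shell
#!/bin/sh
# Added example (not part of the original page): audit the policy-routing
# state produced by rc.lb. The functions read the text of "ip rule show"
# and "iptables -t mangle -L -n -v" so they can run on live output or on
# output saved earlier.

# rule_table_for_mark MARK   (reads "ip rule show" output on stdin)
# Prints the table named by every "fwmark MARK lookup TABLE" rule.
rule_table_for_mark() {
    awk -v mark="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "fwmark" && $(i + 1) == mark)
                  for (j = i; j < NF; j++)
                      if ($j == "lookup") print $(j + 1) }'
}

# mark_for_port PORT   (reads "iptables -t mangle -L -n -v" output on stdin)
# Prints the mark set by every MARK rule matching "tcp dpt:PORT"; the mark
# is the last field of the row ("MARK set 0x1" -> "0x1").
mark_for_port() {
    awk -v want="dpt:$1" '
        $3 == "MARK" { for (i = 1; i <= NF; i++) if ($i == want) print $NF }'
}

# audit_link "PORTS" MARK TABLE "RULES_TEXT" "MANGLE_TEXT"
# Returns 0 when the fwmark rule for MARK looks up TABLE and each port in
# the whitespace-separated PORTS list is marked exactly MARK. A port marked
# twice (two MARK rows) or not at all is reported as a mismatch.
audit_link() {
    ports=$1; mark=$2; table=$3; rules=$4; mangle=$5
    rc=0
    got=$(printf '%s\n' "$rules" | rule_table_for_mark "$mark")
    if [ "$got" != "$table" ]; then
        echo "fwmark $mark should look up table $table, found '${got:-none}'" >&2
        rc=1
    fi
    for PORT in $ports; do
        got=$(printf '%s\n' "$mangle" | mark_for_port "$PORT")
        if [ "$got" != "$mark" ]; then
            echo "tcp dport $PORT: expected mark $mark, found '${got:-none}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, copied from the state shown after "rc.lb start"
# (only the PREROUTING chain of the mangle table matters to the audit).
SAMPLE_RULES='0:      from all lookup local
32762:  from all fwmark 0x2 lookup link2
32763:  from all fwmark 0x1 lookup link1
32764:  from 200.0.20.2 lookup link2
32765:  from 200.0.10.2 lookup link1
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 130 packets, 10960 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:80 /* LINK 1 */ MARK set 0x1
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:443 /* LINK 1 */ MARK set 0x1
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:20 /* LINK 1 */ MARK set 0x1
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:21 /* LINK 1 */ MARK set 0x1
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:25 /* LINK 2 */ MARK set 0x2
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:110 /* LINK 2 */ MARK set 0x2
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:143 /* LINK 2 */ MARK set 0x2
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:587 /* LINK 2 */ MARK set 0x2
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:993 /* LINK 2 */ MARK set 0x2
    0     0 MARK tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:995 /* LINK 2 */ MARK set 0x2'

# Live use on the balancer would be:
#   audit_link "$(cat /etc/iproute2/ports_link1)" 0x1 link1 "$(ip rule show)" "$(iptables -t mangle -L -n -v)"
audit_link "80 443 20 21" 0x1 link1 "$SAMPLE_RULES" "$SAMPLE_MANGLE" && echo "link1: OK"
audit_link "25 110 143 587 993 995" 0x2 link2 "$SAMPLE_RULES" "$SAMPLE_MANGLE" && echo "link2: OK"
# Port 8080 has no MARK rule, so it is not pinned to link1 and would use the balanced default route
audit_link "8080" 0x1 link1 "$SAMPLE_RULES" "$SAMPLE_MANGLE" || echo "link1: audit failed, as expected for 8080"
```

The marks are matched as iptables prints them (0x1, 0x2), not as the decimal 1 and 2 passed to --set-mark, so pass the hexadecimal form when calling audit_link.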