Link Balancing on Debian Wheezy
Hey folks, here I'm going to cover link balancing with 2 links.
What I'm going to use:
- Server name: debian
- LAN interface: eth0
- LAN IP: 192.168.1.20
- link1 interface: eth1
- link1 IP: 200.0.10.2/28
- link1 gateway: 200.0.10.1
- table: link1
- speed: 10MB
- link2 interface: eth2
- link2 IP: 200.0.20.2/28
- link2 gateway: 200.0.20.1
- table: link2
- speed: 10MB
- Client name: debian01
- LAN interface: eth0
- LAN IP: 192.168.1.22/24
- gateway: 192.168.1.20
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.
Let's configure the interfaces file on the Debian server
vim /etc/network/interfaces
# Loopback interface
auto lo
iface lo inet loopback

# LAN interface
auto eth0
iface eth0 inet static
    address 192.168.1.20
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

# link1 interface
auto eth1
iface eth1 inet static
    address 200.0.10.2
    netmask 255.255.255.240
    network 200.0.10.0
    broadcast 200.0.10.15

# link2 interface
auto eth2
iface eth2 inet static
    address 200.0.20.2
    netmask 255.255.255.240
    network 200.0.20.0
    broadcast 200.0.20.15
Now reboot the server so that it loads the new network configuration.
reboot
Now let's test the links with ping. First link1: we ping its gateway
ping -I eth1 200.0.10.1 -c 2
PING 200.0.10.1 (200.0.10.1) from 200.0.10.2 eth1: 56(84) bytes of data.
64 bytes from 200.0.10.1: icmp_req=1 ttl=64 time=0.610 ms
64 bytes from 200.0.10.1: icmp_req=2 ttl=64 time=0.245 ms

--- 200.0.10.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.245/0.427/0.610/0.183 ms
Now let's test link2, pinging its gateway
ping -I eth2 200.0.20.1 -c 2
PING 200.0.20.1 (200.0.20.1) from 200.0.20.2 eth2: 56(84) bytes of data.
64 bytes from 200.0.20.1: icmp_req=1 ttl=64 time=0.001 ms
64 bytes from 200.0.20.1: icmp_req=2 ttl=64 time=0.288 ms

--- 200.0.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.001/0.144/0.288/0.144 ms
Now let's create a routing table for each link
echo 10 link1 >> /etc/iproute2/rt_tables
echo 20 link2 >> /etc/iproute2/rt_tables
Now let's add the route for the 200.0.10.0/28 network to table link1
ip route add 200.0.10.0/28 dev eth1 src 200.0.10.2 table link1
Now let's set the default route for link1
ip route add default via 200.0.10.1 table link1
Now let's list the routes in table link1
ip route list table link1
200.0.10.0/28 dev eth1  scope link  src 200.0.10.2
default via 200.0.10.1 dev eth1
Now let's add the route for the 200.0.20.0/28 network to table link2
ip route add 200.0.20.0/28 dev eth2 src 200.0.20.2 table link2
Now let's set the default route for link2
ip route add default via 200.0.20.1 table link2
Now let's list the routes in table link2
ip route list table link2
200.0.20.0/28 dev eth2  scope link  src 200.0.20.2
default via 200.0.20.1 dev eth2
Now let's remove the default route from the main table, if there is one
route del default
Now we must add the rules that send traffic from each link address to its table: 200.0.10.2 to link1 and 200.0.20.2 to link2
ip rule add from 200.0.10.2 table link1
ip rule add from 200.0.20.2 table link2
Now let's list the rules
ip rule list
0:      from all lookup local
32764:  from 200.0.20.2 lookup link2
32765:  from 200.0.10.2 lookup link1
32766:  from all lookup main
32767:  from all lookup default
Now we need to add routes for our internal network, the link2 network and lo to table link1, so they stay reachable when that table is used
ip route add 192.168.1.0/24 dev eth0 table link1
ip route add 200.0.20.0/28 dev eth2 table link1
ip route add 127.0.0.0/8 dev lo table link1
Now we need to add routes for our internal network, the link1 network and lo to table link2
ip route add 192.168.1.0/24 dev eth0 table link2
ip route add 200.0.10.0/28 dev eth1 table link2
ip route add 127.0.0.0/8 dev lo table link2
Now let's list the routing table of link1
ip route list table link1
default via 200.0.10.1 dev eth1
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev eth0  scope link
200.0.10.0/28 dev eth1  scope link  src 200.0.10.2
200.0.20.0/28 dev eth2  scope link
Now let's list the routing table of link2
ip route list table link2
default via 200.0.20.1 dev eth2
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev eth0  scope link
200.0.10.0/28 dev eth1  scope link
200.0.20.0/28 dev eth2  scope link  src 200.0.20.2
Now let's set up the balancing. Here I'm assuming both links are 10MB, so we give them a one-to-one ratio, that is, 50% of the traffic is sent over each link.
ip route add default nexthop via 200.0.10.1 dev eth1 weight 1 nexthop via 200.0.20.1 dev eth2 weight 1
Now let's list the routes of our server
ip route list
default
        nexthop via 200.0.10.1  dev eth1 weight 1
        nexthop via 200.0.20.1  dev eth2 weight 1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.20
200.0.10.0/28 dev eth1  proto kernel  scope link  src 200.0.10.2
200.0.20.0/28 dev eth2  proto kernel  scope link  src 200.0.20.2
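The multipath default route above has fixed weights and keeps handing traffic to a gateway even when that link is down. The script below is an added example (not part of the original page) that generalises the `ip route add default nexthop ...` step: it builds the route from a list of links with their weights, probes each gateway with the same `ping -I` test used earlier, and leaves dead gateways out, so it also covers unequal weights and a failed link. The link spec format, the function names and the `DRY_RUN` variable are assumptions of this example; the interfaces and gateway addresses are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: build the multipath default route
# only from gateways that currently answer, so a dead link gets no traffic.
# Link spec format (assumed here): iface:gateway:weight
# Addresses are the page's: link1 = eth1 / 200.0.10.1, link2 = eth2 / 200.0.20.1

# gw_alive IFACE GW -> exit 0 if one ping sent through IFACE reaches GW within 1s
gw_alive() {
    ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1
}

# build_default_route STATE... -> prints the ip command for the live links only
# Each STATE is iface:gateway:weight:up|down; probing is kept out of this function
# so it can be exercised without network access.
build_default_route() {
    cmd="ip route replace default"
    live=0
    for spec in "$@"; do
        iface=${spec%%:*};  rest=${spec#*:}
        gw=${rest%%:*};     rest=${rest#*:}
        weight=${rest%%:*}; state=${rest#*:}
        [ "$state" = "up" ] || continue
        cmd="$cmd nexthop via $gw dev $iface weight $weight"
        live=$((live + 1))
    done
    # no live gateway: refuse to install an empty route and let the caller decide
    [ "$live" -gt 0 ] || return 1
    echo "$cmd"
}

# probe_links SPEC... -> the same specs with :up or :down appended, from real pings
probe_links() {
    for spec in "$@"; do
        iface=${spec%%:*}; rest=${spec#*:}; gw=${rest%%:*}
        if gw_alive "$iface" "$gw"; then echo "$spec:up"; else echo "$spec:down"; fi
    done
}

# apply_default_route SPEC... -> probe the gateways and install the route.
# With DRY_RUN=1 (the default here) it only prints the command it would run.
apply_default_route() {
    states=$(probe_links "$@")
    # $states is unquoted on purpose: one argument per line
    cmd=$(build_default_route $states) || {
        echo "no gateway answers, default route left untouched" >&2
        return 1
    }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
    else
        $cmd && ip route flush cache
    fi
}

# Usage on the balancing server (as root), e.g. from cron every minute:
#   DRY_RUN=0 apply_default_route eth1:200.0.10.1:1 eth2:200.0.20.1:1
# A 2:1 split towards link1 would be eth1:200.0.10.1:2 eth2:200.0.20.1:1
```

`ip route replace` is used instead of `ip route add` so the command is idempotent when run repeatedly; when every gateway is down the function returns non-zero and changes nothing, which is usually preferable to installing a route with no next hop.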
Now we need to enable routing on this server
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Now let's activate routing in the kernel
sysctl -p
net.ipv4.ip_forward = 1
Now let's masquerade the packets from our LAN
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Now on the Debian server, leave tcpdump monitoring the ICMP protocol, which we'll use to test from the debian01 client
tcpdump -i any -n proto 'ICMP'
Now on the debian01 client, let's send 10 pings to the terra website
ping www.terra.com.br -c 10
PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=1 ttl=53 time=16.1 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=2 ttl=53 time=16.4 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=3 ttl=53 time=16.5 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=4 ttl=53 time=17.0 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=5 ttl=53 time=22.9 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=6 ttl=53 time=24.1 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=7 ttl=53 time=16.3 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=8 ttl=53 time=25.3 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=9 ttl=53 time=17.6 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_req=10 ttl=53 time=17.7 ms

--- www.terra.com.br ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9014ms
rtt min/avg/max/mdev = 16.184/19.039/25.356/3.428 ms
Now let's look at which packets we see on the server
tcpdump -i any -n proto 'ICMP'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:05:35.496522 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 1, length 64
13:05:35.496564 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 1, length 64
13:05:35.512683 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 1, length 64
13:05:35.512717 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 1, length 64
13:05:36.498137 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 2, length 64
13:05:36.498175 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 2, length 64
13:05:36.514789 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 2, length 64
13:05:36.514821 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 2, length 64
13:05:37.498306 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 3, length 64
13:05:37.498346 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 3, length 64
13:05:37.516860 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 3, length 64
13:05:37.516887 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 3, length 64
13:05:38.500846 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 4, length 64
13:05:38.500884 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 4, length 64
13:05:38.519245 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 4, length 64
13:05:38.519276 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 4, length 64
13:05:39.502357 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 5, length 64
13:05:39.502396 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 5, length 64
13:05:39.519362 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 5, length 64
13:05:39.519393 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 5, length 64
13:05:40.504417 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 6, length 64
13:05:40.504455 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 6, length 64
13:05:40.520456 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 6, length 64
13:05:40.520482 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 6, length 64
13:05:41.506237 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 7, length 64
13:05:41.506276 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 7, length 64
13:05:41.537471 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 7, length 64
13:05:41.537529 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 7, length 64
13:05:42.507740 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 8, length 64
13:05:42.507777 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 8, length 64
13:05:42.524718 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 8, length 64
13:05:42.524743 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 8, length 64
13:05:43.508439 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 9, length 64
13:05:43.508467 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 9, length 64
13:05:43.528061 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 9, length 64
13:05:43.528086 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 9, length 64
13:05:44.510342 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 10, length 64
13:05:44.510379 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 10, length 64
13:05:44.526252 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 10, length 64
13:05:44.526284 IP 200.154.56.80 > 192.168.1.22: ICMP echo reply, id 2475, seq 10, length 64
Note that all the ICMP packets left through the same link, 200.0.20.2 (link2): the kernel chooses the next hop per destination route rather than per packet, so every packet to the same host follows the same link.
Now on the Debian server let's monitor port 80
tcpdump -i any port 80 -n -vv
[...]
Now on the Debian client let's update the repositories
aptitude update
Hit http://ftp.br.debian.org wheezy Release.gpg
Hit http://ftp.br.debian.org wheezy-proposed-updates Release.gpg
Hit http://ftp.br.debian.org wheezy Release
Hit http://ftp.br.debian.org wheezy-proposed-updates Release
Hit http://ftp.br.debian.org wheezy/main Sources
Hit http://ftp.br.debian.org wheezy/contrib Sources
Hit http://ftp.br.debian.org wheezy/non-free Sources
Hit http://ftp.br.debian.org wheezy/main amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib amd64 Packages
Hit http://ftp.br.debian.org wheezy/non-free amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib Translation-en
Hit http://ftp.br.debian.org wheezy/main Translation-pt_BR
Hit http://ftp.br.debian.org wheezy/main Translation-pt
Hit http://ftp.br.debian.org wheezy/main Translation-en
Hit http://ftp.br.debian.org wheezy/non-free Translation-en
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Translation-en/DiffIndex
Hit http://security.debian.org wheezy/updates Release.gpg
Hit http://security.debian.org wheezy/updates Release
Hit http://security.debian.org wheezy/updates/main Sources
Hit http://security.debian.org wheezy/updates/contrib Sources
Hit http://security.debian.org wheezy/updates/non-free Sources
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib amd64 Packages
Hit http://security.debian.org wheezy/updates/non-free amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib Translation-en
Hit http://security.debian.org wheezy/updates/main Translation-en
Hit http://security.debian.org wheezy/updates/non-free Translation-en
Now let's see on the server what tcpdump captured
tcpdump -i any port 80 -n -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:57:34.493664 IP (tos 0x0, ttl 64, id 18920, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.22.34370 > 128.31.0.36.80: Flags [S], cksum 0x55a6 (correct), seq 983283319, win 14600, options [mss 1460,sackOK,TS val 1048479 ecr 0,nop,wscale 3], length 0
13:57:34.493704 IP (tos 0x0, ttl 63, id 18920, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.20.2.34370 > 128.31.0.36.80: Flags [S], cksum 0x3b62 (correct), seq 983283319, win 14600, options [mss 1460,sackOK,TS val 1048479 ecr 0,nop,wscale 3], length 0
13:57:34.495855 IP (tos 0x0, ttl 64, id 61793, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [S], cksum 0x75eb (correct), seq 949489345, win 14600, options [mss 1460,sackOK,TS val 1048480 ecr 0,nop,wscale 3], length 0
13:57:34.495871 IP (tos 0x0, ttl 63, id 61793, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [S], cksum 0x65a7 (correct), seq 949489345, win 14600, options [mss 1460,sackOK,TS val 1048480 ecr 0,nop,wscale 3], length 0
13:57:34.502910 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [S.], cksum 0x6460 (correct), seq 978025221, ack 949489346, win 26844, options [mss 1452,sackOK,TS val 87365343 ecr 1048480,nop,wscale 8], length 0
13:57:34.502936 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [S.], cksum 0x74a4 (correct), seq 978025221, ack 949489346, win 26844, options [mss 1452,sackOK,TS val 87365343 ecr 1048480,nop,wscale 8], length 0
13:57:34.503244 IP (tos 0x0, ttl 64, id 61794, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [.], cksum 0x0523 (correct), seq 1, ack 1, win 1825, options [nop,nop,TS val 1048482 ecr 87365343], length 0
13:57:34.503259 IP (tos 0x0, ttl 63, id 61794, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [.], cksum 0xf4de (correct), seq 1, ack 1, win 1825, options [nop,nop,TS val 1048482 ecr 87365343], length 0
13:57:34.503569 IP (tos 0x0, ttl 64, id 61795, offset 0, flags [DF], proto TCP (6), length 269)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0x01b6 (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1048482 ecr 87365343], length 217
13:57:34.503583 IP (tos 0x0, ttl 63, id 61795, offset 0, flags [DF], proto TCP (6), length 269)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0xf171 (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1048482 ecr 87365343], length 217
13:57:34.512097 IP (tos 0x0, ttl 57, id 28134, offset 0, flags [DF], proto TCP (6), length 52)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [.], cksum 0xfab7 (correct), seq 1, ack 218, win 110, options [nop,nop,TS val 87365344 ecr 1048482], length 0
13:57:34.512117 IP (tos 0x0, ttl 56, id 28134, offset 0, flags [DF], proto TCP (6), length 52)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [.], cksum 0x0afc (correct), seq 1, ack 218, win 110, options [nop,nop,TS val 87365344 ecr 1048482], length 0
13:57:34.512481 IP (tos 0x0, ttl 57, id 28135, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0x39cc (correct), seq 1:172, ack 218, win 110, options [nop,nop,TS val 87365344 ecr 1048482], length 171
13:57:34.512499 IP (tos 0x0, ttl 56, id 28135, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0x4a10 (correct), seq 1:172, ack 218, win 110, options [nop,nop,TS val 87365344 ecr 1048482], length 171
13:57:34.512850 IP (tos 0x0, ttl 64, id 61796, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [.], cksum 0x0316 (correct), seq 218, ack 172, win 1959, options [nop,nop,TS val 1048484 ecr 87365344], length 0
13:57:34.512870 IP (tos 0x0, ttl 63, id 61796, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [.], cksum 0xf2d1 (correct), seq 218, ack 172, win 1959, options [nop,nop,TS val 1048484 ecr 87365344], length 0
13:57:34.514658 IP (tos 0x0, ttl 64, id 61797, offset 0, flags [DF], proto TCP (6), length 286)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0x298e (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1048485 ecr 87365344], length 234
13:57:34.514681 IP (tos 0x0, ttl 63, id 61797, offset 0, flags [DF], proto TCP (6), length 286)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0x194a (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1048485 ecr 87365344], length 234
13:57:34.523193 IP (tos 0x0, ttl 57, id 28136, offset 0, flags [DF], proto TCP (6), length 222)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0xe71c (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87365345 ecr 1048485], length 170
13:57:34.523219 IP (tos 0x0, ttl 56, id 28136, offset 0, flags [DF], proto TCP (6), length 222)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0xf760 (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87365345 ecr 1048485], length 170
13:57:34.524944 IP (tos 0x0, ttl 64, id 61798, offset 0, flags [DF], proto TCP (6), length 281)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0x23e5 (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1048487 ecr 87365345], length 229
13:57:34.524967 IP (tos 0x0, ttl 63, id 61798, offset 0, flags [DF], proto TCP (6), length 281)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0x13a1 (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1048487 ecr 87365345], length 229
13:57:34.533381 IP (tos 0x0, ttl 57, id 28137, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0xedaa (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87365346 ecr 1048487], length 172
13:57:34.533405 IP (tos 0x0, ttl 56, id 28137, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0xfdee (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87365346 ecr 1048487], length 172
13:57:34.548469 IP (tos 0x0, ttl 64, id 61799, offset 0, flags [DF], proto TCP (6), length 298)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0x886d (correct), seq 681:927, ack 514, win 2227, options [nop,nop,TS val 1048493 ecr 87365346], length 246
13:57:34.548493 IP (tos 0x0, ttl 63, id 61799, offset 0, flags [DF], proto TCP (6), length 298)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0x7829 (correct), seq 681:927, ack 514, win 2227, options [nop,nop,TS val 1048493 ecr 87365346], length 246
13:57:34.557949 IP (tos 0x0, ttl 57, id 28138, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0xb146 (correct), seq 514:686, ack 927, win 122, options [nop,nop,TS val 87365348 ecr 1048493], length 172
13:57:34.557962 IP (tos 0x0, ttl 56, id 28138, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0xc18a (correct), seq 514:686, ack 927, win 122, options [nop,nop,TS val 87365348 ecr 1048493], length 172
13:57:34.559932 IP (tos 0x0, ttl 64, id 61800, offset 0, flags [DF], proto TCP (6), length 281)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0x9c01 (correct), seq 927:1156, ack 686, win 2361, options [nop,nop,TS val 1048496 ecr 87365348], length 229
13:57:34.559946 IP (tos 0x0, ttl 63, id 61800, offset 0, flags [DF], proto TCP (6), length 281)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0x8bbd (correct), seq 927:1156, ack 686, win 2361, options [nop,nop,TS val 1048496 ecr 87365348], length 229
13:57:34.568227 IP (tos 0x0, ttl 57, id 28139, offset 0, flags [DF], proto TCP (6), length 225)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0x65bf (correct), seq 686:859, ack 1156, win 126, options [nop,nop,TS val 87365349 ecr 1048496], length 173
13:57:34.568243 IP (tos 0x0, ttl 56, id 28139, offset 0, flags [DF], proto TCP (6), length 225)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0x7603 (correct), seq 686:859, ack 1156, win 126, options [nop,nop,TS val 87365349 ecr 1048496], length 173
13:57:34.568573 IP (tos 0x0, ttl 64, id 61801, offset 0, flags [DF], proto TCP (6), length 284)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0xfc32 (correct), seq 1156:1388, ack 859, win 2495, options [nop,nop,TS val 1048498 ecr 87365349], length 232
13:57:34.568584 IP (tos 0x0, ttl 63, id 61801, offset 0, flags [DF], proto TCP (6), length 284)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0xebee (correct), seq 1156:1388, ack 859, win 2495, options [nop,nop,TS val 1048498 ecr 87365349], length 232
13:57:34.577411 IP (tos 0x0, ttl 57, id 28140, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0xceb7 (correct), seq 859:1030, ack 1388, win 130, options [nop,nop,TS val 87365350 ecr 1048498], length 171
13:57:34.577427 IP (tos 0x0, ttl 56, id 28140, offset 0, flags [DF], proto TCP (6), length 223)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0xdefb (correct), seq 859:1030, ack 1388, win 130, options [nop,nop,TS val 87365350 ecr 1048498], length 171
13:57:34.577815 IP (tos 0x0, ttl 64, id 61802, offset 0, flags [DF], proto TCP (6), length 285)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0xf0f6 (correct), seq 1388:1621, ack 1030, win 2629, options [nop,nop,TS val 1048501 ecr 87365350], length 233
13:57:34.577836 IP (tos 0x0, ttl 63, id 61802, offset 0, flags [DF], proto TCP (6), length 285)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0xe0b2 (correct), seq 1388:1621, ack 1030, win 2629, options [nop,nop,TS val 1048501 ecr 87365350], length 233
13:57:34.587325 IP (tos 0x0, ttl 57, id 28141, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [P.], cksum 0xd901 (correct), seq 1030:1202, ack 1621, win 135, options [nop,nop,TS val 87365351 ecr 1048501], length 172
13:57:34.587338 IP (tos 0x0, ttl 56, id 28141, offset 0, flags [DF], proto TCP (6), length 224)
    200.236.31.3.80 > 192.168.1.22.43017: Flags [P.], cksum 0xe945 (correct), seq 1030:1202, ack 1621, win 135, options [nop,nop,TS val 87365351 ecr 1048501], length 172
13:57:34.588148 IP (tos 0x0, ttl 64, id 61803, offset 0, flags [DF], proto TCP (6), length 288)
    192.168.1.22.43017 > 200.236.31.3.80: Flags [P.], cksum 0xa19c (correct), seq 1621:1857, ack 1202, win 2763, options [nop,nop,TS val 1048503 ecr 87365351], length 236
13:57:34.588170 IP (tos 0x0, ttl 63, id 61803, offset 0, flags [DF], proto TCP (6), length 288)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [P.], cksum 0x9158 (correct), seq 1621:1857, ack 1202, win 2763, options [nop,nop,TS val 1048503 ecr 87365351], length 236
Note that now we have packets going out through both links: the connection to 128.31.0.36 left through 200.0.20.2 (link2) and the one to 200.236.31.3 through 200.0.10.2 (link1).
Our balancing with 2 links is working
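Reading the capture by eye works for forty lines; for a longer run it helps to count outbound packets per WAN address. The script below is an added example, not from the original page: an awk filter that reads `tcpdump -n` output (both the one-line ICMP format and the two-line `-vv` TCP format shown above) and reports how many packets left with each link's address as source, that is, after MASQUERADE rewrote them. The sample capture is constructed in the page's format and the function names are this example's own; the WAN addresses are the page's.

```shell
#!/bin/sh
# Added example, not part of the original page: count egress packets per link
# in tcpdump output, to check that traffic really is spread over both links.
# WAN addresses are the page's: link1 = 200.0.10.2, link2 = 200.0.20.2.

# count_egress_per_link LINK1_IP LINK2_IP
# Reads tcpdump -n output on stdin. Handles the one-line format and the -vv
# two-line format (where "src > dst" sits on the second, indented line).
# Prints "<wan-ip> <packets> <share>%" per link, sorted by address.
count_egress_per_link() {
    awk -v l1="$1" -v l2="$2" '
        {
            # the source address is the field just before the ">" token
            src = ""
            for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            # TCP lines carry the port as a fifth dotted component: strip it
            if (split(src, o, ".") == 5) src = o[1] "." o[2] "." o[3] "." o[4]
            # only packets already rewritten to a WAN address are egress on a link;
            # LAN sources and replies from the Internet are left out
            if (src == l1 || src == l2) { n[src]++; total++ }
        }
        END {
            for (s in n) printf "%s %d %d%%\n", s, n[s], 100 * n[s] / total
        }
    ' | sort
}

# Constructed sample in the format of the captures on this page:
# one ping and one SYN forwarded via link2, one SYN and one ACK via link1.
sample_capture() {
    cat <<'EOF'
13:05:35.496522 IP 192.168.1.22 > 200.154.56.80: ICMP echo request, id 2475, seq 1, length 64
13:05:35.496564 IP 200.0.20.2 > 200.154.56.80: ICMP echo request, id 2475, seq 1, length 64
13:05:35.512683 IP 200.154.56.80 > 200.0.20.2: ICMP echo reply, id 2475, seq 1, length 64
13:57:34.493664 IP (tos 0x0, ttl 64, id 18920, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.22.34370 > 128.31.0.36.80: Flags [S], seq 983283319, win 14600, length 0
13:57:34.493704 IP (tos 0x0, ttl 63, id 18920, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.20.2.34370 > 128.31.0.36.80: Flags [S], seq 983283319, win 14600, length 0
13:57:34.495871 IP (tos 0x0, ttl 63, id 61793, offset 0, flags [DF], proto TCP (6), length 60)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [S], seq 949489345, win 14600, length 0
13:57:34.502910 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    200.236.31.3.80 > 200.0.10.2.43017: Flags [S.], seq 978025221, ack 949489346, length 0
13:57:34.503259 IP (tos 0x0, ttl 63, id 61794, offset 0, flags [DF], proto TCP (6), length 52)
    200.0.10.2.43017 > 200.236.31.3.80: Flags [.], seq 1, ack 1, win 1825, length 0
EOF
}

# egress_report -> the per-link count for the constructed sample
egress_report() {
    sample_capture | count_egress_per_link 200.0.10.2 200.0.20.2
}

# On the server, against live traffic (-l makes tcpdump line-buffered):
#   tcpdump -i any -n -l port 80 | count_egress_per_link 200.0.10.2 200.0.20.2
egress_report
```

For the constructed sample the report is `200.0.10.2 2 50%` and `200.0.20.2 2 50%`. Because the kernel picks the link per destination, a short capture towards a single host will show 100% on one link, as the ICMP test above did; the split only approaches the configured weights over many destinations.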
Now we need to create a script that sets up the balancing at system boot
vim /etc/init.d/rc.lb
#!/bin/sh
# Author: Douglas Q. dos Santos
# Date: 13/01/2013
#--------------------------------------------------------------------------
# License: http://creativecommons.org/licenses/by-sa/3.0/legalcode
#
#--------------------------------------------------------------------------
### BEGIN INIT INFO
# Provides:          rc.lb
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Link balancing
### END INIT INFO

### COLOURS USED IN THE SCRIPT ###
GREY="\033[01;30m"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
PURPLE="\033[01;35m"
CYAN="\033[01;36m"
WHITE="\033[01;37m"
CLOSE="\033[m"

# VARIABLES USED IN THE SCRIPT
IP="/sbin/ip"
ROUTE="/sbin/route"
IPTABLES="/sbin/iptables"
LO="127.0.0.0/8"
LAN="192.168.1.0/24"
INT_LAN="eth0"
LINK1="200.0.10.0/28"
IP_LINK1="200.0.10.2"
GW_LINK1="200.0.10.1"
INT_LINK1="eth1"
PESO_LINK1="1"
LINK2="200.0.20.0/28"
IP_LINK2="200.0.20.2"
GW_LINK2="200.0.20.1"
INT_LINK2="eth2"
PESO_LINK2="1"

case $1 in
start)
    echo "${GREEN}[ INICIANDO O BALANCEAMENTO ]${CLOSE}"
    # ADDING THE LINK1 NETWORK TO TABLE link1
    ${IP} route add ${LINK1} dev ${INT_LINK1} src ${IP_LINK1} table link1
    # ADDING THE LINK1 DEFAULT ROUTE
    ${IP} route add default via ${GW_LINK1} table link1
    # ADDING THE LINK2 NETWORK TO TABLE link2
    ${IP} route add ${LINK2} dev ${INT_LINK2} src ${IP_LINK2} table link2
    # ADDING THE LINK2 DEFAULT ROUTE
    ${IP} route add default via ${GW_LINK2} table link2
    # ADDING THE RULES FOR THE ROUTES ADDED ABOVE
    ${IP} rule add from ${IP_LINK1} table link1
    ${IP} rule add from ${IP_LINK2} table link2
    # ADDING ROUTES BETWEEN THE LINKS, THE LAN AND LO
    ${IP} route add ${LAN} dev ${INT_LAN} table link1
    ${IP} route add ${LINK2} dev ${INT_LINK2} table link1
    ${IP} route add ${LO} dev lo table link1
    ${IP} route add ${LAN} dev ${INT_LAN} table link2
    ${IP} route add ${LINK1} dev ${INT_LINK1} table link2
    ${IP} route add ${LO} dev lo table link2
    # CREATING THE BALANCING BETWEEN THE TWO LINKS
    ${IP} route add default nexthop via ${GW_LINK1} dev ${INT_LINK1} weight ${PESO_LINK1} nexthop via ${GW_LINK2} dev ${INT_LINK2} weight ${PESO_LINK2}
    # MASQUERADING THE LAN
    ${IPTABLES} -t nat -A POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${GREEN}[ BALANCEAMENTO INICIADO ]${CLOSE}"
    ;;
stop)
    echo "${RED}[ PARANDO BALANCEAMENTO ]${CLOSE}"
    ${ROUTE} del default
    ${IP} route flush table link1
    ${IP} route flush table link2
    ${IP} rule del from ${IP_LINK1} table link1
    ${IP} rule del from ${IP_LINK2} table link2
    # REMOVE THE MASQUERADE RULE AS WELL, OTHERWISE EVERY restart APPENDS A DUPLICATE
    ${IPTABLES} -t nat -D POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${RED}[ BALANCEAMENTO PARADO ]${CLOSE}"
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "${RED}Opcoes Validas:(start|stop|restart)${CLOSE}"
    ;;
esac
Now let's give the script execute permission
chmod +x /etc/init.d/rc.lb
Now let's add the script to the system startup
insserv -f -v rc.lb
Now we can stop the balancing like this
/etc/init.d/rc.lb stop
[ PARANDO BALANCEAMENTO ]
[ BALANCEAMENTO PARADO ]
Now we can start the balancing like this
/etc/init.d/rc.lb start
[ INICIANDO O BALANCEAMENTO ]
[ BALANCEAMENTO INICIADO ]
Packet marking to choose the outgoing link
So folks, some people ask me about marking packets so that they leave through a particular link when using link balancing; you'll see it is quite simple.
Once the link balancing is in place we need to define what we want to send through which link; we can do that by source IP, protocol, port, etc.
As an example I'll take 2 ports, port 80 and port 587, that is, web traffic and outgoing mail.
Let's mark the packets with iptables using the mangle table.
iptables -t mangle -A PREROUTING -m tcp -p tcp -s 192.168.1.0/24 --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m tcp -p tcp -s 192.168.1.0/24 --dport 587 -j MARK --set-mark 2
Now let's list our rules in the mangle table
iptables -t mangle -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 11 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:80 MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:587 MARK set 0x2
Note that now the packets to port 80 carry mark 1 and the packets to port 587 carry mark 2.
Now we need to tell iproute that packets with mark 1 go to table link1 and packets with mark 2 go to table link2; with that, port 80 packets leave through link1 and port 587 packets through link2.
Let's create the rules
ip rule add fwmark 1 table link1
ip rule add fwmark 2 table link2
Now let's list the iproute rules
ip rule show
0:      from all lookup local
32760:  from 200.0.20.2 lookup link2
32761:  from 200.0.10.2 lookup link1
32762:  from all fwmark 0x2 lookup link2
32763:  from all fwmark 0x1 lookup link1
32766:  from all lookup main
32767:  from all lookup default
Now let's flush the routing cache so the new rules take effect
ip route flush cache
Let's monitor port 80 here on the server
tcpdump -i any -n -v port 80
[...]
Now let's test with the Debian client
Let's update the repositories
aptitude update
Hit http://ftp.br.debian.org wheezy Release.gpg
Hit http://ftp.br.debian.org wheezy-proposed-updates Release.gpg
Hit http://ftp.br.debian.org wheezy Release
Hit http://ftp.br.debian.org wheezy-proposed-updates Release
Hit http://ftp.br.debian.org wheezy/main Sources
Hit http://ftp.br.debian.org wheezy/contrib Sources
Hit http://ftp.br.debian.org wheezy/non-free Sources
Hit http://ftp.br.debian.org wheezy/main amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib amd64 Packages
Hit http://ftp.br.debian.org wheezy/non-free amd64 Packages
Hit http://ftp.br.debian.org wheezy/contrib Translation-en
Hit http://ftp.br.debian.org wheezy/main Translation-pt_BR
Hit http://ftp.br.debian.org wheezy/main Translation-pt
Hit http://ftp.br.debian.org wheezy/main Translation-en
Hit http://ftp.br.debian.org wheezy/non-free Translation-en
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Sources/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free amd64 Packages/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/contrib Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/main Translation-en/DiffIndex
Hit http://ftp.br.debian.org wheezy-proposed-updates/non-free Translation-en/DiffIndex
Hit http://security.debian.org wheezy/updates Release.gpg
Hit http://security.debian.org wheezy/updates Release
Hit http://security.debian.org wheezy/updates/main Sources
Hit http://security.debian.org wheezy/updates/contrib Sources
Hit http://security.debian.org wheezy/updates/non-free Sources
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib amd64 Packages
Hit http://security.debian.org wheezy/updates/non-free amd64 Packages
Hit http://security.debian.org wheezy/updates/contrib Translation-en
Hit http://security.debian.org wheezy/updates/main Translation-en
Hit http://security.debian.org wheezy/updates/non-free Translation-en
Now let's analyse the tcpdump output
tcpdump -i any -n -v port 80
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:34:35.442253 IP (tos 0x0, ttl 64, id 64715, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.22.43022 > 200.236.31.3.80: Flags [S], cksum 0xd631 (correct), seq 3923346505, win 14600, options [mss 1460,sackOK,TS val 1603714 ecr 0,nop,wscale 3], length 0
14:34:35.442299 IP (tos 0x0, ttl 63, id 64715, offset 0, flags [DF], proto TCP (6), length 60) 200.0.10.2.43022 > 200.236.31.3.80: Flags [S], cksum 0xc5ed (correct), seq 3923346505, win 14600, options [mss 1460,sackOK,TS val 1603714 ecr 0,nop,wscale 3], length 0
14:34:35.449200 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60) 200.236.31.3.80 > 200.0.10.2.43022: Flags [S.], cksum 0x38c6 (correct), seq 3677618798, ack 3923346506, win 26844, options [mss 1452,sackOK,TS val 87587434 ecr 1603714,nop,wscale 8], length 0
14:34:35.449242 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60) 200.236.31.3.80 > 192.168.1.22.43022: Flags [S.], cksum 0x490a (correct), seq 3677618798, ack 3923346506, win 26844, options [mss 1452,sackOK,TS val 87587434 ecr 1603714,nop,wscale 8], length 0
14:34:35.449688 IP (tos 0x0, ttl 64, id 64716, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.43022 > 200.236.31.3.80: Flags [.], cksum 0xd988 (correct), ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 0
14:34:35.449708 IP (tos 0x0, ttl 63, id 64716, offset 0, flags [DF], proto TCP (6), length 52) 200.0.10.2.43022 > 200.236.31.3.80: Flags [.], cksum 0xc944 (correct), ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 0
14:34:35.450139 IP (tos 0x0, ttl 64, id 64717, offset 0, flags [DF], proto TCP (6), length 269) 192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xd61b (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 217
14:34:35.450157 IP (tos 0x0, ttl 63, id 64717, offset 0, flags [DF], proto TCP (6), length 269) 200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xc5d7 (correct), seq 1:218, ack 1, win 1825, options [nop,nop,TS val 1603716 ecr 87587434], length 217
14:34:35.458226 IP (tos 0x0, ttl 57, id 30724, offset 0, flags [DF], proto TCP (6), length 52) 200.236.31.3.80 > 200.0.10.2.43022: Flags [.], cksum 0xcf1d (correct), ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 0
14:34:35.458257 IP (tos 0x0, ttl 56, id 30724, offset 0, flags [DF], proto TCP (6), length 52) 200.236.31.3.80 > 192.168.1.22.43022: Flags [.], cksum 0xdf61 (correct), ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 0
14:34:35.458992 IP (tos 0x0, ttl 57, id 30725, offset 0, flags [DF], proto TCP (6), length 223) 200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0x1132 (correct), seq 1:172, ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 171
14:34:35.459011 IP (tos 0x0, ttl 56, id 30725, offset 0, flags [DF], proto TCP (6), length 223) 200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0x2176 (correct), seq 1:172, ack 218, win 110, options [nop,nop,TS val 87587435 ecr 1603716], length 171
14:34:35.459292 IP (tos 0x0, ttl 64, id 64718, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.43022 > 200.236.31.3.80: Flags [.], cksum 0xd77b (correct), ack 172, win 1959, options [nop,nop,TS val 1603718 ecr 87587435], length 0
14:34:35.459309 IP (tos 0x0, ttl 63, id 64718, offset 0, flags [DF], proto TCP (6), length 52) 200.0.10.2.43022 > 200.236.31.3.80: Flags [.], cksum 0xc737 (correct), ack 172, win 1959, options [nop,nop,TS val 1603718 ecr 87587435], length 0
14:34:35.459896 IP (tos 0x0, ttl 64, id 64719, offset 0, flags [DF], proto TCP (6), length 286) 192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xfdf3 (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1603719 ecr 87587435], length 234
14:34:35.459917 IP (tos 0x0, ttl 63, id 64719, offset 0, flags [DF], proto TCP (6), length 286) 200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xedaf (correct), seq 218:452, ack 172, win 1959, options [nop,nop,TS val 1603719 ecr 87587435], length 234
14:34:35.468337 IP (tos 0x0, ttl 57, id 30726, offset 0, flags [DF], proto TCP (6), length 222) 200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0xbe82 (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87587436 ecr 1603719], length 170
14:34:35.468369 IP (tos 0x0, ttl 56, id 30726, offset 0, flags [DF], proto TCP (6), length 222) 200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0xcec6 (correct), seq 172:342, ack 452, win 114, options [nop,nop,TS val 87587436 ecr 1603719], length 170
14:34:35.469012 IP (tos 0x0, ttl 64, id 64720, offset 0, flags [DF], proto TCP (6), length 281) 192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0xf84a (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1603721 ecr 87587436], length 229
14:34:35.469033 IP (tos 0x0, ttl 63, id 64720, offset 0, flags [DF], proto TCP (6), length 281) 200.0.10.2.43022 > 200.236.31.3.80: Flags [P.], cksum 0xe806 (correct), seq 452:681, ack 342, win 2093, options [nop,nop,TS val 1603721 ecr 87587436], length 229
14:34:35.480415 IP (tos 0x0, ttl 57, id 30727, offset 0, flags [DF], proto TCP (6), length 224) 200.236.31.3.80 > 200.0.10.2.43022: Flags [P.], cksum 0xc510 (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87587437 ecr 1603721], length 172
14:34:35.480442 IP (tos 0x0, ttl 56, id 30727, offset 0, flags [DF], proto TCP (6), length 224) 200.236.31.3.80 > 192.168.1.22.43022: Flags [P.], cksum 0xd554 (correct), seq 342:514, ack 681, win 118, options [nop,nop,TS val 87587437 ecr 1603721], length 172
14:34:35.490315 IP (tos 0x0, ttl 64, id 64721, offset 0, flags [DF], proto TCP (6), length 298) 192.168.1.22.43022 > 200.236.31.3.80: Flags [P.], cksum 0x5cd4 (correct), seq 681:927, ack 514, win 2227, options [nop,nop,TS val 1603726 ecr 87587437], length 246
14:34:35.490351 IP (tos 0x0, ttl 63, id 64721, offset 0, flags [DF], proto TCP (6), length 298)
Note that everything to port 80 now left through link1: each packet from 192.168.1.22 (ttl 64) reappears with source 200.0.10.2, link1's address (ttl 63), and the replies from 200.236.31.3 come back to 200.0.10.2 before being translated to 192.168.1.22.
Now let's test port 587.
Start a capture for port 587 on the server:
tcpdump -i any -n -v port 587
Then, on the client, open a connection to Gmail's submission port:
telnet smtp.gmail.com 587
Trying 74.125.137.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP v22sm112112273yhn.12 - gsmtp
ehlo mx.google.com
250-mx.google.com at your service, [177.16.190.184]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 CHUNKING
quit
221 2.0.0 closing connection v22sm112112273yhn.12 - gsmtp
Connection closed by foreign host.
Now let's look at the tcpdump output.
tcpdump -i any -n -v port 587
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:37:21.324860 IP (tos 0x10, ttl 64, id 7918, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.22.56064 > 74.125.137.108.587: Flags [S], cksum 0x148a (correct), seq 1752499311, win 14600, options [mss 1460,sackOK,TS val 1645185 ecr 0,nop,wscale 3], length 0
14:37:21.325283 IP (tos 0x10, ttl 63, id 7918, offset 0, flags [DF], proto TCP (6), length 60) 200.0.20.2.56064 > 74.125.137.108.587: Flags [S], cksum 0xfa45 (correct), seq 1752499311, win 14600, options [mss 1460,sackOK,TS val 1645185 ecr 0,nop,wscale 3], length 0
14:37:21.469869 IP (tos 0x0, ttl 43, id 38060, offset 0, flags [none], proto TCP (6), length 60) 74.125.137.108.587 > 200.0.20.2.56064: Flags [S.], cksum 0x6150 (correct), seq 1680258992, ack 1752499312, win 42540, options [mss 1430,sackOK,TS val 987682085 ecr 1645185,nop,wscale 6], length 0
14:37:21.469928 IP (tos 0x0, ttl 42, id 38060, offset 0, flags [none], proto TCP (6), length 60) 74.125.137.108.587 > 192.168.1.22.56064: Flags [S.], cksum 0x7b94 (correct), seq 1680258992, ack 1752499312, win 42540, options [mss 1430,sackOK,TS val 987682085 ecr 1645185,nop,wscale 6], length 0
14:37:21.470429 IP (tos 0x10, ttl 64, id 7919, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x4929 (correct), ack 1, win 1825, options [nop,nop,TS val 1645221 ecr 987682085], length 0
14:37:21.470452 IP (tos 0x10, ttl 63, id 7919, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x2ee5 (correct), ack 1, win 1825, options [nop,nop,TS val 1645221 ecr 987682085], length 0
14:37:21.615668 IP (tos 0x0, ttl 44, id 38061, offset 0, flags [none], proto TCP (6), length 106) 74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x1524 (correct), seq 1:55, ack 1, win 665, options [nop,nop,TS val 987682231 ecr 1645221], length 54
14:37:21.615713 IP (tos 0x0, ttl 43, id 38061, offset 0, flags [none], proto TCP (6), length 106) 74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x2f68 (correct), seq 1:55, ack 1, win 665, options [nop,nop,TS val 987682231 ecr 1645221], length 54
14:37:21.616245 IP (tos 0x10, ttl 64, id 7920, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x483d (correct), ack 55, win 1825, options [nop,nop,TS val 1645257 ecr 987682231], length 0
14:37:21.616268 IP (tos 0x10, ttl 63, id 7920, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x2df9 (correct), ack 55, win 1825, options [nop,nop,TS val 1645257 ecr 987682231], length 0
14:37:27.637712 IP (tos 0x10, ttl 64, id 7921, offset 0, flags [DF], proto TCP (6), length 72) 192.168.1.22.56064 > 74.125.137.108.587: Flags [P.], cksum 0xe9b4 (correct), seq 1:21, ack 55, win 1825, options [nop,nop,TS val 1646763 ecr 987682231], length 20
14:37:27.637757 IP (tos 0x10, ttl 63, id 7921, offset 0, flags [DF], proto TCP (6), length 72) 200.0.20.2.56064 > 74.125.137.108.587: Flags [P.], cksum 0xcf70 (correct), seq 1:21, ack 55, win 1825, options [nop,nop,TS val 1646763 ecr 987682231], length 20
14:37:27.781158 IP (tos 0x0, ttl 44, id 38062, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 200.0.20.2.56064: Flags [.], cksum 0x1475 (correct), ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 0
14:37:27.781205 IP (tos 0x0, ttl 43, id 38062, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 192.168.1.22.56064: Flags [.], cksum 0x2eb9 (correct), ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 0
14:37:27.781648 IP (tos 0x0, ttl 44, id 38063, offset 0, flags [none], proto TCP (6), length 191) 74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x2633 (correct), seq 55:194, ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 139
14:37:27.781664 IP (tos 0x0, ttl 43, id 38063, offset 0, flags [none], proto TCP (6), length 191) 74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x4077 (correct), seq 55:194, ack 21, win 665, options [nop,nop,TS val 987688397 ecr 1646763], length 139
14:37:27.781967 IP (tos 0x10, ttl 64, id 7922, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x28fc (correct), ack 194, win 1959, options [nop,nop,TS val 1646799 ecr 987688397], length 0
14:37:27.781985 IP (tos 0x10, ttl 63, id 7922, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x0eb8 (correct), ack 194, win 1959, options [nop,nop,TS val 1646799 ecr 987688397], length 0
14:37:29.557360 IP (tos 0x10, ttl 64, id 7923, offset 0, flags [DF], proto TCP (6), length 58) 192.168.1.22.56064 > 74.125.137.108.587: Flags [P.], cksum 0x3f3e (correct), seq 21:27, ack 194, win 1959, options [nop,nop,TS val 1647243 ecr 987688397], length 6
14:37:29.557413 IP (tos 0x10, ttl 63, id 7923, offset 0, flags [DF], proto TCP (6), length 58) 200.0.20.2.56064 > 74.125.137.108.587: Flags [P.], cksum 0x24fa (correct), seq 21:27, ack 194, win 1959, options [nop,nop,TS val 1647243 ecr 987688397], length 6
14:37:29.702451 IP (tos 0x0, ttl 44, id 38064, offset 0, flags [none], proto TCP (6), length 111) 74.125.137.108.587 > 200.0.20.2.56064: Flags [P.], cksum 0x50ba (correct), seq 194:253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 59
14:37:29.702491 IP (tos 0x0, ttl 43, id 38064, offset 0, flags [none], proto TCP (6), length 111) 74.125.137.108.587 > 192.168.1.22.56064: Flags [P.], cksum 0x6afe (correct), seq 194:253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 59
14:37:29.703023 IP (tos 0x0, ttl 43, id 38065, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 200.0.20.2.56064: Flags [F.], cksum 0x0a48 (correct), seq 253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 0
14:37:29.703039 IP (tos 0x0, ttl 42, id 38065, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 192.168.1.22.56064: Flags [F.], cksum 0x248c (correct), seq 253, ack 27, win 665, options [nop,nop,TS val 987690317 ecr 1647243], length 0
14:37:29.703108 IP (tos 0x10, ttl 64, id 7924, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [.], cksum 0x1f5b (correct), ack 253, win 1959, options [nop,nop,TS val 1647279 ecr 987690317], length 0
14:37:29.703125 IP (tos 0x10, ttl 63, id 7924, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [.], cksum 0x0517 (correct), ack 253, win 1959, options [nop,nop,TS val 1647279 ecr 987690317], length 0
14:37:29.703566 IP (tos 0x10, ttl 64, id 7925, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.56064 > 74.125.137.108.587: Flags [F.], cksum 0x1f58 (correct), seq 27, ack 254, win 1959, options [nop,nop,TS val 1647280 ecr 987690317], length 0
14:37:29.703584 IP (tos 0x10, ttl 63, id 7925, offset 0, flags [DF], proto TCP (6), length 52) 200.0.20.2.56064 > 74.125.137.108.587: Flags [F.], cksum 0x0514 (correct), seq 27, ack 254, win 1959, options [nop,nop,TS val 1647280 ecr 987690317], length 0
14:37:29.848099 IP (tos 0x0, ttl 43, id 38066, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 200.0.20.2.56064: Flags [.], cksum 0x0990 (correct), ack 28, win 665, options [nop,nop,TS val 987690463 ecr 1647280], length 0
14:37:29.848141 IP (tos 0x0, ttl 42, id 38066, offset 0, flags [none], proto TCP (6), length 52) 74.125.137.108.587 > 192.168.1.22.56064: Flags [.], cksum 0x23d4 (correct), ack 28, win 665, options [nop,nop,TS val 987690463 ecr 1647280], length 0
Now note that the port 587 connection left through link2: the SYN from 192.168.1.22 reappears with source 200.0.20.2, link2's address, and every reply from 74.125.137.108 arrives at 200.0.20.2 before being translated back to the client.
Everything working :D
Now let's adjust our script so it still balances between the two links, but marks packets by destination port to decide which link they leave through. The marks are set in the mangle table (PREROUTING for traffic forwarded from the LAN, OUTPUT for traffic the server itself generates) and two "ip rule ... fwmark" entries send marked packets to table link1 or link2. Anything unmarked keeps following the multipath default route. One caveat: on Wheezy's 3.2 kernel the route cache keeps every unmarked flow on a single nexthop, but kernels 3.6 through 4.3 removed that cache and balance the same multipath route per packet, which splits one connection across both links and breaks MASQUERADEd sessions.
vim /etc/init.d/rc.lb
#!/bin/sh
#Autor: Douglas Q. dos Santos
#Data: 30/09/2013
#--------------------------------------------------------------------------
#License: http://creativecommons.org/licenses/by-sa/3.0/legalcode
#
#--------------------------------------------------------------------------
### BEGIN INIT INFO
# Provides:          rc.lb
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Link balancing
### END INIT INFO

### COLORS USED BY THE SCRIPT ###
GREY="\033[01;30m"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
PURPLE="\033[01;35m"
CYAN="\033[01;36m"
WHITE="\033[01;37m"
CLOSE="\033[m"

# VARIABLES USED BY THE SCRIPT
IP="/sbin/ip"
ROUTE="/sbin/route"
IPTABLES="/sbin/iptables"
PORTS_LINK1="/etc/iproute2/ports_link1"
PORTS_LINK2="/etc/iproute2/ports_link2"
LO="127.0.0.0/8"
LAN="192.168.1.0/24"
INT_LAN="eth0"
LINK1="200.0.10.0/28"
IP_LINK1="200.0.10.2"
GW_LINK1="200.0.10.1"
INT_LINK1="eth1"
PESO_LINK1="1"
LINK2="200.0.20.0/28"
IP_LINK2="200.0.20.2"
GW_LINK2="200.0.20.1"
INT_LINK2="eth2"
PESO_LINK2="1"

case $1 in
  start)
    echo "${GREEN}[ INICIANDO O BALANCEAMENTO ]${CLOSE}"
    # LINK1 NETWORK IN TABLE link1
    ${IP} route add ${LINK1} dev ${INT_LINK1} src ${IP_LINK1} table link1
    # DEFAULT ROUTE OF TABLE link1
    ${IP} route add default via ${GW_LINK1} table link1
    # LINK2 NETWORK IN TABLE link2
    ${IP} route add ${LINK2} dev ${INT_LINK2} src ${IP_LINK2} table link2
    # DEFAULT ROUTE OF TABLE link2
    ${IP} route add default via ${GW_LINK2} table link2
    # SOURCE RULES: TRAFFIC FROM A LINK'S OWN ADDRESS ALWAYS LEAVES THROUGH THAT LINK
    ${IP} rule add from ${IP_LINK1} table link1
    ${IP} rule add from ${IP_LINK2} table link2
    # LAN, OTHER LINK AND LOOPBACK ROUTES IN EACH TABLE
    ${IP} route add ${LAN} dev ${INT_LAN} table link1
    ${IP} route add ${LINK2} dev ${INT_LINK2} table link1
    ${IP} route add ${LO} dev lo table link1
    ${IP} route add ${LAN} dev ${INT_LAN} table link2
    ${IP} route add ${LINK1} dev ${INT_LINK1} table link2
    ${IP} route add ${LO} dev lo table link2
    # MULTIPATH DEFAULT ROUTE IN THE MAIN TABLE: BALANCES WHATEVER IS NOT MARKED
    ${IP} route add default nexthop via ${GW_LINK1} dev ${INT_LINK1} weight ${PESO_LINK1} nexthop via ${GW_LINK2} dev ${INT_LINK2} weight ${PESO_LINK2}
    # MARK PACKETS THAT MUST LEAVE THROUGH LINK1
    for PORT in $(cat ${PORTS_LINK1}); do
      ${IPTABLES} -t mangle -A PREROUTING -p tcp -s ${LAN} --dport ${PORT} -j MARK --set-mark 1 -m comment --comment "LINK 1"
      ${IPTABLES} -t mangle -A OUTPUT -p tcp -s ${LAN} --dport ${PORT} -j MARK --set-mark 1 -m comment --comment "LINK 1"
    done
    # MARK PACKETS THAT MUST LEAVE THROUGH LINK2
    for PORT in $(cat ${PORTS_LINK2}); do
      ${IPTABLES} -t mangle -A PREROUTING -p tcp -s ${LAN} --dport ${PORT} -j MARK --set-mark 2 -m comment --comment "LINK 2"
      ${IPTABLES} -t mangle -A OUTPUT -p tcp -s ${LAN} --dport ${PORT} -j MARK --set-mark 2 -m comment --comment "LINK 2"
    done
    # POLICY RULES THAT SEND MARKED PACKETS TO THE MATCHING TABLE
    ${IP} rule add fwmark 1 table link1
    ${IP} rule add fwmark 2 table link2
    # MASQUERADE THE LAN (THE SOURCE ADDRESS FOLLOWS THE EGRESS INTERFACE)
    ${IPTABLES} -t nat -A POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${GREEN}[ BALANCEAMENTO INICIADO ]${CLOSE}"
  ;;
  stop)
    echo "${RED}[ PARANDO BALANCEAMENTO ]${CLOSE}"
    ${ROUTE} del default
    ${IP} route flush table link1
    ${IP} route flush table link2
    ${IP} rule del from ${IP_LINK1} table link1
    ${IP} rule del from ${IP_LINK2} table link2
    ${IPTABLES} -t mangle -F
    # REMOVE THE fwmark RULES ADDED BY start
    ${IP} rule del fwmark 1 table link1
    ${IP} rule del fwmark 2 table link2
    # REMOVE THE MASQUERADE RULE SO A RESTART DOES NOT APPEND A DUPLICATE
    ${IPTABLES} -t nat -D POSTROUTING -s ${LAN} -j MASQUERADE
    echo "${RED}[ BALANCEAMENTO PARADO ]${CLOSE}"
  ;;
  restart)
    $0 stop
    $0 start
  ;;
  *)
    echo "${RED}Opcoes Validas:(start|stop|restart)${CLOSE}"
  ;;
esac
Now let's create the files that hold which ports leave through which link. The script reads them with $(cat ...), so the ports may be one per line or separated by spaces.
The file that controls which ports leave through link1:
vim /etc/iproute2/ports_link1
80
443
20
21
The file that controls which ports leave through link2:
vim /etc/iproute2/ports_link2
25
110
143
587
993
995
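The two for loops in the script above emit one MARK rule per port and re-evaluate the destination port for every packet, and a stray non-numeric entry in a port file makes iptables fail half-way, leaving the remaining ports unmarked and silently handed to the multipath default. The generator below is an added example, not the page's script: it reads the same two port files, validates every entry before anything touches iptables, groups ports with -m multiport (15 per rule, the module's limit), marks only the first packet of a connection (-m conntrack --ctstate NEW) and stores the mark in the conntrack entry with CONNMARK, so every later packet of that connection inherits it. It prints the iptables commands instead of running them. The file paths, LAN range, chains and mark values are the page's; the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: validated, connection-sticky generation of the mangle rules.
# Prints iptables commands; pipe the output into sh to apply them.
LAN="192.168.1.0/24"
PORTS_LINK1="${PORTS_LINK1:-/etc/iproute2/ports_link1}"
PORTS_LINK2="${PORTS_LINK2:-/etc/iproute2/ports_link2}"

# valid_ports FILE: print the unique ports from FILE in ascending order, or
# fail on the first entry that is not a number in 1..65535. Entries may be
# one per line or space separated, as the init script accepts.
valid_ports() {
    tr -s ' \t' '\n\n' < "$1" | sed '/^$/d' | sort -un | while read -r p; do
        case "$p" in
            *[!0-9]*|"") echo "invalid port entry '$p' in $1" >&2; exit 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port $p out of range in $1" >&2; exit 1; }
        echo "$p"
    done
}

# mark_rules LINK MARK FILE: rules that mark NEW LAN connections to the ports in
# FILE with MARK, in PREROUTING (forwarded) and OUTPUT (locally generated).
# multiport accepts at most 15 ports, so longer lists become several rules.
mark_rules() {
    link="$1"; mark="$2"; file="$3"
    ports=$(valid_ports "$file") || return 1
    set -- $ports
    while [ "$#" -gt 0 ]; do
        chunk=""; n=0
        while [ "$#" -gt 0 ] && [ "$n" -lt 15 ]; do
            chunk="${chunk:+$chunk,}$1"; shift; n=$((n + 1))
        done
        for chain in PREROUTING OUTPUT; do
            echo "iptables -t mangle -A $chain -p tcp -s $LAN -m conntrack --ctstate NEW -m multiport --dports $chunk -j MARK --set-mark $mark -m comment --comment \"LINK $link\""
        done
    done
}

# all_rules: the complete mangle ruleset. Order matters: first restore a mark
# already saved for this connection and stop (ACCEPT only ends the mangle
# traversal; nat and filter still run), then classify new connections, then
# save whatever mark was set into the conntrack entry.
all_rules() {
    for chain in PREROUTING OUTPUT; do
        echo "iptables -t mangle -A $chain -j CONNMARK --restore-mark"
        echo "iptables -t mangle -A $chain -m mark ! --mark 0 -j ACCEPT"
    done
    mark_rules 1 1 "$PORTS_LINK1" || return 1
    mark_rules 2 2 "$PORTS_LINK2" || return 1
    for chain in PREROUTING OUTPUT; do
        echo "iptables -t mangle -A $chain -m mark ! --mark 0 -j CONNMARK --save-mark"
    done
}

# Usage: sh rc.marks.sh --check            validate both port files
#        sh rc.marks.sh --rules > /tmp/marks.sh && sh /tmp/marks.sh
case "${1:-}" in
    "")      : ;;
    --check) valid_ports "$PORTS_LINK1" >/dev/null && valid_ports "$PORTS_LINK2" >/dev/null && echo "port files OK" ;;
    --rules) all_rules ;;
esac
```

Generate into a file and apply it only when generation succeeded, as the usage line does, so a typo aborts before any rule is loaded rather than after half of them. The fwmark ip rules, the per-table routes and the MASQUERADE rule from the init script are still needed; this only replaces the two marking loops.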
Now let's stop the balancing script, so the routes and rules of the previous version are removed before the new one is loaded.
/etc/init.d/rc.lb stop
[ PARANDO BALANCEAMENTO ]
[ BALANCEAMENTO PARADO ]
Now let's list the iproute rules; only the three default ones should be left.
ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
Now let's list the mangle table rules; every chain should be empty.
iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 147 packets, 11496 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 147 packets, 11496 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 73 packets, 7540 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 73 packets, 7540 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now let's bring the balancing up.
/etc/init.d/rc.lb start
[ INICIANDO O BALANCEAMENTO ]
[ BALANCEAMENTO INICIADO ]
Now let's list the iproute rules again.
ip rule show
0:      from all lookup local
32762:  from all fwmark 0x2 lookup link2
32763:  from all fwmark 0x1 lookup link1
32764:  from 200.0.20.2 lookup link2
32765:  from 200.0.10.2 lookup link1
32766:  from all lookup main
32767:  from all lookup default
Rules are evaluated in ascending priority order, and "ip rule add" without an explicit priority takes the next number below the lowest existing one. The fwmark rules were added last, so they got 32762 and 32763 and are consulted before the source-based rules and before the main table: a marked packet is routed by its link's table no matter what the multipath default says.
Now let's look at the mangle table rules.
iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 130 packets, 10960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:80 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:20 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:21 /* LINK 1 */ MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:25 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:110 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:143 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:587 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:993 /* LINK 2 */ MARK set 0x2
    0     0 MARK       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:995 /* LINK 2 */ MARK set 0x2

Chain INPUT (policy ACCEPT 130 packets, 10960 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 59 packets, 6316 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 59 packets, 6316 bytes)
 pkts bytes target     prot opt in     out     source               destination
Note that ports 80, 443, 20 and 21 are marked 0x1, so they leave through link1, and ports 25, 110, 143, 587, 993 and 995 are marked 0x2, so they leave through link2. The pkts and bytes counters are still 0 because no LAN traffic to those ports has crossed the server since the rules were loaded; repeat the tcpdump tests above and they should start counting.