Всем привет, по материалам статей:
http://www.ssi.bg/~ja/nano.txt
http://lartc.org/howto/lartc.rpdb.multiple-links.html
http://linux.icf.bofh.ru/OTHER/7/mc_route.txt.html
http://www.samag.com/documents/s=1824/sam0201h/0201h.htm
Попытался настроить мультипл-гейтвей для балансировки нагрузки интернет-канала.
Получился следующий скрипт:
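#!/usr/bin/env bash
# Two-uplink (eth1 / eth2) router with SNAT for the LAN, after the nano.txt and
# LARTC "multiple links" recipes:
#   - tables 201 / 202: one default route per uplink, selected by the packet's
#     source address, so replies leave through the link they arrived on;
#   - table 222: equal-weight multipath default for everything else.
# Requires root (ip, iptables). Rules are appended (-A), so the distribution's
# existing ruleset stays in place and runs first.
#
# Caveat: a multipath route carries no per-nexthop preferred source, so the
# kernel may pick one uplink's address as src while routing via the other
# (this is what `ip route get` shows). LAN traffic is already rewritten by the
# per-uplink SNAT rules; the extra "! -s <own address>" SNAT rules below do the
# same for packets the router itself originates. `ip route get` will still
# print the routing-chosen src, because it reports the decision made before NAT.
set -u

# All addresses in one place so the eth1/eth2 values cannot drift apart.
readonly LAN_NET=192.168.0.0/24
readonly LAN_CIDR=192.168.0.15/24

readonly ISP1_DEV=eth1
readonly ISP1_IP=62.118.13.67
readonly ISP1_CIDR="${ISP1_IP}/28"
readonly ISP1_NET=62.118.13.64/28
readonly ISP1_GW=62.118.13.65
readonly ISP1_TABLE=201

readonly ISP2_DEV=eth2
readonly ISP2_IP=80.240.100.147
readonly ISP2_CIDR="${ISP2_IP}/29"
readonly ISP2_NET=80.240.100.144/29
readonly ISP2_GW=80.240.100.145
readonly ISP2_TABLE=202

readonly MULTIPATH_TABLE=222

# Every command below rewrites kernel state; without root they all fail.
if (( EUID != 0 )); then
  printf '%s\n' "this script must run as root (it rewrites addresses, routes and iptables rules)" >&2
  exit 1
fi

#######################################
# Bring a link up and leave it with exactly one address.
# Arguments: $1 - device name, $2 - address in CIDR form
# Note: flushing the device you are logged in through (eth0) drops that session.
#######################################
set_addr() {
  local dev=$1
  local cidr=$2
  ip link set "$dev" up
  ip addr flush dev "$dev"
  ip addr add "$cidr" brd + dev "$dev"
}

# --- NAT ---------------------------------------------------------------------
# LAN clients: rewrite to the address of whichever uplink the packet leaves on.
iptables -t nat -A POSTROUTING -o "$ISP1_DEV" -s "$LAN_NET" -j SNAT --to "$ISP1_IP"
iptables -t nat -A POSTROUTING -o "$ISP2_DEV" -s "$LAN_NET" -j SNAT --to "$ISP2_IP"
# Locally originated traffic: table 222 may hand the kernel the other uplink's
# address as src; rewrite it on the way out so the packet is not dropped by the
# provider's ingress filtering.
iptables -t nat -A POSTROUTING -o "$ISP1_DEV" ! -s "$ISP1_IP" -j SNAT --to "$ISP1_IP"
iptables -t nat -A POSTROUTING -o "$ISP2_DEV" ! -s "$ISP2_IP" -j SNAT --to "$ISP2_IP"
# NOTE(review): these rules match on source only and do not restrict the
# ingress interface; anti-spoofing for the LAN prefix is left to the filter
# table / rp_filter — confirm the distribution ruleset covers it.

# --- connection-tracking shortcut ---------------------------------------------
# keep_state: ACCEPT packets of already tracked connections, otherwise RETURN
# to the calling chain. Created in both tables because each table has its own
# chain namespace.
# NOTE: the nat table is consulted only for the first packet of a connection,
# so in nat this chain can only ever match RELATED; it is kept for symmetry.
for table in filter nat; do
  iptables -t "$table" -N keep_state
  iptables -t "$table" -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -t "$table" -A keep_state -j RETURN
done
# Hook the chain into every built-in chain of both tables.
for chain in PREROUTING POSTROUTING OUTPUT; do
  iptables -t nat -A "$chain" -j keep_state
done
for chain in INPUT FORWARD OUTPUT; do
  iptables -t filter -A "$chain" -j keep_state
done

# --- addresses -----------------------------------------------------------------
set_addr lo 127.0.0.1/8
set_addr eth0 "$LAN_CIDR"
set_addr "$ISP1_DEV" "$ISP1_CIDR"
set_addr "$ISP2_DEV" "$ISP2_CIDR"

# --- policy routing ------------------------------------------------------------
# main first (directly connected networks), then the per-uplink tables chosen
# by source address, then the multipath default as the last resort.
ip rule add prio 50 table main
ip rule add prio "$ISP1_TABLE" from "$ISP1_NET" table "$ISP1_TABLE"
ip rule add prio "$ISP2_TABLE" from "$ISP2_NET" table "$ISP2_TABLE"
ip rule add prio "$MULTIPATH_TABLE" table "$MULTIPATH_TABLE"

# main must not hold a default route, otherwise the prio-50 rule would
# short-circuit the per-uplink tables. Fails harmlessly if none is present.
ip route del default table main

# Per-uplink tables: default via that ISP's gateway with the matching source.
# The prohibit entry (metric 1) makes a lookup that misses the gateway route
# terminate in this table instead of falling through to the next rule.
ip route add default via "$ISP1_GW" dev "$ISP1_DEV" src "$ISP1_IP" proto static table "$ISP1_TABLE"
ip route append prohibit default table "$ISP1_TABLE" metric 1 proto static
ip route add default via "$ISP2_GW" dev "$ISP2_DEV" src "$ISP2_IP" proto static table "$ISP2_TABLE"
ip route append prohibit default table "$ISP2_TABLE" metric 1 proto static

# Equal-weight multipath default for new outbound flows (no per-nexthop src is
# possible here — see the caveat at the top).
ip route add default table "$MULTIPATH_TABLE" proto static \
  nexthop via "$ISP1_GW" dev "$ISP1_DEV" \
  nexthop via "$ISP2_GW" dev "$ISP2_DEV"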
В результате имею:
[root@feudor ~]# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
keep_state all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
keep_state all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain keep_state (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
[root@feudor ~]# iptables --list --table nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:62.118.13.67
SNAT all -- 192.168.0.0/24 anywhere to:80.240.100.147
keep_state all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain keep_state (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
[root@feudor ~]# iptables --list --table filter
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
keep_state all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
keep_state all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain keep_state (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:84:3c:2f:23 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.15/24 brd 192.168.0.255 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:84:3c:60:69 brd ff:ff:ff:ff:ff:ff
inet 62.118.13.67/28 brd 62.118.13.79 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:84:3c:2f:6f brd ff:ff:ff:ff:ff:ff
inet 80.240.100.147/29 brd 80.240.100.151 scope global eth2
[root@feudor ~]# ip rule
0: from all lookup local
50: from all lookup main
201: from 62.118.13.64/28 lookup 201
202: from 80.240.100.144/29 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default
[root@feudor ~]# ip route list tab local
broadcast 192.168.0.255 dev eth0 proto kernel scope link src 192.168.0.15
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 62.118.13.79 dev eth1 proto kernel scope link src 62.118.13.67
local 192.168.0.15 dev eth0 proto kernel scope host src 192.168.0.15
local 80.240.100.147 dev eth2 proto kernel scope host src 80.240.100.147
broadcast 192.168.0.0 dev eth0 proto kernel scope link src 192.168.0.15
broadcast 80.240.100.144 dev eth2 proto kernel scope link src 80.240.100.147
broadcast 80.240.100.151 dev eth2 proto kernel scope link src 80.240.100.147
broadcast 62.118.13.64 dev eth1 proto kernel scope link src 62.118.13.67
local 62.118.13.67 dev eth1 proto kernel scope host src 62.118.13.67
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
[root@feudor ~]# ip route list tab main
80.240.100.144/29 dev eth2 proto kernel scope link src 80.240.100.147
62.118.13.64/28 dev eth1 proto kernel scope link src 62.118.13.67
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.15
[root@feudor ~]# ip route list tab 201
default via 62.118.13.65 dev eth1 proto static src 62.118.13.67
prohibit default proto static metric 1
[root@feudor ~]# ip route list tab 202
default via 80.240.100.145 dev eth2 proto static src 80.240.100.147
prohibit default proto static metric 1
[root@feudor ~]# ip route list tab 222
default proto static
nexthop via 62.118.13.65 dev eth1 weight 1
nexthop via 80.240.100.145 dev eth2 weight 1
А теперь проблема:
[root@feudor ~]# ip route get 129.42.16.103
129.42.16.103 via 80.240.100.145 dev eth2 src 62.118.13.67
cache mtu 1500 advmss 1460 metric 10 64
src неправильный, что с этим делать не знаю :(