I have a Linux box acting as a router/firewall with 2 internet providers connected to it. I want to use it for load sharing with failover. I did this many years ago and it was very simple: just add 2 routing tables for the 2 connections, then use a default route with 2 nexthops and the desired weights:
ip route add default scope global nexthop via 1.2.3.4 dev dev100 weight 10
Linux would then randomly add routes to the cache, splitting connections between the links.
But now I find that this no longer works on Linux 3.16: there is no route cache, all my old scripts don't work and I cannot establish connections.
My configuration is:
-------------
- ip route list table prov1
default via 217.147.175.129 dev eth1
46.164.150.48/29 dev eth2 scope link src 46.164.150.51
127.0.0.0/8 dev lo scope link
172.16.0.0/16 dev br0 scope link src 172.16.1.1
217.147.175.128/25 dev eth1 scope link src 217.147.175.165
-------------
- ip route list table prov2
default via 46.164.150.49 dev eth2
46.164.150.48/29 dev eth2 scope link src 46.164.150.51
127.0.0.0/8 dev lo scope link
172.16.0.0/16 dev br0 scope link src 172.16.1.1
217.147.175.128/25 dev eth1 scope link src 217.147.175.165
-------------
- ip route list table main
default
        nexthop via 217.147.175.129 dev eth1 weight 10
        nexthop via 46.164.150.49 dev eth2 weight 10
46.164.150.48/29 dev eth2 proto kernel scope link src 46.164.150.51
172.16.0.0/16 dev br0 proto kernel scope link src 172.16.1.1
176.37.229.77 via 217.147.175.129 dev eth1
195.12.244.0/22 via 217.147.175.129 dev eth1
213.248.127.0/24 via 217.147.175.129 dev eth1
217.147.175.128/25 dev eth1 proto kernel scope link src 217.147.175.165
239.0.0.0/8 dev br0 scope link
--------------
- ip route list table default
--------------------
- ip rule list
0:      from all lookup local
32756:  from all fwmark 0xb iif br0 lookup prov2
32757:  from all fwmark 0xa iif br0 lookup prov1
32758:  from 46.164.150.51 lookup prov2
32760:  from 217.147.175.165 lookup prov1
32766:  from all lookup main
32767:  from all lookup default

cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
10      prov1
11      prov2
But with this configuration everything works fine for the host itself, while it does not work for hosts NATed behind it. More specifically, this is what I see from a NATed host:
vik@Pro:~ $ ping 193.193.193.100
PING 193.193.193.100 (193.193.193.100): 56 data bytes
64 bytes from 193.193.193.100: icmp_seq=0 ttl=59 time=3.737 ms
64 bytes from 193.193.193.100: icmp_seq=1 ttl=59 time=4.198 ms
64 bytes from 193.193.193.100: icmp_seq=2 ttl=59 time=3.934 ms
Request timeout for icmp_seq 3
64 bytes from 193.193.193.100: icmp_seq=4 ttl=60 time=3.650 ms
64 bytes from 193.193.193.100: icmp_seq=5 ttl=60 time=3.616 ms
Request timeout for icmp_seq 6
64 bytes from 193.193.193.100: icmp_seq=7 ttl=60 time=3.509 ms
64 bytes from 193.193.193.100: icmp_seq=8 ttl=60 time=3.417 ms
64 bytes from 193.193.193.100: icmp_seq=9 ttl=60 time=3.635 ms
Request timeout for icmp_seq 10
As you can see, a lot of packets are lost. And hosts behind this Linux router cannot open web pages etc.; connections are simply dropped:
$ telnet google.com 80
Trying 173.194.113.201...
Connected to google.com.
Escape character is '^]'.
get / http/1.0
Connection closed by foreign host.
I tried to find some manuals and found suggestions to CONNMARK packets, like:
iptables -t mangle -A PREROUTING -i eth1 --dst 217.147.175.165 -m state --state NEW,RELATED -j CONNMARK --set-mark 10
iptables -t mangle -A PREROUTING -i eth2 --dst 46.164.150.51 -m state --state NEW,RELATED -j CONNMARK --set-mark 11
iptables -t mangle -A PREROUTING -i br0 -m state --state ESTABLISHED -j CONNMARK --restore-mark
But it didn't help at all. Please help :)
It looks like the packet loss is caused by return packets not matching the source route. IP routing is stateless. I think you can follow this link to achieve dual WAN.
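The answer's point is that routing itself keeps no per-connection state, so the state has to come from conntrack: the question's CONNMARK rules mark only connections that arrive on a WAN, and never mark connections that LAN hosts open, so those still fall through to the multipath default route in `main` and get spread packet by packet over both providers while the SNAT mapping was fixed on the first packet. The following script is an added example and not from the question, the answer, or any project the page refers to. It reuses the interface names, gateways, addresses, table names and marks from the question and assumes the standard iptables extensions (`conntrack`, `mark`, `statistic`, `CONNMARK`, `MARK`, `SNAT`). By default it only prints the commands; set `APPLY=1` to execute them on the router.

```shell
#!/bin/sh
# Multi-WAN policy routing with per-connection WAN pinning.
# Added example; values below are taken from the question, not from a real deployment.
LAN=br0
WAN1=eth1; GW1=217.147.175.129; IP1=217.147.175.165; TBL1=prov1; MARK1=10
WAN2=eth2; GW2=46.164.150.49;   IP2=46.164.150.51;   TBL2=prov2; MARK2=11

# Dry run unless APPLY=1: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

policy_routes() {
    # One table per provider: a default route via that provider's gateway plus
    # the LAN prefix, so replies to LAN hosts can be routed from inside the table.
    run ip route replace default via "$GW1" dev "$WAN1" table "$TBL1"
    run ip route replace 172.16.0.0/16 dev "$LAN" table "$TBL1"
    run ip route replace default via "$GW2" dev "$WAN2" table "$TBL2"
    run ip route replace 172.16.0.0/16 dev "$LAN" table "$TBL2"
    # Traffic generated by the router itself: choose the table by source address.
    run ip rule add from "$IP1" lookup "$TBL1" pref 100
    run ip rule add from "$IP2" lookup "$TBL2" pref 101
    # Forwarded traffic: choose the table by the mark restored from conntrack.
    run ip rule add fwmark "$MARK1" lookup "$TBL1" pref 110
    run ip rule add fwmark "$MARK2" lookup "$TBL2" pref 111
    # Loose reverse-path filtering: a strict check would drop packets whose
    # reply path differs from the interface they arrived on.
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2
}

connmark_rules() {
    # 1. Every packet first inherits the mark already stored on its connection.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. New connections arriving on a WAN are pinned to that WAN, so the
    #    replies leave through the provider the request came from.
    run iptables -t mangle -A PREROUTING -i "$WAN1" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK2"
    # 3. New connections opened by LAN hosts get a provider chosen once, on the
    #    first packet (roughly 50/50); later packets never reach these rules
    #    because step 1 has already given them a non-zero mark.
    run iptables -t mangle -A PREROUTING -i "$LAN" -m conntrack --ctstate NEW -m mark --mark 0 \
        -m statistic --mode random --probability 0.5 -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$LAN" -m conntrack --ctstate NEW -m mark --mark 0 \
        -j MARK --set-mark "$MARK2"
    # 4. Persist the decision in the conntrack entry for the rest of the flow.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # 5. Source NAT per egress interface. Conntrack fixes the mapping on the first
    #    packet; because the mark keeps the whole flow on one interface, the
    #    mapped source address always matches the interface the packet leaves on.
    run iptables -t nat -A POSTROUTING -o "$WAN1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -o "$WAN2" -j SNAT --to-source "$IP2"
}

policy_routes
connmark_rules
```

The rules here replace both the multipath default route in `main` and the `iif br0` qualifier on the question's `fwmark` rules; with the mark restored in `mangle PREROUTING`, the table lookup works for whichever interface a packet of a pinned flow arrives on. Failover is then a separate health check that deletes and re-adds the `fwmark`/`from` rules of a provider that stops answering, and it only affects new connections, since existing ones stay pinned to the provider stored in their conntrack entry.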