负载平衡 PPTP 连接

负载平衡 PPTP 连接

我正在尝试对连接到同一台服务器的两个 PPTP 连接进行负载平衡。我使用了以下脚本,但 PPTP 连接上没有任何数据收发。我哪里做错了?有没有更好的方法来实现这一点?我也尝试过 ip route 命令的 nexthop 模式,但问题是:到同一 IP 的多个连接总是经由同一个接口路由。

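#!/bin/bash
#
# Bring up two PPTP tunnels (ppp101, ppp102) to the same server and try to
# spread new locally generated connections across them using fwmark-based
# policy routing. This is the script from the question; the routing and
# iptables rule set is unchanged. The changes are defensive only: expansions
# are quoted, only the first IPv4 address of an interface is used, and the
# script stops if a tunnel or an address lookup fails instead of feeding an
# empty value to ip/iptables.
#
# NOTE(review): PPTP authenticated with MS-CHAPv2 (and the MPPE encryption
# keyed from it) has well-known cryptographic weaknesses, so these tunnels
# should not be relied on for confidentiality of the traffic they carry.
# NOTE(review): every rule below is added with -A / "ip rule add", so running
# the script twice leaves duplicate rules; flush or check before re-running.

VPNSERVER=x.x.x.x

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the first IPv4 address configured on interface $1 (nothing if the
# interface is missing or has no IPv4 address).
first_ipv4() {
  ip -4 -o addr show dev "$1" | awk '{ print $4; exit }' | cut -d/ -f1
}

# Start one PPTP tunnel as pppd unit $1 (interface ppp$1).
# Globals: VPNSERVER, physip (read). Returns pppd's exit status.
# pppd output is discarded as in the original, so on failure the reason has
# to be looked up in the system log.
start_tunnel() {
  pppd unit "$1" noauth refuse-eap refuse-pap refuse-chap \
    refuse-mschap require-mschap-v2 name "user01" remotename \
    vpnserver file /etc/ppp/options.pptp maxfail 1 updetach \
    pty "pptp $VPNSERVER --localbind $physip --nolaunchpppd" &> /dev/null
}

# Enable IP forwarding
# NOTE(review): the MARK rules below sit in the OUTPUT chain, i.e. they act on
# locally generated traffic, which does not need forwarding. If this host is
# not meant to route for other machines, leave forwarding off; if it is, make
# sure the FORWARD chain is restricted.
sysctl -w net.ipv4.ip_forward=1
# NOTE(review): rp_filter is the kernel's source-address (anti-spoofing)
# check. Multi-uplink policy routing normally needs at most loose mode (2),
# not 0. The kernel uses the larger of conf/all and conf/<iface>, so this
# write alone does not relax an interface that is still set to 1 - confirm
# the effective per-interface values.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

# Create a new table for physical interface
physip=$(first_ipv4 eth0)
[[ -n "$physip" ]] || die "no IPv4 address found on eth0"
echo "Physical interface's IP: $physip"
ip route flush table 10
# NOTE(review): the gateway here is the host's own address; a table meant to
# reach the outside would normally name the upstream router - confirm.
ip route add default via "$physip" dev eth0 table 10
ip rule add from "$physip" table 10
ip rule add fwmark 10 table 10

# Replace default gateway
ip route replace default via 127.0.0.1

# Do not mark packets going to pptp server
# NOTE(review): these are filter-table rules. They permit GRE and the PPTP
# control channel (TCP 1723) but do not exempt that traffic from the
# mangle-table MARK rules added further down; an exemption would have to be
# placed in the mangle OUTPUT chain ahead of the MARK rules.
iptables -A OUTPUT -d "$VPNSERVER" -p gre -j ACCEPT
iptables -A OUTPUT -d "$VPNSERVER" -p tcp --dport 1723 -j ACCEPT

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT

start_tunnel 101 || die "pppd unit 101 did not come up (see system log)"
start_tunnel 102 || die "pppd unit 102 did not come up (see system log)"

# Get interface IP addresses
ifip1=$(first_ipv4 ppp101)
ifip2=$(first_ipv4 ppp102)
# An empty address would turn the "ip rule add from" and SNAT commands below
# into malformed or wrong rules, so stop here instead.
[[ -n "$ifip1" ]] || die "no IPv4 address found on ppp101"
[[ -n "$ifip2" ]] || die "no IPv4 address found on ppp102"

# Create a unique routing table for each connection
ip route flush table 101
ip route add default dev ppp101 table 101
ip rule add from "$ifip1" table 101
ip rule add fwmark 101 table 101

# Create a unique routing table for each connection
ip route flush table 102
ip route add default dev ppp102 table 102
ip rule add from "$ifip2" table 102
ip rule add fwmark 102 table 102

# Load balance connections: alternate the mark given to NEW packets.
iptables -t mangle -A OUTPUT -m state --state NEW \
  -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 101
iptables -t mangle -A OUTPUT -m state --state NEW \
  -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 102

# Rewrite the source address to match the tunnel chosen by the mark.
iptables -t nat -A POSTROUTING -m mark --mark 101 -j SNAT --to-source "$ifip1"
iptables -t nat -A POSTROUTING -m mark --mark 102 -j SNAT --to-source "$ifip2"

# Store the packet mark on the connection so PREROUTING can restore it.
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark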

答案1

这是我最终使用的解决方案:

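# Bring up two PPTP tunnels (ppp101, ppp102) to the same server and balance
# outgoing traffic over them with a multipath default route.
#
# NOTE(review): PPTP authenticated with MS-CHAPv2 (and the MPPE encryption
# keyed from it) has well-known cryptographic weaknesses, so these tunnels
# should not be relied on for confidentiality of the traffic they carry.

server=x.x.x.x
# Physical uplink used to reach the PPTP server. The snippet as posted read
# "$dev" without ever setting it, which makes "ip addr show" list every
# interface. eth0 is the interface named in the question; an already-set
# $dev is respected - adjust for the actual host.
dev=${dev:-eth0}

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the first IPv4 address configured on interface $1 (nothing if the
# interface is missing or has no IPv4 address).
first_ipv4() {
  ip -4 -o addr show dev "$1" | awk '{ print $4; exit }' | cut -d/ -f1
}

# Start one PPTP tunnel as pppd unit $1 (interface ppp$1).
# Globals: server, physip (read). Returns pppd's exit status.
# pppd output is discarded as in the original, so on failure the reason has
# to be looked up in the system log.
start_tunnel() {
  pppd unit "$1" noauth refuse-eap refuse-pap refuse-chap \
    refuse-mschap require-mschap-v2 name user01 remotename \
    vpnserver file /etc/ppp/options.pptp persist maxfail 1 updetach \
    pty "pptp $server --localbind $physip --nolaunchpppd" &> /dev/null
}

physip=$(first_ipv4 "$dev")
[[ -n "$physip" ]] || die "no IPv4 address found on $dev"

start_tunnel 101 || die "pppd unit 101 did not come up (see system log)"
start_tunnel 102 || die "pppd unit 102 did not come up (see system log)"

ifip1=$(first_ipv4 ppp101)
ifip2=$(first_ipv4 ppp102)
# An empty address would produce a malformed SNAT rule, so stop here instead.
[[ -n "$ifip1" ]] || die "no IPv4 address found on ppp101"
[[ -n "$ifip2" ]] || die "no IPv4 address found on ppp102"

# Source-NAT whatever leaves through a tunnel to that tunnel's address.
# NOTE(review): "persist" lets pppd reconnect, and the address assigned after
# a reconnect may differ from the one read above; these rules would then be
# stale. -j MASQUERADE follows the interface's current address and is the
# usual choice when the address is not static.
# NOTE(review): -A appends, so re-running the snippet duplicates both rules.
iptables -t nat -A POSTROUTING -o ppp101 -j SNAT --to-source "$ifip1"
iptables -t nat -A POSTROUTING -o ppp102 -j SNAT --to-source "$ifip2"

ip route flush cache
# NOTE(review): once the default route points into the tunnels, confirm that
# a more specific route to $server via the physical gateway still exists;
# otherwise the tunnels' own GRE/TCP 1723 packets would be routed into a
# tunnel.
ip route replace default scope global \
  nexthop dev ppp101 weight 1 \
  nexthop dev ppp102 weight 1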
