Multi-provider Linux NAT configuration

I have a Linux machine that I use as a router/firewall, connected to 2 internet providers. I want to use it for load sharing and failover. I did this years ago and it was simple - just add 2 routing tables for the 2 connections and then use 2 default routes with the desired weights:

 ip route add default scope global nexthop via 1.2.3.4 dev dev100 weight 10

Linux then added routes to the cache at random, splitting connections between the links.

But now I find that this no longer works on Linux 3.16: there is no route cache any more, none of my old scripts work, and I cannot establish connections.

My configuration is:

-------------
- ip route list table prov1
default via 217.147.175.129 dev eth1
46.164.150.48/29 dev eth2  scope link  src 46.164.150.51
127.0.0.0/8 dev lo  scope link
172.16.0.0/16 dev br0  scope link  src 172.16.1.1
217.147.175.128/25 dev eth1  scope link  src 217.147.175.165
-------------
- ip route list table prov2
default via 46.164.150.49 dev eth2
46.164.150.48/29 dev eth2  scope link  src 46.164.150.51
127.0.0.0/8 dev lo  scope link
172.16.0.0/16 dev br0  scope link  src 172.16.1.1
217.147.175.128/25 dev eth1  scope link  src 217.147.175.165
-------------
- ip route list table main
default
        nexthop via 217.147.175.129  dev eth1 weight 10
        nexthop via 46.164.150.49  dev eth2 weight 10
46.164.150.48/29 dev eth2  proto kernel  scope link  src 46.164.150.51
172.16.0.0/16 dev br0  proto kernel  scope link  src 172.16.1.1
176.37.229.77 via 217.147.175.129 dev eth1
195.12.244.0/22 via 217.147.175.129 dev eth1
213.248.127.0/24 via 217.147.175.129 dev eth1
217.147.175.128/25 dev eth1  proto kernel  scope link  src 217.147.175.165
239.0.0.0/8 dev br0  scope link
--------------
- ip route list table default
--------------------
- ip rule list
0:      from all lookup local
32756:  from all fwmark 0xb iif br0 lookup prov2
32757:  from all fwmark 0xa iif br0 lookup prov1
32758:  from 46.164.150.51 lookup prov2
32760:  from 217.147.175.165 lookup prov1
32766:  from all lookup main
32767:  from all lookup default

 cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
10       prov1
11       prov2

But with this configuration everything works fine for the host itself, while the NATed IPs behind this host do not work. More specifically, this is what I see from a NATed host:

vik@Pro:~ $ ping 193.193.193.100
PING 193.193.193.100 (193.193.193.100): 56 data bytes
64 bytes from 193.193.193.100: icmp_seq=0 ttl=59 time=3.737 ms
64 bytes from 193.193.193.100: icmp_seq=1 ttl=59 time=4.198 ms
64 bytes from 193.193.193.100: icmp_seq=2 ttl=59 time=3.934 ms
Request timeout for icmp_seq 3
64 bytes from 193.193.193.100: icmp_seq=4 ttl=60 time=3.650 ms
64 bytes from 193.193.193.100: icmp_seq=5 ttl=60 time=3.616 ms
Request timeout for icmp_seq 6
64 bytes from 193.193.193.100: icmp_seq=7 ttl=60 time=3.509 ms
64 bytes from 193.193.193.100: icmp_seq=8 ttl=60 time=3.417 ms
64 bytes from 193.193.193.100: icmp_seq=9 ttl=60 time=3.635 ms
Request timeout for icmp_seq 10

As you can see, a lot of packets are lost. And hosts behind this Linux router cannot open web pages etc. - the connection gets dropped:

$ telnet google.com 80
Trying 173.194.113.201...
Connected to google.com.
Escape character is '^]'.
get / http/1.0

Connection closed by foreign host.

I tried looking for some manuals and found a suggestion to CONNMARK the packets:

iptables -t mangle -A PREROUTING -i eth1 --dst 217.147.175.165 -m state --state NEW,RELATED -j CONNMARK --set-mark 10
iptables -t mangle -A PREROUTING -i eth2 --dst 46.164.150.51   -m state --state NEW,RELATED -j CONNMARK --set-mark 11

iptables -t mangle -A PREROUTING -i br0 -m state --state ESTABLISHED -j CONNMARK --restore-mark

But it didn't help at all. Please help )

Answer 1

The packet loss seems to happen because packets return via a different route than they were sent from. IP routing is stateless. I think you can achieve dual WAN by following this link.
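As an added example (not code from the question or the answer), a complete mangle and policy-routing setup that pins each connection to one provider when its first packet is seen, so the NATed source address and the outgoing link always agree; it reuses the question's interfaces, tables and marks, while the DRY_RUN variable and the `apply` argument are names chosen here.

```shell
#!/bin/sh
# Per-connection WAN pinning with CONNMARK: each NATed flow is assigned one
# provider on its first packet and keeps it for every later packet, so
# replies never leave through the other ISP carrying the wrong source address.
# Names, marks and interfaces follow the question above; the mangle table is
# assumed to be empty when this runs (flush it first if it is not).
set -e

WAN1=eth1; WAN1_IP=217.147.175.165; MARK1=0xa   # routed by table prov1
WAN2=eth2; WAN2_IP=46.164.150.51;   MARK2=0xb   # routed by table prov2
LAN=br0

# DRY_RUN=1 prints each command instead of running it (review before apply).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

connmark_rules() {
    # 1. Copy any saved connection mark onto the packet first, so established
    #    flows (forwarded and locally generated) keep the WAN they started on.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT     -j CONNMARK --restore-mark
    # 2. Connections initiated from outside: remember the ISP they came in on.
    run iptables -t mangle -A PREROUTING -i "$WAN1" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK2"
    # 3. New connections from the LAN: choose a WAN once, 1:1 (the question's
    #    equal weights), instead of letting the multipath route decide per packet.
    run iptables -t mangle -A PREROUTING -i "$LAN" -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$LAN" -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark "$MARK2"
    # 4. Store the chosen packet mark on the conntrack entry for the rest of the flow.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark
    # 5. Route by mark; the source-address rules cover the router's own traffic.
    run ip rule add fwmark "$MARK1" lookup prov1 pref 100
    run ip rule add fwmark "$MARK2" lookup prov2 pref 101
    run ip rule add from "$WAN1_IP" lookup prov1 pref 110
    run ip rule add from "$WAN2_IP" lookup prov2 pref 111
    # 6. Strict reverse-path filtering would drop packets arriving on the link the
    #    main table would not pick for their source; loose mode keeps them.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

if [ "${1:-}" = apply ]; then connmark_rules; fi
```

Run it as `DRY_RUN=1 sh script.sh apply` to review the generated commands, then without DRY_RUN to apply them.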
