Re: lug-bg: ICQ + load balancing of outgoing traffic (long)
- Subject: Re: lug-bg: ICQ + load balancing of outgoing traffic (long)
- From: Danail Petrov <danail.petrov@xxxxxxxxxxx>
- Date: Fri, 13 Oct 2006 10:13:25 +0300
- Delivered-to: lug-bg-list@xxxxxxxxxxxxxxxxxx
- Delivered-to: lug-bg@xxxxxxxxxxxxxxxxxx
- Organization: Evolink Jsc
Hmm, here you've caught me completely unprepared. The last time I used PF
was about 4-5 years ago on OpenBSD 2.8 :-) Honestly, I have no idea how
the balancing works, whether it is per-packet or per-destination; also,
from what I can see, it seems to be about balancing on egress only
(Round Robin). Which means that if you send out a network that the other
provider doesn't know about (or at least one that checks [rp_filter in
Linux (reverse packet forwarding) / rx verify in Cisco] the networks it
will route out), that could be your problem. Do your tests with
tcptraceroute or some other tool, run a tcpdump and look at the traffic
that comes back / goes out.
Regards,
Danail Petrov
Alexander Iliev wrote:
Danail Petrov wrote:
How are you balancing the traffic? Inbound? Outbound?
How have you organized the balancing? What routing protocol are you
using? Give more information;
with the question put that way, I doubt anyone will be able to point you
to anything at all :)
OK, sorry for not giving enough information... :)
I balance the traffic through PF with route-to rules. Here is the
configuration itself:
====
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#######################################
# MACRO DEFINITIONS #
#######################################
########### interfaces
# external interface
ext_if1 = "rl0"
ext_if2 = "dc0"
ext_ifs = "{" $ext_if1 $ext_if2 "}"
ppp_if = "tun0"
# internal interface
int_if = "fxp0"
# vpn interface
vpn_if = "tun1"
########### known ip addresses and ports
ext_gw1 = "W.X.Y.Z"
ext_gw2 = "Z.Y.X.W"
#######################################
# TABLE DEFINITIONS #
#######################################
# non-routable networks
table <rfc1918> persist { 10/8, 172.16/12, 192.168/16 }
table <spamd> persist
table <spamd-my> persist file "/etc/pf/spamd.table"
table <spamd-white> persist
table <bruteforce> persist
table <single-route> persist file "/etc/pf/single-route.table"
#######################################
# OPTIONS #
#######################################
###### set logging on for ext_if1
set block-policy return
set loginterface $ext_if1
set loginterface $ext_if2
scrub in
#######################################
# TRAFFIC SHAPING #
#######################################
altq on $ext_if1 priq bandwidth 4320Kb queue { q_std_out1, q_pri_out1 }
queue q_std_out1 priority 1 priq(default)
queue q_pri_out1 priority 7
altq on $ext_if2 priq bandwidth 8000Kb queue { q_std_out2, q_pri_out2 }
queue q_std_out2 priority 1 priq(default)
queue q_pri_out2 priority 7
#######################################
# NAT #
#######################################
###### nat local network
nat pass on $ext_if1 \
from $int_if:network to <single-route> -> ($ext_if1)
nat pass on $ext_if1 \
from $int_if:network to !$int_if:network -> ($ext_if1)
nat pass on $ext_if2 \
from $int_if:network to !$int_if:network -> ($ext_if2)
###### handle active mode ftp connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp \
from $int_if:network to !$int_if:network port 21 -> 127.0.0.1 port 8021
###### redirect spammers to local spamd
rdr pass on $ext_if1 proto tcp \
from <spamd> to ($ext_if1) port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if1 proto tcp \
from <spamd-my> to ($ext_if1) port smtp -> 127.0.0.1 port spamd
#######################################
# FILTERING - OUTBOUND TRAFFIC #
#######################################
###### deny all by default
block log all
###### allow loopback
pass quick on lo0
###### ftp-proxy anchor
anchor "ftp-proxy/*"
###### reject all packets from and to private networks on ext_if1
block in quick on $ext_ifs from <rfc1918> to any
block out quick on $ext_ifs from any to <rfc1918>
###### allow traffic from local network
pass in on $int_if from $int_if:network to any keep state
###### outgoing traffic load balancing
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $int_if:network to !$int_if:network flags S/SA \
modulate state
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto { udp, icmp } from $int_if:network to !$int_if:network \
keep state
###### override load balancing for single-route table
pass in on $int_if route-to \
($ext_if1 $ext_gw1) round-robin \
proto tcp from $int_if:network to <single-route> flags S/SA \
modulate state
pass in on $int_if route-to \
($ext_if1 $ext_gw1) round-robin \
proto { udp, icmp } from $int_if:network to <single-route> keep state
###### allow traffic from localhost to local network
pass out on $int_if from ($int_if) to $int_if:network keep state
###### allow outgoing traffic keeping state and prioritizing tcp ack packets
pass out on $ext_if1 proto tcp all flags S/SA keep state \
queue (q_std_out1, q_pri_out1)
pass out on $ext_if2 proto tcp all flags S/SA keep state \
queue (q_std_out2, q_pri_out2)
pass out on $ext_ifs proto { udp, icmp } all keep state
###### route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
###### $ext_if2 and $ext_gw2 (again outgoing traffic load balancing)
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
###### allow icmp
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
proto icmp from any to ($ext_if1) keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
proto icmp from any to ($ext_if2) keep state
###### allow ssh to this machine, limiting connection rate
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
proto tcp to ($ext_if1) port ssh keep state \
(max-src-conn 15, max-src-conn-rate 5/2, \
overload <bruteforce> flush global)
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
proto tcp to ($ext_if2) port ssh keep state \
(max-src-conn 15, max-src-conn-rate 5/2, \
overload <bruteforce> flush global)
###### allow smtp traffic
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
proto tcp from any to ($ext_if1) port smtp \
label "mail" keep state \
(max-src-conn 15, max-src-conn-rate 10/5, \
overload <bruteforce> flush global)
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
proto tcp from any to ($ext_if2) port smtp \
label "mail" keep state \
(max-src-conn 15, max-src-conn-rate 10/5, \
overload <bruteforce> flush global)
###### allow domain query
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
proto { tcp udp } from any \
to ($ext_if1) port domain keep state \
label "dns"
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
proto { tcp udp } from any \
to ($ext_if2) port domain keep state \
label "dns"
====
It has quite a few flaws, but right now I'm interested in whether
something can be figured out for the ICQ problem; the other things are
(more or less) clear to me. :)
I made the single-route table in order to always send the traffic to
login.icq.com through one of the interfaces, but either I messed
something up or the problem is elsewhere, i.e. the result is the same as
before I added that table.
Regards,
--
Danail Petrov
Network Administrator
Evolink, Sofia
+359(2)9691650
www.evolink.com
icq uin 989677
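To make the semantics of the `pass in on $int_if route-to ...` rules in the quoted pf.conf concrete, here is a small added model (my own code, not from the thread or from the configuration above): PF filter rules are last-match-wins, so the later `<single-route>` rule pins only the destinations listed in that table, while every other new state alternates between the two uplinks. The table contents and the addresses are constructed (documentation ranges), and the gateway values are the poster's placeholders.

```python
from itertools import cycle

# Targets taken from the pf.conf macros; gateway addresses are the
# placeholders the poster used.
EXT1 = ("rl0", "W.X.Y.Z")   # ($ext_if1 $ext_gw1)
EXT2 = ("dc0", "Z.Y.X.W")   # ($ext_if2 $ext_gw2)

class RouteToModel:
    """Models the 'pass in on $int_if route-to ...' rules for new states.

    PF filter rules are last-match-wins, so the <single-route> rule, which
    comes after the general round-robin rule, overrides it for destinations
    in the table. Each route-to rule keeps its own round-robin position and
    advances it only when that rule creates a state; an existing state keeps
    the egress it was created with.
    """

    def __init__(self, single_route):
        self.single_route = set(single_route)  # contents of <single-route>
        self.rr = cycle([EXT1, EXT2])          # pool of the general rule
        self.states = {}                       # 4-tuple -> (iface, gw)

    def new_connection(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key in self.states:
            return self.states[key]            # stateful: route is sticky
        if dst in self.single_route:
            egress = EXT1                      # pinned, pool not consumed
        else:
            egress = next(self.rr)             # round-robin per new state
        self.states[key] = egress
        return egress

def uplinks_used(model, src, connections):
    """Return the set of egress interfaces a multi-connection session uses.

    connections: list of (sport, dst, dport) opened from the same host.
    """
    return {model.new_connection(src, sp, d, dp)[0] for sp, d, dp in connections}

if __name__ == "__main__":
    # Constructed addresses: documentation ranges, not the real ICQ servers.
    LOGIN = "203.0.113.10"   # stands in for what login.icq.com resolved to
    OTHER = "198.51.100.20"  # a second server the client talks to afterwards
    fw = RouteToModel({LOGIN})
    # All connections to the pinned host leave via rl0...
    print(uplinks_used(fw, "192.168.0.5", [(40001, LOGIN, 5190), (40002, LOGIN, 5190)]))
    # ...but a session that also talks to an unpinned host can use both uplinks.
    print(uplinks_used(fw, "192.168.0.5", [(40003, OTHER, 5190), (40004, OTHER, 5190)]))
```

A session whose later connections go to hosts outside the table therefore leaves with two different public source addresses, which is exactly what a tcpdump on each external interface, as suggested in the reply, would show.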