Linux-Bulgaria.ORG

Re: lug-bg: ICQ + load balancing of outgoing traffic (long)


  • Subject: Re: lug-bg: ICQ + load balancing of outgoing traffic (long)
  • From: Alexander Iliev <sasoiliev@xxxxxxxxx>
  • Date: Fri, 13 Oct 2006 09:56:06 +0300
  • Delivered-to: lug-bg-list@xxxxxxxxxxxxxxxxxx
  • Delivered-to: lug-bg@xxxxxxxxxxxxxxxxxx

Danail Petrov wrote:
> How do you balance the traffic? Inbound? Outbound?
> How have you set up the balancing? Which routing protocol
> do you use? Give more information;
> with the question posed this way I doubt anyone will manage to point you
> towards anything at all :)

OK, I apologize for not giving enough information... :)

I balance the traffic with PF using route-to rules. Here is the
configuration itself:

====
#	$OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#######################################
#  MACRO DEFINITIONS                  #
#######################################

########### interfaces

# external interface
ext_if1		= "rl0"
ext_if2		= "dc0"
ext_ifs		= "{" $ext_if1 $ext_if2 "}"

ppp_if		= "tun0"

# internal interface
int_if 		= "fxp0"

# vpn interface
vpn_if		= "tun1"

########### known ip addresses and ports

ext_gw1		= "W.X.Y.Z"
ext_gw2		= "Z.Y.X.W"

#######################################
#  TABLE DEFINITIONS                  #
#######################################

# non-routable networks
table <rfc1918>		persist { 10/8, 172.16/12, 192.168/16 }

table <spamd>		persist
table <spamd-my>	persist file "/etc/pf/spamd.table"
table <spamd-white>	persist

table <bruteforce>	persist

table <single-route>	persist file "/etc/pf/single-route.table"

#######################################
#  OPTIONS                            #
#######################################

###### set logging (pf keeps a single loginterface, so the last set line wins)
set block-policy return
set loginterface $ext_if1
set loginterface $ext_if2

scrub in

#######################################
#  TRAFFIC SHAPING                    #
#######################################

altq on $ext_if1 priq bandwidth 4320Kb queue { q_std_out1, q_pri_out1 }
  queue q_std_out1 priority 1 priq(default)
  queue q_pri_out1 priority 7

altq on $ext_if2 priq bandwidth 8000Kb queue { q_std_out2, q_pri_out2 }
  queue q_std_out2 priority 1 priq(default)
  queue q_pri_out2 priority 7

#######################################
#  NAT                                #
#######################################

###### nat local network
nat pass on $ext_if1 \
	from $int_if:network to <single-route> -> ($ext_if1)
nat pass on $ext_if1 \
	from $int_if:network to !$int_if:network -> ($ext_if1)
nat pass on $ext_if2 \
	from $int_if:network to !$int_if:network -> ($ext_if2)

###### handle active mode ftp connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp \
	from $int_if:network to !$int_if:network port 21 -> 127.0.0.1 port 8021

###### redirect spammers to local spamd
rdr pass on $ext_if1 proto tcp \
	from <spamd> to ($ext_if1) port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if1 proto tcp \
	from <spamd-my> to ($ext_if1) port smtp -> 127.0.0.1 port spamd

#######################################
#  FILTERING - OUTBOUND TRAFFIC       #
#######################################

###### deny all by default
block log all

###### allow loopback
pass quick on lo0

###### ftp-proxy anchor
anchor "ftp-proxy/*"

###### reject all packets from and to private networks on ext_if1
block in  quick on $ext_ifs from <rfc1918> to any
block out quick on $ext_ifs from any to <rfc1918>

###### allow traffic from local network
pass in  on $int_if from $int_if:network to any keep state

###### outgoing traffic load balancing
pass in  on $int_if route-to \
	{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
	proto tcp from $int_if:network to !$int_if:network flags S/SA \
	modulate state
pass in on $int_if route-to \
	{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
	proto { udp, icmp } from $int_if:network to !$int_if:network \
	keep state

###### override load balancing for single-route table
pass in  on $int_if route-to \
	($ext_if1 $ext_gw1) round-robin \
	proto tcp from $int_if:network to <single-route> flags S/SA \
	modulate state
pass in  on $int_if route-to \
	($ext_if1 $ext_gw1) round-robin \
	proto { udp, icmp } from $int_if:network to <single-route> keep state

###### allow traffic from localhost to local network
pass out on $int_if from ($int_if) to $int_if:network keep state

###### allow outgoing traffic keeping state and prioritizing tcp ack packets
pass out on $ext_if1 proto tcp all flags S/SA keep state \
	queue (q_std_out1, q_pri_out1)
pass out on $ext_if2 proto tcp all flags S/SA keep state \
	queue (q_std_out2, q_pri_out2)
pass out on $ext_ifs proto { udp, icmp } all keep state

###### route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
###### $ext_if2 and $ext_gw2 (again outgoing traffic load balancing)
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any


###### allow icmp
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
	proto icmp from any to ($ext_if1) keep state
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
	proto icmp from any to ($ext_if2) keep state

###### allow ssh to this machine, limiting connection rate
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
	proto tcp to ($ext_if1) port ssh keep state \
	(max-src-conn 15, max-src-conn-rate 5/2, \
	 overload <bruteforce> flush global)
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
	proto tcp to ($ext_if2) port ssh keep state \
	(max-src-conn 15, max-src-conn-rate 5/2, \
	 overload <bruteforce> flush global)

###### allow smtp traffic
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
	proto tcp from any to ($ext_if1) port smtp \
	label "mail" keep state \
	(max-src-conn 15, max-src-conn-rate 10/5, \
	 overload <bruteforce> flush global)
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
	proto tcp from any to ($ext_if2) port smtp \
	label "mail" keep state \
	(max-src-conn 15, max-src-conn-rate 10/5, \
	 overload <bruteforce> flush global)

###### allow domain query
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
	proto { tcp udp } from any \
	to ($ext_if1) port domain keep state \
	label "dns"
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
	proto { tcp udp } from any \
	to ($ext_if2) port domain keep state \
	label "dns"

====

It has quite a few flaws, but right now what interests me is the ICQ
problem and whether something can be worked out for it; the other things
are (more or less) clear to me. :)

I created the single-route table so that traffic to login.icq.com always
goes out through one interface, but either I have messed something up or
the problem is elsewhere, i.e. the result is the same as before I added
this table.

Regards,
-- 
Александър Илиев
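A check a practitioner would run on the single-route approach above, added here as an example and not part of the original post or of PF: it parses a table file in the format of /etc/pf/single-route.table and reports which observed destination addresses fall outside the table (a connection whose destination is not in the table goes through the round-robin rules instead). The table contents, the hostname entry and the observed addresses are constructed sample values.

```python
import ipaddress

# Constructed stand-in for /etc/pf/single-route.table: one address or
# CIDR network per line, '#' starts a comment (pf table file format).
# pf's abbreviated forms such as "10/8" are not handled here.
SAMPLE_TABLE = """\
# hypothetical single-route table (constructed example values)
64.12.0.0/16        # example network
205.188.3.4         # example host
login.example.com   # hostname entry, left for pfctl to resolve
"""

# Constructed destination addresses a client was seen connecting to.
OBSERVED = ["64.12.1.2", "205.188.3.4", "198.51.100.7"]


def parse_table(text):
    """Parse pf table file text into (networks, hostnames).

    Numeric entries become ip_network objects (a bare address is a /32
    or /128); anything else is returned as a hostname so the caller
    knows the table depends on DNS resolution when pfctl loads it.
    """
    nets, names = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)
    return nets, names


def missing_from_table(addrs, nets):
    """Return the addresses not covered by any network in the table."""
    return [a for a in addrs
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    nets, names = parse_table(SAMPLE_TABLE)
    print("hostname entries (resolved only at load time):", names)
    print("observed addresses outside the table:",
          missing_from_table(OBSERVED, nets))
```

On the PF box the observed addresses would come from the state table (pfctl -ss) or a packet capture on the internal interface; any address reported as missing is one the route-to override rules never see.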



Mailing list messages are © Copyright their authors.

Hosted by "Internet Group" Ltd. - Stara Zagora