Tengo 3 NIC. NIC1 y NIC2 se utilizan para conexiones a Internet y una LAN se utiliza para conexiones de intranet.
Quiero equilibrar la carga para los ISP mediante tablas de IP. Como soy un novato, mi burdo intento se detalla en el siguiente código, obviamente sin éxito. Este código se compiló consultando muchos sitios web sobre el tema.
Nos gustaría utilizar de manera óptima la Internet entrante en LAN usando el método Round-Robin.
o
¿Es posible dividir los dos ISP, es decir, para los sistemas 1 a 5 (ISP1) y 5 a 10 (ISP2) utilizando tablas de enrutamiento?
Espero que alguien me ayude, lo cual se agradece mucho.
set -x
IPT="/sbin/iptables"
NIC1="enp4s5f0"
NIC2="enp4s5f1"
LAN="ens2"
ISP1="192.168.9.33"
ISP2="192.168.10.33"
#***************
# reset iptables
#_______________
## reset the default policies in the filter table.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
## reset the default policies in the nat table.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
## reset the default policies in the mangle table.
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
## flush all the rules in the filter and nat tables.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
## erase all chains that's not default in filter and nat table.
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
#*********************
# enable IP forwarding
#_____________________
echo 1 > /proc/sys/net/ipv4/ip_forward
#****************
# rules
#________________
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -p icmp -j ACCEPT
$IPT -t nat -A PREROUTING -i NIC1 -p tcp --dport 80\
-m state --state NEW -m statistic --mode\
random --probability .33 -j DNAT --to-destination 10.1.1.1:1
$IPT -t nat -A PREROUTING -i NIC2 -p tcp --dport 80\
-m state --state NEW -m statistic --mode\
random --probability .33 -j DNAT --to-destination 10.1.1.1:2
$IPT -A FORWARD -i $NIC1 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NIC2 -o $LAN -j ACCEPT
# ifconfig -a
#********************************
# allow certain hosts full access
#________________________________
allowHost() {
$IPT -A FORWARD -i $LAN -s $1 -j ACCEPT
}
allowHost 192.168.2.10
allowHost 192.168.2.11
allowHost 192.168.2.12
allowHost 192.168.2.13
allowHost 192.168.2.14
allowHost 192.168.2.15
####Extra
$IPT -A FORWARD -d 8.8.8.8 -p tcp -m multiport --dports 53 -j ACCEPT
#********************
# block anything else
#____________________
$IPT -A FORWARD -j LOG -m limit --limit 10/minute --limit-burst 1 --log-prefix "Blocked:"
$IPT -A FORWARD -j DROP
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat
Respuesta1
ADVERTENCIA: LEA PRIMERO ANTES DE EJECUTAR
DESCARGO DE RESPONSABILIDAD: No probado
Requisitos previos:
Instale el paquete persistente iptables
sudo apt-get install iptables-persistent
Haga una copia de seguridad de sus reglas de iptables existentes:
sudo iptables-save > ~/iptables-export
Restaurar:
sudo iptables-restore < ~/iptables-export
Elimine las reglas anteriores de iptables:
sudo iptables -F && sudo iptables -t nat -F && sudo iptables -t mangle -F && sudo iptables -X && sudo iptables -t nat -X && sudo iptables -t mangle -X
Pasos:
Agregue una nueva "tabla de rutas" usando este comando desde su terminal para manejar los paquetes de una de las NIC:
sudo bash -c 'echo "1 rt2" >> /etc/iproute2/rt_tables'
Habilitar reenvío ipv4
sudo sysctl net.ipv4.ip_forward=1 sudo sysctl -p
Agregar filtro que permita "enmascarar"
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.90 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.90 sudo iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE sudo netfilter-persistent save sudo netfilter-persistent reload
Edite el
/etc/network/interfaces
archivo y agregue la configuración para la segunda NIC, pero por supuestohacer una copia del viejo,sudo cp /etc/network/interfaces /etc/network/interfaces.bkup
:iface enp4s5f1 inet static address <YOUR_NIC_ADD>/24 netmask 255.255.255.0 post-up ip route add 192.168.10.0/24 dev enp4s5f1 src 192.168.10.33 table rt2 post-up ip route add default via 192.168.10.1 dev enp4s5f1 table rt2 post-up ip rule add from 192.168.10.33/32 table rt2 post-up ip rule add to 192.168.10.33/32 table rt2
Reinicie el administrador de red:
sudo systemctl restart NetworkManager.service
Agregue reglas de iptable:
sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 5 --packet 0 -j DNAT --to-destination 192.168.2.26 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination 192.168.2.27 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.2.28 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.2.29 sudo iptables -t nat -A PREROUTING -i enp4s5f0 --to-destination 192.168.2.30
=======================================
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 5 --packet 0 -j DNAT --to-destination 192.168.2.21
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 4 --packet 0 -j DNAT --to-destination 192.168.2.22
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 3 --packet 0 -j DNAT --to-destination 192.168.2.23
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 2 --packet 0 -j DNAT --to-destination 192.168.2.24
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -j DNAT --to-destination 192.168.2.25
sudo netfilter-persistent save
sudo netfilter-persistent reload
Fuente:
https://scalingo.com/articles/2018/04/20/iptables.html
https://www.webair.com/community/simple-stateful-load-balancer-with-iptables-and-nat/
http://ipset.netfilter.org/iptables-extensions.man.html
https://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs
¿Cómo guardar reglas de iptables?
https://linuxconfig.org/how-to-restart-network-on-ubuntu-16-04-xenial-xerus-linux