[CentOS] Routing issue

Wed Oct 3 12:46:14 UTC 2012
Manish Kathuria <mkathuria at tuxtechnologies.co.in>

> The routes-x.y-z.diff is a unified patch containing different parts
> which include support for Dead Gateway Detection as well.  However,
> since that is limited to the first hop, it is preferable to have a
> userspace script as you are doing. I also use a script to check the
> accessibility of a remote popular site from each of the ISPs and based
> upon the response the links are treated alive or dead and the default
> gateway is changed. However, the routing problem as described by you
> will only be solved after applying this patch (routes-x.y-z.diff).
> As for marking the incoming packets to ensure that they go out from
> the same interface they came from, you could do something like the
> following:
> Using iptables mark the incoming traffic from external interfaces
> /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A PREROUTING -i eth1 -j MARK  --set-mark 1
> /sbin/iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark
> /sbin/iptables -t mangle -A PREROUTING -i eth2 -j MARK  --set-mark 2
> /sbin/iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --save-mark
> Add the following rules to your existing ones for policy routing
> /sbin/ip rule add fwmark 1 table T1
> /sbin/ip rule add fwmark 2 table T2
> Hi Manish,
> Thanks for the info. The one question I have is about
> /sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> I thought the OUTPUT chain was only for packets originating locally. I am
> only concerned
> with clients behind my Linux router, do I still need this?
> Yes you are right but in case if you have any services running on the
> linux router itself (for example sshd) and  accessible from the
> internet, it would help.
> Hi Manish,
> The above rules appear to be for clients coming into the router from
> external. They
> don't solve the problem for clients inside the router going out thru the
> load balanced
> interfaces.
> I have done much googling and testing without much luck. At this point in
> time I would
> be satisfied with just being able to have a client inside the router do FTP
> over just one
> of the outbound interfaces without any load balancing for FTP. I have this
> working but only
> for active mode FTP by using the following:
> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 20:21 -j MARK
> --set-mark 1
> But it doesn't work for passive because you don't know what ports are going
> to be used.
> Regards,
> --
> Stephen Clark

I was under the impression that you are running a FTP server inside
and were facing problems with the incoming traffic for the same. If
you are primarily concerned with the outgoing traffic through two ISP
links, please follow the following steps:

1. Refer to http://www.ssi.bg/~ja/nano.txt  for creating your rules.
2. Recompile the kernel after applying Julian Anistov's routes patch
(the URL is there in the earlier messages).
3. Make a script to check the status of the links and change the
default gateway accordingly. Let me know if you need a script.
4. Make sure that your firewall (iptables) is stateful and allows
related and established connections and the NAT and connection
tracking modules (nf_conntrack, nf_conntrack_ftp, nf_nat and
nf_nat_ftp) are loaded.

I have followed this approach at a number of places without any
problems related to FTP or other protocols. The only issue I faced was
that the patch failed for all the CentOS 5.x kernels I tried (perhaps
due to some conflict with an existing patch). But its working
perfectly for the kernels in CentOS 6 and 6.1.