Linux – How to load-balance traffic across two independent NAT devices using Linux kernel

iproute2iptableslinuxlinux-networking

I have a network with several Linux workstations/servers on it, and two Internet connections, each with a consumer-grade NAT router in front of it. So for concreteness, let's say the devices are:

192.0.2.0/26  network
192.0.2.1     router A
192.0.2.62    router B
192.0.2.10    host X
192.0.2.11    host Y

Here's a diagram, similar to one in the LARTC HOWTO:

                                                             ________
                                           +------------+        /
                                           |            |       |
         +-----------+-[NAT router A]------+ Provider 1 +-------
        _|                                 |            |     /
    ___/  \_         +--------------+      +------------+    |
  _/        \__      | Linux host   |                      /
 /             \     |              |                      |
| Local network -----+  if1         |                      |     Internet
 \_           __/    |              |                      |
   \__     __/       |              |                      \
      \___/          +--------------+     +------------+    |
        |                                 |            |     \
        +---------------[NAT router B]----+ Provider 2 +-------
                                          |            |       |
                                          +------------+        \________

If a new TCP connection comes in via one or the other router, return traffic needs to go out via that router. Otherwise the return SYN packet will be improperly NATted (if even passed out at all), and the connection will effectively be blackholed. I could set up mutually exclusive port-forwarding sets on the two routers if that would help, but I'd rather keep them the same (or at least in some cases overlapping) if possible.

For new outgoing connections, I want to allocate traffic by range using the main routing table, but for certain traffic I might want to randomly balance new connections across the two routers.

I suspect what I'm asking about is doable using iptables and ip, or perhaps either of those tools alone. However, the HOWTOs and other answers I've found seem to all address a single router (running Linux), or host, with multiple interfaces… not policy among multiple routers attached to the same interface.

Edit: I've found one other question, also unanswered, that's asking about the same situation (note 192.168.0.0/23 as the local network), but focuses on policy for outgoing traffic; my question here is specifically about policy for incoming traffic. (Both NAT devices have a "port forward by port-range to host" function.)

Best Answer

Yes, it's possible to do this using iptables and ip together. In my case all the Linux boxes at issue run Debian Stable, so I wrote a custom script for /etc/network/if-up.d.

# First set up two routing-tables
ip route add to default table 11 via 192.0.2.1  dev $IFACE
ip route add to default table 33 via 192.0.2.62 dev $IFACE

# ... and rules to use them.
ip rule add priority 99 table 11 fwmark 11
ip rule add priority 99 table 33 fwmark 33

# Copy connmark to fwmark for applicable outgoing packets.
iptables -t mangle -A OUTPUT ! -d 192.0.2.0/26 \
  -m addrtype --dst-type UNICAST -j CONNMARK --restore-mark

# Set connmark for applicable incoming packets.
iptables -A INPUT -i $IFACE ! -s 192.0.2.0/26 \
  -m addrtype --src-type UNICAST \
  -m mac --mac-source 00:00:5E:00:53:05 \
  -j CONNMARK --set-mark 11
iptables -A INPUT -i $IFACE ! -s 192.0.2.0/26 \
  -m addrtype --src-type UNICAST \
  -m mac --mac-source 00:00:5E:00:53:07 \
  -j CONNMARK --set-mark 33

Note that it's defined in that order so that the whole thing takes effect with the last two commands. 00:00:5E:00:53:05 and 00:00:5E:00:53:07 would be the on-link addresses of the two NAT devices.

Route tables

First edit the /etc/iproute2/rt_tables to add a map between route table numbers and ISP names

...
10 ISP1
20 ISP2
...

So table 10 and 20 is for ISP1 and ISP2, respectively. I need to populate these tables with routes from main table with this code snippet (which I have taken from hxxp://linux-ip.net/html/adv-multi-internet.html)

ip route show table main | grep -Ev '^default' \
   | while read ROUTE ; do
     ip route add table ISP1 $ROUTE
done

And add default gateway to ISP1 through that ISP1's gateway:

ip route add default via 192.168.1.2 table ISP1

Do the same for ISP2

So now I have 2 route tables, 1 for each ISP.

Iptables

OK now I use iptables to evenly distribute packets to each route tables. More info on how this work can be found here (http://www.diegolima.org/wordpress/?p=36) and here (http://home.regit.org/?page_id=7)

# iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# iptables -t mangle -A PREROUTING -j MARK --set-mark 10
# iptables -t mangle -A PREROUTING -m statistic --mode random --probability 0.5 -j MARK --set-mark 20
# iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

NAT

Well NAT is easy:

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

Linux Routing – Route Return Traffic to Correct Gateway Depending on Service

If I am understanding your intentions correctly, you want your webserver to normally use ISP-2 as its default gateway for outgoing traffic, with the exception of its responses to external web requests, which must transit via ISP-1 instead. Here is a sketch of a solution using policy routing:

echo "101 webtraffic" >> /etc/iproute2/rt_tables

ip route add default table webtraffic via $ISP1_GW_LAN_IP
ip rule add fwmark 1 table webtraffic
iptables -t mangle -A OUTPUT -d \! $LAN_NET_PREFIX \
                             -p tcp -m tcp --sport 443 \
                             -j MARK --set-mark 1

where:

LAN_NET_PREFIX is your LAN's network prefix (e.g. 192.168.100.0/24), and
ISP1_GW_LAN_IP is the LAN IP address of your gateway to ISP-1 (e.g. 192.168.100.100).

The first ip command sets the default route on the webtraffic table to your ISP-1 gateway, and the second ensures that packets marked 1 are routed using the webtraffic table. Finally, the iptables rule marks the appropriate outgoing packets, ensuring that their next hop will be towards ISP-1.

Here is an alternate solution that uses an experimental iptables module, the ROUTE target:

iptables -t mangle -A POSTROUTING -d \! $LAN_NET_PREFIX \
                                  -p tcp -m tcp --sport 443 \
                                  -j ROUTE --gw $ISP1_GW_LAN_IP

This rule would override the routing decision for outgoing web response packets, sending them to your ISP-1 gateway, instead of to the default ISP-2. All other traffic, including web responses to clients on your LAN, would not be affected. As has been pointed out in the comments, the ROUTE target is very likely not to be implemented on any system that has not explicitly patched it into the kernel, since it is experimental.

Best Answer

Related Solutions

Linux – Load Balancing and NAT-ing Multiple ISP Connections

Route tables

Iptables

NAT

Linux Routing – Route Return Traffic to Correct Gateway Depending on Service

Related Topic