Dual WAN Load Balancing And FailOver with CentOs / Fedora / RedHat , Linux
This article presents a straightforward approach to Dual WAN Load Balancing and Failover with Linux (using multiple independent internet connections on one system). While the examples provided are for multiple ethernet connections, they could easily apply to a mixed ethernet/wireless system with some minor changes.
Note: Load balancing doesn’t increase connection speed for a single connection. Its benefits are realized over multiple connections like in an office environment. The benefits of fail-over are however realized even in a single user environment.
For fail over the best approach is to use a user space script to monitor connections and dynamically change routing information.
The Setup
In this example, I have a 5Mbps Cable connection via ROL on eth0, and a 2Mbps ADSL2 connection via Dhiraagu on eth1. And my local Connection On eth2
- eth1 – IP 172.16.0.100 / Gateway 172.16.0.1
- eth2 – IP 10.1.0.100 / Gateway 10.1.0.1
- eth2 – IP 192.168.0.1
Configuration
First, we need to add two lines to /etc/iproute2/rt_tables
First, we need to add two lines to /etc/iproute2/rt_tables
1 ROL
2 DHIRAAGU
And then set up the routing for those tables.
ip route add 172.16.0.0/24 dev eth0 src 172.16.0.100 table ROL
ip route add default via 172.16.0.1 table ROL
ip route add 10.1.0.0/24 dev eth1 src 10.1.0.100 table DHIRAAGU
ip route add default via 10.1.0.1 table DHIRAAGU
ip rule add from 172.16.0.100 table ROL
ip rule add from 10.1.0.100 table DHIRAAGU
Traffic evenly Divided upon both interfaces.
ip route add default scope global nexthop via 172.16.0.1 dev eth0 weight 1 nexthop via 10.1.0.1 dev eth1 weight 1
In addition to the normal setup here, we can weight the interfaces differently, to favour one over the other (useful in my case cause in my scenario ROL bandwidth is higher then Dhiraagu ).
ip route add default scope global nexthop via
172.16.0.1
dev eth1 weight 2 nexthop via
10.1.0.1
dev eth2 weight 3
In the case of IP-bound services (Site’s Like Bankofmaldives , which does not allow simultaneous connections from different IPs), a static route is simple to configure:
ip route add 123.176.23.68 via 172.16.0.1
If one of your ISP blocks DNS queries from non-subscribers, then you will need to make sure that your primary DNS server is ISP-agnostic. Google Public DNS is a great solution for this. Add the following entries to /etc/resolv.conf:
nameserver 8.8.8.8
nameserver 8.8.4.4
To setup fail-over
Download the script which checks for and provides fail-over over dual Wan connections and save it to /usr/sbin directory (or any other directory which is mounted available while loading the OS).
Change the file permissions to 755:
chmod 755 /usr/sbin/gwping
And
nano
/usr/sbin/gwping
Change the flowing
IP Address or domain name to ping. The script relies on the domain being pingable and always available
TESTIP=www.google.com
TESTIP=www.google.com
Ping timeout in seconds
TIMEOUT=2
TIMEOUT=2
External interfaces
EXTIF1=eth0
EXTIF2=eth1
EXTIF1=eth0
EXTIF2=eth1
IP address of external interfaces. This is not the gateway address.
IP1=172.16.0.100
IP2=10.1.0.100
IP1=172.16.0.100
IP2=10.1.0.100
Gateway IP addresses. This is the first (hop) gateway, could be your router IP
address if it has been configured as the gateway
address if it has been configured as the gateway
GW1=172.16.0.1
GW2=10.1.0.1
GW2=10.1.0.1
# Relative weights of routes.
W1=1
W2=4
W2=4
Broadband providers name; use your own names here.
NAME1=ROL
NAME2=DHIRAAGU
NAME1=ROL
NAME2=DHIRAAGU
No of repeats of success or failure before changing status of connection
SUCCESSREPEATCOUNT=4
FAILUREREPEATCOUNT=1
Add the following line to the end of /etc/rc.local file:
nohup /usr/sbin/gwping
SUCCESSREPEATCOUNT=4
FAILUREREPEATCOUNT=1
Add the following line to the end of /etc/rc.local file:
nohup /usr/sbin/gwping
How To Block IP Adresses Using iptables
Friday, September 17th, 2010
In order to block an IP on your Linux server you need to use iptables . First you need to log into shell as root privileged user. To block an IP address you need to type the iptables command as follows:
Syntax to block an IP address under Linux
iptables -A INPUT -s IP-ADDRESS -j DROP
Replace IP-ADDRESS with your actual IP address. For example, if you wish to block an ip address 87.18.19.20 for whatever reason then type the command as follows:
iptables -A INPUT -s 55.65.75.85 -j DROP
If you have IP tables firewall script, add the above rule to your script.
If you just want to block access to one port from an ip 65.55.44.100 to port 25 then type command:
iptables -A INPUT -s 55.65.75.85 -p tcp --dport 22 -j DROP
The above rule will drop all packets coming from IP 55.65.75.85 to ssh port 22 , by changing the dport (destination port) to other service ports like eg:
* Port 25 ( Mail )
* Port 3306 ( MySql)
* Port 80 (Web)
CentOS / RHEL / Fedora Block And Save It To Config File
Type the following two command:
iptables -A INPUT -s 55.65.85.95 -j DROP
iptables-save > /etc/sysconfig/iptables
Note: remember to disable selinux before saving the iptables
How Do I Unblock An IP Address?
Use the following syntax (the -d options deletes the rule from table):
iptables -D INPUT -s 55.65.85.95 -j DROP
iptables -D INPUT -s 100.200.300.400 -j DROP
iptables-save > /etc/sysconfig/iptables
Comments
Post a Comment