我们刚刚实施了辅助互联网连接。它将用作纯故障转移,所以暂时我只想避免异步路由问题。
我设置了 2 个路由表:
fw1 ~ # ip route sho tabl 10 | grep default
default via 59.167.xx.xx dev eth0 src 59.167.xx.xx
fw1 ~ # ip route sho tabl 20 | grep default
default via 115.64.xx.xx dev eth0.2 src 115.64.xx.xx
表 10 是我们的主要连接,表 20 是新连接。我已经设置了根据连接标记选择路由表的规则:
fw1 ~ # ip rule sho
0: from all lookup local
32736: from all fwmark 0x14 lookup 20
32737: from all fwmark 0xa lookup 10
32766: from all lookup main
32767: from all lookup default
适当的规则也在 iptables 中设置:
fw1 ~ # iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 300K packets, 164M bytes)
pkts bytes target prot opt in out source destination
372K 201M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
371K 201M PBR all -- * * 0.0.0.0/0 0.0.0.0/0 /* this stream has no mark; send it to the PBR chain */ mark match 0x0
fw1 ~ # iptables -t mangle -nvL PBR
Chain PBR (1 references)
pkts bytes target prot opt in out source destination
10 666 MARK-gw1 all -- eth0 * 0.0.0.0/0 59.167.xx.xx/29 /* prevent asynchronous routing */ state NEW mark match 0x0
18 1128 MARK-gw2 all -- eth0.2 * 0.0.0.0/0 115.64.xx.xx/29 /* prevent asynchronous routing */ state NEW mark match 0x0
fw1 ~ # iptables -t mangle -nvL MARK-gw1
Chain MARK-gw1 (1 references)
pkts bytes target prot opt in out source destination
10 666 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* send via 59.167.xx.xx */ MARK set 0xa
10 666 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
10 666 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
fw1 ~ # iptables -t mangle -nvL MARK-gw2
Chain MARK-gw2 (1 references)
pkts bytes target prot opt in out source destination
18 1128 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* send via 115.64.xx.xx */ MARK set 0x14
18 1128 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
18 1128 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
我正在使用来自外部 VPS 的 ping 进行测试。连接跟踪表确认标记设置正确:
icmp 1 28 src=173.255.xx.xx dst=115.64.xx.xx type=8 code=0 id=29301 src=115.64.xx.xx dst=173.255.xx.xx type=0 code=0 id=29301 mark=20 secmark=0 use=2
但是 tcpdump 显示通过 eth0 而不是 eth0.2 发送的回复,即使它具有正确的源地址:
fw1 ~ # tcpdump -lnn -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:07:56.429765 IP 115.64.xx.xx > 173.255.xx.xx: ICMP echo reply, id 29301, seq 619, length 64
好吧,我不确切知道为什么我的不起作用,但我根据此 [1] 指南使用“throw default”选项重新实现了它。我知道我不应该链接到外部网站作为答案,但很抱歉,复制和粘贴到这里太长了。
[1] http://www.cyber.com.au/~twb/doc/dual-uplink.txt