Policy-Based Routing Using Software Firewalls?
Bios_Hakr asks: "My local computer group meets for monthly LAN parties. The location that hosts the parties also has a small internet cafe. After the cafe closes, they allow us to connect to their T-1 line. They supply us with a single IP address which we NAT/(PAT?) via a Linksys DSL router. We also have a second T-1 supplied by one of the more gracious members of our group. He agreed to supply this T-1 after experiencing abysmal ping rates with 30 people sharing the bandwidth. Herein lies the quandary: How can we implement Policy-Based routing for our LAN? I'd like all HTTP and FTP to be directed out one line while popular gaming ports are directed over the second line. All file-sharing traffic should be killed. I know how to do this via Cisco IOS and policy-route-mapping, but I'm at a loss when it comes to doing it via software firewall solutions. We have several Linux-familiar people in the group and lots of Windows geeks; but the solution should be simple and require zero brainpower to set up after the initial implementation. How would you split your LAN traffic across two T-1 lines?"
shorewall + traffic shaping (Score:3, Informative)
Best path routing (Score:1)
Re:Best path routing (Score:1)
Isn't going to happen due to the cost, and the ISP will not be amused that you flap your BGP session up and down every day, if not more often.
openbsd (Score:1)
it's magical. it "just works"
lots of good examples in the man pages too
throw it on a soekris and toss the linksys =)
Documentation for Policy Routing in linux (Score:5, Informative)
Please visit http://linux-ip.net [linux-ip.net] and more specifically for your problem: http://linux-ip.net/html/ch-advanced-routing.html [linux-ip.net]
That should get you started. It's by no means simple, but my understanding is that once you get it up, it works.
Easy (Score:4, Informative)
iproute2
iptables & Patch-o-matic
netfilter CONNMARK extension
You have the matching power of iptables to implement any sort of policy routing that you could ever dream of!
Re:Easy (Score:2)
OpenBSD with pf and altq (Score:5, Informative)
OpenBSD comes out of the box with a great firewall (that will also handle your NAT). The firewall can easily handle packet queueing and prioritization. Tell the firewall how much bandwidth you have to work with, set your host up with priority over your traffic, even break it down by protocol if you want.
Re:OpenBSD with pf and altq (Score:2)
Click here ... (Score:2)
IPTables and QoS (Score:5, Informative)
Basically, you'd be looking at doing the following things. Multiple outbound providers, [linux-ip.net] which will need another routing table built for the second link. Then you'll need to dive into QoS [lartc.org] to split up your traffic into your definitions of bulk (HTTP, FTP), priority (Gaming), and drop (P2P). I notice that you have no default set up, but I leave that up to you. Finally, you can use iptables to mark and NAT your traffic out the right interface.
Under Windows, you would need some advanced routing software I think. ISA may do it, but I doubt your budget allows it. By default, Windows does have the ability to enforce QoS terms, but you'd need something to apply those QoS marks (I doubt that games commonly mark their packets with ToS)...which means a bridge in front of the Windows router. Might as well use a Linux router instead.
If anybody knows of a way to get a Windows box to route based on ports, I'd love to hear it.
Oh, and a simple solution for the exact problem you describe (which I don't think is what you really want) would be a proxy for the HTTP and FTP link, and a router for the other link. All HTTP and FTP requests would be sent out the proxy, everything else would go the default route (to the router) which could be configured to drop P2P and route everything else. Optionally, you could do QoS on the router to prioritize certain traffic. If you go that route, I'm fond of AnalogX [analogx.com] Proxy (for Windows) because it's free and simple. Of course, that does require client configuration....unless you use Transparent Proxying [tldp.org].
Re:IPTables and QoS (Score:1)
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to $FIRST_T1
iptables -t nat -A POSTROUTING -p udp --dport 27015 -j SNAT --to $SECOND_T1
IIRC this will route all web traffic to the first T1 and all halflife traffic to the second T1, or did I miss something?
Re:IPTables and QoS (Score:2)
To be specific, you're looking at doing policy based routing. Normally, routing is only done based on destination network. But, in this case, we want to route based on destination ports (or ToS if these games happen to classify their packets with it). iproute2 can
Re:IPTables and QoS (Score:2, Informative)
Do you mean using Internet connection sharing?
If you click on the properties of the network connection you are sharing you can route ports (individual ones only unfortunately) to specific IPs on your LAN, or even their computer name.
I've used it, it works, the only problem is when you have port ranges greater than...oh say 2 that you want to forward, then it's a bitch to do them all manually.
I've got emails an
Re:IPTables and QoS (Score:2)
I was talking more along the lines of the OP question, which is routing eg. destination port 80 one way and all others another.
Re:IPTables and QoS (Score:1)
Re:Why not just go with simplicity? (Score:2)
If I understand you correctly, then you're talking about simply adding static routes for the gaming servers to the routing table. That would work if the IP addresses of the gaming servers are known in advance.
I kind of misspoke when
A couple of options (Score:5, Informative)
The first thing I would try would be to set up one of your lines with 'tc' and bandwidth shape the line with CBQ and SFQ. CBQ will let you set the outbound "rate" for the line, and SFQ will enforce "fairness" between different "connections". This should keep ftp uploads from swamping upstream traffic and pushing your ping times through the sky. You can do some similar things with 'tc' ingress policies to shape the incoming traffic, but this is less effective.
If you still want to try two lines, here is the basic setup.
You need a Linux box that has three network interfaces. One for each of your T-1s, and one for your local LAN. The Linux box's IP address is the default gateway for everyone on your local LAN.
You set up a firewall on the Linux box with something like:
LAN on eth0
T1 on eth1
T1 on eth2
# mark HTTP coming in from the LAN (mangle table, needs -p tcp for --dport and -m state for --state)
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j MARK --set-mark 1
# NAT on both uplinks (MASQUERADE lives in the nat table's POSTROUTING chain)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
# marked packets consult table 10; everything else falls through to the main table
ip rule add fwmark 1 table 10
ip route add default via IP_ADDRESS_OF_T1#1 dev eth1
ip route add default via IP_ADDRESS_OF_T1#2 dev eth2 table 10
This is far from complete (and I haven't tested it), but it should set "fwmark" to 1 for HTTP traffic. The router table should then take traffic with FWMARK set to 1 and use routing table 10 instead of the default table, which can have a different default route. In that both eth1 and eth2 are MASQed, both will NAT.
You will need a lot more here to be fully functional. You need to completely filter the traffic you don't want, and probably classify a bunch more stuff along the way.
Good luck.
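The shaping half of the advice above (CBQ to cap the outbound rate, SFQ for per-flow fairness, an ingress policer for the less effective inbound side), written out as one complete script. This is an added example, not the poster's configuration: the interface name eth1, the 1544kbit line rate, the 1400kbit shaping rate and the run() wrapper are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: shape one T-1 uplink with CBQ (rate cap) + SFQ (per-flow fairness),
# plus an ingress policer. Interface and rates are assumptions, not values from the thread.

UPLINK=eth1            # assumed: the interface facing the T-1
LINE_RATE=1544kbit     # assumed physical T-1 rate
SHAPE_RATE=1400kbit    # cap a little below line rate so the queue builds here, not in the CSU/DSU

# Every tc command goes through run(): printed as a plan by default, executed when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Strip a trailing "kbit" so the two rates can be compared as integers.
kbit() { echo "${1%kbit}"; }

# Sanity check: shaping only works if the cap is below what the line can actually carry.
check_rates() { [ "$(kbit "$SHAPE_RATE")" -lt "$(kbit "$LINE_RATE")" ]; }

# Outbound: root CBQ qdisc, one bounded class at SHAPE_RATE, SFQ inside that class.
shape_outbound() {
    # 'bandwidth' tells CBQ the physical link speed it uses for its idle-time math.
    run tc qdisc add dev "$UPLINK" root handle 1: cbq avpkt 1000 bandwidth "$LINE_RATE"
    # 'bounded' means the class may never borrow above its rate: this is the hard cap.
    run tc class add dev "$UPLINK" parent 1: classid 1:1 cbq rate "$SHAPE_RATE" \
        allot 1500 prio 5 bounded isolated
    # SFQ round-robins between flows, so one FTP upload cannot monopolise the queue.
    run tc qdisc add dev "$UPLINK" parent 1:1 handle 10: sfq perturb 10
    # Steer every IP packet into class 1:1.
    run tc filter add dev "$UPLINK" parent 1: protocol ip prio 16 u32 \
        match ip dst 0.0.0.0/0 flowid 1:1
}

# Inbound: an ingress policer that drops packets above SHAPE_RATE. Less effective, as the
# post says, because the dropped packets have already crossed the T-1.
police_inbound() {
    run tc qdisc add dev "$UPLINK" handle ffff: ingress
    run tc filter add dev "$UPLINK" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$SHAPE_RATE" burst 10k drop flowid :1
}

plan() {
    check_rates || { echo "SHAPE_RATE must be below LINE_RATE" >&2; return 1; }
    shape_outbound
    police_inbound
}

case "${1:-plan}" in
    apply) APPLY=1; plan ;;   # run as root on the gateway
    *)     plan ;;            # default: just print the tc commands
esac
```

Run it with no arguments to see the exact tc commands it would issue, and with `apply` as root to install them. CBQ has since been removed from recent Linux kernels; on a current system HTB with an sfq or fq_codel leaf does the same job with the same class/filter layout.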
my rc.iprules script (Score:5, Informative)
http://hibernia.jakma.org/~paul/rc.iprules [jakma.org]
For a script that does something similar to what you want, policy routing to route based on source IP. It should be easy enough to add an additional 'firewall mark' field to the table and policy route based on that (i'm on holiday, otherwise i might have done that for you). The listed "intranets" will use the main table.
Basically, all you need is:
1. create a table for each policy (edit
2. use iptables to add arbitrary 'fwmarks' to incoming packets based on whatever criteria you have
3. use the 'ip rule' command to direct routing for packets with specific fwmarks to specific routing tables.
4. direct other traffic to the default 'main' table.
Finally, see the Linux Advanced Routing & Traffic Control [lartc.org] site for further information.
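The four steps above, together with the filtering and two-uplink NAT that the "A couple of options" post sketches, as one complete script. This is an added example, not rc.iprules or any other poster's code: the interface names eth0/eth1/eth2, the RFC 5737 gateway addresses, the LAN prefix 192.168.0.0/24, table 10, mark 1, and the UDP 27015:27020 (game) and TCP 6881:6889 (file-sharing) port ranges are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: policy routing on a Linux gateway with three NICs, following the
# four steps in the post above. Interface names, addresses, table/mark numbers and
# port ranges are assumptions chosen for illustration, not values from the page.

LAN_IF=eth0
LAN_NET=192.168.0.0/24               # constructed LAN prefix
WEB_IF=eth1;  WEB_GW=192.0.2.1       # T-1 #1 (constructed address): HTTP, FTP and all unmarked traffic
GAME_IF=eth2; GAME_GW=198.51.100.1   # T-1 #2 (constructed address): game traffic
GAME_TABLE=10                        # assumed table number; a name in /etc/iproute2/rt_tables is optional
GAME_MARK=1                          # fwmark that selects GAME_TABLE
GAME_UDP_PORTS="27015:27020"         # assumed game server port range
P2P_TCP_PORTS="6881:6889"            # assumed file-sharing port range to drop

# Every command goes through run(): printed as a plan by default, executed when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Step 1: a second routing table whose only job is to send traffic out the second T-1.
# 'replace' keeps the script idempotent if a default route already exists.
routing_tables() {
    run ip route replace default via "$WEB_GW" dev "$WEB_IF"                           # main table: T-1 #1
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$GAME_TABLE"                  # LAN stays reachable from table 10
    run ip route replace default via "$GAME_GW" dev "$GAME_IF" table "$GAME_TABLE"     # table 10: T-1 #2
}

# Step 2: mark packets in the mangle table. Only packets arriving from the LAN and
# leaving the LAN are marked, so LAN-to-LAN traffic is never policy-routed.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -d "$LAN_NET" \
        -p udp --dport "$GAME_UDP_PORTS" -j MARK --set-mark "$GAME_MARK"
}

# Step 3: fwmark -> table. Step 4 needs no command: the built-in lowest-priority rule
# already sends every unmarked packet to the 'main' table.
policy_rules() {
    run ip rule add fwmark "$GAME_MARK" table "$GAME_TABLE"
    run ip route flush cache
}

# Kill file-sharing in FORWARD before it is routed anywhere, then NAT on both uplinks.
filter_and_nat() {
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport "$P2P_TCP_PORTS" -j DROP
    run iptables -t nat -A POSTROUTING -o "$WEB_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$GAME_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

plan() { routing_tables; mark_rules; policy_rules; filter_and_nat; }

case "${1:-plan}" in
    apply) APPLY=1; plan ;;   # run as root on the gateway
    *)     plan ;;            # default: just print the commands
esac
```

Without arguments the script prints the commands it would run; `apply` as root installs them. FTP needs no special handling here: with the FTP conntrack helper loaded, data connections are RELATED to the control connection, pass FORWARD, and, being unmarked, follow the main table out the same T-1 as the control channel. The port-based DROP only catches clients on their default ports; the CONNMARK extension mentioned in the "Easy" post is the usual way to carry a classification decision across a whole connection rather than matching each packet by port.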
iptables on the linksys (Score:2)
and you can replace the system image
(tutorials exist for linksys routers)
then you can easily write a shell script
to select the outgoing connection by
destination port using a couple of iptable commands. No additional hardware is required.
Re:iptables on the linksys (Score:2)
Also, the switches on those linksys boxes I'm sure aren't managed, so you'd not be able to use them to load-balance t1's like that very easily.
Best to use a pc with 3 NICS in it.
Sveasoft (Score:2)
Simple solution (Score:1)
A lot of people got down to the nitty gritty technical details, but as I understand you want something simple that just works. Well, I use a Linux Firewall distro to do the routing in combination with a small script to configure the QoS.
Try Clarkconnect [clarkconnect.org] in combination with Wondershaper [lartc.org]. Wondershaper uses some basic input parameter to configure the kernel to traffic prioritization. I found it
Re:Simple perl script will do it (Score:1, Offtopic)
HTTP and FTP only? Proxy it. (Score:1, Insightful)
Squid doesn't help for raw FTP, but you can still use it as a FTP proxy if you access it through a web browser. You could also do some masquerading and route mangling to s
Linux Advanced Routing and Traffic Control (Score:3, Informative)
Linux Advanced Routing and Traffic Control [lartc.org]
I know this stuff is dense, but I happen to think it's stuff that any serious Linux admin should know about eventually, so I spread the word. If you want some pointers on where to start, send me an IM. I'll be at work all day today more-or-less.
Since you asked... (Score:1)
Very happily!
linux (Score:2)
# HTTP gets mark 0x05
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x05
# everything still unmarked gets 0x06 (without -m mark --mark 0 this rule would overwrite the 0x05 above)
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 0x06
Then, make sure you have used iproute to select the routing table you use based on the fwmark (requires entries in
echo 100 tone >>
echo 200 ttwo >>
ip route add $router1 dev eth1 src $eth1_ip
check out zebra (Score:3, Informative)
GNU Zebra [zebra.org] is a Cisco IOS clone [linuxforum.com] for Linux. I think it's what you're looking for.
Re:check out zebra (Score:2)