Use Linux to implement Internet redundancy

Source: Internet
Author: User
As ISPs began to offer high-speed Internet connections, it became easy for small businesses and individual computer users to run their own Web, FTP, or mail servers. But what happens when the ISP has an outage? One of the most common solutions is to add a redundant connection through a second ISP. This article describes how to use a Linux host to provide redundant Internet connectivity, covering the following:
  
1. Configuring the host so that it can handle inbound traffic from multiple ISPs.
2. Load balancing of outbound network connections.
3. Configuring the various services for redundancy.
4. Configuring the firewall with ipchains or iptables.
  
The figure below shows the structure of a small-business or home network. The Linux host acts as the firewall between the Internet and the internal LAN. In this example, network adapter eth1 is connected to the DSL line and network adapter eth2 to the cable modem. The Linux host load-balances across the two ISP connections. The method is not limited to high-speed links: the same technique can be used to load-balance two dial-up connections.

   [Figure: Linux host with redundant Internet connection]

The test host used an Intel Celeron 533 MHz CPU, Red Hat 6.2, and a 2.2.18 kernel. The method described here was also tested on Red Hat 7.2 with kernel 2.4.13. In practice a 533 MHz CPU is not required; for this example an old Pentium 100 with 32 MB of memory is sufficient as a firewall. And although some examples are specific to Red Hat, they can be used on other Linux distributions with only slight modification.
  
This article does not cover NIC configuration, Linux kernel compilation, or DNS configuration, because a great deal of information on these topics is already available on the Internet and in bookstores. Readers can also find relevant documentation at http://www.linuxdoc.org.
  
   1. Configure the kernel
Linux kernel 2.2 and later support advanced routing, which allows a Linux host to load-balance traffic and to have multiple default routes. To support multiple Internet connections, enable the following kernel networking options when compiling:
  
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
  
To use the advanced routing features of the new kernel, you must also install the IP routing toolkit (iproute2), which is included in Red Hat 7.1 and later. If you do not have it, download it from:
  
ftp://ftp.inr.ac.ru/ip-routing/
  
The IP routing toolkit provides two commands dedicated to advanced routing: ip and tc. The reference manual for the ip command is available at http://snfu.freedom.org/linux2.2/docs/ip-cref/ip-cref.html.
  
   2. Source IP address routing
By default, routing is based on the destination IP address: the kernel looks up the packet's destination in the routing table (which you can view with netstat -r). If a matching route is found, the packet is sent out the corresponding NIC; otherwise it is sent to the default gateway. For most hosts connected directly to the Internet, the default gateway is the ISP. In this example, that means all outbound traffic would leave through the DSL interface, which is not what a redundant Internet connection is meant to do. Clearly, once you add a cable modem to the system, you do not want replies to connections that arrived over the cable modem to leave over the DSL link.
  
To solve this problem, use the ip command to create multiple routing tables and select among them by the source IP address of the outbound packet. This is done with the following commands:
  
# Setup source IP routing rules for DSL
ip rule add from 63.89.102.157 lookup 1
ip route add 10.0.0.0/24 via 10.0.0.1 table 1
ip route add 0/0 via 63.89.102.1 table 1

# Setup source IP routing rules for cable modem
ip rule add from 65.3.17.20 lookup 2
ip route add 10.0.0.0/24 via 10.0.0.1 table 2
ip route add 0/0 via 65.3.17.1 table 2
  
If the source IP address of an outbound packet is 63.89.102.157 (the DSL address), routing table 1 is selected. It contains two routes:
  
> ip route list table 1
10.0.0.0/24 via 10.0.0.1 dev eth0
default via 63.89.102.1 dev eth1
  
The first route sends local traffic to the internal LAN; the second catches all remaining packets and sends them to the ISP through the DSL interface. Routing table 2, for the cable modem, works the same way.
  
   3. Load balancing
The CONFIG_IP_ROUTE_MULTIPATH kernel option balances the outbound load from the internal network by allowing the system to have multiple default gateways. Remove the default gateway from the /etc/sysconfig/network file, and instead set the default route with the advanced routing tools using the following command:
  
# ip route add default equalize \
    nexthop via 63.89.102.1 dev eth1 \
    nexthop via 65.3.17.1 dev eth2
  
To view the advanced route table, run the following command:
  
> ip route list
10.0.0.255 dev eth0 scope link
65.3.17.255 dev eth2 scope link
63.89.102.255 dev eth1 scope link
10.0.0.1 dev eth0 scope link
63.89.102.157 dev eth1 scope link
65.3.17.20 dev eth2 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
63.89.102.0/24 dev eth1 proto kernel scope link src 63.89.102.157
65.3.17.0/24 dev eth2 proto kernel scope link src 65.3.17.20
127.0.0.0/8 dev lo scope link
default equalize
        nexthop via 63.89.102.1 dev eth1 weight 1
        nexthop via 65.3.17.1 dev eth2 weight 1
  
The CONFIG_IP_ROUTE_MULTIPATH kernel option treats all of these paths (default routes) as equivalent; the selection algorithm is described in /usr/src/linux/Documentation/Configure.help. The equalize option of the ip route command makes the kernel balance outbound connections per IP address: for a given destination address the kernel picks an interface for the outgoing packet and creates an entry for that address in the routing cache, so later packets to the same address use the same interface until the entry is removed from the cache. The routing cache can be viewed with ip route list cache.
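To make the two-step decision of sections 2 and 3 concrete (a "from" rule picks the table, the table is searched longest-prefix first, and the equalize default pins one nexthop per destination in the route cache), here is a small Python model. It is an added example, not code from the article; the addresses are the article's, and the hash-based nexthop choice is an assumption standing in for the kernel's own random selection.

```python
# Added example (not from the article): a model of the policy-routing decision
# the article configures. Addresses are the article's; the hash-based nexthop
# choice is a stand-in for the kernel's random multipath selection.
import ipaddress
from hashlib import sha256

# Route tables as the article builds them: (prefix, candidate egress devices).
TABLES = {
    1: [("10.0.0.0/24", ["eth0"]), ("0.0.0.0/0", ["eth1"])],     # table 1: DSL
    2: [("10.0.0.0/24", ["eth0"]), ("0.0.0.0/0", ["eth2"])],     # table 2: cable
    "main": [("10.0.0.0/24", ["eth0"]), ("63.89.102.0/24", ["eth1"]),
             ("65.3.17.0/24", ["eth2"]), ("0.0.0.0/0", ["eth1", "eth2"])],
}
# "ip rule add from <src> lookup <table>"; anything else falls through to main.
RULES = [("63.89.102.157", 1), ("65.3.17.20", 2)]
ROUTE_CACHE = {}  # destination -> egress device chosen for the multipath default

def select_table(src):
    """Policy routing step: first matching 'from' rule wins, else the main table."""
    for rule_src, table in RULES:
        if ipaddress.ip_address(src) == ipaddress.ip_address(rule_src):
            return table
    return "main"

def egress(src, dst):
    """Return the interface a packet src -> dst leaves on."""
    dst_ip = ipaddress.ip_address(dst)
    table = TABLES[select_table(src)]
    matches = [r for r in table if dst_ip in ipaddress.ip_network(r[0])]
    _prefix, devs = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    if len(devs) == 1:
        return devs[0]
    # equalize: choose once per destination, reuse until the cache entry expires
    if dst not in ROUTE_CACHE:
        ROUTE_CACHE[dst] = devs[int(sha256(dst.encode()).hexdigest(), 16) % len(devs)]
    return ROUTE_CACHE[dst]

def spread(dsts, src="10.0.0.5"):
    """Count how many destinations each ISP link gets for new LAN-originated flows."""
    counts = {}
    for d in dsts:
        dev = egress(src, d)
        counts[dev] = counts.get(dev, 0) + 1
    return counts

if __name__ == "__main__":
    # A reply sourced from the cable address must leave via eth2, never via DSL.
    print(egress("65.3.17.20", "198.51.100.7"), egress("63.89.102.157", "198.51.100.7"))
    print(spread(["203.0.113.%d" % i for i in range(1, 21)]))
```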
  
   4. Configure the services
Services such as DNS, SMTP, HTTP, LDAP, and SSH can be made redundant with round-robin DNS. Reduce the TTL (time to live) of each DNS record so that remote systems cache the address information for only 30 minutes; inbound traffic is then spread across the two IP addresses. For incoming SMTP, add two MX records to the DNS so that if one interface goes down, mail is delivered through the other.
  
You can use the following dig command to check your DNS configuration:
  
> dig alphapager.org any

; <<>> DiG 8.2 <<>> alphapager.org any
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;;      alphapager.org, type = ANY, class = IN

;; ANSWER SECTION:
alphapager.org.         30M IN A        63.89.102.157
alphapager.org.         30M IN A        65.3.17.htm
alphapager.org.         30M IN NS       ns.alphapager.org.
alphapager.org.         30M IN NS       ns.herdejurgen.com.
alphapager.org.         30M IN SOA      proxy.alphapager.org. root.proxy.alphapager.org. (
                                        2001031000      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        30M )           ; minimum

alphapager.org.         30M IN MX       10 ns.herdejurgen.com.
alphapager.org.         30M IN MX       10 ns.alphapager.org.

;; ADDITIONAL SECTION:
ns.alphapager.org.      30M IN A        63.89.102.157
ns.herdejurgen.com.     30M IN A        65.3.17.htm

;; Total query time: 98 msec
;; FROM: pandora to SERVER: default -- 192.168.100.1
;; WHEN: Sat Mar 10 22:15:22 2001
;; MSG SIZE  sent: 32  rcvd: 326
  
All DNS records (except ns.alphapager.org and ns.herdejurgen.com) now resolve to both IP addresses. For example:
  
> nslookup seann.herdejurgen.com
Server:  proxy-in.alphapager.org
Address:  10.0.0.1

Name:    seann.herdejurgen.com
Addresses:  65.3.17.133, 63.89.102.157
  
For Apache, add the following lines to httpd.conf so that name-based virtual hosts answer on both addresses:

NameVirtualHost 63.89.102.157:80
NameVirtualHost 65.3.17.20:80

Inbound LDAP and SSH traffic is distributed by round-robin DNS and requires no special configuration.
  
   5. Startup scripts
To support this network configuration, a few changes to the startup scripts are needed. The script shown here is Red Hat's, but it is easy to adapt to other Linux distributions. The ip rule commands only need to be run once after the system boots. Add the following lines to the /etc/rc.d/init.d/network script to achieve this:
  
# Add non interface-specific static-rules
if [ -f /etc/sysconfig/static-rules ]; then
    sh /etc/sysconfig/static-rules
fi

The /etc/sysconfig/static-rules file contains:

# Setup source IP routing rules
ip rule add from 63.89.102.157 lookup 1
ip rule add from 65.3.17.20 lookup 2

# Setup load balancing (nexthops as in section 3)
ip route add default equalize \
    nexthop via 63.89.102.1 dev eth1 \
    nexthop via 65.3.17.1 dev eth2