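#!/bin/sh
## Joe Presbrey <presbrey@mit.edu>
## Quentin Smith <quentin@mit.edu>
## Mitchell Berger <mitchb@mit.edu>
## SIPB Scripts LVS Firewall marks
##
## Installs the mangle-table MARK rules that steer traffic for the scripts
## service addresses to the LVS firewall-mark (FWM) virtual services:
##   FWM 1   primary scripts host
##   FWM 2   load-balanced Apache pool (80, 443, 444)
##   FWM 3   load-balanced SMTP pool (25)
##   FWM 4   i-hate-penguins.xvm.mit.edu (ftp / sipb.mit.edu mail, see below)
##   FWM 255 the LVS director itself (finger, 78-79)
##
## The ruleset is loaded with iptables-restore so the whole mangle table is
## replaced in one atomic commit: either every rule below is installed or
## the previous table is left untouched.  The older flush-then-append style
## left a window with no marks at all (LVS then has nothing to steer), and
## a single failing iptables call silently produced a partial ruleset.
## As before, anything else that lived in the mangle table is discarded.
## Only IPv4 is covered; an equivalent ip6tables ruleset would be needed
## if these names ever get AAAA records -- TODO confirm.

# Stop on the first error so a failed load is reported, never papered over.
set -eu

# iptables-restore lives in /sbin, which cron/init environments may omit.
PATH=/sbin:/usr/sbin:$PATH
export PATH

# Notes on the rules:
#  * MARK is a non-terminating target, so the "everything else" rules match
#    on "-m mark --mark 0" and must stay last within their group; otherwise
#    they would overwrite the mark a more specific rule just set.
#  * Only the user chain "scripts" is declared.  Built-in chains are not
#    listed so their policies are left exactly as they were (the old script
#    never touched policies either).
iptables-restore <<'EOF'
*mangle
:scripts - [0:0]

# Regular scripts hosts go through the "scripts" chain.
# scripts-vhosts.mit.edu
-A PREROUTING -d 18.181.0.46 -j scripts
# scripts.mit.edu
-A PREROUTING -d 18.181.0.43 -j scripts
# scripts-cert.mit.edu
-A PREROUTING -d 18.181.0.50 -j scripts

# Apache-bound traffic -> FWM 2 (load-balanced)
-A scripts -p tcp -m tcp -m multiport --dports 80,443,444 -j MARK --set-mark 2
# SMTP-bound traffic -> FWM 3 (load-balanced)
-A scripts -p tcp -m tcp --dport 25 -j MARK --set-mark 3
# finger-bound traffic -> FWM 255 (the LVS director itself)
-A scripts -p tcp -m tcp --dport 78:79 -j MARK --set-mark 255
# Everything still unmarked -> FWM 1 (primary)
-A scripts -m mark --mark 0 -j MARK --set-mark 1

# webzephyr.mit.edu is special: its SMTP must always go to the primary
# (FWM 1), so it bypasses the "scripts" chain and gets only the web rule.
-A PREROUTING -d 18.181.0.49 -p tcp -m tcp -m multiport --dports 80,443,444 -j MARK --set-mark 2
-A PREROUTING -d 18.181.0.49 -m mark --mark 0 -j MARK --set-mark 1

# scripts-primary.mit.edu goes to the primary (FWM 1) on all ports.
-A PREROUTING -d 18.181.0.182 -j MARK --set-mark 1

# sipb.mit.edu acts like regular scripts, except ftp goes to
# i-hate-penguins.xvm.mit.edu (FWM 4).
-A PREROUTING -d 18.181.0.29 -p tcp -m tcp -m multiport --dports 80,443,444 -j MARK --set-mark 2
# Port 25 also goes there because the IP is shared with rtfm.mit.edu
# (TODO: fix this after renaming the machine).
-A PREROUTING -d 18.181.0.29 -p tcp -m tcp -m multiport --dports 20,21,25 -j MARK --set-mark 4
# All else to the primary.
-A PREROUTING -d 18.181.0.29 -m mark --mark 0 -j MARK --set-mark 1

COMMIT
EOF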