| [210] | 1 | #!/bin/sh |
|---|
| 2 | ## Joe Presbrey <presbrey@mit.edu> |
|---|
| [1184] | 3 | ## Quentin Smith <quentin@mit.edu> |
|---|
| [1792] | 4 | ## Mitchell Berger <mitchb@mit.edu> |
|---|
| [210] | 5 | ## SIPB Scripts LVS Firewall marks |
|---|
| 6 | |
|---|
| 7 | iptables -F -t mangle |
|---|
| 8 | |
|---|
| [1184] | 9 | # Create a table for regular scripts hosts |
|---|
| 10 | iptables -t mangle -N scripts 2>/dev/null || : |
|---|
| 11 | |
|---|
| 12 | # scripts-vhosts.mit.edu |
|---|
| 13 | iptables -A PREROUTING -t mangle -d 18.181.0.46 -j scripts |
|---|
| [210] | 14 | # scripts.mit.edu |
|---|
| [1184] | 15 | iptables -A PREROUTING -t mangle -d 18.181.0.43 -j scripts |
|---|
| 16 | # scripts-cert.mit.edu |
|---|
| 17 | iptables -A PREROUTING -t mangle -d 18.181.0.50 -j scripts |
|---|
| [210] | 18 | |
|---|
| [1184] | 19 | # Send Apache-bound traffic to FWM 2 (load-balanced) |
|---|
| 20 | iptables -A scripts -t mangle -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2 |
|---|
| 21 | # Send SMTP-bound traffic to FWM 3 (load-balanced) |
|---|
| 22 | iptables -A scripts -t mangle -m tcp -p tcp --dport 25 -j MARK --set-mark 3 |
|---|
| [1199] | 23 | # Send finger-bound traffic to FWM 255 (the LVS director itself) |
|---|
| [1200] | 24 | iptables -A scripts -t mangle -m tcp -p tcp --dport 78:79 -j MARK --set-mark 255 |
|---|
| [1184] | 25 | # Send everything else to FWM 1 (primary) |
|---|
| 26 | iptables -A scripts -t mangle -m mark --mark 0 -j MARK --set-mark 1 |
|---|
| [965] | 27 | |
|---|
| [1184] | 28 | # webzephyr.mit.edu is special because its SMTP needs to always go to the primary (FWM 1) |
|---|
| 29 | iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443,444 -j MARK --set-mark 2 |
|---|
| [577] | 30 | iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.49 -j MARK --set-mark 1 |
|---|
| [1792] | 31 | |
|---|
| 32 | # scripts-primary.mit.edu goes to the primary (FWM 1) on all ports |
|---|
| 33 | iptables -A PREROUTING -t mangle -d 18.181.0.182 -j MARK --set-mark 1 |
|---|
| [2497] | 34 | |
|---|
| [2699] | 35 | # sipb.mit.edu acts like regular scripts for the web ports, everything else goes to i-hate-penguins.xvm.mit.edu (FWM 4) |
|---|
| [2497] | 36 | iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.29 --dports 80,443,444 -j MARK --set-mark 2 |
|---|
| 37 | # Also send port 25 there too because the IP is shared with rtfm.mit.edu (fix this after renaming the machine) |
|---|
| [2699] | 38 | #iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.29 --dports 20,21,25 -j MARK --set-mark 4 |
|---|
| 39 | # All else to i-hate-penguins |
|---|
| 40 | iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.29 -j MARK --set-mark 4 |
|---|
