LVS-NAT
Install the package: ipvsadm
Files installed by the package:
Unit file: ipvsadm.service
Main program: /usr/sbin/ipvsadm
Rule save tool: /usr/sbin/ipvsadm-save
Rule reload tool: /usr/sbin/ipvsadm-restore
Configuration file: /etc/sysconfig/ipvsadm-config
Basic commands:
Add a virtual service:
ipvsadm -A -t|u|f service-address [-s scheduler] [-p timeout]
Example:
ipvsadm -A -t 172.20.23.32:80 -s rr
Edit a virtual service:
ipvsadm -E -t|u|f service-address [-s scheduler] [-p timeout]
Delete a virtual service:
ipvsadm -D -t|u|f service-address
service-address format:
-t: TCP service, VIP:TCP_PORT
-u: UDP service, VIP:UDP_PORT
-f: firewall-mark service, a single mark value
Manage the real servers (RS) of a cluster service:
ipvsadm -a|e -t|u|f [cluster service IP:port] -r [real server] [-g|i|m] [-w weight]
Example:
ipvsadm -a -t 172.20.23.32:80 -r 192.168.23.33 -m
ipvsadm -a -t 172.20.23.32:80 -r 192.168.23.34 -m
LVS forwarding type:
-g: gateway, DR mode (the default)
-i: ipip, TUN mode
-m: masquerade, NAT mode
Real server address (-r) format:
RIP:port; if the port is omitted, no port mapping is done
-w [n]: weight
Clear all defined rules: ipvsadm -C
Reset the counters: ipvsadm -Z [-t|u|f service-address]
List the rules: ipvsadm -L|l [options]
--numeric, -n: print addresses and ports numerically
--exact: print exact (unrounded) counter values
--connection, -c: list the current IPVS connections
--stats: statistics
--rate: rate information
NAT mode in practice:
Notes:
1 When building a cluster, the first rule is that the clocks of all cluster nodes must be kept in sync!
2 NAT mode requires IP forwarding to be enabled on the director:
Enable it immediately (lost on reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward
Make it permanent:
Edit the configuration file:
/etc/sysctl.conf
net.ipv4.ip_forward=1
Environment:
Client host: 172.20.23.20
LVS server (director):
VIP -- 172.20.23.34
DIP -- 192.168.23.34
Backend servers: apache
RS1 -- 192.168.23.36
RS2 -- 192.168.23.37
Configure the LVS rules:
# cat /proc/sys/net/ipv4/ip_forward
1
# ipvsadm -A -t 172.20.23.34:80 -s rr
# ipvsadm -a -t 172.20.23.34:80 -r 192.168.23.36 -m
# ipvsadm -a -t 172.20.23.34:80 -r 192.168.23.37 -m
# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.23.20:80 rr
  -> 192.168.23.36:80             Masq    1      0          0
  -> 192.168.23.37:80             Masq    1      0          0
Point the backend servers' default gateway at the LVS server (its DIP):
route add default gw 192.168.23.34
Client test:
The client's gateway points at the LVS server! In practice a router will sit in between; then just point the gateway at the nearest router interface.
Test result:
# for i in {1..1000};do curl 172.20.23.34; sleep 1 ; done
hello linux
hello world
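The listing above can be verified instead of eyeballed. The following shell script is an added example, not part of the original post: it parses `ipvsadm -Ln` output (a constructed copy of the listing, using the VIP from the configuration commands, is embedded so it runs offline), checks that the service uses the expected scheduler and that every real server is attached with the Masq (NAT) forwarding method, and checks the ip_forward setting, without which the director never translates the return traffic. The function names (`ip_forward_enabled`, `scheduler_for`, `rs_field`, `check_nat_rs`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify an LVS-NAT director's
# state after configuration. Works offline on the constructed sample below;
# on a real director pass "$(ipvsadm -Ln)" instead.

# Constructed sample of `ipvsadm -Ln` output for the service built above.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.23.34:80 rr
  -> 192.168.23.36:80             Masq    1      0          0
  -> 192.168.23.37:80             Masq    1      0          0'

# ip_forward_enabled FILE: true when FILE (normally
# /proc/sys/net/ipv4/ip_forward) contains "1".
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# scheduler_for LISTING VIP:PORT: print the scheduler of a TCP service.
scheduler_for() {
    printf '%s\n' "$1" | awk -v svc="$2" '$1 == "TCP" && $2 == svc { print $3; exit }'
}

# rs_field LISTING VIP:PORT RIP Forward|Weight: print one column for the real
# server RIP under the given service. awk remembers which service block it is
# in, and matches "RIP:" so that 192.168.23.3 cannot match 192.168.23.36.
rs_field() {
    printf '%s\n' "$1" | awk -v svc="$2" -v rip="$3" -v field="$4" '
        $1 == "TCP" || $1 == "UDP" { cur = $2; next }
        $1 == "->" && cur == svc && index($2, rip ":") == 1 {
            if (field == "Forward") print $3
            else if (field == "Weight") print $4
            exit
        }'
}

# check_nat_rs LISTING VIP:PORT RIP...: true when every RIP is attached to the
# service with the Masq forwarding method; anything else is reported on stderr.
check_nat_rs() {
    listing=$1; svc=$2; shift 2
    rc=0
    for rip in "$@"; do
        fwd=$(rs_field "$listing" "$svc" "$rip" Forward)
        if [ "$fwd" != "Masq" ]; then
            echo "WARN: $rip is not a Masq real server of $svc (found: ${fwd:-none})" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the director (needs root and ipvsadm):
#   ip_forward_enabled /proc/sys/net/ipv4/ip_forward || echo "ip_forward is off" >&2
#   check_nat_rs "$(ipvsadm -Ln)" 172.20.23.34:80 192.168.23.36 192.168.23.37
```

A real server that shows up as Route or Tunnel instead of Masq was added without `-m`; in NAT mode its replies would leave with the RIP as source and be dropped by the client, which is why the check treats any forwarding method other than Masq as a failure.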
Change the scheduler to apply weights:
# ipvsadm -E -t 172.20.23.34:80 -s wrr
# ipvsadm -e -t 172.20.23.34:80 -r 192.168.23.37 -m -w 3
# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.23.34:80 wrr
  -> 192.168.23.36:80             Masq    1      0          0
  -> 192.168.23.37:80
Client test:
# for i in {1..1000};do curl 172.20.23.34; sleep 1 ; done
hello linux
hello world
hello world
hello world
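Whether wrr really delivers the 1:3 split is easy to measure from the client side. The script below is an added example (mine, not the post's): it tallies the bodies returned by the curl loop and compares each real server's observed share with the share its weight predicts, flagging a server that gets more or fewer requests than configured. The response lines are constructed; `probe_vip` shows how to collect real ones, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: compare the observed response
# split of the curl loop with the wrr weights (RS1 weight 1, RS2 weight 3).
# Each real server answers with a distinct body ("hello linux" / "hello world").

# Constructed sample: eight responses, as wrr 1:3 would return them.
SAMPLE_RESPONSES='hello linux
hello world
hello world
hello world
hello linux
hello world
hello world
hello world'

# probe_vip URL COUNT: collect COUNT response bodies from the VIP, one per
# line (not run here; use it on the client to build real input).
probe_vip() {
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -s "$1"
        i=$((i + 1))
    done
}

# count_body RESPONSES BODY: number of responses whose body equals BODY.
count_body() {
    printf '%s\n' "$1" | grep -c -x -F -- "$2"
}

# observed_pct RESPONSES BODY: integer percentage of responses equal to BODY.
observed_pct() {
    total=$(printf '%s\n' "$1" | grep -c .)
    hits=$(count_body "$1" "$2")
    echo $((hits * 100 / total))
}

# expected_pct WEIGHT TOTAL_WEIGHT: integer share wrr should give that weight.
expected_pct() {
    echo $(($1 * 100 / $2))
}

# weight_check RESPONSES BODY WEIGHT TOTAL_WEIGHT TOLERANCE: true when the
# observed share is within TOLERANCE percentage points of the expected share.
weight_check() {
    obs=$(observed_pct "$1" "$2")
    exp=$(expected_pct "$3" "$4")
    delta=$((obs - exp))
    if [ "$delta" -lt 0 ]; then delta=$((-delta)); fi
    if [ "$delta" -gt "$5" ]; then
        echo "WARN: '$2' got ${obs}% of requests, expected ${exp}% (weight $3 of $4)" >&2
        return 1
    fi
    return 0
}

# Usage on the client:
#   R=$(probe_vip http://172.20.23.34 200)
#   weight_check "$R" "hello world" 3 4 5   # RS2, weight 3 of 4, 5 points tolerance
#   weight_check "$R" "hello linux" 1 4 5   # RS1, weight 1 of 4
```

Use a request count that is a multiple of the total weight (here 4) so the expected share is exact; with sh (source hashing) the same script should report 100% for one server from a single client, which is a quick way to confirm persistence is in effect.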
Scheduling an HTTPS cluster:
LVS server configuration:
# ipvsadm -A -t 172.20.23.34:443 -s rr
# ipvsadm -a -t 172.20.23.34:443 -r 192.168.23.36 -m
# ipvsadm -a -t 172.20.23.34:443 -r 192.168.23.37 -m
# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.23.34:80 wrr
  -> 192.168.23.36:80             Masq    1      0          0
  -> 192.168.23.37:80             Masq    3      0          0
TCP  172.20.23.34:443 rr
  -> 192.168.23.36:443            Masq    1      0          0
  -> 192.168.23.37:443
Test:
# for i in {1..1000};do curl -k https://172.20.23.34:443; sleep 1 ; done
hello linux
hello world
-k: skip certificate verification
Notes:
1 No certificate was requested here because this is only a test; in production the backend servers must be configured with TLS certificates, since LVS forwards at layer 4 and the TLS session is terminated on the real servers, not on the director.
Session persistence by source IP: sh (source hashing)
# ipvsadm -A -t 172.20.23.34:80 -s sh
# ipvsadm -a -t 172.20.23.34:80 -r 192.168.23.36 -m
# ipvsadm -a -t 172.20.23.34:80 -r 192.168.23.37 -m
# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.23.34:80 sh
  -> 192.168.23.36:80             Masq    1      0          0
  -> 192.168.23.37:80             Masq    1      0          0
Client test:
# for i in {1..1000};do curl http://172.20.23.34; sleep 1 ; done
hello world
hello world
Deleting and saving rules:
Delete an LVS service:
ipvsadm -D -t 172.20.23.32:443
Clear and save:
Save the rules:
ipvsadm-save -n > LVS.backup
Clear the rules:
ipvsadm -C
Restore the rules:
ipvsadm-restore < LVS.backup
Dedicated save file, read by the ipvsadm service unit when it starts:
/etc/sysconfig/ipvsadm
Save the rules into this file by hand with ipvsadm-save!
After that, systemctl start ipvsadm loads the LVS rules from this file at the next start.
Enable the service at boot:
# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.
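Because the unit restores whatever is in /etc/sysconfig/ipvsadm, a rule changed at runtime and never saved is silently lost at the next restart, and an edited file is loaded just as silently. The script below is an added example (not from the post): it normalises rule sets in the format `ipvsadm-save -n` prints, reports drift between the running rules and the saved file, and writes the file atomically with root-only permissions. The two rule sets are constructed samples; `normalize_rules`, `rules_drift`, `rules_match` and `save_rules` are my own names.

```shell
#!/bin/sh
# Added example, not from the original post: detect drift between the running
# IPVS rules and the file the ipvsadm unit restores at boot.

# Constructed samples in `ipvsadm-save -n` format. The running set has RS2 at
# weight 3 (changed with `ipvsadm -e ... -w 3`); the saved file still says 1.
RUNNING_RULES='-A -t 172.20.23.34:80 -s wrr
-a -t 172.20.23.34:80 -r 192.168.23.36:80 -m -w 1
-a -t 172.20.23.34:80 -r 192.168.23.37:80 -m -w 3'

SAVED_RULES='# saved by hand
-A -t 172.20.23.34:80 -s wrr
-a -t 172.20.23.34:80 -r 192.168.23.36:80 -m -w 1
-a -t 172.20.23.34:80 -r 192.168.23.37:80 -m -w 1
'

# normalize_rules RULES: drop comments and blank lines, trim trailing blanks
# and sort, so that ordering differences are not reported as drift.
normalize_rules() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$' | LC_ALL=C sort
}

# rules_drift RUNNING SAVED: print "+ rule" for rules only present in the
# running set and "- rule" for rules only present in the saved file.
rules_drift() {
    r=$(mktemp) || return 1
    s=$(mktemp) || { rm -f "$r"; return 1; }
    normalize_rules "$1" > "$r"
    normalize_rules "$2" > "$s"
    awk 'FILENAME == ARGV[1] { saved[$0] = 1; next } !($0 in saved) { print "+ " $0 }' "$s" "$r"
    awk 'FILENAME == ARGV[1] { run[$0] = 1; next }   !($0 in run)   { print "- " $0 }' "$r" "$s"
    rm -f "$r" "$s"
}

# rules_match RUNNING SAVED: true when there is no drift.
rules_match() {
    [ -z "$(rules_drift "$1" "$2")" ]
}

# save_rules DEST: write the running rules to DEST atomically (a half-written
# file would make ipvsadm-restore load half a rule set) with mode 0600.
# Uses -n so the file holds addresses, not names that DNS resolves at restore time.
save_rules() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if ipvsadm-save -n > "$tmp"; then
        chmod 0600 "$tmp" && mv -f "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage on the director (root):
#   rules_match "$(ipvsadm-save -n)" "$(cat /etc/sysconfig/ipvsadm)" \
#       || rules_drift "$(ipvsadm-save -n)" "$(cat /etc/sysconfig/ipvsadm)"
#   save_rules /etc/sysconfig/ipvsadm
```

Running `rules_drift` from cron or a config-management check gives an early warning that the persisted rule set no longer matches what is actually load balancing traffic, whichever side was changed.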
Cross-subnet NAT:
Environment:
Client: 172.20.23.20/16
LVS server:
VIP: 172.20.23.34/16
DIP: 10.0.0.100/24
Router:
eth0 -- 10.0.0.1/24
eth1 -- 192.168.23.10/24
Backend servers:
RS1 -- 192.168.23.36
RS2 -- 192.168.23.37
Gateway and route settings:
Client:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.20.23.34    0.0.0.0         UG    100    0        0 eth0
172.20.0.0      0.0.0.0         255.255.0.0     U     100    0        0 eth0
LVS server:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
172.20.0.0      0.0.0.0         255.255.0.0     U     101    0        0 eth1
192.168.23.0    10.0.0.1        255.255.255.0   UG    0      0        0 eth0
Router:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.20.0.0      10.0.0.100      255.255.0.0     UG    0      0        0 eth0
Backend servers:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.23.10   0.0.0.0         UG    100    0        0 eth0
192.168.23.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
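NAT mode only works when every reply from a real server is routed back through the director, which rewrites the source address to the VIP; a real server or router whose route points elsewhere sends replies from a RIP the client never contacted, and the client drops them. The script below is an added example (mine, not the post's): it turns `route -n` output into a gateway lookup and checks the forward hop and the two return hops of the environment above. The routing tables are constructed copies of the ones shown; `gateway_for`, `expect_gateway` and `check_nat_path` are my own names.

```shell
#!/bin/sh
# Added example, not from the original post: check that every hop of the
# cross-subnet NAT path routes packets towards the right next hop.

# Constructed `route -n` outputs, copied from the tables above.
RS_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.23.10   0.0.0.0         UG    100    0        0 eth0
192.168.23.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0'

ROUTER_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.20.0.0      10.0.0.100      255.255.0.0     UG    0      0        0 eth0'

LVS_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
172.20.0.0      0.0.0.0         255.255.0.0     U     101    0        0 eth1
192.168.23.0    10.0.0.1        255.255.255.0   UG    0      0        0 eth0'

# gateway_for ROUTES DEST: print the gateway of the route whose Destination is
# exactly DEST (0.0.0.0 for the default route); prints nothing when absent.
# The two header lines of `route -n` are skipped.
gateway_for() {
    printf '%s\n' "$1" | awk -v d="$2" 'NR > 2 && $1 == d { print $2; exit }'
}

# expect_gateway NAME ROUTES DEST GW: true when host NAME routes DEST via GW.
expect_gateway() {
    got=$(gateway_for "$2" "$3")
    if [ "$got" = "$4" ]; then
        return 0
    fi
    echo "WARN: $1 routes $3 via '${got:-nothing}', expected $4" >&2
    return 1
}

# check_nat_path: the director reaches the RS subnet via the router (forward
# hop), the RS default route goes to the router, and the router sends the
# client network back to the director's DIP (the two return hops).
check_nat_path() {
    expect_gateway LVS    "$LVS_ROUTES"    192.168.23.0 10.0.0.1      &&
    expect_gateway RS     "$RS_ROUTES"     0.0.0.0      192.168.23.10 &&
    expect_gateway router "$ROUTER_ROUTES" 172.20.0.0   10.0.0.100
}

# Usage: on each host replace the sample with "$(route -n)", e.g. on a RS:
#   expect_gateway RS "$(route -n)" 0.0.0.0 192.168.23.10
```

The router check is the one most often missed: without the 172.20.0.0 route via 10.0.0.100 the router would hand replies to its own default route, bypassing the director, and the client would see a connection that never completes.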
Modify the LVS server rules:
# ipvsadm -E -t 172.20.23.34:80 -s wrr
# ipvsadm -e -t 172.20.23.34:80 -r 192.168.23.36 -m
# ipvsadm -e -t 172.20.23.34:80 -r 192.168.23.37 -m
Client test:
# for i in {1..1000};do curl http://172.20.23.34; sleep 1 ; done
hello world
hello linux