NAT gateway high availability

Background:

  Recently a business requirement came up to let the internal servers reach the internet. There is no hardware firewall acting as the gateway, so for now the only option is to do NAT forwarding with iptables.

Straight to the topology diagram; the setup is as follows:

  1. lvs_master and lvs_slave each have two NICs: the external NIC connects to the upstream switch, the internal NIC to the internal switch.
  2. lvs_master: external NIC 192.168.168.11/24, internal NIC 192.168.40.11/24
  3. lvs_slave: external NIC 192.168.168.12/24, internal NIC 192.168.40.12/24
  4. lvs_master and lvs_slave need IP forwarding enabled and the corresponding iptables rules.
  5. lvs_master and lvs_slave need keepalived installed and configured.
  6. Every internal server that needs internet access must be on the same network as the internal NICs of lvs_master and lvs_slave, with its default route pointing at the internal VIP 192.168.40.10.

Let's get started:

  1. Items 1, 2 and 3 above need no further explanation.

  2. Item 4: enable forwarding and add the iptables rules. Note that the echo into /proc/sys/net/ipv4/ip_forward does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 ! -d 192.168.168.0/24 -p tcp --syn -j LOG --log-level 5 --log-prefix "IPTABLES SNAT: "
iptables -A FORWARD -s 192.168.40.0/24 -j ACCEPT
iptables  -A FORWARD -d 192.168.40.0/24 -j ACCEPT
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.40.0/24 ! -d 192.168.168.0/24 -j MASQUERADE
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.168.0/24 ! -d 192.168.40.0/24 -j MASQUERADE

  3. Item 5: install and configure keepalived

tar -zxvf keepalived-1.3.5.tar.gz
cd keepalived-1.3.5
./configure --prefix=/usr/local/keepalived-1.3.5 --with-kernel-dir=/usr/src/linux --enable-profile --enable-snmp --enable-snmp-vrrp --enable-snmp-rfcv2 --enable-snmp-rfcv3
make && make install
ln -s /usr/local/keepalived-1.3.5 /usr/local/keepalived

 keepalived configuration on the master

[root@lvs_master keepalived]# more keepalived.conf
! Configuration File for Keepalived

! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------

global_defs {
	! this is who emails will go to on alerts
	notification_email {
		[email protected]
		! add a few more email addresses here if you would like
	}
	notification_email_from [email protected]

	! mail relay server
	smtp_server 127.0.0.1
	smtp_connect_timeout 30

	! each load balancer should have a different ID
	! this will be used in SMTP alerts, so you should make
	! each router easily identifiable
	router_id LVS_151
	vrrp_mcast_group4 224.0.0.18
	! the instance name here must match the vrrp_instance below
	lvs_sync_daemon eth1 VI1_LVS_NAT_GW
	script_user root
}

vrrp_instance VI1_LVS_NAT_GW {

	state MASTER
	interface eth1

	track_interface {
		eth0
		eth1
	}

	! interface to run LVS sync daemon on

	! lvs_sync_daemon_interface eth1

	!mcast_src_ip 192.168.40.11

	! each virtual router id must be unique per instance name!

	virtual_router_id 10

	! MASTER and BACKUP state are determined by the priority
	! even if you specify MASTER as the state, the state will
	! be voted on by priority (so if your state is MASTER but your
	! priority is lower than the router with BACKUP, you will lose
	! the MASTER state)
	! I make it a habit to set priorities at least 50 points apart
	! note that a lower number means a lower priority

	priority 100

	! how often should we vote, in seconds?

	advert_int 1

	! send an alert when this instance changes state from MASTER to BACKUP

	smtp_alert

	! this authentication is for syncing between failover servers
	! keepalived supports PASS, which is simple password
	! authentication or AH, which is the IPSec authentication header.
	! Don't use AH yet as many people have reported problems with it

	authentication {
		auth_type PASS
		auth_pass xzliveVw
	}

	! these are the IP addresses that keepalived will set up on this
	! machine (the external VIP on eth0, the internal VIP on eth1).
	! Without this block, keepalived will not set up or take down
	! any IP addresses

	virtual_ipaddress {
		123.123.123.123/28 dev eth0
		192.168.40.10/24 dev eth1
	}
	notify_master "/etc/keepalived/keepalived_gw_route master"
	notify_backup "/etc/keepalived/keepalived_gw_route backup"
}

keepalived configuration on the slave

[root@lvs_slave keepalived]# more keepalived.conf
! Configuration File for Keepalived

! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------

global_defs {
	! this is who emails will go to on alerts
	notification_email {
		[email protected]
		! add a few more email addresses here if you would like
	}
	notification_email_from [email protected]

	! mail relay server
	smtp_server 127.0.0.1
	smtp_connect_timeout 30

	! each load balancer should have a different ID
	! this will be used in SMTP alerts, so you should make
	! each router easily identifiable
	router_id LVS_151
	vrrp_mcast_group4 224.0.0.18
	! the instance name here must match the vrrp_instance below
	lvs_sync_daemon eth1 VI1_LVS_NAT_GW
	script_user root
}

vrrp_instance VI1_LVS_NAT_GW {

	state MASTER
	interface eth1

	track_interface {
		eth0
		eth1
	}

	! interface to run LVS sync daemon on

	! lvs_sync_daemon_interface eth1

	!mcast_src_ip 192.168.40.12

	! each virtual router id must be unique per instance name!

	virtual_router_id 10

	! MASTER and BACKUP state are determined by the priority
	! even if you specify MASTER as the state, the state will
	! be voted on by priority (so if your state is MASTER but your
	! priority is lower than the router with BACKUP, you will lose
	! the MASTER state)
	! I make it a habit to set priorities at least 50 points apart
	! note that a lower number means a lower priority

	priority 90

	! how often should we vote, in seconds?

	advert_int 1

	! send an alert when this instance changes state from MASTER to BACKUP

	smtp_alert

	! this authentication is for syncing between failover servers
	! keepalived supports PASS, which is simple password
	! authentication or AH, which is the IPSec authentication header.
	! Don't use AH yet as many people have reported problems with it

	authentication {
		auth_type PASS
		auth_pass xzliveVw
	}

	! these are the IP addresses that keepalived will set up on this
	! machine (the external VIP on eth0, the internal VIP on eth1).
	! Without this block, keepalived will not set up or take down
	! any IP addresses

	virtual_ipaddress {
		123.123.123.123/28 dev eth0
		192.168.40.10/24 dev eth1
	}
	notify_master "/etc/keepalived/keepalived_gw_route master"
	notify_backup "/etc/keepalived/keepalived_gw_route backup"
}  

Script executed on master/backup switchover

[root@lvs_master keepalived]# more keepalived_gw_route
#! /bin/bash
#
# keepalived_gw_route       Bring add/del gw/route for keepalived
#
# chkconfig: 2345 15 85
# description: Add/Delete iptables rule for keepalived to start at boot time.
#
### BEGIN INIT INFO
# Provides: $keepalived_gw_route
### END INIT INFO

# Source function library.
. /etc/init.d/functions

INTER_GW=123.123.123.113
INTRA_GW=192.168.40.10
INTER_DEV=eth0
INTRA_DEV=eth1

# ---------
# functions
# ---------

message() { echo -e "$@"; }        # message - output message on stdout
error() { echo -e "$@" >&2; }      # error - output message on stderr
die() { error "$@"; exit 1; }      # die - output message on stderr and exit

TO_INTER_GW()
{
	ip route del default
	ip route add default via ${INTER_GW} dev ${INTER_DEV}
}

TO_INTRA_GW()
{
	ip route del default
	ip route add default via ${INTRA_GW} dev ${INTRA_DEV}
}

status() {
	ip route show
}

# keepalived calls this script with "master" / "backup" (see notify_master and
# notify_backup in keepalived.conf), so those names are accepted as well as the
# explicit to_inter_gw / to_intra_gw forms for manual use.
case "$1" in
	master|to_inter_gw)
		# this node now holds the external VIP: route straight out via the upstream gateway
		TO_INTER_GW
	;;
	backup|to_intra_gw)
		# this node no longer holds the VIPs: reach the internet through the master via the internal VIP
		TO_INTRA_GW
	;;
	status)
		status
	;;
	*)
		echo $"Usage: $0 {master|backup|to_inter_gw|to_intra_gw|status}"
		exit 1
esac

exit 0

 4. Item 6: configure the default route on the other servers

ip route add default via 192.168.40.10

Verification and testing:

1. After starting keepalived on the master and the slave, check that the master/backup state and the VIP assignment are correct.

2. Check that everything still works after a master/backup switchover.

3. Check from the other servers that the internet is reachable, or that curl "ipinfo.io/ip" shows 123.123.123.123 as the address.
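As an added check for this verification step (example script, not part of the original post): it reads the output of `ip -4 -o addr show` and `ip route show` and confirms that the node holding 123.123.123.123 and 192.168.40.10 has its default route via 123.123.123.113 on eth0, while a node without the VIPs routes via 192.168.40.10 on eth1, which is exactly the state keepalived_gw_route is supposed to leave behind. The sample outputs are constructed.

```bash
#!/bin/bash
# Consistency check for one node of the keepalived NAT gateway pair
# (added example, not from the original post). The node holding the
# external VIP must be MASTER and route via the upstream gateway on
# eth0; any other node is BACKUP and routes via the internal VIP.
EXT_VIP=123.123.123.123; EXT_GW=123.123.123.113; EXT_DEV=eth0
INTRA_VIP=192.168.40.10; INTRA_DEV=eth1
# holds_ip ADDR_OUTPUT DEV IP: true if DEV carries IP in `ip -4 -o addr show` output
holds_ip() {
  printf '%s\n' "$1" | grep -q "^[0-9]*: $2 .*inet $3/"
}
# check_gw_state ADDR_OUTPUT ROUTE_OUTPUT
# prints: master-ok | backup-ok | vip-split | master-bad-route | backup-bad-route
check_gw_state() {
  has_ext=0; has_intra=0
  if holds_ip "$1" "$EXT_DEV" "$EXT_VIP"; then has_ext=1; fi
  if holds_ip "$1" "$INTRA_DEV" "$INTRA_VIP"; then has_intra=1; fi
  default_line=$(printf '%s\n' "$2" | grep '^default ' || true)
  if [ "$has_ext" != "$has_intra" ]; then
    echo vip-split   # both VIPs belong to one vrrp_instance and must move together
  elif [ "$has_ext" = 1 ]; then
    case "$default_line" in
      "default via $EXT_GW dev $EXT_DEV"*) echo master-ok ;;
      *) echo master-bad-route ;;
    esac
  else
    case "$default_line" in
      "default via $INTRA_VIP dev $INTRA_DEV"*) echo backup-ok ;;
      *) echo backup-bad-route ;;
    esac
  fi
}
# live_check: evaluate this host's real state (needs iproute2)
live_check() { check_gw_state "$(ip -4 -o addr show)" "$(ip route show)"; }
# Constructed sample outputs: a healthy master and a healthy backup
MASTER_ADDR='2: eth0    inet 192.168.168.11/24 brd 192.168.168.255 scope global eth0
2: eth0    inet 123.123.123.123/28 scope global eth0
3: eth1    inet 192.168.40.11/24 brd 192.168.40.255 scope global eth1
3: eth1    inet 192.168.40.10/24 scope global secondary eth1'
MASTER_ROUTE='default via 123.123.123.113 dev eth0
192.168.40.0/24 dev eth1 proto kernel scope link src 192.168.40.11'
BACKUP_ADDR='2: eth0    inet 192.168.168.12/24 brd 192.168.168.255 scope global eth0
3: eth1    inet 192.168.40.12/24 brd 192.168.40.255 scope global eth1'
BACKUP_ROUTE='default via 192.168.40.10 dev eth1
192.168.40.0/24 dev eth1 proto kernel scope link src 192.168.40.12'
```

Run `live_check` on each node after a switchover; anything other than master-ok on the VIP holder and backup-ok on the other node means the notify script did not leave the expected route behind.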

Configuration complete. The internal servers can now happily get online.

Original article: https://www.cnblogs.com/xzlive/p/12670246.html

Time: 2024-10-20 01:16:58
