lvs-nat

- Essentially a multi-target DNAT: the Director rewrites the destination address and destination port of the request packet to the RIP and port of the real server picked by the scheduler, and forwards it.
- RIP and DIP should be on the same IP network (the same subnet) and should use private addresses.
- The default gateway of each RS must point to the DIP.
- Both the request packet and the response packet pass through the Director, so the Director easily becomes the bottleneck of the system.
- Supports port mapping: the destination port of the request packet can be changed.
- The VS must be Linux; the RS can run any OS.
Data flow in NAT mode

The client sends a request; the packet carries the source address (CIP), the destination address (VIP) and the destination port (80).
The VS receives the request and performs DNAT: it replaces the destination address VIP with the RIP of the chosen RS and the destination port with that RS's service port (9000 in this description, to show port mapping; in the lab below the RS also listens on 80). Only the destination is rewritten, so the RS sees the real CIP as the source address of the request.
RS1 handles the request and sends a response whose source address is RIP1, whose source port is 9000 and whose destination is the CIP.
Because the RS's gateway is the DIP, the response goes back to the VS, which reverses the translation: the source address RIP1 becomes the VIP and the source port 9000 becomes 80.
The VS sends the rewritten response packet back to the client.

Drawback of NAT mode

In LVS NAT mode both the inbound client packets and the outbound responses pass through the LVS scheduler, so the scheduler is easily congested.
Lab topology

Lab host preparation

- Prepare 3 hosts: one lvs and two web servers (webserver1, webserver2).
- The lvs host has two NICs, one on the NAT network and one host-only.
- Each web server has one host-only NIC, and the RIP's gateway points to the DIP.
- Because the NAT-network NIC and the host-only NIC of lvs sit on different VLANs, packets between them must be routed, so the Linux kernel's IP forwarding must be turned on.

[Figure: webserver1 NIC settings]
Lab steps

1. IP settings on lvs

vip: 172.25.254.100
dip: 192.168.0.100

```bash
[root@lvs ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
type=ethernet
interface-name=eth0
[ethernet]
[ipv4]
address=172.25.254.100/24,172.25.254.2
dns=114.114.114.114
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
```

```bash
[root@lvs ~]# cat /etc/NetworkManager/system-connections/eth1.nmconnection
[connection]
id=eth1
type=ethernet
interface-name=eth1
[ethernet]
[ipv4]
address=192.168.0.100/24
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
```

```bash
[root@lvs ~]# nmcli connection reload
[root@lvs ~]# nmcli connection up eth0
[root@lvs ~]# nmcli connection up eth1
```

```bash
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:35:a8:7c brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 172.25.254.100/24 brd 172.25.254.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::aae4:10d1:b082:a3e8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:35:a8:86 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    altname ens224
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::d494:9f80:ebde:c2fe/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
2. Enable IP forwarding on lvs

Note: net.ipv4.ip_forward=1 turns lvs into a router for all traffic between eth0 and eth1, not only for the VIP service. Any host on 172.25.254.0/24 that adds a route to 192.168.0.0/24 via 172.25.254.100 can then reach the RIPs directly, bypassing the VIP, so restrict forwarded traffic with a firewall policy on lvs or at least do not advertise the RS network.

```bash
[root@lvs ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1  # append at the end of the file
[root@lvs ~]# sysctl -p   # reload
net.ipv4.ip_forward = 1
```
3. IP configuration of webserver1

rip: 192.168.0.10
gateway points to the dip: 192.168.0.100

```bash
[root@webserver1 ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
type=ethernet
interface-name=eth0
[ethernet]
[ipv4]
address=192.168.0.10/24,192.168.0.100
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
```

```bash
[root@webserver1 ~]# nmcli connection reload
[root@webserver1 ~]# nmcli connection up eth0
```

```bash
[root@webserver1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:5f:4a:ff brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::aae4:10d1:b082:a3e8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

```bash
[root@webserver1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.100   0.0.0.0         UG    100    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
```
4. IP configuration of webserver2

rip: 192.168.0.20
gateway points to the dip: 192.168.0.100

```bash
[root@webserver2 ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
type=ethernet
interface-name=eth0
[ethernet]
[ipv4]
address=192.168.0.20/24,192.168.0.100
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
```

```bash
[root@webserver2 ~]# nmcli connection reload
[root@webserver2 ~]# nmcli connection up eth0
```

```bash
[root@webserver2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:ef:47:71 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.20/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4edb:9236:122:df1a/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

```bash
[root@webserver2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.100   0.0.0.0         UG    100    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
```
5. Install httpd on both web servers, write a test page, and enable it at boot

```bash
[root@webserver1 ~]# yum install httpd -y
[root@webserver1 ~]# echo webserver1-192.168.0.10 > /var/www/html/index.html
[root@webserver1 ~]# systemctl enable --now httpd
```

```bash
[root@webserver2 ~]# yum install httpd -y
[root@webserver2 ~]# echo webserver2-192.168.0.20 > /var/www/html/index.html
[root@webserver2 ~]# systemctl enable --now httpd
```
6. Test the web service from the internal network

```bash
[root@lvs ~]# curl 192.168.0.10
webserver1-192.168.0.10
[root@lvs ~]# curl 192.168.0.20
webserver2-192.168.0.20
```
7. Install the LVS userspace tool, ipvsadm

```bash
[root@lvs ~]# yum install ipvsadm -y
```
8. View the rules

```bash
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
```
9. Start ipvsadm

- Note: /etc/sysconfig/ipvsadm must exist before the ipvsadm service is started, otherwise the start fails (the service loads its rules from that file).

```bash
[root@lvs ~]# touch /etc/sysconfig/ipvsadm
[root@lvs ~]# systemctl restart ipvsadm
[root@lvs ~]# systemctl enable --now ipvsadm.service
```
10. Add the rules

```bash
[root@lvs ~]# ipvsadm -A -t 172.25.254.100:80 -s rr
[root@lvs ~]# ipvsadm -a -t 172.25.254.100:80 -r 192.168.0.10:80 -m
[root@lvs ~]# ipvsadm -a -t 172.25.254.100:80 -r 192.168.0.20:80 -m
```

```bash
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:80 rr
  -> 192.168.0.10:80              Masq    1      0          0
  -> 192.168.0.20:80              Masq    1      0          0
# Requests to 172.25.254.100:80 are scheduled round-robin (rr) and forwarded in masquerading (-m, NAT) mode to 192.168.0.10:80 or 192.168.0.20:80
```
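The steps above, from addressing through rule creation, are worth checking mechanically before the director takes traffic. The script below is an added example written for this page; it is not part of the original post nor of the LVS/ipvsadm tooling, its function names are its own, and it assumes the page's addresses (VIP 172.25.254.100, DIP 192.168.0.100, RIPs 192.168.0.10 and 192.168.0.20, all /24). It verifies the "RIP and DIP on the same subnet" rule, checks that forwarding is on, generates the numeric ipvsadm-restore rule set that steps 9 and 10 end up with, and adds a round-robin distribution check that runs a fetch command such as curl repeatedly and counts which RS answered.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks and rule
# generation for the LVS-NAT director built above. Assumed topology, taken
# from the page: VIP 172.25.254.100, DIP 192.168.0.100, RIPs 192.168.0.10
# and 192.168.0.20, all /24. Function names are this example's own.

# ip_to_int A.B.C.D -> the address as a 32-bit integer, for mask arithmetic.
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> exit 0 when both addresses share the network.
same_subnet() {
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# preflight DIP PREFIXLEN RIP... -> 0 when every RIP sits on the DIP's network
# and none of them collides with the DIP; complaints go to stderr.
preflight() {
  dip=$1; plen=$2; rc=0
  shift 2
  for rip in "$@"; do
    if [ "$rip" = "$dip" ]; then
      echo "RIP $rip collides with the DIP" >&2; rc=1
    elif ! same_subnet "$dip" "$rip" "$plen"; then
      echo "RIP $rip is not on the DIP network $dip/$plen" >&2; rc=1
    fi
  done
  return $rc
}

# ip_forward_enabled [FILE] -> 0 when the kernel forwards IPv4 (step 2).
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# lvs_nat_rules VIP:PORT SCHED RIP:PORT... -> the virtual service and its real
# servers in ipvsadm-restore syntax: numeric, masquerading (-m), weight 1.
lvs_nat_rules() {
  vs=$1; sched=$2
  shift 2
  printf '%s -t %s -s %s\n' -A "$vs" "$sched"
  for rs in "$@"; do
    printf '%s -t %s -r %s -m -w 1\n' -a "$vs" "$rs"
  done
}

# rr_distribution FETCH_CMD COUNT -> one "response count" line per distinct
# response. FETCH_CMD (e.g. "curl -s http://172.25.254.100") is run COUNT
# times; with -s rr and two healthy real servers the counts should be equal.
rr_distribution() {
  fetch=$1; n=$2; i=0
  while [ "$i" -lt "$n" ]; do
    $fetch
    i=$((i + 1))
  done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run against the page's topology: print the rule set if the
# addressing is sane, and warn if forwarding is off on this host.
if preflight 192.168.0.100 24 192.168.0.10 192.168.0.20; then
  lvs_nat_rules 172.25.254.100:80 rr 192.168.0.10:80 192.168.0.20:80
fi
ip_forward_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
```

On lvs, `lvs_nat_rules 172.25.254.100:80 rr 192.168.0.10:80 192.168.0.20:80 > /etc/sysconfig/ipvsadm` followed by `ipvsadm-restore < /etc/sysconfig/ipvsadm` loads the same rules that step 10 adds by hand; from a client on 172.25.254.0/24, `rr_distribution "curl -s http://172.25.254.100" 20` should report 10 hits for each web server, and a lopsided count points at an RS whose gateway does not lead back to the DIP.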
         
      
- Rules added with ipvsadm take effect in the kernel immediately, but they live only in memory. When the ipvsadm service is stopped it writes the current rules to /etc/sysconfig/ipvsadm, and it loads them from that file when it starts, which is what makes the rules survive a reboot.
- You can also save them explicitly with ipvsadm-save. Without -n it writes names looked up in /etc/hosts and /etc/services (lvs:http below), so the restore at boot depends on those names still resolving to the same addresses; ipvsadm-save -n writes numeric addresses and ports.

```bash
[root@lvs ~]# ipvsadm-save > /etc/sysconfig/ipvsadm
[root@lvs ~]# cat /etc/sysconfig/ipvsadm
-A -t lvs:http -s rr
-a -t lvs:http -r 192.168.0.10:http -m -w 1
-a -t lvs:http -r 192.168.0.20:http -m -w 1
```
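Following on from the ipvsadm-save caveat, here is an added example that lints a saved rule file. It is written for this page and is not part of the original post or of ipvsadm; the function name and messages are its own. It returns non-zero and names every `-t`, `-u` or `-r` endpoint that is not a numeric IP:port, so the file the page produced without `-n` is flagged while a file written with `ipvsadm-save -n` passes.

```shell
#!/bin/sh
# Added example (not from the original post): check that a saved IPVS rule
# set uses numeric endpoints, so that ipvsadm-restore at boot does not
# depend on /etc/hosts or /etc/services. The function name is this
# example's own.

# ipvs_endpoints_numeric FILE -> 0 when every -t/-u/-r endpoint in FILE is a
# dotted-quad IP:port; otherwise print the offending lines and return 1.
ipvs_endpoints_numeric() {
  awk '
    function numeric(ep) { return ep ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ }
    {
      for (i = 1; i < NF; i++)
        if (($i == "-t" || $i == "-u" || $i == "-r") && !numeric($(i + 1))) {
          printf("line %d: %s %s is not a numeric IP:port\n", NR, $i, $(i + 1))
          bad = 1
        }
    }
    END { exit bad }
  ' "$1"
}

# Stand-alone run: lint the file the page writes with ipvsadm-save.
if [ -r /etc/sysconfig/ipvsadm ]; then
  ipvs_endpoints_numeric /etc/sysconfig/ipvsadm \
    || echo "re-save with: ipvsadm-save -n > /etc/sysconfig/ipvsadm" >&2
fi
```

Run it on the director after saving; if it complains, `ipvsadm-save -n > /etc/sysconfig/ipvsadm` rewrites the file in the form the check accepts.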
         
11. Test results of LVS-NAT mode