nat网关高可用

背景:

  最近因业务需要,需要允许内网服务器上网,因为本身没有硬件防火墙做网关,暂时只能用iptables做nat转发上网了.

直接上拓扑图,说明如下:

 

 

  1. lvs_master和lvs_slave都有两块网卡,外网卡连接上联交换机、内网卡连接内网交换机。
  2. lvs_master 外网卡地址:192.168.168.11/24  内网卡地址:192.168.40.11/24
  3. lvs_slave   外网卡地址:192.168.168.12/24   内网卡地址:192.168.40.12/24
  4. lvs_master和lvs_slave 需要开启iptables转发功能并做相应设置
  5. lvs_master和lvs_slave 需要安装并配置keepalived应用
  6. 所有需要上网的内网服务器都要和lvs_master和lvs_slave的内网在同一个网络内并且默认路由都配置为 内网的vip地址:192.168.40.10

  

 开始搞:

  1、以上1、2、3 不做说明。

  2、4步骤

1
2
3
4
5
6
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 ! -d 192.168.168.0/24 -p tcp --syn -j LOG --log-level 5 --log-prefix "IPTABLES SNAT: "
iptables -A FORWARD -s 192.168.40.0/24 -j ACCEPT
iptables  -A FORWARD -d 192.168.40.0/24 -j ACCEPT
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.40.0/24 ! -d 192.168.168.0/24 -j MASQUERADE
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.168.0/24 ! -d 192.168.40.0/24 -j MASQUERADE

  3、5步骤 安装并配置keepalived

1
2
3
4
5
6
tar -zxvf keepalived-1.3.5.tar.gz
cd keepalived-1.3.5
./configure --prefix=/usr/local/keepalived-1.3.5 --with-kernel-dir=/usr/src/linux --enable-profile --enable-snmp --enable-snmp-vrrp --
enable-snmp-rfcv2 --enable-snmp-rfcv3
make && make install
ln -s /usr/local/keepalived-1.3.5 /usr/local/keepalived

 master配置keepalived

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
[root@gw-master keepalived]# more keepalived.conf
! Configuration File for Keepalived
 
! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------
 
global_defs {
    ! this is who emails will go to on alerts
    notification_email {
        email@126.com
        ! add a few more email addresses here if you would like
    }
    notification_email_from wx@126.com
     
    ! mail relay server
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
     
    ! each load balancer should have a different ID
    ! this will be used in SMTP alerts, so you should make
    ! each router easily identifiable
    router_id LVS_151
    vrrp_mcast_group4 224.0.0.18
    lvs_sync_daemon eth1 VI1_LVS_GW
    script_user root
}
 
vrrp_instance VI1_LVS_NAT_GW {
 
    state MASTER
    interface eth1
 
    track_interface {
        eth0
        eth1
    }
     
    ! interface to run LVS sync daemon on
 
    ! lvs_sync_daemon_interface eth1
 
    !mcast_src_ip 192.168.40.11
 
    ! each virtual router id must be unique per instance name!
 
    virtual_router_id 10
 
    ! MASTER and BACKUP state are determined by the priority
    ! even if you specify MASTER as the state, the state will
    ! be voted on by priority (so if your state is MASTER but your
    ! priority is lower than the router with BACKUP, you will lose
    ! the MASTER state)
    ! I make it a habit to set priorities at least 50 points apart
    ! note that a lower number is lesser priority - lower gets less vote
 
    priority 100
 
    ! how often should we vote, in seconds?
 
    advert_int 1
 
    ! send an alert when this instance changes state from MASTER to BACKUP
 
    smtp_alert
     
    ! this authentication is for syncing between failover servers
    ! keepalived supports PASS, which is simple password
    ! authentication or AH, which is the IPSec authentication header.
    ! Don't use AH yet as many people have reported problems with it
 
    authentication {
        auth_type PASS
        auth_pass xzliveVw
    }
 
    ! these are the IP addresses that keepalived will setup on this
    ! machine. Later in the config we will specify which real
    ! servers  are behind these IPs without this block, keepalived
    ! will not setup and takedown any IP addresses
 
    virtual_ipaddress {
        123.123.123.123/28 dev eth0
        192.168.40.10/24 dev eth1
    }
    notify_master "/etc/keepalived/keepalived_gw_route master"
    notify_backup "/etc/keepalived/keepalived_gw_route backup"
}

slave配置keepalived

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
[root@gw-slave keepalived]# more keepalived.conf
! Configuration File for Keepalived
 
! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------
 
global_defs {
    ! this is who emails will go to on alerts
    notification_email {
        email@126.com
        ! add a few more email addresses here if you would like
    }
    notification_email_from wx@126.com
     
    ! mail relay server
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
     
    ! each load balancer should have a different ID
    ! this will be used in SMTP alerts, so you should make
    ! each router easily identifiable
    router_id LVS_151
    vrrp_mcast_group4 224.0.0.18
    lvs_sync_daemon eth1 VI1_LVS_GW
    script_user root
}
 
vrrp_instance VI1_LVS_NAT_GW {
 
    state MASTER
    interface eth1
 
    track_interface {
        eth0
        eth1
    }
     
    ! interface to run LVS sync daemon on
 
    ! lvs_sync_daemon_interface eth1
 
    !mcast_src_ip 192.168.40.12
 
    ! each virtual router id must be unique per instance name!
 
    virtual_router_id 10
 
    ! MASTER and BACKUP state are determined by the priority
    ! even if you specify MASTER as the state, the state will
    ! be voted on by priority (so if your state is MASTER but your
    ! priority is lower than the router with BACKUP, you will lose
    ! the MASTER state)
    ! I make it a habit to set priorities at least 50 points apart
    ! note that a lower number is lesser priority - lower gets less vote
 
    priority 90
 
    ! how often should we vote, in seconds?
 
    advert_int 1
 
    ! send an alert when this instance changes state from MASTER to BACKUP
 
    smtp_alert
     
    ! this authentication is for syncing between failover servers
    ! keepalived supports PASS, which is simple password
    ! authentication or AH, which is the IPSec authentication header.
    ! Don't use AH yet as many people have reported problems with it
 
    authentication {
        auth_type PASS
        auth_pass xzliveVw
    }
 
    ! these are the IP addresses that keepalived will setup on this
    ! machine. Later in the config we will specify which real
    ! servers  are behind these IPs without this block, keepalived
    ! will not setup and takedown any IP addresses
 
    virtual_ipaddress {
        123.123.123.123/28 dev eth0
        192.168.40.10/24 dev eth1
    }
    notify_master "/etc/keepalived/keepalived_gw_route master"
    notify_backup "/etc/keepalived/keepalived_gw_route backup"
}  

主从切换执行脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
[root@gw-master keepalived]# more keepalived_gw_route
#! /bin/bash
#
# keepalived_gw_route       Bring add/del gw/route for keepalived
#
# chkconfig: 2345 15 85
# description: Add/Delete iptables rule for keepalived to start at boot time.
#
### BEGIN INIT INFO
# Provides: $keepalived_gw_route
### END INIT INFO
 
# Source function library.
. /etc/init.d/functions
 
INTER_GW=123.123.123.113
INTRA_GW=192.168.40.10
INTER_DEV=eth0
INTRA_DEV=eth1
 
 
# ---------
# functions
# ---------
 
message() { echo -e "$@"; }        # message - output message on stdout
error() { echo -e "$@" >&2; }      # error - output message on stderr
die() { error "$@"; exit 1; }   # die - output message on stderr and exit
 
TO_INTER_GW()
{
    ip route del default
    ip route add default via ${INTER_GW} dev ${INTER_DEV}
}
 
TO_INTRA_GW()
{
    ip route del default
    ip route add default via ${INTRA_GW} dev ${INTRA_DEV}
}
 
status() {
    ip route show
}
 
case "$1" in
        to_inter_gw)
                TO_INTER_GW
        ;;
    to_intra_gw)
        TO_INTRA_GW
    ;;
        status)
                status
        ;;
        *)
                echo $"Usage: $0 {to_inter_gw|to_intra_gw|status}"
                exit 1
esac
 
exit 0

 4、其他服务器上配置默认路由

1
ip route add default via 192.168.40.10

 

验证并测试:

1、master、slave上启动keepalived后,查看主从状态以及vip状态是否正常。

2、切换主从后是否正常

3、其他服务器上访问外网是否正常   或者 curl “ipinfo.io/ip” 显示的IP地址是否 123.123.123.123 

 

配置完成。内网服务器可以愉快的上网了。

 

1
wx@126.com
posted @   MR__Wang  阅读(512)  评论(1编辑  收藏  举报
编辑推荐:
· AI与.NET技术实操系列:基于图像分类模型对图像进行分类
· go语言实现终端里的倒计时
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
阅读排行:
· 25岁的心里话
· 闲置电脑爆改个人服务器(超详细) #公网映射 #Vmware虚拟网络编辑器
· 零经验选手,Compose 一天开发一款小游戏!
· 因为Apifox不支持离线,我果断选择了Apipost!
· 通过 API 将Deepseek响应流式内容输出到前端
点击右上角即可分享
微信分享提示