nat网关高可用

背景:

  最近因业务需要,需要允许内网服务器上网,因为本身没有硬件防火墙做网关,暂时只能用iptables做nat转发上网了.

直接上拓扑图,说明如下:

 

 

  1. lvs_master和lvs_slave都有两块网卡,外网卡连接上联交换机、内网卡连接内网交换机。
  2. lvs_master 外网卡地址:192.168.168.11/24  内网卡地址:192.168.40.11/24
  3. lvs_slave   外网卡地址:192.168.168.12/24   内网卡地址:192.168.40.12/24
  4. lvs_master和lvs_slave 需要开启iptables转发功能并做相应设置
  5. lvs_master和lvs_slave 需要安装并配置keepalived应用
  6. 所有需要上网的内网服务器都要和lvs_master和lvs_slave的内网在同一个网络内并且默认路由都配置为 内网的vip地址:192.168.40.10

  

 开始搞:

  1、以上1、2、3 不做说明。

  2、4步骤

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 ! -d 192.168.168.0/24 -p tcp --syn -j LOG --log-level 5 --log-prefix "IPTABLES SNAT: "
iptables -A FORWARD -s 192.168.40.0/24 -j ACCEPT
iptables  -A FORWARD -d 192.168.40.0/24 -j ACCEPT
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.40.0/24 ! -d 192.168.168.0/24 -j MASQUERADE
iptables  -t nat -A POSTROUTING -o eth0 -s 192.168.168.0/24 ! -d 192.168.40.0/24 -j MASQUERADE

  3、5步骤 安装并配置keepalived

tar -zxvf keepalived-1.3.5.tar.gz
cd keepalived-1.3.5
./configure --prefix=/usr/local/keepalived-1.3.5 --with-kernel-dir=/usr/src/linux --enable-profile --enable-snmp --enable-snmp-vrrp --
enable-snmp-rfcv2 --enable-snmp-rfcv3
make && make install
ln -s /usr/local/keepalived-1.3.5 /usr/local/keepalived

 master配置keepalived

[root@gw-master keepalived]# more keepalived.conf
! Configuration File for Keepalived

! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------

global_defs {
	! this is who emails will go to on alerts
	notification_email {
		email@126.com
		! add a few more email addresses here if you would like
	}
	notification_email_from wx@126.com
	
	! mail relay server
	smtp_server 127.0.0.1
	smtp_connect_timeout 30
	
	! each load balancer should have a different ID
	! this will be used in SMTP alerts, so you should make
	! each router easily identifiable
	router_id LVS_151
	vrrp_mcast_group4 224.0.0.18
	lvs_sync_daemon eth1 VI1_LVS_GW
	script_user root
}

vrrp_instance VI1_LVS_NAT_GW {

	state MASTER
	interface eth1

	track_interface {
		eth0
		eth1
	}
	
	! interface to run LVS sync daemon on

	! lvs_sync_daemon_interface eth1

	!mcast_src_ip 192.168.40.11

	! each virtual router id must be unique per instance name!

	virtual_router_id 10

	! MASTER and BACKUP state are determined by the priority
	! even if you specify MASTER as the state, the state will
	! be voted on by priority (so if your state is MASTER but your
	! priority is lower than the router with BACKUP, you will lose
	! the MASTER state)
	! I make it a habit to set priorities at least 50 points apart
	! note that a lower number is lesser priority - lower gets less vote

	priority 100

	! how often should we vote, in seconds?

	advert_int 1

	! send an alert when this instance changes state from MASTER to BACKUP

	smtp_alert
	
	! this authentication is for syncing between failover servers
	! keepalived supports PASS, which is simple password
	! authentication or AH, which is the IPSec authentication header.
	! Don't use AH yet as many people have reported problems with it

	authentication {
		auth_type PASS
		auth_pass xzliveVw
	}

	! these are the IP addresses that keepalived will setup on this
	! machine. Later in the config we will specify which real
	! servers  are behind these IPs without this block, keepalived
	! will not setup and takedown any IP addresses

	virtual_ipaddress {
		123.123.123.123/28 dev eth0
		192.168.40.10/24 dev eth1
	}
	notify_master "/etc/keepalived/keepalived_gw_route master"
	notify_backup "/etc/keepalived/keepalived_gw_route backup"
}

slave配置keepalived

[root@gw-slave keepalived]# more keepalived.conf
! Configuration File for Keepalived

! ---------------------------------------------------------------------------
! GLOBAL
! ---------------------------------------------------------------------------

global_defs {
	! this is who emails will go to on alerts
	notification_email {
		email@126.com
		! add a few more email addresses here if you would like
	}
	notification_email_from wx@126.com
	
	! mail relay server
	smtp_server 127.0.0.1
	smtp_connect_timeout 30
	
	! each load balancer should have a different ID
	! this will be used in SMTP alerts, so you should make
	! each router easily identifiable
	router_id LVS_151
	vrrp_mcast_group4 224.0.0.18
	lvs_sync_daemon eth1 VI1_LVS_GW
	script_user root
}

vrrp_instance VI1_LVS_NAT_GW {

	state MASTER
	interface eth1

	track_interface {
		eth0
		eth1
	}
	
	! interface to run LVS sync daemon on

	! lvs_sync_daemon_interface eth1

	!mcast_src_ip 192.168.40.12

	! each virtual router id must be unique per instance name!

	virtual_router_id 10

	! MASTER and BACKUP state are determined by the priority
	! even if you specify MASTER as the state, the state will
	! be voted on by priority (so if your state is MASTER but your
	! priority is lower than the router with BACKUP, you will lose
	! the MASTER state)
	! I make it a habit to set priorities at least 50 points apart
	! note that a lower number is lesser priority - lower gets less vote

	priority 90

	! how often should we vote, in seconds?

	advert_int 1

	! send an alert when this instance changes state from MASTER to BACKUP

	smtp_alert
	
	! this authentication is for syncing between failover servers
	! keepalived supports PASS, which is simple password
	! authentication or AH, which is the IPSec authentication header.
	! Don't use AH yet as many people have reported problems with it

	authentication {
		auth_type PASS
		auth_pass xzliveVw
	}

	! these are the IP addresses that keepalived will setup on this
	! machine. Later in the config we will specify which real
	! servers  are behind these IPs without this block, keepalived
	! will not setup and takedown any IP addresses

	virtual_ipaddress {
		123.123.123.123/28 dev eth0
		192.168.40.10/24 dev eth1
	}
	notify_master "/etc/keepalived/keepalived_gw_route master"
	notify_backup "/etc/keepalived/keepalived_gw_route backup"
}  

主从切换执行脚本

[root@gw-master keepalived]# more keepalived_gw_route 
#! /bin/bash
#
# keepalived_gw_route       Bring add/del gw/route for keepalived
#
# chkconfig: 2345 15 85
# description: Add/Delete iptables rule for keepalived to start at boot time.
#
### BEGIN INIT INFO
# Provides: $keepalived_gw_route
### END INIT INFO

# Source function library.
. /etc/init.d/functions

INTER_GW=123.123.123.113
INTRA_GW=192.168.40.10
INTER_DEV=eth0
INTRA_DEV=eth1


# ---------
# functions
# ---------

message() { echo -e "$@"; }        # message - output message on stdout
error() { echo -e "$@" >&2; }      # error - output message on stderr
die() { error "$@"; exit 1; }   # die - output message on stderr and exit

TO_INTER_GW()
{
	ip route del default
	ip route add default via ${INTER_GW} dev ${INTER_DEV}
}

TO_INTRA_GW()
{
	ip route del default
	ip route add default via ${INTRA_GW} dev ${INTRA_DEV}
}

status() {
	ip route show
}

case "$1" in
        to_inter_gw)
                TO_INTER_GW
        ;;
	to_intra_gw)
		TO_INTRA_GW
	;;
        status)
                status
        ;;
        *)
                echo $"Usage: $0 {to_inter_gw|to_intra_gw|status}"
                exit 1
esac

exit 0

 4、其他服务器上配置默认路由

ip route add default via 192.168.40.10

 

验证并测试:

1、master、slave上启动keepalived后,查看主从状态以及vip状态是否正常。

2、切换主从后是否正常

3、其他服务器上访问外网是否正常   或者 curl “ipinfo.io/ip” 显示的IP地址是否 123.123.123.123 

 

配置完成。内网服务器可以愉快的上网了。

 

wx@126.com
posted @ 2020-04-09 22:45  MR__Wang  阅读(511)  评论(1编辑  收藏  举报