架構
環境準備
我的VirtualBox版本是4.3.28,兩台主機都要準備兩張網卡。介面卡1: 在「附加到(A):」欄位選擇「僅限主機介面卡」,並新增一個新的172.24.10.0網段的網路。
介面卡1是設定LVS時會使用到的網路卡,但僅限主機介面卡不能連線到網際網路,所以要再準備另一張網路卡,用於連線到網際網路下載所需要的套件。
介面卡2 : 請選擇任何一種網路,只要能連線到網際網路下載套件就可以,LVS的設定不會用到這個網段。
ProFTPd的設定請參考這篇文章: http://jyc-blog.blogspot.tw/2015/07/centos-7-proftpd-ftpftpssftp.html
安裝套件
############lvs_active##############
[root@lvs_active ~]# yum install keepalived ipvsadm -y
############lvs_backup##############
[root@lvs_active ~]# yum install keepalived ipvsadm -y
############lvs_backup##############
[root@lvs_backup ~]# yum install keepalived ipvsadm -y
設定LVS與Keepalived (lvs_active)
############lvs_active##############
#要建一個全新的設定檔,將原本的keepalived設定檔重新命名
[root@lvs_active ~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.original
#建立設定檔
[root@lvs_active ~]# vim /etc/keepalived/keepalived.conf
#add following
# keepalived.conf for lvs_active: VRRP MASTER for the VIP 172.24.10.100 plus
# the IPVS virtual services for FTP (21) and SFTP (2221), both in DR mode.
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 60
}
# One VRRP instance on the LVS interface. The peer (lvs_backup) must use the
# same virtual_router_id and a lower priority.
vrrp_instance RH_1 {
state MASTER
interface enp0s3
virtual_router_id 50
priority 100
advert_int 1
# PASS authentication travels in cleartext in every advertisement, so it only
# guards against a misconfigured peer, not against a host on the segment.
# What actually limits who can speak VRRP here is the host-only
# 172.24.10.0/24 network the page places enp0s3 on.
authentication {
auth_type PASS
auth_pass password123
}
virtual_ipaddress {
172.24.10.100
}
}
# FTP control port, scheduled round-robin (rr) in direct-routing mode (DR).
# persistence_timeout is in seconds (9600 s = 160 min): every connection from
# one client IP keeps going to the real server chosen first.
# TCP_CHECK only confirms the port accepts a connection; it does not verify
# that the FTP service actually answers.
virtual_server 172.24.10.100 21 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.101 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.102 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
# SFTP on 2221 with the same parameters.
# NOTE(review): the iptables.sh on this page marks port 21 and the passive
# range 40000:45000 with fwmark 21, but both virtual_server blocks here are
# keyed by address:port rather than "virtual_server fwmark 21", so the marks
# appear unused by IPVS and passive data connections to VIP:40000-45000 seem
# to have no virtual service — confirm which form was intended.
# NOTE(review): the ip_vs_ftp helper loaded later on this page is, as far as
# I know, only effective for NAT mode, not DR — confirm.
virtual_server 172.24.10.100 2221 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.101 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.102 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
[root@lvs_active ~]# systemctl start keepalived.service
[root@lvs_active ~]# systemctl enable keepalived.service
[root@lvs_active ~]# vim /etc/sysctl.conf
#add following
# Kernel settings for the LVS director. /etc/sysctl.conf is read at boot (or
# by "sysctl -p"); the page does not show the values being applied to the
# running kernel after this edit.
net.ipv4.ip_forward = 1
# Lets a process bind to the VIP even while it is not (yet) held by this node.
net.ipv4.ip_nonlocal_bind = 1
# arp_ignore=1 / arp_announce=2 restrict ARP replies and announcements on
# enp0s3 to addresses configured on that interface (the usual LVS-DR setting).
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
# NOTE(review): the next two lines duplicate the two above. Harmless, but it
# looks like a paste error — confirm whether another interface (e.g. lo or
# all) was meant.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
#載入LVS的FTP module
[root@lvs_active ~]# modprobe ip_vs_ftp
#設定開機自動載入Kernel module
[root@lvs_active ~]# vim /etc/modules-load.d/ip_vs_ftp.conf
#add following
ip_vs_ftp
設定LVS與Keepalived (lvs_backup)
[root@lvs_backup ~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.original
#建立設定檔
[root@lvs_backup ~]# vim /etc/keepalived/keepalived.conf
#add following
# keepalived.conf for lvs_backup: VRRP BACKUP for the VIP 172.24.10.100 with
# the same IPVS virtual services as lvs_active (FTP 21, SFTP 2221, DR mode).
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 60
}
# Same virtual_router_id as the MASTER; only state and priority differ.
vrrp_instance RH_1 {
state BACKUP
interface enp0s3
virtual_router_id 50
priority 80 # the backup node's priority must be lower than the active node's
advert_int 1
# PASS authentication travels in cleartext in every advertisement, so it only
# guards against a misconfigured peer, not against a host on the segment.
# The host-only 172.24.10.0/24 network on enp0s3 is the real boundary.
authentication {
auth_type PASS
auth_pass password123
}
virtual_ipaddress {
172.24.10.100
}
}
# FTP control port, round-robin in direct-routing mode.
# persistence_timeout is in seconds (9600 s = 160 min): one client IP sticks
# to the real server chosen first.
# TCP_CHECK only confirms the port accepts a connection, not that FTP works.
virtual_server 172.24.10.100 21 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.101 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.102 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
# SFTP on 2221 with the same parameters.
# NOTE(review): the iptables.sh on this page sets fwmark 21 on port 21 and
# the passive range 40000:45000, but these virtual_server blocks are keyed by
# address:port rather than "virtual_server fwmark 21", so the marks appear
# unused by IPVS — confirm which form was intended.
virtual_server 172.24.10.100 2221 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.101 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.102 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
[root@lvs_backup ~]# systemctl start keepalived.service
[root@lvs_backup ~]# systemctl enable keepalived.service
[root@lvs_backup ~]# vim /etc/sysctl.conf
#add following
# Kernel settings for the LVS director (identical to lvs_active). Read at
# boot or by "sysctl -p"; the page does not show them being applied live.
net.ipv4.ip_forward = 1
# Lets a process bind to the VIP even while this node does not hold it.
net.ipv4.ip_nonlocal_bind = 1
# arp_ignore=1 / arp_announce=2 restrict ARP replies and announcements on
# enp0s3 to addresses configured on that interface (the usual LVS-DR setting).
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
# NOTE(review): the next two lines duplicate the two above — likely a paste
# error; confirm whether another interface (e.g. lo or all) was meant.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
#載入LVS的FTP module
[root@lvs_backup ~]# modprobe ip_vs_ftp
#設定開機自動載入Kernel module
[root@lvs_backup ~]# vim /etc/modules-load.d/ip_vs_ftp.conf
#add following
ip_vs_ftp
設定防火牆 (lvs_active)
[root@lvs_active ~]# systemctl enable iptables
[root@lvs_active ~]# vim iptables.sh
#add following
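#!/bin/sh
# iptables.sh — host firewall for lvs_active (VRRP MASTER / LVS director).
# Run as root. The final rule set is written to /etc/sysconfig/iptables so
# the iptables service restores it at boot.
set -eu

# Open the policies before flushing: if the previous policy was DROP, an
# empty table would otherwise cut off the session that is applying the rules.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# INPUT: stateful accept first, then local and control traffic.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# VRRP advertisements from the peer director. keepalived.conf binds the
# instance to enp0s3, so only accept VRRP there: an advertisement arriving on
# the internet-facing adapter must not be able to claim the VIP.
iptables -A INPUT -i enp0s3 -p vrrp -j ACCEPT
# The LVS segment (host-only 172.24.10.0/24) lives on enp0s3; bind the
# subnet accept to that interface so a spoofed source on the other adapter
# does not match. Because this accepts everything from the segment, the
# port rules below only matter for traffic from other networks.
iptables -A INPUT -i enp0s3 -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
# ProFTPd passive data ports.
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Firewall marks: FTP control and its passive range share mark 21, SFTP 2221.
# NOTE(review): the keepalived.conf shown for this host declares its
# virtual_server entries by address and port, not "virtual_server fwmark N",
# so IPVS does not consume these marks as configured — confirm which was
# intended.
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 40000:45000 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 2221 -j MARK --set-mark 2221

# Default-deny INPUT is set last, so no inbound packet is dropped while the
# accept rules above are still being added.
iptables -P INPUT DROP
iptables-save > /etc/sysconfig/iptables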
[root@lvs_active ~]# sh iptables.sh
#載入iptables的FTP模組
[root@lvs_active ~]# vim /etc/sysconfig/iptables-config
#line 6 modify
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
[root@lvs_active ~]# systemctl restart iptables.service
設定防火牆 (lvs_backup)
[root@lvs_backup ~]# systemctl start iptables
[root@lvs_backup ~]# systemctl enable iptables
[root@lvs_backup ~]# vim iptables.sh
#add following
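#!/bin/sh
# iptables.sh — host firewall for lvs_backup (VRRP BACKUP, also serving the
# FTP/SFTP daemons for VIP traffic). Run as root. The final rule set is
# written to /etc/sysconfig/iptables so the iptables service restores it at
# boot.
set -eu

# Open the policies before flushing: if the previous policy was DROP, an
# empty table would otherwise cut off the session that is applying the rules.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# INPUT: stateful accept first, then local and control traffic.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# VRRP advertisements from the peer director. keepalived.conf binds the
# instance to enp0s3, so only accept VRRP there: an advertisement arriving on
# the internet-facing adapter must not be able to claim the VIP.
iptables -A INPUT -i enp0s3 -p vrrp -j ACCEPT
# The LVS segment (host-only 172.24.10.0/24) lives on enp0s3; bind the
# subnet accept to that interface so a spoofed source on the other adapter
# does not match. The port rules below only matter for other networks.
iptables -A INPUT -i enp0s3 -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
# ProFTPd passive data ports.
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Firewall marks: FTP control and its passive range share mark 21, SFTP 2221.
# NOTE(review): the keepalived.conf shown for this host declares its
# virtual_server entries by address and port, not "virtual_server fwmark N",
# so IPVS does not consume these marks as configured — confirm which was
# intended.
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 40000:45000 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 2221 -j MARK --set-mark 2221

# Deliver VIP traffic to the local daemons on this node. Do NOT add these
# three rules on lvs_active: there they would bypass LVS, every client would
# land on lvs_active, and the load balancing would be lost.
# NOTE(review): nat PREROUTING is evaluated before IPVS sees the packet, so
# when this node becomes MASTER these rules presumably keep redirecting VIP
# traffic locally instead of through IPVS — confirm the failover behaviour.
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 21 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 2221 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 40000:45000 -j REDIRECT

# Default-deny INPUT is set last, so no inbound packet is dropped while the
# accept rules above are still being added.
iptables -P INPUT DROP
iptables-save > /etc/sysconfig/iptables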
#載入iptables的FTP模組
[root@lvs_backup ~]# vim /etc/sysconfig/iptables-config
#line 6 modify
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
[root@lvs_backup ~]# systemctl restart iptables.service
查看連線狀態:
如果在測試的時候發現一直連到同一台Real Server的話,這是正常的,只要多換幾個IP試試就可以了,因為在設定的時候我加入了「persistence_timeout」與「firewall mark」,因此同一個IP連線的時候會被導向同一台Real Server。