架構
環境準備
我的VirtualBox版本是4.3.28,四台主機都要準備兩張網卡。介面卡1: 在「附加到(A):」欄位選擇「僅限主機介面卡」,並新增一個新的172.24.10.0網段的網路。
介面卡1是設定LVS時會使用到的網路卡,但僅限主機介面卡不能連線到網際網路,所以要再準備另一張網路卡,用於連線到網際網路下載所需要的套件。
介面卡2 : 請選擇任何一種網路,只要能連線到網際網路下載套件就可以,LVS的設定不會用到這個網段。
ProFTPd的設定請參考這篇文章: http://jyc-blog.blogspot.tw/2015/07/centos-7-proftpd-ftpftpssftp.html
安裝套件
############lvs_active##############
[root@lvs_active ~]# yum install keepalived ipvsadm -y
############lvs_backup##############
[root@lvs_active ~]# yum install keepalived ipvsadm -y
############lvs_backup##############
[root@lvs_backup ~]# yum install keepalived ipvsadm -y
############proftpd1##############
[root@proftpd1 ~]# yum install arptables -y
############proftpd2##############
[root@proftpd1 ~]# yum install arptables -y
############proftpd2##############
[root@proftpd2 ~]# yum install arptables -y
設定LVS與Keepalived
############lvs_active##############
#要建一個全新的設定檔,將原本的keepalived設定檔重新命名
[root@lvs_active ~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.original
#建立設定檔
[root@lvs_active ~]# vim /etc/keepalived/keepalived.conf
#add following
# Notification settings for VRRP state changes: mail to root@localhost,
# sent as root@localhost, through the SMTP server listening on 127.0.0.1.
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server 127.0.0.1
# Give up on the local MTA after 60 s rather than blocking keepalived.
smtp_connect_timeout 60
}
# VRRP instance that owns the FTP VIP 172.24.10.100 on enp0s3. The backup
# node (further down the page) uses the same virtual_router_id 50 with a lower
# priority, so this node wins the election while it is up and advertising.
vrrp_instance RH_1 {
state MASTER
interface enp0s3
virtual_router_id 50
priority 100
# One advertisement per second; the backup takes over after missing ~3.
advert_int 1
# NOTE(review): auth_type PASS puts the password in cleartext in every VRRP
# advertisement, and keepalived only uses the first 8 characters of auth_pass,
# so "password123" is effectively "password". Any host on 172.24.10.0/24 can
# read it; this only holds up because that segment is a host-only lab network.
authentication {
auth_type PASS
auth_pass password123
}
virtual_ipaddress {
172.24.10.100
}
}
# LVS service for FTP control (port 21) on the VIP.
# lb_kind DR: the director forwards at layer 2 and the real servers must
# accept packets still addressed to the VIP themselves; on this page that is
# done with the iptables REDIRECT / arptables rules on proftpd1 and proftpd2.
# persistence_timeout 9600 pins one client IP to one real server for 9600 s,
# which is why tests from a single client keep landing on the same node.
# NOTE(review): the director's mangle rules mark ports 21 and 40000:45000
# with fwmark 21, but this service is keyed by IP:port, so nothing here
# consumes that mark. Grouping passive-data connections with their control
# connection needs a "virtual_server fwmark 21" definition instead.
virtual_server 172.24.10.100 21 {
# Health-check every 10 s, round-robin across the real servers.
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
# 172.24.10.103 / .104 are the addresses the arptables --mangle-ip-s rules
# on the real servers rewrite to.
real_server 172.24.10.103 21 {
weight 1
# Plain TCP connect to the real server's port 21; fail after 10 s.
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.104 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
# Second LVS service on the VIP for port 2221, configured identically to the
# port-21 service above (DR, round-robin, 9600 s client persistence, TCP
# health check). The director marks this port with fwmark 2221 in the mangle
# table, but as with port 21 the mark is not referenced by this definition.
virtual_server 172.24.10.100 2221 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.103 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.104 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
[root@lvs_active ~]# systemctl start keepalived.service
[root@lvs_active ~]# systemctl enable keepalived.service
[root@lvs_active ~]# vim /etc/sysctl.conf
#add following
# ip_forward is needed for NAT-style LVS; with lb_kind DR it is generally not
# required but harmless. ip_nonlocal_bind lets a service bind the VIP on this
# node even while it is BACKUP and does not hold the address.
# NOTE(review): unlike the real-server sections, this page never runs
# "sysctl -p" on the directors, so these settings only apply after a reboot.
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
#載入LVS的FTP module
[root@lvs_active ~]# modprobe ip_vs_ftp
#設定開機自動載入Kernel module
[root@lvs_active ~]# vim /etc/modules-load.d/ip_vs_ftp.conf
#add following
ip_vs_ftp
[root@lvs_backup ~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.original
#建立設定檔
[root@lvs_backup ~]# vim /etc/keepalived/keepalived.conf
#add following
# Notification settings for VRRP state changes: mail to root@localhost,
# sent as root@localhost, through the SMTP server on 127.0.0.1.
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server 127.0.0.1
# Give up on the local MTA after 60 s rather than blocking keepalived.
smtp_connect_timeout 60
}
# Backup side of the VRRP instance for VIP 172.24.10.100. virtual_router_id,
# interface and authentication must match the active node exactly; only the
# state and priority differ.
vrrp_instance RH_1 {
state BACKUP
interface enp0s3
virtual_router_id 50
priority 80 # the backup node's priority must be lower than the active node's
advert_int 1
# NOTE(review): auth_type PASS is cleartext on the wire and keepalived only
# uses the first 8 characters of auth_pass ("password123" -> "password").
# Acceptable only because 172.24.10.0/24 is an isolated host-only network.
authentication {
auth_type PASS
auth_pass password123
}
virtual_ipaddress {
172.24.10.100
}
}
# LVS service for FTP control (port 21), identical to the active node's so
# that failover does not change how clients are balanced. DR mode: real
# servers must accept packets addressed to the VIP (REDIRECT / arptables rules
# on proftpd1 and proftpd2). persistence_timeout 9600 keeps a client IP on the
# same real server for 9600 s.
# NOTE(review): this service is keyed by IP:port, so the fwmark 21 set by the
# director's mangle rules is not used; a "virtual_server fwmark 21" would be
# needed to group the 40000:45000 passive-data connections with port 21.
virtual_server 172.24.10.100 21 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.103 21 {
weight 1
# Plain TCP connect health check to the real server's port 21, 10 s timeout.
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.104 21 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
# Second LVS service on the VIP for port 2221; same parameters as the port-21
# service above and as the active node. The fwmark 2221 set in the director's
# mangle table is likewise not referenced here.
virtual_server 172.24.10.100 2221 {
delay_loop 10
lb_algo rr
lb_kind DR
persistence_timeout 9600
protocol TCP
real_server 172.24.10.103 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
real_server 172.24.10.104 2221 {
weight 1
TCP_CHECK {
connect_timeout 10
}
}
}
[root@lvs_backup ~]# systemctl start keepalived.service
[root@lvs_backup ~]# systemctl enable keepalived.service
[root@lvs_backup ~]# vim /etc/sysctl.conf
#add following
# Same director sysctls as on lvs_active: ip_forward (generally not required
# for DR but harmless) and ip_nonlocal_bind so the VIP can be bound while
# this node is BACKUP.
# NOTE(review): no "sysctl -p" is shown for the directors on this page, so
# these only take effect after a reboot.
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
#載入LVS的FTP module
[root@lvs_backup ~]# modprobe ip_vs_ftp
#設定開機自動載入Kernel module
[root@lvs_backup ~]# vim /etc/modules-load.d/ip_vs_ftp.conf
#add following
ip_vs_ftp
設定防火牆
############lvs_active##############
[root@lvs_active ~]# systemctl start iptables
[root@lvs_active ~]# systemctl enable iptables
[root@lvs_active ~]# vim iptables.sh
#add following
# Director firewall (lvs_active). iptables rules are first-match, so the
# order below is significant.
# Flush all three tables and delete any user-defined chains first.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies. INPUT ACCEPT is overridden by INPUT DROP three lines
# down, so the first line is redundant as written.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful: packets belonging to connections this host already tracks.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# VRRP (IP protocol 112) from any source. NOTE(review): the peer director is
# on 172.24.10.0/24, which the next rule already accepts wholesale, so this
# rule only adds VRRP from outside the lab segment; consider adding -s or
# dropping it.
iptables -A INPUT -p vrrp -j ACCEPT
# Everything from the LVS segment is trusted; the per-port rules below
# therefore only matter for traffic arriving from other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# The two ports load-balanced in keepalived.conf, plus 40000:45000
# (presumably the FTP passive data range; it shares mark 21 with port 21 below).
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Firewall marks: control (21) and data (40000:45000) share mark 21 so they
# can be treated as one LVS service. NOTE(review): keepalived.conf on this
# page defines virtual_server by IP:port (172.24.10.100 21), not
# "virtual_server fwmark 21", so as written these marks are set but unused.
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 40000:45000 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 2221 -j MARK --set-mark 2221
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@lvs_active ~]# sh iptables.sh
[root@lvs_active ~]# systemctl restart iptables.service
############lvs_backup##############
[root@lvs_backup ~]# systemctl start iptables
[root@lvs_backup ~]# systemctl enable iptables
[root@lvs_backup ~]# vim iptables.sh
#add following
# Director firewall (lvs_backup), identical to lvs_active so that the rule set
# does not change on failover. Rules are first-match; order matters.
# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies; INPUT ACCEPT is overridden by INPUT DROP three lines down.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful accept of already-tracked connections.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): VRRP from any source; the peer is on 172.24.10.0/24, which
# the next rule already accepts, so this only widens exposure beyond the lab
# segment. Consider restricting with -s.
iptables -A INPUT -p vrrp -j ACCEPT
# Whole LVS segment trusted; the port rules below only affect other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Ports load-balanced in keepalived.conf plus 40000:45000 (presumably the
# FTP passive range; marked together with port 21 below).
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Firewall marks grouping FTP control and data under mark 21.
# NOTE(review): no "virtual_server fwmark 21" exists in keepalived.conf on
# this page, so these marks are currently not consumed by LVS.
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 40000:45000 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d 172.24.10.100/32 --dport 2221 -j MARK --set-mark 2221
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@lvs_backup ~]# systemctl restart iptables.service
設定Real Server
############proftpd1############
[root@proftpd1 ~]# systemctl start arptables.service
[root@proftpd1 ~]# systemctl enable arptables.service
[root@proftpd1 ~]# vim arptable.sh
#add following
# ARP rules for a DR real server (proftpd1): this host must never answer ARP
# for the VIP, otherwise clients would bypass the director.
arptables -F
arptables -X
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -P FORWARD ACCEPT
# Drop incoming ARP requests for the VIP.
arptables -A INPUT -d 172.24.10.100 -j DROP
# If this host emits ARP with the VIP as sender, rewrite it to its real IP.
arptables -A OUTPUT -s 172.24.10.100 -j mangle --mangle-ip-s 172.24.10.103
# Persist so arptables.service restores the same rules on boot.
arptables-save > /etc/sysconfig/arptables
[root@proftpd1 ~]# sh arptable.sh
[root@proftpd1 ~]# systemctl restart arptables.service
[root@proftpd1 ~]# systemctl start iptables.service
[root@proftpd1 ~]# systemctl enable iptables.service
[root@proftpd1 ~]# vim iptable.sh
#add following
# Real server firewall (proftpd1). Rules are first-match; order matters.
# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies; INPUT ACCEPT is overridden by INPUT DROP three lines down.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful accept. Once the FTP conntrack helper is loaded (iptables-config
# step below), passive data connections count as RELATED to their control
# session.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): the real servers do not run keepalived, so accepting VRRP
# here is unnecessary (carried over from the director script).
iptables -A INPUT -p vrrp -j ACCEPT
# Whole lab segment trusted; the port rules below only matter for clients
# arriving from other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# DR without configuring the VIP locally: packets forwarded by the director
# are still addressed to 172.24.10.100, so REDIRECT them to this host's own
# address (same port) for ProFTPd to accept. Only 21 and 2221 are redirected.
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 21 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 2221 -j REDIRECT
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@proftpd1 ~]# sh iptable.sh
#載入iptables的FTP模組
[root@proftpd1 ~]# vim /etc/sysconfig/iptables-config
[root@proftpd1 ~]# systemctl restart iptables.service
[root@proftpd1 ~]# vim /etc/sysctl.conf
#add following
# Kernel-side suppression of VIP ARP replies, overlapping with the arptables
# rules above: arp_ignore=1 answers only for addresses configured on the
# receiving interface; arp_announce=2 uses the interface's own best address as
# ARP sender. This page does not show the VIP being added to the real server's
# interfaces (the REDIRECT method avoids that), so both mechanisms are
# precautionary here.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
[root@proftpd1 ~]# sysctl -p
############proftpd2############
[root@proftpd2 ~]# systemctl start arptables.service
[root@proftpd2 ~]# systemctl enable arptables.service
[root@proftpd2 ~]# vim arptable.sh
#add following
# ARP rules for a DR real server (proftpd2): never answer ARP for the VIP,
# so only the director's MAC is associated with 172.24.10.100.
arptables -F
arptables -X
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -P FORWARD ACCEPT
# Drop incoming ARP requests for the VIP.
arptables -A INPUT -d 172.24.10.100 -j DROP
# Rewrite any outgoing ARP claiming the VIP to this host's real IP (.104).
arptables -A OUTPUT -s 172.24.10.100 -j mangle --mangle-ip-s 172.24.10.104
# Persist so arptables.service restores the same rules on boot.
arptables-save > /etc/sysconfig/arptables
[root@proftpd2 ~]# sh arptable.sh
[root@proftpd2 ~]# systemctl restart arptables.service
[root@proftpd2 ~]# systemctl start iptables.service
[root@proftpd2 ~]# systemctl enable iptables.service
[root@proftpd2 ~]# vim iptable.sh
#add following
# Real server firewall (proftpd2), same as proftpd1. Rules are first-match.
# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies; INPUT ACCEPT is overridden by INPUT DROP three lines down.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful accept; with the FTP conntrack helper loaded (iptables-config
# step below), passive data connections are RELATED to the control session.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): no keepalived runs on the real servers; this VRRP accept is
# unnecessary here.
iptables -A INPUT -p vrrp -j ACCEPT
# Whole lab segment trusted; port rules below only matter for other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# DR without a local VIP: REDIRECT packets still addressed to 172.24.10.100
# on ports 21 and 2221 to this host's own address so ProFTPd accepts them.
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 21 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 2221 -j REDIRECT
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@proftpd2 ~]# sh iptable.sh
#載入iptables的FTP模組
[root@proftpd2 ~]# vim /etc/sysconfig/iptables-config
[root@proftpd2 ~]# systemctl restart iptables.service
[root@proftpd2 ~]# vim /etc/sysctl.conf
#add following
# Kernel-side suppression of VIP ARP replies on proftpd2 (arp_ignore=1: reply
# only for addresses on the receiving interface; arp_announce=2: use the
# interface's own address as ARP sender). Overlaps with the arptables rules
# above; with the REDIRECT method the VIP is not configured locally, so both
# are precautionary.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
[root@proftpd2 ~]# sysctl -p
[root@proftpd1 ~]# systemctl start arptables.service
[root@proftpd1 ~]# systemctl enable arptables.service
[root@proftpd1 ~]# vim arptable.sh
#add following
# ARP rules for a DR real server (proftpd1): never answer ARP for the VIP,
# otherwise clients could reach this host directly and bypass the director.
arptables -F
arptables -X
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -P FORWARD ACCEPT
# Drop incoming ARP requests for the VIP.
arptables -A INPUT -d 172.24.10.100 -j DROP
# Rewrite any outgoing ARP claiming the VIP to this host's real IP (.103).
arptables -A OUTPUT -s 172.24.10.100 -j mangle --mangle-ip-s 172.24.10.103
# Persist so arptables.service restores the same rules on boot.
arptables-save > /etc/sysconfig/arptables
[root@proftpd1 ~]# sh arptable.sh
[root@proftpd1 ~]# systemctl restart arptables.service
[root@proftpd1 ~]# systemctl start iptables.service
[root@proftpd1 ~]# systemctl enable iptables.service
[root@proftpd1 ~]# vim iptable.sh
#add following
# Real server firewall (proftpd1). Rules are first-match; order matters.
# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies; INPUT ACCEPT is overridden by INPUT DROP three lines down.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful accept. With ip_conntrack_ftp loaded via IPTABLES_MODULES below,
# passive data connections are RELATED to their control session.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): the real servers do not run keepalived; this VRRP accept is
# carried over from the director script and is unnecessary here.
iptables -A INPUT -p vrrp -j ACCEPT
# Whole lab segment trusted; the port rules below only matter for clients
# from other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# DR without configuring the VIP locally: REDIRECT packets still addressed
# to 172.24.10.100 on ports 21 and 2221 to this host's own address. With
# ip_nat_ftp loaded, the related passive data connections follow the
# redirected control connection.
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 21 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 2221 -j REDIRECT
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@proftpd1 ~]# sh iptable.sh
#載入iptables的FTP模組
[root@proftpd1 ~]# vim /etc/sysconfig/iptables-config
#line 6 modify
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
[root@proftpd1 ~]# systemctl restart iptables.service
[root@proftpd1 ~]# vim /etc/sysctl.conf
#add following
# Kernel-side suppression of VIP ARP replies (arp_ignore=1: reply only for
# addresses on the receiving interface; arp_announce=2: use the interface's
# own address as ARP sender). Overlaps with the arptables rules above; since
# this page does not add the VIP to the real server's interfaces, both are
# precautionary. Applied immediately by the "sysctl -p" that follows.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
[root@proftpd1 ~]# sysctl -p
############proftpd2############
[root@proftpd2 ~]# systemctl start arptables.service
[root@proftpd2 ~]# systemctl enable arptables.service
[root@proftpd2 ~]# vim arptable.sh
#add following
# ARP rules for a DR real server (proftpd2): never answer ARP for the VIP,
# so only the director's MAC is associated with 172.24.10.100.
arptables -F
arptables -X
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -P FORWARD ACCEPT
# Drop incoming ARP requests for the VIP.
arptables -A INPUT -d 172.24.10.100 -j DROP
# Rewrite any outgoing ARP claiming the VIP to this host's real IP (.104).
arptables -A OUTPUT -s 172.24.10.100 -j mangle --mangle-ip-s 172.24.10.104
# Persist so arptables.service restores the same rules on boot.
arptables-save > /etc/sysconfig/arptables
[root@proftpd2 ~]# sh arptable.sh
[root@proftpd2 ~]# systemctl restart arptables.service
[root@proftpd2 ~]# systemctl start iptables.service
[root@proftpd2 ~]# systemctl enable iptables.service
[root@proftpd2 ~]# vim iptable.sh
#add following
# Real server firewall (proftpd2), same as proftpd1. Rules are first-match.
# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies; INPUT ACCEPT is overridden by INPUT DROP three lines down.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Stateful accept. With ip_conntrack_ftp loaded via IPTABLES_MODULES below,
# passive data connections are RELATED to their control session.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): no keepalived on the real servers; this VRRP accept is
# unnecessary here.
iptables -A INPUT -p vrrp -j ACCEPT
# Whole lab segment trusted; port rules below only matter for other networks.
iptables -A INPUT -s 172.24.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# DR without a local VIP: REDIRECT packets still addressed to 172.24.10.100
# on ports 21 and 2221 to this host's own address. With ip_nat_ftp loaded,
# related passive data connections follow the redirected control connection.
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 21 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp -d 172.24.10.100 --dport 2221 -j REDIRECT
# Persist so iptables.service restores the same rule set on boot.
iptables-save > /etc/sysconfig/iptables
[root@proftpd2 ~]# sh iptable.sh
#載入iptables的FTP模組
[root@proftpd2 ~]# vim /etc/sysconfig/iptables-config
#line 6 modify
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
[root@proftpd2 ~]# systemctl restart iptables.service
[root@proftpd2 ~]# vim /etc/sysctl.conf
#add following
# Kernel-side suppression of VIP ARP replies on proftpd2 (arp_ignore=1 /
# arp_announce=2), overlapping with the arptables rules above. The VIP is not
# added to this host's interfaces on this page, so both are precautionary.
# Applied immediately by the "sysctl -p" that follows.
net.ipv4.conf.enp0s3.arp_ignore = 1
net.ipv4.conf.enp0s3.arp_announce = 2
[root@proftpd2 ~]# sysctl -p
查看連線狀態:
如果在測試的時候發現一直連到同一台Real Server的話,這是正常的,只要多換幾個IP試試就可以了,因為在設定的時候我加入了「persistence_timeout」與「firewall mark」,因此同一個IP連線的時候會被導向同一台Real Server。
請問ipvsadm安裝完預設會啟動嗎?這邊沒有看你寫,而當我主動下systemctl start ipvsadm時,會出現"Job for ipvsadm.service failed. See 'systemctl status ipvsadm.service' and 'journalctl -xn' for details."
keepalived會自動管理ipvsadm rule,因此建議不要啟動,可能會有衝突,
就算不安裝ipvsadm也可以正常執行,因為lvs已經寫到kernel裡了,
這篇會安裝ipvsadm,單純只是為了查看lvs的連線狀態。