场景介绍:
客户端业务服务器A:192.168.11.11
iptables服务器B: 192.168.22.22(主) 192.168.22.23(备)
VIP: 192.168.22.41 192.168.22.42
服务端业务服务器C:192.168.33.33
业务服务器C要进行IP源地址健全,每个客户号要有独立访问的源地址。
而所有的客户号(例:1-10)都是指定在客户端A的程序中,
正常情况下,在服务器C上看到的客户号1-10所对应的都是同一个源地址,如何来解决这个问题呢?
在A和C之间加个正向代理服务器即可,配置有多个地址,并在A程序里根据客户号访问不同的代理服务器IP即可。
本文中使用iptables里的SNAT和DNAT功能来实现,并使用keepalived来进行二台热备。
一、keepalived的配置如下:
! Configuration File for keepalived
global_defs {
notification_email {
aa@bbcom
}
notification_email_from root@bb.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id iptables33
}
vrrp_instance MOPIN {
state MASTER
interface eth0
virtual_router_id 51
priority 110
advert_int 1
track_interface {
eth0 weight 5
}
authentication {
auth_type PASS
auth_pass mopin
}
virtual_ipaddress {
192.168.22.41/24 brd 192.168.22.255 dev eth0 label eth0:1
192.168.22.42/24 brd 192.168.22.255 dev eth0 label eth0:2
}
notify_backup "/usr/local/keepalived/bin/show.sh vip1 backup"
notify_master "/usr/local/keepalived/bin/show.sh vip1 master"
notify_fault "/usr/local/keepalived/bin/show.sh vip1 fault"
smtp_alert
}
二、iptables配置:
#Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*mangle
:PREROUTING ACCEPT [881:72068]
:INPUT ACCEPT [881:72068]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1009:123804]
:POSTROUTING ACCEPT [1009:123804]
-A PREROUTING -d 192.168.22.41/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x41/0xffffffff
-A PREROUTING -d 192.168.22.42/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x42/0xffffffff
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.22.41/32 -p tcp -m tcp --dport 10041 -j DNAT --to-destination 192.168.33.33:80
-A PREROUTING -d 192.168.22.42/32 -p tcp -m tcp --dport 10042 -j DNAT --to-destination 192.168.33.33:80
-A POSTROUTING -m mark --mark 0x41 -j SNAT --to-source 192.168.22.41
-A POSTROUTING -m mark --mark 0x42 -j SNAT --to-source 192.168.22.42
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2024:234224]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
主要是针对不同的VIP地址进行mangle上打标签,来区别不同的源地址。
本文出自 “秋天的童话” 博客,请务必保留此出处http://wushank.blog.51cto.com/3489095/1747631
原文地址:http://wushank.blog.51cto.com/3489095/1747631
