iptables+keepalived實現多源地址訪問
場景介紹:服務器
客戶端業務服務器A:192.168.11.11tcp
iptables服務器B: 192.168.22.22(主) 192.168.22.23(備)
ide
VIP: 192.168.22.41 192.168.22.42
spa
服務端業務服務器C:192.168.33.33代理
業務服務器C要進行IP源地址健全,每一個客戶號要有獨立訪問的源地址。router
而全部的客戶號(例:1-10)都是指定在客戶端A的程序中,server
正常狀況下,在服務器C上看到的客戶號1-10所對應的都是同一個源地址,如何來解決這個問題呢?ip
在A和C之間加個正向代理服務器便可,配置有多個地址,並在A程序里根據客戶號訪問不一樣的代理服務器IP便可。it
本文中使用iptables裏的SNAT和DNAT功能來實現,並使用keepalived來進行二臺熱備。io
1、keepalived的配置以下:
! Configuration File for keepalived
global_defs {
notification_email {
aa@bbcom
}
notification_email_from root@bb.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id iptables33
}
vrrp_instance MOPIN {
state MASTER
interface eth0
virtual_router_id 51
priority 110
advert_int 1
track_interface {
eth0 weight 5
}
authentication {
auth_type PASS
auth_pass mopin
}
virtual_ipaddress {
192.168.22.41/24 brd 192.168.22.255 dev eth0 label eth0:1
192.168.22.42/24 brd 192.168.22.255 dev eth0 label eth0:2
}
notify_backup "/usr/local/keepalived/bin/show.sh vip1 backup"
notify_master "/usr/local/keepalived/bin/show.sh vip1 master"
notify_fault "/usr/local/keepalived/bin/show.sh vip1 fault"
smtp_alert
}
2、iptables配置:
#Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*mangle
:PREROUTING ACCEPT [881:72068]
:INPUT ACCEPT [881:72068]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1009:123804]
:POSTROUTING ACCEPT [1009:123804]
-A PREROUTING -d 192.168.22.41/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x41/0xffffffff
-A PREROUTING -d 192.168.22.42/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x42/0xffffffff
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.22.41/32 -p tcp -m tcp --dport 10041 -j DNAT --to-destination 192.168.33.33:80
-A PREROUTING -d 192.168.22.42/32 -p tcp -m tcp --dport 10042 -j DNAT --to-destination 192.168.33.33:80
-A POSTROUTING -m mark --mark 0x41 -j SNAT --to-source 192.168.22.41
-A POSTROUTING -m mark --mark 0x42 -j SNAT --to-source 192.168.22.42
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2024:234224]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
主要是針對不一樣的VIP地址進行mangle上打標籤,來區別不一樣的源地址。
- 1. Android 訪問地址
- 2. erlang訪問https地址
- 3. swagger默認訪問地址
- 4. ssh scp訪問ipv6地址
- 5. thinkphp nginx 地址訪問404!!!
- 6. vs訪問地址衝突
- 7. C6748_EMIF_NandFlash_訪問異步地址
- 8. 利用nginx實現多個域名訪問指向同一個項目地址
- 9. 如何實現請求訪問者地址
- 10. 實現私有地址訪問互聯網
- 更多相關文章...
- • 物理地址(MAC地址)是什麼? - TCP/IP教程
- • Swift 訪問控制 - Swift 教程
- • ☆基於Java Instrument的Agent實現
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
-
每一个你不满意的现在,都有一个你没有努力的曾经。