LVS-fwm&persistence


1. LVS-fwm

fwm: FireWall Mark


       Packets are marked in netfilter, in the mangle table;


       ipvsadm -A|E -t|u|f service-address [-s scheduler]

           -t, -u: service-address

               ip:port

           -f: service-address

               firewall mark


       iptables tables:

           filter, nat, mangle, raw


           mangle:

               target: MARK

                   --set-mark value[/mask]


       Steps for defining a cluster service based on fwm:

           (1) Mark the packets

               # iptables -t mangle -A PREROUTING -d $vip -p $protocol --dport $serviceport -j MARK --set-mark #

           (2) Define the cluster service

               # ipvsadm -A -f # [-s scheduler]


Lab topology:

         DS addresses: 192.168.150.137 DIP, 192.168.150.131 VIP

         RS addresses: 192.168.150.138 RS1, 192.168.150.139 RS2

         CLIENT: 192.168.150.133


LVS-fwm test

DS configuration (RS configuration is the same as for LVS-dr)

[root@localhost ~]# iptables -t mangle -A PREROUTING -d 192.168.150.131 -p tcp --dport 80 -j MARK --set-mark 1         Add a MARK rule in iptables; it sits in the PREROUTING chain and matches traffic to the VIP

[root@localhost ~]# iptables -t mangle -vnL

Chain PREROUTING (policy ACCEPT 12 packets, 792 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 MARK       tcp  --  *      *       0.0.0.0/0            192.168.150.131      tcp dpt:80 MARK set 0x1

Chain INPUT (policy ACCEPT 12 packets, 792 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 1284 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7 packets, 1284 bytes)

pkts bytes target     prot opt in     out     source               destination

[root@localhost ~]# iptables -t mangle -vnL

Chain PREROUTING (policy ACCEPT 20 packets, 1284 bytes)

pkts bytes target     prot opt in     out     source               destination

   3   152 MARK       tcp  --  *      *       0.0.0.0/0            192.168.150.131      tcp dpt:80 MARK set 0x1          once a client request arrives, iptables starts applying the mark

Chain INPUT (policy ACCEPT 20 packets, 1284 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 2656 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 15 packets, 2656 bytes)

pkts bytes target     prot opt in     out     source               destination

[root@localhost ~]# ipvsadm -A -f 1 -s rr          Add the LVS cluster service; -f is the fwm, -s selects the scheduler, rr (round robin) here

[root@localhost ~]# ipvsadm -a -f 1 -r 192.168.150.138 -g -w 1      Add RSs to the cluster service; -g is gateway (DR) mode, the default

[root@localhost ~]# ipvsadm -a -f 1 -r 192.168.150.139 -g -w 1

[root@localhost ~]# ipvsadm -Ln

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Scheduler Flags

-> RemoteAddress:Port           Forward Weight ActiveConn InActConn

FWM  1 rr

-> 192.168.150.138:0            Route   1      0          0

-> 192.168.150.139:0            Route   1      0          0


At this point the fwm-based service is configured and active

Client access results:

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS1</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS1</h1>



2. LVS persistent connections

       Function: regardless of which scheduler ipvs uses, requests from the same IP address are always sent to the same RS within a specified time window; this is implemented with the LVS persistence template and is independent of the scheduling method;


       ipvs persistence modes:

           Per-port persistence (PPC): persistence for a single port

           Per-client persistence (PCC): define port 0 of the tcp or udp protocol as the cluster service port;

           Per-FWM persistence (PFWMC): persistence across the ports grouped under one firewall mark

               e.g. http, https


       How to define a persistent service:

           ipvsadm -A|E -t|u|f service-address [-s scheduler]

           [-p [timeout]]
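To make the two mechanisms above concrete (a mangle MARK rule selecting an ipvsadm -f service, and a -p persistence template short-circuiting the scheduler), here is a small Python model written for this page; it is not code from the original post or from LVS/ipvsadm. It assumes a simplified service lookup order (fwm, then VIP:PORT, then VIP:0), a plain round-robin scheduler, and a template that expires a fixed `persist` seconds after it is created.

```python
from itertools import cycle

class MangleTable:
    """Stand-in for `iptables -t mangle -A PREROUTING ... -j MARK --set-mark N`."""

    def __init__(self):
        self.rules = []  # (dst_ip, proto, set of destination ports, mark)

    def add_mark(self, dst_ip, proto, ports, mark):
        self.rules.append((dst_ip, proto, set(ports), mark))

    def mark(self, pkt):
        """Return the fwm for a packet dict (src, dst, proto, dport); 0 if unmarked."""
        for dst_ip, proto, ports, mark in self.rules:
            if (pkt["dst"], pkt["proto"]) == (dst_ip, proto) and pkt["dport"] in ports:
                return mark
        return 0

class Ipvs:
    """Toy IPVS: services keyed like `ipvsadm -f MARK` or `ipvsadm -t VIP:PORT`."""

    def __init__(self):
        self.services = {}   # key -> {"rr": round-robin iterator, "persist": seconds}
        self.templates = {}  # (service key, client ip) -> (real server, expiry time)

    def add_service(self, key, real_servers, persist=0):
        # key is ("fwm", N) or (proto, vip, port); port 0 means all ports (PCC)
        self.services[key] = {"rr": cycle(real_servers), "persist": persist}

    def lookup(self, pkt, fwm):
        # assumed order: fwm service, then exact VIP:PORT, then the VIP:0 catch-all
        for key in (("fwm", fwm), (pkt["proto"], pkt["dst"], pkt["dport"]),
                    (pkt["proto"], pkt["dst"], 0)):
            if key in self.services:
                return key
        return None

    def schedule(self, pkt, fwm=0, now=0):
        """Return (service key, real server) for a new connection, or None."""
        key = self.lookup(pkt, fwm)
        if key is None:
            return None
        svc, tkey = self.services[key], (key, pkt["src"])
        if svc["persist"]:
            rs, expires = self.templates.get(tkey, (None, -1))
            if rs is not None and now < expires:
                return key, rs  # live template: scheduler bypassed, same RS as before
        rs = next(svc["rr"])  # no usable template: ask the scheduler (rr here)
        if svc["persist"]:
            self.templates[tkey] = (rs, now + svc["persist"])
        return key, rs

def demo(persist):
    """Replay the page's last lab (fwm 10 covering 80 and 443) with or without -p."""
    mangle = MangleTable()
    mangle.add_mark("192.168.150.131", "tcp", (80, 443), 10)
    ipvs = Ipvs()
    ipvs.add_service(("fwm", 10), ["192.168.150.138", "192.168.150.139"], persist)
    chosen = []
    # constructed client traffic: (seconds since start, destination port)
    for now, dport in ((0, 80), (5, 443), (10, 80), (400, 443)):
        pkt = {"src": "192.168.150.133", "dst": "192.168.150.131", "proto": "tcp", "dport": dport}
        chosen.append(ipvs.schedule(pkt, fwm=mangle.mark(pkt), now=now)[1])
    return chosen  # persist=0 alternates RS1/RS2; persist=360 sticks until the template expires
```

With `persist=0` the four requests alternate between the two RSs as in the first curl loop on this page; with `persist=360` both the :80 and :443 requests land on the first RS until the template expires, after which the scheduler is consulted again.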


Lab topology:

         DS addresses: 192.168.150.137 DIP, 192.168.150.131 VIP

         RS addresses: 192.168.150.138 RS1, 192.168.150.139 RS2

         CLIENT: 192.168.150.133


1. Per-client persistence (PCC): define port 0 of the tcp or udp protocol as the cluster service port;

[root@localhost ~]# ipvsadm -E -f 1 -s rr -p 300     Add -p to the LVS cluster service defined earlier to make it persistent

[root@localhost ~]# ipvsadm -Ln

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Scheduler Flags

-> RemoteAddress:Port           Forward Weight ActiveConn InActConn

FWM  1 rr persistent 300

-> 192.168.150.138:0            Route   1      0          0          The RS was added without a port, so the port defaults to 0, which means per-client persistence: once a client first lands on this RS, all of its later connections go to the same RS

-> 192.168.150.139:0            Route   1      0          0

Client test results; the scheduling algorithm has no visible effect:

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

[root@localhost ~]# curl http://192.168.150.131

<h1>RS2</h1>

On the DS the service can also be defined explicitly as ip:0

[root@localhost ~]# ipvsadm -A -t 192.168.150.131:0 -s rr -p

[root@localhost ~]# ipvsadm -a -t 192.168.150.131:0 -r 192.168.150.138 -g -w 1

[root@localhost ~]# ipvsadm -a -t 192.168.150.131:0 -r 192.168.150.139 -g -w 1

2. Per-port persistence (PPC): persistence for a single port

[root@localhost ~]# iptables -t mangle -A PREROUTING -d 192.168.150.131 -p tcp --dport 80 -j MARK --set-mark 1

[root@localhost ~]# ipvsadm -A -t 192.168.150.131:23 -s rr -p 300          Adding -p enables persistent connections, here for 300s; a port after the address means persistence applies only to that port

[root@localhost ~]# ipvsadm -a -t 192.168.150.131:23 -r 192.168.150.138 -g -w 1

[root@localhost ~]# ipvsadm -a -t 192.168.150.131:23 -r 192.168.150.139 -g -w 1

Enable the telnet service on both RS1 and RS2

[root@localhost ~]# systemctl start telnet.socket

[root@localhost ~]# ss -tnl

State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port

LISTEN      0      128                    *:22                                 *:*

LISTEN      0      100            127.0.0.1:25                                 *:*

LISTEN      0      128                   :::80                                :::*

LISTEN      0      128                   :::22                                :::*

LISTEN      0      128                   :::23                                :::*

LISTEN      0      100                  ::1:25                                :::*

Client test results:

[root@localhost ~]# ssh 192.168.150.131     ssh access stays persisted on the RS 192.168.150.139

The authenticity of host '192.168.150.131 (192.168.150.131)' can't be established.

RSA key fingerprint is 22:fc:db:5b:e5:26:8a:35:96:9f:2d:c4:4f:07:d1:e8.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.150.131' (RSA) to the list of known hosts.

root@192.168.150.131's password:

Permission denied, please try again.

root@192.168.150.131's password:

Last failed login: Thu Dec  1 01:23:09 CST 2016 from 192.168.150.133 on ssh:notty

There were 2 failed login attempts since the last successful login.

Last login: Thu Dec  1 00:34:06 2016 from 192.168.150.1

[root@localhost ~]# ifconfig

eno33554976: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

inet 192.168.150.139  netmask 255.255.255.0  broadcast 192.168.150.255

inet6 fe80::20c:29ff:fe7c:2ca9  prefixlen 64  scopeid 0x20<link>

ether 00:0c:29:7c:2c:a9  txqueuelen 1000  (Ethernet)

RX packets 8532  bytes 8978251 (8.5 MiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 3594  bytes 320788 (313.2 KiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

inet 127.0.0.1  netmask 255.0.0.0

inet6 ::1  prefixlen 128  scopeid 0x10<host>

loop  txqueuelen 0  (Local Loopback)

RX packets 20  bytes 1760 (1.7 KiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 20  bytes 1760 (1.7 KiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo:0: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

inet 192.168.150.131  netmask 255.255.255.255

loop  txqueuelen 0  (Local Loopback)

3. For persistence across multiple ports, use the ports grouped under a firewall mark (FWM)

Test: port persistence for http and https

DS host configuration:

Clear the existing rules

[root@localhost ~]# ipvsadm -C

Create a private CA

[root@localhost ~]# cd /etc/pki/CA/

[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

........................+++

........+++

e is 65537 (0x10001)

[root@localhost CA]# ls -l private/

总用量 4

-rw——- 1 root root 1679 12月  1 01:28 cakey.pem

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SZ

Locality Name (eg, city) [Default City]:SZ

Organization Name (eg, company) [Default Company Ltd]:CPTW

Organizational Unit Name (eg, section) []:OPS

Common Name (eg, your name or your server's hostname) []:CPTW.COM.CN

Email Address []:MAIL.CPTW.COM.CN

[root@localhost CA]# touch index.txt

[root@localhost CA]# echo 01 > serial

RS1 configuration

Package installation; install the same package on RS2

[root@localhost ~]# yum -y install mod_ssl

已加载插件:fastestmirror

Loading mirror speeds from cached hostfile

* base: mirrors.cn99.com

* extras: mirrors.cn99.com

* updates: mirrors.cn99.com

正在解决依赖关系

--> 正在检查事务

---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 将被 安装

--> 解决依赖关系完成

依赖关系解决

=====================================================================================================

Package            架构              版本                                  源                  大小

=====================================================================================================

正在安装:

mod_ssl            x86_64            1:2.4.6-40.el7.centos.4               updates            104 k

事务概要

=====================================================================================================

安装  1 软件包

总下载量:104 k

安装大小:224 k

Downloading packages:

mod_ssl-2.4.6-40.el7.centos.4.x86_64.rpm                                      | 104 kB  00:00:00

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

正在安装    : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                           1/1

验证中      : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                           1/1

已安装:

mod_ssl.x86_64 1:2.4.6-40.el7.centos.4

完毕!

Generate the private key

[root@localhost ~]# cd /etc/httpd/

[root@localhost httpd]# ls

conf  conf.d  conf.modules.d  logs  modules  run

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# cd ssl

[root@localhost ssl]# ls

[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)

Generating RSA private key, 1024 bit long modulus

........++++++

........++++++

e is 65537 (0x10001)

[root@localhost ssl]# ls

httpd.key

Certificate signing request

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SZ

Locality Name (eg, city) [Default City]:SZ

Organization Name (eg, company) [Default Company Ltd]:CPTW

Organizational Unit Name (eg, section) []:OPS

Common Name (eg, your name or your server's hostname) []:WWW.CPTW.COM.CN

Email Address []:MAIL.CPTW.COM.CN

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost ssl]# ls

httpd.csr  httpd.key  root@192.168.150.137

Send the certificate request to the CA for signing

[root@localhost ssl]# scp httpd.csr root@192.168.150.137:/tmp

root@192.168.150.137's password:

httpd.csr

Sign the certificate on the DS and copy it back to RS1

[root@localhost tmp]# ls

httpd.crt  httpd.csr  ipvsadm-config.v1

[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Nov 30 18:08:27 2016 GMT

Not After : Nov 30 18:08:27 2017 GMT

Subject:

countryName               = CN

stateOrProvinceName       = SZ

organizationName          = CPTW

organizationalUnitName    = OPS

commonName                = WWW.CPTW.COM.CN

emailAddress              = MAIL.CPTW.COM.CN

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

C2:C2:F3:E3:91:CC:82:96:B2:38:CB:23:84:F4:4F:93:FF:32:FC:BD

X509v3 Authority Key Identifier:

keyid:F0:26:D0:A8:94:A9:81:E2:C5:C0:5A:95:5B:D3:1B:BB:BB:28:59:87

Certificate is to be certified until Nov 30 18:08:27 2017 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost tmp]# ls

httpd.crt  httpd.csr  ipvsadm-config.v1

[root@localhost tmp]# scp httpd.crt root@192.168.150.138:/etc/httpd/ssl

root@192.168.150.138's password:

httpd.crt

Modify the httpd configuration on RS1, then copy the certificate and configuration to RS2

[root@localhost httpd]# vim conf.d/ssl.conf

SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@localhost ssl]# scp -rp /etc/httpd/ssl/ root@192.168.150.139:/etc/httpd/

root@192.168.150.139's password:

httpd.key                                                                                                                                                    100%  887     0.9KB/s   00:00

root@192.168.150.137                                                                                                                                         100%  676     0.7KB/s   00:00

httpd.csr                                                                                                                                                    100%  684     0.7KB/s   00:00

httpd.crt                                                                                                                                                    100% 3808     3.7KB/s   00:00

[root@localhost ssl]# scp /etc/httpd/conf.d/ssl.conf root@192.168.150.139:/etc/httpd/conf.d/ssl.conf

root@192.168.150.139's password:

ssl.conf

Restart httpd on both RSs and check that port 443 is listening

[root@localhost httpd]# systemctl start httpd.service

[root@localhost httpd]# ss -tnl

State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port

LISTEN      0      128                                                                 *:22                                                                              *:*

LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*

LISTEN      0      128                                                                :::80                                                                             :::*

LISTEN      0      128                                                                :::22                                                                             :::*

LISTEN      0      128                                                                :::23                                                                             :::*

LISTEN      0      100                                                               ::1:25                                                                             :::*

LISTEN      0      128                                                                :::443                                                                            :::*

DS host configuration

[root@localhost ~]# iptables -t mangle -A PREROUTING -d 192.168.150.131 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 10     Mark packets for both destination ports 80 and 443

[root@localhost ~]# iptables -t mangle -vnL

Chain PREROUTING (policy ACCEPT 135 packets, 11432 bytes)

pkts bytes target     prot opt in     out     source               destination

0     0 MARK       tcp  --  *      *       0.0.0.0/0            192.168.150.131      multiport dports 80,443 MARK set 0xa

Chain INPUT (policy ACCEPT 135 packets, 11432 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 117 packets, 11516 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 117 packets, 11516 bytes)

pkts bytes target     prot opt in     out     source               destination

Client requests

[root@localhost ~]# curl http://192.168.150.131

curl: (7) couldn't connect to host

[root@localhost ~]# curl https://192.168.150.131

curl: (7) couldn't connect to host

[root@localhost ~]# curl https://192.168.150.138

curl: (60) Peer certificate cannot be authenticated with known CA certificates

State on the DS at this point: packets have arrived and been marked

[root@localhost ~]# iptables -t mangle -vnL

Chain PREROUTING (policy ACCEPT 142 packets, 11892 bytes)

pkts bytes target     prot opt in     out     source               destination

2   120 MARK       tcp  --  *      *       0.0.0.0/0            192.168.150.131      multiport dports 80,443 MARK set 0xa

Chain INPUT (policy ACCEPT 142 packets, 11892 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 124 packets, 12864 bytes)

pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 124 packets, 12864 bytes)

pkts bytes target     prot opt in     out     source               destination

Add persistence on the DS

[root@localhost ~]# ipvsadm -A -f 10 -s rr -p

[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.150.138 -g -w 1

[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.150.139 -g -w 2

[root@localhost ~]# ipvsadm -Ln

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Scheduler Flags

-> RemoteAddress:Port           Forward Weight ActiveConn InActConn

FWM  10 rr persistent 360

-> 192.168.150.138:0            Route   1      0          0

-> 192.168.150.139:0            Route   2      0          0

Client results: both port 443 and port 80 are now persistently bound to the same RS

[root@localhost ~]# curl http://192.168.150.131

<h1>RS1</h1>

[root@localhost ~]# curl -k  https://192.168.150.131

<h1>RS1</h1>


Original article by N23-苏州-void; if reposting, please cite the source: http://www.178linux.com/61846


Comments (1)

  • 马哥教育 2017-04-13 08:52

    The summary is quite detailed; it would be even better with a physical topology diagram and examples of experimental verification. Keep it up!