iptables+keepalived实现多源地址访问
场景介绍:服务器
客户端业务服务器A:192.168.11.11tcp
iptables服务器B: 192.168.22.22(主) 192.168.22.23(备)
ide
VIP: 192.168.22.41 192.168.22.42
spa
服务端业务服务器C:192.168.33.33代理
业务服务器C要进行IP源地址健全,每一个客户号要有独立访问的源地址。router
而全部的客户号(例:1-10)都是指定在客户端A的程序中,server
正常状况下,在服务器C上看到的客户号1-10所对应的都是同一个源地址,如何来解决这个问题呢?ip
在A和C之间加个正向代理服务器便可,配置有多个地址,并在A程序里根据客户号访问不一样的代理服务器IP便可。it
本文中使用iptables里的SNAT和DNAT功能来实现,并使用keepalived来进行二台热备。io
1、keepalived的配置以下:
! Configuration File for keepalived
global_defs {
notification_email {
aa@bbcom
}
notification_email_from root@bb.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id iptables33
}
vrrp_instance MOPIN {
state MASTER
interface eth0
virtual_router_id 51
priority 110
advert_int 1
track_interface {
eth0 weight 5
}
authentication {
auth_type PASS
auth_pass mopin
}
virtual_ipaddress {
192.168.22.41/24 brd 192.168.22.255 dev eth0 label eth0:1
192.168.22.42/24 brd 192.168.22.255 dev eth0 label eth0:2
}
notify_backup "/usr/local/keepalived/bin/show.sh vip1 backup"
notify_master "/usr/local/keepalived/bin/show.sh vip1 master"
notify_fault "/usr/local/keepalived/bin/show.sh vip1 fault"
smtp_alert
}
2、iptables配置:
#Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*mangle
:PREROUTING ACCEPT [881:72068]
:INPUT ACCEPT [881:72068]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1009:123804]
:POSTROUTING ACCEPT [1009:123804]
-A PREROUTING -d 192.168.22.41/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x41/0xffffffff
-A PREROUTING -d 192.168.22.42/32 -m conntrack --ctstate NEW -j MARK --set-xmark 0x42/0xffffffff
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.22.41/32 -p tcp -m tcp --dport 10041 -j DNAT --to-destination 192.168.33.33:80
-A PREROUTING -d 192.168.22.42/32 -p tcp -m tcp --dport 10042 -j DNAT --to-destination 192.168.33.33:80
-A POSTROUTING -m mark --mark 0x41 -j SNAT --to-source 192.168.22.41
-A POSTROUTING -m mark --mark 0x42 -j SNAT --to-source 192.168.22.42
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
# Generated by iptables-save v1.4.7 on Fri Mar 4 16:03:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2024:234224]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 4 16:03:45 2016
主要是针对不一样的VIP地址进行mangle上打标签,来区别不一样的源地址。
- 1. Android 访问地址
- 2. erlang访问https地址
- 3. swagger默认访问地址
- 4. ssh scp访问ipv6地址
- 5. thinkphp nginx 地址访问404!!!
- 6. vs访问地址冲突
- 7. C6748_EMIF_NandFlash_访问异步地址
- 8. 利用nginx实现多个域名访问指向同一个项目地址
- 9. 如何实现请求访问者地址
- 10. 实现私有地址访问互联网
- 更多相关文章...
- • 物理地址(MAC地址)是什么? - TCP/IP教程
- • Swift 访问控制 - Swift 教程
- • ☆基于Java Instrument的Agent实现
- • Spring Cloud 微服务实战(三) - 服务注册与发现
-
每一个你不满意的现在,都有一个你没有努力的曾经。