Implementing nat,dr with LVS

2025-04-08 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


1. lvs: Linux Virtual Server

(1) An L4 (layer 4) router, a layer 4 switch

VS: forwards the request message, according to its destination IP, destination protocol and port, to a RealServer that is selected by the scheduling algorithm

(2) lvs: ipvsadm/ipvs

ipvsadm: a command-line tool in user space, a rule manager, for managing cluster services and their RealServers

ipvs: a framework that works on the INPUT hook of netfilter in kernel space

(3) terms in lvs cluster type:

VS: Virtual Server, Director, Dispatcher, Balancer
RS: Real Server, upstream server, backend server
CIP: Client IP; VIP: Virtual server IP; RIP: Real server IP; DIP: Director IP
Traffic path: CIP <--> VIP == DIP <--> RIP

(4) the type of lvs cluster:

(a) lvs-nat: modify the destination IP of the request message; a DNAT to multiple destination IPs

A DNAT to multiple destination IPs: forwarding is done by rewriting the destination address and port of the request message to the RIP and PORT of a selected RS.
(1) RIP and DIP must be on the same IP network and should use private network addresses; the gateway of each RS points to the DIP;
(2) request messages and response messages must both pass through the Director, so the Director easily becomes the system bottleneck;
(3) port mapping is supported: the destination PORT of the request message can be modified;
(4) the VS must be a Linux system, while an RS can be any system.

(b) lvs-dr: Direct Routing

Forwarding is done by re-encapsulating the request message with a new MAC header: the source MAC is the MAC of the interface that carries the DIP, and the destination MAC is the MAC of the interface that carries the RIP of the selected RS; the source IP/PORT and the destination IP/PORT remain unchanged.

Both the Director and each RS must be configured with the VIP.

(1) ensure that the front-end router sends request messages whose destination IP is the VIP to the Director: (a) make a static ARP binding on the front-end gateway; (b) use arptables on the RS; (c) modify kernel parameters on the RS to limit ARP announcements and responses: arp_announce, arp_ignore;
(2) the RIP of an RS can be either a private or a public address; RIP and DIP are on the same IP network;
(3) RS and Director must be on the same physical network;
(4) the request message passes through the Director, but the response is sent directly to the Client and cannot go through the Director, so the gateway of the RIP must not point to the DIP;
(5) port mapping is not supported.
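The addressing rules just listed for lvs-dr, and those given above for lvs-nat, can be checked before any ipvsadm rule is loaded. The script below is an added example written for this page, not part of the original article: check_rs, same_net and ip2int are hypothetical helper names, the prefix length and the gateway values are constructed, and the DIP/RIP addresses are taken from the article's two lab setups. It generalizes the text slightly by handling both models in one function (nat: the RS gateway must be the DIP; dr: it must not be).

```shell
#!/bin/bash
# Added example (not from the original article): pre-flight check of the
# addressing rules that lvs-nat and lvs-dr impose on a Real Server.
#   nat: RIP and DIP on one IP network, and the RS default gateway must be DIP
#   dr : RIP and DIP on one IP network, and the RS gateway must NOT be DIP
# All addresses used below are constructed sample values.

# ip2int <dotted-quad>: dotted IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_net <ip1> <ip2> <prefixlen>: succeed if both addresses share the prefix.
same_net() {
    local mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# check_rs <nat|dr> <dip> <prefixlen> <rip> <rs-gateway>
# Prints "ok" or the first violated rule; returns 0 only when every rule holds.
check_rs() {
    local mode=$1 dip=$2 plen=$3 rip=$4 gw=$5
    if ! same_net "$dip" "$rip" "$plen"; then
        echo "rip $rip is not on the same network as dip $dip/$plen"
        return 1
    fi
    case $mode in
        nat) if [ "$gw" != "$dip" ]; then
                 echo "nat: rs gateway $gw must be the dip $dip (responses return via the director)"
                 return 1
             fi ;;
        dr)  if [ "$gw" = "$dip" ]; then
                 echo "dr: rs gateway must not be the dip (responses go directly to the client)"
                 return 1
             fi ;;
        *)   echo "unknown mode $mode"; return 2 ;;
    esac
    echo ok
}

# Constructed sample run: a correct NAT RS, a NAT RS with a wrong gateway,
# and a DR RS whose gateway wrongly points at the director.
for args in \
    "nat 192.168.100.1 24 192.168.100.2 192.168.100.1" \
    "nat 192.168.100.1 24 192.168.100.3 192.168.0.8" \
    "dr  172.20.10.9   24 172.20.10.8   172.20.10.9"; do
    set -- $args
    printf '%-3s rip %-14s gw %-14s : %s\n' "$1" "$4" "$5" "$(check_rs "$@")"
done
```

Run it on the RS before `ipvsadm -a`; a failing nat check means responses will never be un-NATed by the Director, and a failing dr check means responses take the Director as a detour that the model does not allow.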

(c) lvs-tun:

Forwarding method: instead of modifying the IP header of the request message (source IP CIP, destination IP VIP), it encapsulates the original IP message in an additional IP header (source IP DIP, destination IP RIP) and sends the message to the selected RS; the RS responds directly to the client (source IP VIP, destination IP CIP).

(1) DIP, VIP and RIP should all be public network addresses; (2) the gateway of the RS cannot point to the DIP; (3) the request message passes through the Director, but the response cannot; (4) port mapping is not supported; (5) the OS of the RS must support tunneling.

(d) lvs-fullnat:

Forwarding is done by modifying both the source IP address and the destination IP address of the request message:

CIP --> DIP   (source IP rewritten)
VIP --> RIP   (destination IP rewritten)

(1) VIP is a public network address; RIP and DIP are private network addresses and are usually not on the same IP network, so the gateway of the RIP generally does not point to the DIP;
(2) the source address of the request message received by the RS is the DIP, so it can only respond to the DIP; the Director then sends the response on to the Client;
(3) request and response messages both pass through the Director;
(4) port mapping is supported.
Note: this type is not supported by the kernel by default.

(5) scheduling algorithm ipvs scheduler:

According to whether the current load state of each RS is taken into account when scheduling, it can be divided into static method and dynamic method:

(a) static methods: scheduling based only on the algorithm itself

RR: roundrobin, polling
WRR: Weighted RR, weighted polling
SH: Source Hashing, binds a session by hashing the source address
DH: Destination Hashing, hashes the destination address: requests sent to the same destination address are always forwarded to the RS that was picked first. A typical use scenario is load balancing in a forward proxy cache setup.

(b) dynamic methods: scheduling is based on the current load state of each RS together with the scheduling algorithm

LC: least connections, Overhead = activeconns*256 + inactiveconns
WLC: Weighted LC, Overhead = (activeconns*256 + inactiveconns) / weight
SED: Shortest Expected Delay, Overhead = (activeconns+1)*256 / weight
NQ: Never Queue
LBLC: Locality-Based LC, dynamic DH algorithm
LBLCR: LBLC with Replication, LBLC with replication function
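To make the Overhead formulas concrete, here is an added example (not from the original article) that computes the LC, WLC and SED Overhead for a constructed table of three Real Servers and selects the RS with the smallest value, which is the decision the scheduler makes for each new connection. The server names, connection counts and weights are made up; overhead and pick_rs are hypothetical helper names; the formulas are the ones given above, evaluated in integer arithmetic.

```shell
#!/bin/bash
# Added example (not from the original article): evaluate the LC, WLC and SED
# Overhead formulas for each Real Server and pick the one with the lowest value.
#
# Constructed sample table: name activeconns inactiveconns weight
RS_TABLE='rs1 10 40 1
rs2 4 100 2
rs3 6 200 3'

# overhead <lc|wlc|sed> <activeconns> <inactiveconns> <weight>
# Prints the integer Overhead for one RS using the formula of the scheduler.
overhead() {
    local sched=$1 active=$2 inactive=$3 weight=$4
    case $sched in
        lc)  echo $(( active * 256 + inactive )) ;;
        wlc) echo $(( (active * 256 + inactive) / weight )) ;;
        sed) echo $(( (active + 1) * 256 / weight )) ;;
        *)   echo "unknown scheduler: $sched" >&2; return 1 ;;
    esac
}

# pick_rs <scheduler> [table]
# Prints the name of the RS with the lowest Overhead; on a tie the RS listed
# first wins, matching a stable scan over the server list.
pick_rs() {
    local sched=$1 table=${2:-$RS_TABLE}
    local best_name= best_val= name active inactive weight val
    while read -r name active inactive weight; do
        [ -n "$name" ] || continue
        val=$(overhead "$sched" "$active" "$inactive" "$weight") || return 1
        if [ -z "$best_val" ] || [ "$val" -lt "$best_val" ]; then
            best_name=$name
            best_val=$val
        fi
    done <<EOF
$table
EOF
    echo "$best_name"
}

# Same load, different decision: WLC still counts the many inactive
# connections on rs3, SED ignores them and prefers rs3 for its weight.
for s in lc wlc sed; do
    printf '%-4s -> %s\n' "$s" "$(pick_rs "$s")"
done
```

With the sample table LC and WLC choose rs2, while SED chooses rs3: SED drops the inactiveconns term, so a server holding many idle connections but a high weight looks cheaper to it than to WLC.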

2. ipvsadm:

(1) package: ipvsadm

Unit File: ipvsadm.service
main program: /usr/sbin/ipvsadm
rule saving tool: /usr/sbin/ipvsadm-save
rule reloading tool: /usr/sbin/ipvsadm-restore
configuration file: /etc/sysconfig/ipvsadm-config

(2) ipvsadm command:

Core functions:

Cluster service management: add, delete, change

RS management of cluster services: add, delete and modify

(a) Command synopsis:

ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]] [-M netmask] [--pe persistence_engine] [-b sched-flags]
ipvsadm -D -t|u|f service-address
ipvsadm -C
ipvsadm -R
ipvsadm -S [-n]
ipvsadm -a|e -t|u|f service-address -r server-address [options]
ipvsadm -d -t|u|f service-address -r server-address
ipvsadm -L|l [options]
ipvsadm -Z [-t|u|f service-address]

(b) manage cluster services: add, modify and delete

Add or modify: ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]]
Delete: ipvsadm -D -t|u|f service-address
service-address, given with -t|u|f:
-t: TCP protocol port, VIP:TCP_PORT
-u: UDP protocol port, VIP:UDP_PORT
-f: firewall MARK, a number
[-s scheduler]: specify the scheduling algorithm of the cluster; the default is wlc.

(c) manage the RS of a cluster service: add, modify, delete

Add or modify: ipvsadm -a|e -t|u|f service-address -r server-address [-g|i|m] [-w weight]
Delete: ipvsadm -d -t|u|f service-address -r server-address
server-address: rip[:port]
options, lvs type:
-g: gateway, dr type
-i: ipip, tun type
-m: masquerade, nat type
-w weight: weight

(d) clear all the contents of the definition, view, save and reload:

Clear: ipvsadm -C
View: ipvsadm -L|l [options]
--numeric, -n: numeric output of addresses and ports
--exact: expand numbers (display exact values)
--connection, -c: output of current IPVS connections
--stats: output of statistics information
--rate: output of rate information
Save and reload: ipvsadm -S = ipvsadm-save; ipvsadm -R = ipvsadm-restore

3. Implement the lvs-nat model:

(1) Experimental environment:

Three servers: one as Director and two as Real Servers. The Director has one external network card (192.168.1.29) and one internal network IP (192.168.100.1). The two Real Servers have only internal network IPs (192.168.100.2) and (192.168.100.2), and their intranet gateway must be set to the intranet IP of the Director (192.168.0.8).

(2) installation configuration:

The httpd service is installed on both Real Servers:

# yum install -y httpd

Install ipvsadm on the Director:

# yum install -y ipvsadm

(3) Director configuration:

[root@localhost /]# echo 1 > /proc/sys/net/ipv4/ip_forward      # turn on kernel forwarding
[root@localhost /]# ipvsadm -A -t 192.168.1.29:80 -s wrr
[root@localhost /]# ipvsadm -a -t 192.168.1.29:80 -r 192.168.100.2:80 -m
[root@localhost /]# ipvsadm -a -t 192.168.1.29:80 -r 192.168.100.3:80 -m

(4) View the rules set by ipvsadm

[root@localhost /]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  localhost.localdomain:http wrr
  -> 192.168.100.2:http           Masq    1      0          0
  -> 192.168.100.3:http           Masq    1      0          0

4. Implement the lvs-dr model:

(1) Experimental environment

Three servers: one as Director and two as Real Servers. The DIP of the Director is 172.20.10.9; the two Real Servers have only private network addresses, rip1 (172.20.10.8) and rip2 (172.20.10.10); the VIP is set to 172.20.10.12.

(2) configuration script of the RS:

[root@node6 ~]# vim rs.sh
#!/bin/bash
#
vip=172.20.10.12
mask=255.255.255.255
case $1 in
start)
    # Answer ARP only for addresses configured on the receiving interface,
    # and announce only with the interface's own address, so the RS never
    # replies to ARP requests for the VIP (the Director must win those).
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
    # Bind the VIP to a loopback alias so the RS accepts packets addressed to it.
    ifconfig lo:0 $vip netmask $mask broadcast $vip up
    route add -host $vip dev lo:0
    ;;
stop)
    # Remove the VIP alias and restore the kernel defaults.
    ifconfig lo:0 down
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
    ;;
*)
    echo "Usage $(basename $0) start|stop"
    exit 1
    ;;
esac

[root@node6 ~]# yum install -y httpd
[root@node6 ~]# vim /var/www/html/index.html
node6 web page

(3) configuration on the Director:

[root@node5 ~]# ifconfig ens33:0 172.20.10.12 netmask 255.255.255.255 broadcast 172.20.10.12 up
[root@node5 ~]# ipvsadm -A -t 172.20.10.12:80 -s wrr
[root@node5 ~]# ipvsadm -a -t 172.20.10.12:80 -r 172.20.10.8:80 -g -w 1
[root@node5 ~]# ipvsadm -a -t 172.20.10.12:80 -r 172.20.10.10:80 -g -w 2

(4) View the rules set by ipvsadm:

[root@node5 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.10.12:80 wrr
  -> 172.20.10.8:80               Route   1      0          0
  -> 172.20.10.10:80              Route   2      0          0
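As an added example that is not part of the original article, the script below parses the table format that ipvsadm -L / -Ln prints, as shown for both the NAT and the DR lab, and flags every Real Server whose Forward column does not match the model the Director is meant to run (Masq for nat, Route for dr, Tunnel for tun). A mixed table is the usual sign that one RS was added with the wrong -g/-i/-m flag. The sample table is constructed from the DR output above with one RS deliberately changed to Masq; check_forward and forward_for are hypothetical helper names.

```shell
#!/bin/bash
# Added example (not from the original article): verify the Forward column of
# "ipvsadm -Ln" against the LVS model the director is supposed to run.
#
# Constructed sample in the format ipvsadm prints; not a live capture.
SAMPLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.20.10.12:80 wrr
  -> 172.20.10.8:80               Route   1      0          0
  -> 172.20.10.10:80              Masq    2      0          0'

# forward_for <nat|dr|tun>: the Forward value every RS of that model must show.
forward_for() {
    case $1 in
        nat) echo Masq ;;
        dr)  echo Route ;;
        tun) echo Tunnel ;;
        *)   return 1 ;;
    esac
}

# check_forward <model> <ipvsadm -Ln output>
# Prints "<proto> <service> <rs> <forward>" for each RS that deviates from the
# model; the exit status is the number of deviating RS (0 = table matches).
check_forward() {
    local want service bad=0
    local arrow addr fwd weight active inactive
    want=$(forward_for "$1") || { echo "unknown model $1" >&2; return 255; }
    while read -r arrow addr fwd weight active inactive; do
        case $arrow in
            TCP|UDP|FWM)
                service="$arrow $addr" ;;            # start of a virtual service
            '->')
                # Skip the column header line, then compare the Forward column.
                if [ "$addr" != "RemoteAddress:Port" ] && [ "$fwd" != "$want" ]; then
                    echo "$service $addr $fwd"
                    bad=$((bad + 1))
                fi ;;
        esac
    done <<EOF
$2
EOF
    return $bad
}

# In production replace "$SAMPLE" with "$(ipvsadm -Ln)" on the director.
if check_forward dr "$SAMPLE"; then
    echo "all real servers use Route: table matches the dr model"
else
    echo "$? real server(s) do not match the dr model (listed above)"
fi
```

For the sample the check prints `TCP 172.20.10.12:80 172.20.10.10:80 Masq` and exits with status 1: that RS would have its destination rewritten to the RIP, and with no gateway pointing back at the Director its replies would leave with the RIP as source and be dropped by the client.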


© 2024 shulou.com SLNews company. All rights reserved.
