LVS-NAT Architecture Principle and Implementation Scheme

Source: Internet
Author: User

Virtual server implementation via NAT (VS/NAT)

Because IPv4 address space is increasingly scarce, and for security reasons, many networks use the reserved private address blocks (10.0.0.0/255.0.0.0, 172.16.0.0/255.240.0.0 and 192.168.0.0/255.255.0.0) [64, 65, 66]. These addresses are not routed on the Internet; they are reserved for use inside private networks. When hosts in such a network access the Internet, or are accessed from the Internet, network address translation (NAT) must convert the internal addresses into external addresses that are valid on the Internet. NAT works by rewriting the packet headers (destination address, source address, ports and so on) correctly: the client believes it is connected to a single IP address, and each server in the server group, although it has a different IP address, also believes it is directly connected to the client. In this way, the NAT method can turn parallel network services running on different IP addresses into one virtual service on a single IP address.

The architecture of VS/NAT is shown in the figure below. A scheduler (the director) sits in front of a group of servers that are connected by a switch or hub. These servers provide the same network service with the same content, so no matter which server a request is sent to, the result is the same. The service content can be replicated to each server's local disk, or shared through a network file system (such as NFS) or a distributed file system.



[Figure: vs-nat.jpg, the VS/NAT architecture]



When a client accesses the network service through the virtual IP address (the IP address of the virtual service), the request packet arrives at the scheduler. The scheduler selects one server from the set of real servers according to the connection scheduling algorithm, rewrites the packet's destination address from the virtual IP address to the address of the selected server, rewrites the destination port to the corresponding port on the selected server, and forwards the modified packet to that server. At the same time, the scheduler records the connection in its connection hash table; when the next packet of the same connection arrives, the address and port of the originally selected server are looked up in the hash table, the packet is rewritten the same way, and it is sent to the same server. When the reply packet from the real server passes back through the scheduler, the scheduler changes the packet's source address and source port to the virtual IP address and the corresponding port, and then sends the packet to the client. Note that this reverse rewrite can only happen if the reply actually passes through the scheduler, which is why the real servers' default gateway must point at the scheduler's internal address in an LVS-NAT deployment.
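The packet path described above, as an added example that is not part of the original article: a toy director holding one virtual service, a round-robin scheduler and a connection hash table. A client request is DNATed to the chosen real server, and a reply that comes back through the director is SNATed to the VIP. The VIP and real-server addresses are the article's lab addresses; the client addresses (203.0.113.x), the packets and all class and function names are constructed for the example.

```python
"""Toy model of the VS/NAT packet path (added example; not from the article).

A director holds one virtual service (VIP:port), a list of real servers, a
round-robin scheduler and a connection hash table.  A client request is
DNATed to the chosen real server; a reply that passes back through the
director is SNATed to the VIP.  Client addresses 203.0.113.x and all packets
are constructed; the VIP and real-server addresses are the article's lab.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class RealServer:
    ip: str
    port: int
    weight: int = 1  # "-w 1" in the article's ipvsadm commands


class NatDirector:
    def __init__(self, vip, vport, real_servers):
        self.vip, self.vport = vip, vport
        self.rs = list(real_servers)
        self._next = 0
        # connection hash table: (cip, cport, vip, vport) -> RealServer
        self.conns = {}

    def _schedule(self):
        # plain round robin ("-s rr"); a real server with weight 0 is skipped
        for _ in range(len(self.rs)):
            rs = self.rs[self._next % len(self.rs)]
            self._next += 1
            if rs.weight > 0:
                return rs
        raise RuntimeError("no real server with weight > 0")

    def inbound(self, pkt):
        """Client -> VIP.  Returns the rewritten packet, or None if the packet
        is not addressed to the virtual service (IPVS leaves it alone)."""
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rs = self.conns.get(key)
        if rs is None:                      # first packet of a new connection
            rs = self._schedule()
            self.conns[key] = rs
        return replace(pkt, dst=rs.ip, dport=rs.port)   # DNAT to the real server

    def outbound(self, pkt):
        """Real server -> client reply passing through the director.  Returns
        the packet with its source rewritten to the VIP, or None if no
        connection entry matches this (client, real server) pair, in which
        case the director does not rewrite it."""
        key = (pkt.dst, pkt.dport, self.vip, self.vport)
        rs = self.conns.get(key)
        if rs is None or (pkt.src, pkt.sport) != (rs.ip, rs.port):
            return None
        return replace(pkt, src=self.vip, sport=self.vport)   # SNAT to the VIP


def lab_director():
    """The article's lab: VIP 192.168.137.128:80 in front of RSA and RSB."""
    return NatDirector("192.168.137.128", 80,
                       [RealServer("192.168.1.118", 80),
                        RealServer("192.168.1.119", 80)])


if __name__ == "__main__":
    d = lab_director()
    # two clients, then a second packet from the first client on the same connection
    for cip, cport in [("203.0.113.5", 40001), ("203.0.113.6", 40002), ("203.0.113.5", 40001)]:
        req = d.inbound(Packet(cip, cport, "192.168.137.128", 80))
        rep = d.outbound(Packet(req.dst, req.dport, cip, cport))
        print(f"{cip}:{cport} -> {req.dst}:{req.dport}; reply leaves as {rep.src}:{rep.sport}")
```

The third request in the demo hits the hash table rather than the scheduler, which is what keeps one TCP connection on one real server; a reply for which no entry exists is returned unchanged, so the client would see the real server's private address.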


Basic LVS-NAT Architecture Implementation


Environment preparation:

Equipment              Software environment                    Network environment
Virtual_server (dir)   CentOS 6.6 + ipvs (ipvsadm)             eth0: VIP 192.168.137.128 (outward-facing service IP, the address clients access)
                                                               eth1: 192.168.1.121 (intranet side, used as the real servers' gateway)
Real_server_a (RSA)    CentOS 6.6 + nginx (the balanced service)  eth0: 192.168.1.118
Real_server_b (RSB)    CentOS 6.6 + nginx (the balanced service)  eth0: 192.168.1.119

Configuration method:

# First start nginx on RSA and RSB and test that it can be accessed normally
[root@RSA ~]# /etc/init.d/nginx start
Starting nginx:                                            [  OK  ]

[Figure: nginxrsa.jpg, the default nginx page on RSA]

# To make the test result easier to tell apart, we modify the home page
[root@RSA ~]# vim /usr/share/nginx/html/index.html
this is test page,this is a.
[root@RSA ~]# /etc/init.d/nginx reload
Reloading nginx:                                           [  OK  ]
# Now check it in a browser

[Figure: a.jpg, the modified home page on RSA]


# Once nginx on RSA and RSB can be accessed normally, we change the default gateway of both real servers to the director's intranet IP (192.168.1.121). LVS-NAT depends on this: the real servers' replies must pass back through the director so that it can rewrite their source address to the VIP; with any other gateway the client would receive replies from a private address and the connection would fail.
[root@RSA ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=779f98ef-706a-4b8c-9e78-75fa1e79fcab
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
HWADDR=00:0c:29:56:5c:c5
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
IPADDR=192.168.1.118
NETMASK=255.255.255.0
GATEWAY=192.168.1.121
DNS1=202.96.128.166
DNS2=202.96.134.133
[root@RSA ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Determining if ip address 192.168.1.118 is already in use for device eth0...
                                                           [  OK  ]
# Do the same on RSB, with IPADDR=192.168.1.119 and the same GATEWAY.


Next we configure the director (Dir) machine; we put its configuration in a script.

[root@dir ~]# vim /usr/local/sbin/lvs_nat.sh
#!/bin/bash
# director: turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn off ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
# director: set up the NAT firewall
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# director: set up ipvsadm
IPVSADM='/sbin/ipvsadm'
$IPVSADM -C
$IPVSADM -A -t 192.168.137.128:80 -s rr
$IPVSADM -a -t 192.168.137.128:80 -r 192.168.1.118:80 -m -w 1
$IPVSADM -a -t 192.168.137.128:80 -r 192.168.1.119:80 -m -w 1
[root@dir ~]# chmod a+x !$
chmod a+x /usr/local/sbin/lvs_nat.sh
[root@dir ~]# /bin/bash /usr/local/sbin/lvs_nat.sh
# view the resulting configuration
[root@dir ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.137.128:80 rr
  -> 192.168.1.118:80             Masq    1      0          0
  -> 192.168.1.119:80             Masq    1      0          0

A few points about this script are worth knowing before running it. `-A` creates the virtual service and `-a ... -m` adds each real server in NAT (masquerading) mode, which is why the Forward column shows Masq. `ipvsadm -C` and `iptables -t nat -F` / `-X` wipe every existing virtual service and every NAT rule on the host, so the script belongs on a dedicated director only. The MASQUERADE rule does not perform the virtual-service NAT (IPVS does that itself); it only lets the real servers' own outbound traffic, which now routes through the director, reach the outside. ICMP redirects are disabled because the director forwards between hosts that share the 192.168.1.0/24 segment, and a redirect would tell a real server to bypass the director. Finally, `chmod a+x` makes a script that is only ever run by root world-executable; `chmod 700` is sufficient.
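A check for the step above, as an added example that is not part of the original article: it parses the text that `ipvsadm -ln` prints (in the layout shown in the listing) and verifies what a practitioner wants to see after an LVS-NAT deployment: the virtual service exists, every expected real server is present, each one forwards with Masq (the `-m` method LVS-NAT requires, as opposed to `-g` Route or `-i` Tunnel) and each has a non-zero weight. GOOD_OUTPUT is the article's listing; BAD_OUTPUT is a constructed misconfiguration; the function names are mine. On a real director, calling check_director() with no argument runs the check against the live table.

```python
"""Check the director's IPVS table after running lvs_nat.sh (added example;
not from the article).

parse_ipvsadm() reads `ipvsadm -ln` output; check_nat_service() applies the
LVS-NAT checks: service present, expected real servers present, every real
server in Masq mode with a non-zero weight.  GOOD_OUTPUT is the article's
listing, BAD_OUTPUT is constructed, and the function names are mine.
"""
import re
import subprocess

GOOD_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.137.128:80 rr
  -> 192.168.1.118:80             Masq    1      0          0
  -> 192.168.1.119:80             Masq    1      0          0
"""

# constructed: RSA added with -g (Route) instead of -m, RSB drained to weight 0
BAD_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.137.128:80 rr
  -> 192.168.1.118:80             Route   1      0          0
  -> 192.168.1.119:80             Masq    0      0          0
"""

SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(.*)$")
RS_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(Masq|Route|Tunnel)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvsadm(text):
    """Return {(proto, vip, vport): {"scheduler": str, "real": [dict, ...]}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:                                   # virtual service line
            proto, vip, vport, sched, _flags = m.groups()
            current = services[(proto, vip, int(vport))] = {"scheduler": sched, "real": []}
            continue
        m = RS_RE.match(line)
        if m and current is not None:           # real server under that service
            rip, rport, fwd, weight, active, inact = m.groups()
            current["real"].append({"ip": rip, "port": int(rport), "forward": fwd,
                                    "weight": int(weight), "active": int(active),
                                    "inactive": int(inact)})
    return services


def check_nat_service(services, proto, vip, vport, expected_rs):
    """Return a list of problems; an empty list means the service looks right."""
    svc = services.get((proto, vip, vport))
    if svc is None:
        return [f"virtual service {proto} {vip}:{vport} not found"]
    problems = []
    present = {(r["ip"], r["port"]) for r in svc["real"]}
    for rip, rport in expected_rs:
        if (rip, rport) not in present:
            problems.append(f"real server {rip}:{rport} missing from {vip}:{vport}")
    for r in svc["real"]:
        where = f"{r['ip']}:{r['port']}"
        if r["forward"] != "Masq":
            problems.append(f"{where} forwards via {r['forward']}; LVS-NAT needs Masq (-m)")
        if r["weight"] == 0:
            problems.append(f"{where} has weight 0 and gets no new connections")
    return problems


LAB_RS = [("192.168.1.118", 80), ("192.168.1.119", 80)]


def check_director(text=None):
    """Check the lab service; reads the live table when no text is given."""
    if text is None:
        text = subprocess.run(["/sbin/ipvsadm", "-ln"], check=True,
                              capture_output=True, text=True).stdout
    return check_nat_service(parse_ipvsadm(text), "TCP", "192.168.137.128", 80, LAB_RS)


if __name__ == "__main__":
    for name, out in (("article listing", GOOD_OUTPUT), ("constructed bad table", BAD_OUTPUT)):
        print(name, "->", check_director(out) or "OK")
```

A real server listed as Route or Tunnel on a director whose real servers sit behind it with private addresses will accept the connection and then reply from an address the client never contacted, so that case is flagged as an error rather than a warning.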


Next we test access through the VIP from a client.


[Figure: ok.jpg, the page served when accessing the VIP]

[Figure: b.jpg, the page served by the other real server on a later request]




This article is from the "topspeed_king" blog; please keep this source when reproducing it: http://mylinuxlife.blog.51cto.com/4706737/1660216

