实现双线路策略的LINUX服务器及其一些拓展应用-红联Linux系统门户

实现双线路策略的LINUX服务器--前言
[align=center]

[/align]
[align=center]网络示意图[/align]组网要求：
1. 实现双线路策略
2. 防止IP地址盗用
3. 实现ETH3和ETH4的BONDING
4. 实现DNS功能
5. 实现VPN
6. 实现WEB网站的端口影射

首先在开始尝试之前，我们必须得选择一个机子，一般的机子即可，软件系统，我装的是RHEL 4。硬件用的是赛杨D 2.6GHZ的，主板是INTER 865的，主要选它的原因，是因为有5个PCI插槽，这正好可以安装5块TP-LINK的千兆网卡。不过正是因为这5块网卡，差点让我放弃，主要是因为一般机子大都是由一个中断控制器8259来控制系统中每个硬件的IRQ值。目前共有16组IRQ，去掉其中用来做“桥接”的一组IRQ，实际上只有15组IRQ可供硬件使用。因此，千万要注意在BIOS里设置好IRQ，避免因为IRQ冲突造成各个硬件无法正常工作。
IRQ的分配与冲突产生的原因

[table=480][tr][td=3,1]表1 各irq在bios中所对应的硬件设备
[/td][/tr][tr][td=1,1,43]irq 编号
[/td][td=1,1,81]设备
名称
[/td][td=1,1,310]用途
[/td][/tr][tr][td=1,1,43]irq0
[/td][td=1,1,81]time
[/td][td=1,1,310]电脑系统计时器
[/td][/tr][tr][td=1,1,43]irq1
[/td][td=1,1,81]keyboard
[/td][td=1,1,310]键盘
[/td][/tr][tr][td=1,1,43]irq2
[/td][td=1,1,81]redirect irq9
[/td][td=1,1,310]与irq9相接，mpu-401 mdi使用该irq
[/td][/tr][tr][td=1,1,43]irq3
[/td][td=1,1,81]com2
[/td][td=1,1,310]串口设备
[/td][/tr][tr][td=1,1,43]irq4
[/td][td=1,1,81]com1
[/td][td=1,1,310]串口设备
[/td][/tr][tr][td=1,1,43]irq5
[/td][td=1,1,81]lpt2
[/td][td=1,1,310]建议声卡使用该irq
[/td][/tr][tr][td=1,1,43]irq6
[/td][td=1,1,81]fdd
[/td][td=1,1,310]软驱传输控制用
[/td][/tr][tr][td=1,1,43]irq7
[/td][td=1,1,81]lpt1
[/td][td=1,1,310]打印机传输控制用
[/td][/tr][tr][td=1,1,43]irq8
[/td][td=1,1,81]cmos alert
[/td][td=1,1,310]即时时钟
[/td][/tr][tr][td=1,1,43]irq9
[/td][td=1,1,81]redirect irq2
[/td][td=1,1,310]与irq2相接；可设定给其他硬件使用
[/td][/tr][tr][td=1,1,43]irq10
[/td][td=1,1,81]reversed
[/td][td=1,1,310]建议网卡使用该irq
[/td][/tr][tr][td=1,1,43]irq11
[/td][td=1,1,81]reversed
[/td][td=1,1,310]与irq10相同，都是保留给pci硬件使用，建议分配给显卡
[/td][/tr][tr][td=1,1,43]irq12
[/td][td=1,1,81]ps/2mouse
[/td][td=1,1,310]接ps/2鼠标，若无，也可设定给其他硬件使用
[/td][/tr][tr][td=1,1,43]irq13
[/td][td=1,1,81]fpu
[/td][td=1,1,310]协处理器用，例如fpu（浮点运算器）
[/td][/tr][tr][td=1,1,43]irq14
[/td][td=1,1,81]primary ide
[/td][td=1,1,310]主硬盘传输控制器（1号）
[/td][/tr][tr][td=1,1,43]irq15
[/td][td=1,1,81]secondary ide
[/td][td=1,1,310]从硬盘传输控制器（2号）
[/td][/tr][/table]

下面开始进行尝试：

东方鹗于 2007-09-25 21:17:38发表:

实现双线路策略的LINUX服务器六

六．实现WEB网站的端口映射
这个比较简单。
我下载了一个安装包ipvsadm-1.24-6.src.rpm安装，然后做了一个脚本
# vi ipvsadm.sh
ipvsadm -C
ipvsadm -A -t 219.150.222.36:80 -s wlc //打开80端口
ipvsadm -A -t 219.150.222.36:21 -s wlc //打开21端口
ipvsadm -A -t 219.150.222.36:25 -s wlc //打开25端口
ipvsadm -A -t 219.150.222.36:110 -s wlc //打开110端口
ipvsadm -A -t 125.42.176.199:80 -s wlc //打开80端口
ipvsadm -A -t 125.42.176.199:25 -s wlc //打开25端口
ipvsadm -A -t 125.42.176.199:110 -s wlc //打开110端口
ipvsadm -a -t 219.150.222.36:80 -r 10.0.0.2:80 -m -w 9 //实现端口映射
ipvsadm -a -t 125.42.176.199:80 -r 10.0.0.2:80 -m -w 99 //实现端口映射

为了更好的让大家理解这份命令手册，将手册里面用到的几个术语先简单的介绍
一下：
1，virtual-service-address:是指虚拟服务器的ip 地址
2，real-service-address:是指真实服务器的ip 地址
3，scheduler：调度方法
(lna@networksbase.com 翻译 ipvsadm v1.21 2004 年4 月)
ipvsadm 的用法和格式如下：
ipvsadm -A|E -t|u|f virutal-service-address:port [-s scheduler] [-p
[timeout]] [-M netmask]
ipvsadm -D -t|u|f virtual-service-address
ipvsadm -C
ipvsadm -R
ipvsadm -S [-n]
ipvsadm -a|e -t|u|f service-address:port -r real-server-address:port
[-g|i|m] [-w weight]
ipvsadm -d -t|u|f service-address -r server-address
ipvsadm -L|l [options]
ipvsadm -Z [-t|u|f service-address]
ipvsadm --set tcp tcpfin udp
ipvsadm --start-daemon state [--mcast-interface interface]
ipvsadm --stop-daemon
ipvsadm -h
命令选项解释：
有两种命令选项格式，长的和短的，具有相同的意思。在实际使用时，两种都可
以。
-A --add-service 在内核的虚拟服务器表中添加一条新的虚拟服务器记录。也
就是增加一台新的虚拟服务器。
-E --edit-service 编辑内核虚拟服务器表中的一条虚拟服务器记录。
-D --delete-service 删除内核虚拟服务器表中的一条虚拟服务器记录。
-C --clear 清除内核虚拟服务器表中的所有记录。
-R --restore 恢复虚拟服务器规则
-S --save 保存虚拟服务器规则，输出为-R 选项可读的格式
-a --add-server 在内核虚拟服务器表的一条记录里添加一条新的真实服务器
记录。也就是在一个虚拟服务器中增加一台新的真实服务器
-e --edit-server 编辑一条虚拟服务器记录中的某条真实服务器记录
-d --delete-server 删除一条虚拟服务器记录中的某条真实服务器记录
-L|-l --list 显示内核虚拟服务器表
-Z --zero 虚拟服务表计数器清零（清空当前的连接数量等）
--set tcp tcpfin udp 设置连接超时值
--start-daemon 启动同步守护进程。他后面可以是master 或backup，用来说
明LVS Router 是master 或是backup。在这个功能上也可以采用keepalived 的
VRRP 功能。
--stop-daemon 停止同步守护进程
-h --help 显示帮助信息
其他的选项:
-t --tcp-service service-address 说明虚拟服务器提供的是tcp 的服务
[vip:port] or [real-server-ip:port]
-u --udp-service service-address 说明虚拟服务器提供的是udp 的服务
[vip:port] or [real-server-ip:port]
-f --fwmark-service fwmark 说明是经过iptables 标记过的服务类型。
-s --scheduler scheduler 使用的调度算法，有这样几个选项
rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq,
默认的调度算法是： wlc.
-p --persistent [timeout] 持久稳固的服务。这个选项的意思是来自同一个客
户的多次请求，将被同一台真实的服务器处理。timeout 的默认值为300 秒。
-M --netmask netmask persistent granularity mask
-r --real-server server-address 真实的服务器[Real-Server:port]
-g --gatewaying 指定LVS 的工作模式为直接路由模式（也是LVS 默认的模式）
-i --ipip 指定LVS 的工作模式为隧道模式
-m --masquerading 指定LVS 的工作模式为NAT 模式
-w --weight weight 真实服务器的权值
--mcast-interface interface 指定组播的同步接口
-c --connection 显示LVS 目前的连接如：ipvsadm -L -c
--timeout 显示tcp tcpfin udp 的timeout 值如：ipvsadm -L --timeout
--daemon 显示同步守护进程状态
--stats 显示统计信息
--rate 显示速率信息
--sort 对虚拟服务器和真实服务器排序输出
--numeric -n 输出IP 地址和端口的数字形式
ipvsadm -L

东方鹗于 2007-09-25 21:15:50发表:

实现双线路策略的LINUX服务器五

五．实现VPN
通过网上的资料查证可得，如果在双线路策略的LINUX代理服务器上实现VPN，那么INTERNET中的其他单一线路的机子通过VPN可以实现双线路，类似与统一网关的功能。所以这一句就是为了实现VPN。
查看是否安装PPTPD软件包，如果没有，需要从网上下载并安装。
[root@xxpostnet ~]# rpm -q pptpd
pptpd-1.3.3-1.rhel4
对系统文件进行配置，其中需要修改默认配置的地方都加粗了字体。
[root@xxpostnet etc]# vi pptpd.conf
###########################################################################
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###########################################################################

# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam

# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay
# Turns on broadcast relay to clients from interface
#
#bcrelay eth1

# TAG: delegate
# Delegates the allocation of client IP addresses to pppd.
#
# Without this option, which is the default, pptpd manages the list of
# IP addresses for clients and passes the next free address to pppd.
# With this option, pptpd does not pass an address, and so pppd may use
# radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
# Limits the number of client connections that may be accepted.
#
# If pptpd is allocating IP addresses (e.g. delegate is not
# used) then the number of connections is also limited by the
# remoteip option. The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# These options are ignored if delegate option is set.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than the value of connections,
# it will start at the beginning of the list and go until it
# gets connections IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 192.168.0.1
remoteip 192.168.0.220-238
netmask 255.255.255.0
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

[root@xxpostnet etc]# vi ppp/options.pptpd
###########################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###########################################################################

# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}

# Network and Routing
auth
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.//设置DNS
ms-dns 219.150.150.150
ms-dns 202.102.224.68
ms-dns 202.102.227.68

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Logging
logfile /var/log/pptpd.log
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump

# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd

# put plugins here
# (putting them higher up may cause them to sent messages to the pty)

[root@xxpostnet etc]# vi ppp/chap-secrets //这是定义客户端密码的配置
# Secrets for authentication using CHAP
# client server secret IP addresses
"xxpostvpn1" * "xxpostvpn1#" 192.168.106.220
"xxpostvpn2" * "xxpostvpn2#" 192.168.106.221
"xxpostvpn3" * "xxpostvpn3#" 192.168.106.222
"xxpostvpn4" * "xxpostvpn4#" 192.168.106.223
"xxpostvpn5" * "xxpostvpn5#" 192.168.106.224
"xxpostvpn6" * "xxpostvpn6#" 192.168.106.225
"xxpostvpn7" * "xxpostvpn7#" 192.168.106.226
"xxpostvpn8" * "xxpostvpn8#" 192.168.106.227
"xxpostvpn9" * "xxpostvpn9#" 192.168.106.228
"xxpostvpn10" * "xxpostvpn10#" 192.168.106.229
"xxpostvpn11" * "xxpostvpn11#" 192.168.106.230
"xxpostvpn12" * "xxpostvpn12#" 192.168.106.231
"xxpostvpn13" * "xxpostvpn13#" 192.168.106.232
"xxpostvpn14" * "xxpostvpn14#" 192.168.106.233
"xxpostvpn15" * "xxpostvpn15#" 192.168.106.234
"xxpostvpn16" * "xxpostvpn16#" 192.168.106.235
"xxpostvpn17" * "xxpostvpn17#" 192.168.106.236
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############
启动PPTPD服务
/etc/rc.d/init.d/pptpd start
到此LINUX服务器上关于PPTPD的配置也就完成了。
客户端配置如下：

东方鹗于 2007-09-25 21:14:41发表:

实现双线路策略的LINUX服务器四

四．实现DNS功能
修改 /etc/hosts

xxpost.com为域名，还有一个xxpost.com域名是一个申请好的国际域名，此处没有写出来。
guangdian.xxpost.com和wangtong.xxpost.com为连接外网的两个ISP提供商的地址。
注意：域名解析的顺序由/etc/host.conf 指定，先从hosts解析, 再从bind解析。

Multi on为多IP域名设置。
修改 /etc/resolv.conf
nameserver xxpost.com
nameserver guangdian.xxpost.com
nameserver wangtong.xxpost.com
先由本机域名服务器xxpost.com搜索，再从其他域名服务器搜索。
修改 /etc/named.conf
这是一个链接文件，原文件位于 /var/named/chroot/etc/)
//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
allow-query { any;};
recursion no;
forwarders {202.102.224.68;};

forward only;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
acl "cncip"{//创建访问列表。
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.28.0.0/15;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.21.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.56.0.0/14;
218.60.0.0/15;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;};
view "CNC" { //利用BIND9的特殊功能VIEW（视图），该功能能够对不同的访问对象返回不同的IP。
match-clients {"cncip";125.42.176.199;};
recursion yes;
zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
zone "xxpost.com" IN {//添加正向解析域
type master;
file "xxpost.com.cnc.hosts";
# allow-transfer {125.42.176.199;};
forwarders{ };
};
zone "176.42.125.in-addr.arpa" IN {//添加反向解析域。
type master;
file "xxpost.com.cnc.local";
};
include "/etc/rndc.key";
};
view "OTHERS" {//创建访问列表。
match-clients { any; };
recursion no;
zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
zone "xxpost.com" IN {//添加正向解析域
type master;
file "xxpost.com.hosts";
# allow-transfer {219.150.222.36;};
};
zone "222.150.219.in-addr.arpa" IN {//添加反向解析域。
type master;
file "xxpost.com.local";
};
include "/etc/rndc.key";
};
创建网通正反向解析域文件
xxpost.com.cnc.hosts为网通线路域名正向解析域文件
[root@xxpost named]# vi xxpost.com.cnc.hosts

$TTL 86400
@ IN SOA xxpost.com. admin.xxpost.com.(
2007062012
3H
15M
1W
1D)
@ IN NS dns1.xxpost.com.
IN A 125.42.176.199
dns1 IN A 125.42.176.199
www IN CNAME dns1.xxpost.com.
mail IN CNAME dns1.xxpost.com.
ftp IN CNAME dns1.xxpost.com.
dns IN CNAME dns1.xxpost.com.
xxpost.com.cnc.local为网通线路域名反向解析域文件
[root@xxpost named]# vi xxpost.com.cnc.local

$TTL 86400
@ IN SOA xxpost.com. admin.xxpost.com.(
20070622;
28800;
14400;
3600000;
86400);
IN NS dns1.xxpost.com.
10 IN PTR dns1.xxpost.com.
10 IN PTR www.xxpost.com.
10 IN PTR mail.xxpost.com.
10 IN PTR ftp.xxpost.com.
100 IN PTR dns.xxpost.com.
创建电信正反向解析域文件
xxpost.com.hosts为电信线路域名正向解析域文件
[root@xxpost named]# vi xxpost.com.hosts

$TTL 86400
@ IN SOA xxpost.com. admin.xxpost.com.(
2007062013
3H
15M
1W
1D)
@ IN NS dns2.xxpost.com.
IN A 219.150.222.36
dns2 IN A 219.150.222.36
www IN CNAME dns2.xxpost.com.
mail IN CNAME dns2.xxpost.com.
ftp IN CNAME dns2.xxpost.com.
dns IN CNAME dns2.xxpost.com.
xxpost.com.local为电信线路域名反向解析域文件
[root@xxpost named]# vi xxpost.com.local
$TTL 86400
@ IN SOA xxpost.com. admin.xxpost.com.(
20070621;
28800;
14400;
3600000;
86400);
IN NS dns2.xxpost.com.
10 IN PTR dns2.xxpost.com.
10 IN PTR www.xxpost.com.
10 IN PTR mail.xxpost.com.
10 IN PTR ftp.xxpost.com.
100 IN PTR dns.xxpost.com.
重新启动DNS服务，或重新加载域名解析规则
# /etc/init.d/named stop
# /etc/init.d/named start
或
# /etc/init.d/named restart
或
# /etc/init.d/named reload
查询域名测试
[root@xxpost named]# nslookup
> server
Default server: xxpost.com
Address: 125.42.176.199#53
Default server: guangdian.xxpost.com
Address: 219.150.222.33#53
Default server: wangtong.xxpost.com
Address: 125.42.176.193#53
> www.xxpost.com
Server: xxpost.com
Address: 125.42.176.199#53

www.xxpost.com canonical name = dns1.xxpost.com.
Name: dns1.xxpost.com
Address: 125.42.176.199
> 125.42.176.199
Server: xxpost.com
Address: 125.42.176.199#53

** server can't find 199.176.42.125.in-addr.arpa: NXDOMAIN
测试不是很成功，而且要想让其他地方的网通线路快速登陆网站的话，需要把DNS改成本服务器的地址。

东方鹗于 2007-09-25 21:13:10发表:

实现双线路策略的LINUX服务器三

三．实现ETH3和ETH4的BONDING

双网卡绑定实现就是使用两块网卡虚拟成为一块网卡，这个聚合起来的设备看起来是一个单独的以太网接口设备，通俗点讲就是两块网卡具有相同的IP地址而并行链接聚合成一个逻辑链路工作。其实这项技术在Sun和Cisco中早已存在，被称为Trunking和Etherchannel技术，在Linux的2.4.x/2.6.x的内核中也采用这这种技术，被称为bonding。下面我们讨论一下bonding 的原理,什么是bonding需要从网卡的混杂(promisc)模式说起。我们知道，在正常情况下，网卡只接收目的硬件地址(MAC Address)是自身Mac的以太网帧，对于别的数据帧都滤掉，以减轻驱动程序的负担。但是网卡也支持另外一种被称为混杂promisc的模式，可以接收网络上所有的帧，比如说tcpdump，就是运行在这个模式下。bonding也运行在这个模式下，而且修改了驱动程序中的mac地址，将两块网卡的Mac地址改成相同，可以接收特定mac的数据帧。然后把相应的数据帧传送给bond驱动程序处理。详细信息请参考RedHat中Bonding。

绑定的前提条件：芯片组型号相同，而且网卡应该具备自己独立的BIOS芯片。

1.编辑虚拟网络接口配置文件,指定网卡IP

vi /etc/sysconfig/ network-scripts/ ifcfg-bond0

[root@***** root]# cp /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-bond0

2. 修改ifcfg-bond0

将第一行改成 DEVICE=bond0

# cat ifcfg-bond0

DEVICE=bond0

BOOTPROTO=static

IPADDR=192.168.0.1

NETMASK=255.255.255.0

BROADCAST=192.168.0.254

ONBOOT=yes

TYPE=Ethernet

这里要主意，不要指定单个网卡的IP 地址、子网掩码或网卡 ID。将上述信息指定到虚拟适配器(bonding)中即可。

[root@***** network-scripts]# cat ifcfg-eth0

DEVICE=eth0

ONBOOT=yes

[root@***** network-scripts]# cat ifcfg-eth1

DEVICE=eth0

ONBOOT=yes

3 .修改 /etc/modules.conf

编辑 /etc/modules.conf 文件，加入如下一行内容，以使系统在启动时加载bonding模块，对外虚拟网络接口设备为 bond0

加入下列两行

alias bond0 bonding

options bond0 miimon=100 mode=0

说明：miimon是用来进行链路监测的。比如:miimon=100，那么系统每100ms监测一次链路连接状态，如果有一条线路不通就转入另一条线路；mode的值表示工作模式，他共有0，1,2,3四种模式，常用的为0,1两种。

mode=0表示load balancing (round-robin)为负载均衡方式，两块网卡都工作。

mode=1表示fault-tolerance (active-backup)提供冗余功能，工作方式是主备的工作方式,也就是说默认情况下只有一块网卡工作,另一块做备份.

bonding只能提供链路监测，即从主机到交换机的链路是否接通。如果只是交换机对外的链路down掉了，而交换机本身并没有故障，那么bonding会认为链路没有问题而继续使用

4.修改 /etc/rc.d/rc.local

加入两行

ifenslave bond0 eth0 eth1

route add -net 192.168.0.254 netmask 255.255.255.0 bond0

到这时已经配置完毕重新启动机器.

重启会看见以下信息就表示配置成功了

................

Bringing up interface bond0 OK

Bringing up interface eth0 OK

Bringing up interface eth1 OK

................

通过查看bond0的工作状态查询能详细的掌握bonding的工作状态

[root@***** bonding]# cat /proc/net/bonding/bond0

bonding.c:v2.4.1 (September 15, 2003)

Bonding Mode: load balancing (round-robin)

MII Status: up

MII Polling Interval (ms): 0

Up Delay (ms): 0

Down Delay (ms): 0

Multicast Mode: all slaves

Slave Interface: eth1

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:0e:7f:25:d9:8a

Slave Interface: eth0

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:0e:7f:25:d9:8b

现在BONGDING 功能也实现了，我用的MODE 0来实现负载均衡，不过在一块网卡失效的情况下，整个BONGDING都无法正常通信。其中一块网卡失效主要是由于中断冲突造成的。至今我没有解决办法。

东方鹗于 2007-09-25 21:11:30发表:

实现双线路策略的LINUX服务器二

二．进行内网IP地址绑定

新建文件

vi /etc/ethers

……

192.168.0.4 aa:aa:aa:aa:aa:aa #绑定假MAC地址，不准备别人利用此IP

192.168.0.5 00:10:22:04:86:3B #绑定实际MAC地址，禁止其他人强占此IP

…..

然后执行 arp -f /etc/ethers

常用命令：

查看IPTABLES规则

Iptables -t nat -L -n

查看NAT转发表

Cat -n /proc/net/ip_connetrack

查看路由

IP ROUTE

查看规则

IP RULE

在这里，ETHERS文件里不能绑定网关的MAC地址，而且这样绑定的效果并不明显，最好是在客户机上也进行网关和本机MAC地址的绑定，但是由于绑定客户机的工作量太大。需要另想办法

东方鹗于 2007-09-25 21:08:17发表:

实现双线路策略的LINUX服务器一

一．实现双线路策略

流量分割

让我们先定义一些符号。令第一块网卡的名字叫eth1，而第二块网卡叫做eth2；然后设置网卡1的IP地址为219.150.222.36（CTC分配网址），网卡2 的IP地址为125.42.176.199（CNC分配网址）；ISP1（电信）网关地址为219.150.222.33，ISP2（网通）网关地址为125.42.176.193；最后，ISP1（电信）的网络地址为219.150.222.32/27，ISP2（网通）的网络地址为125.42.176.192/27。

额外创建两个路由表，50 和51 ，加入到/etc//iproute2/rt_tables中。然后如下设置两个路由表中的路由：

ip route add 219.150.222.32/27 dev eth1 src 219.150.222.36 table 50

ip route add default via 219.150.222.33 table 50

ip route add 125.42.176.192/27 dev eth2 src 125.42.176.199 table 51

ip route add default via 125.42.176.193 table 51

主机设置

配置如下文件：

Wan1.cong:

interface=eth0

ipaddr=219.150.222.36

gateway=219.150.222.33

network=219.150.222.32/27

routefile=/etc/quick/IP_CTC.list（电信网段）

配置ETH0，用于连接电信链路连接。

wan2.cong:

interface=eth1

ipaddr=125.42.176.199

gateway=125.42.176.193

network=125.42.176.192/27

routefile=/etc/quick/IP_CNC.list（网通网段）

配置ETH1，用于连接网通链路连接。

routefile= 后面填该线路对应的路由表文件。IP_CNC.list 和IP_CTC.list，这两个文件都在/etc/quick 目录下，其中IP_CNC.list 文件是网通路由表文件，IP_CTC.list 为电信路由表文件。

IP_CTC.list的内容如下：

58.32.0.0/13

58.40.0.0/15

58.42.0.0/16

58.43.0.0/16

58.44.0.0/14

58.48.0.0/13

58.56.0.0/14

58.60.0.0/14

58.208.0.0/12

59.32.0.0/13

59.40.0.0/15

59.42.0.0/16

59.43.0.0/16

59.44.0.0/14

59.48.0.0/16

59.49.0.0/17

59.49.128.0/17

59.50.0.0/16

59.51.0.0/17

59.51.128.0/17

59.52.0.0/14

59.56.0.0/14

59.60.0.0/15

59.62.0.0/15

60.160.0.0/15

60.162.0.0/15

60.164.0.0/15

60.166.0.0/15

60.168.0.0/13

60.176.0.0/12

61.130.0.0/15

61.132.0.0/15

61.134.0.0/18

61.134.64.0/19

61.136.128.0/17

61.137.0.0/17

61.138.192.0/18

61.139.0.0/17

61.139.192.0/18

61.140.0.0/14

61.144.0.0/14

61.150.0.0/15

61.152.0.0/14

61.157.0.0/16

61.159.64.0/18

61.159.128.0/17

61.160.0.0/16

61.161.64.0/18

61.164.0.0/15

61.166.0.0/16

61.169.0.0/16

61.170.0.0/15

61.172.0.0/14

61.177.0.0/16

61.178.0.0/16

61.180.0.0/17

61.183.0.0/16

61.184.0.0/14

61.188.0.0/16

61.189.128.0/17

61.190.0.0/15

124.72.0.0/16

124.73.0.0/16

124.74.0.0/15

124.76.0.0/14

124.112.0.0/15

125.64.0.0/13

125.72.0.0/16

125.73.0.0/16

125.74.0.0/15

125.76.0.0/17

125.77.0.0/16

125.78.0.0/15

125.80.0.0/13

125.88.0.0/13

125.104.0.0/13

125.112.0.0/12

202.96.96.0/21

202.96.104.0/21

202.96.112.0/20

202.96.128.0/21

202.96.136.0/21

202.96.144.0/20

202.96.160.0/21

202.96.168.0/21

202.96.176.0/20

202.96.192.0/16

202.97.0.0/19

202.97.32.0/19

202.97.64.0/19

202.97.96.0/19

202.98.32.0/19

202.98.64.0/19

202.98.96.0/21

202.98.104.0/21

202.98.112.0/20

202.98.128.0/19

202.98.160.0/19

202.98.192.0/19

202.98.224.0/19

202.99.192.0/19

202.100.96.0/19

202.100.128.0/19

202.100.160.0/19

202.100.192.0/18

202.101.0.0/18

202.101.64.0/19

202.101.96.0/19

202.101.128.0/18

202.101.192.0/18

202.102.0.0/17

202.103.0.0/16

202.104.0.0/15

202.107.128.0/17

202.109.0.0/16

202.110.128.0/18

202.111.0.0/17

218.0.0.0/14

218.4.0.0/15

218.6.0.0/16

218.13.0.0/16

218.14.0.0/15

218.16.0.0/15

218.18.0.0/16

218.19.0.0/16

218.20.0.0/16

218.21.0.0/17

218.22.0.0/15

218.31.0.0/16

218.32.0.0/16

218.62.128.0/17

218.63.0.0/16

218.64.0.0/15

218.66.0.0/16

218.67.0.0/17

218.70.0.0/15

218.72.0.0/15

218.74.0.0/16

218.75.0.0/16

218.76.0.0/16

218.77.0.0/16

218.78.0.0/15

218.80.0.0/12

219.128.0.0/12

219.144.0.0/13

219.152.0.0/15

219.159.64.0/18

219.159.128.0/17

220.160.0.0/11

221.224.0.0/13

221.232.0.0/14

221.236.0.0/15

221.238.0.0/16

221.239.0.0/17

221.239.128.0/17

222.64.0.0/13

222.72.0.0/15

222.74.0.0/16

222.75.0.0/16

222.76.0.0/14

222.80.0.0/15

222.82.0.0/16

222.83.0.0/17

222.83.128.0/17

222.84.0.0/16

222.85.0.0/17

222.85.128.0/17

222.86.0.0/15

222.88.0.0/15

222.90.0.0/15

222.92.0.0/14

222.168.0.0/15

222.170.0.0/16

222.171.0.0/16

222.172.0.0/17

222.172.128.0/17

222.173.0.0/16

222.174.0.0/15

222.176.0.0/13

222.184.0.0/13

222.208.0.0/13

222.216.0.0/15

222.218.0.0/16

222.219.0.0/16

222.220.0.0/15

222.222.0.0/15

222.240.0.0/13

IP_CNC.list的内容如下：

58.16.0.0/16

58.17.0.0/17

58.17.128.0/17

58.18.0.0/16

58.19.0.0/16

58.20.0.0/16

58.22.0.0/15

58.240.0.0/15

58.242.0.0/15

58.246.0.0/15

58.248.0.0/13

60.0.0.0/13

60.8.0.0/15

60.10.0.0/16

60.11.0.0/16

60.12.0.0/16

60.13.0.0/18

60.13.128.0/17

60.14.0.0/15

60.16.0.0/13

60.24.0.0/14

60.28.0.0/15

60.30.0.0/16

60.31.0.0/16

60.208.0.0/13

60.216.0.0/15

60.218.0.0/15

60.220.0.0/14

61.48.0.0/13

61.133.0.0/17

61.134.96.0/19

61.134.128.0/17

61.135.0.0/16

61.137.128.0/17

61.138.0.0/17

61.138.128.0/18

61.139.128.0/18

61.148.0.0/15

61.156.0.0/16

61.159.0.0/18

61.161.0.0/18

61.161.128.0/17

61.162.0.0/16

61.163.0.0/16

61.167.0.0/16

61.168.0.0/16

61.176.0.0/16

61.179.0.0/16

61.181.0.0/16

61.182.0.0/16

61.189.0.0/17

202.96.0.0/18

202.96.64.0/21

202.96.72.0/21

202.97.128.0/18

202.97.224.0/21

202.97.240.0/20

202.98.0.0/21

202.98.8.0/21

202.99.64.0/19

202.99.96.0/21

202.99.128.0/19

202.99.160.0/21

202.99.168.0/21

202.99.176.0/20

202.99.208.0/20

202.99.224.0/21

202.99.232.0/21

202.99.240.0/20

202.102.128.0/21

202.102.224.0/21

202.102.232.0/21

202.106.0.0/16

202.107.0.0/17

202.108.0.0/16

202.110.0.0/17

202.111.128.0/18

203.93.8.0/24

203.93.192.0/18

210.13.128.0/17

210.14.160.0/19

210.14.192.0/19

210.15.32.0/19

210.15.96.0/19

210.15.128.0/18

210.21.0.0/16

210.52.128.0/17

210.53.0.0/17

210.53.128.0/17

210.74.96.0/19

210.74.128.0/19

210.82.0.0/15

218.8.0.0/14

218.12.0.0/16

218.21.128.0/17

218.24.0.0/14

218.56.0.0/14

218.60.0.0/15

218.67.128.0/17

218.68.0.0/15

218.104.0.0/14

219.154.0.0/15

219.156.0.0/15

219.158.0.0/17

219.158.128.0/17

219.159.0.0/18

220.252.0.0/16

221.0.0.0/15

221.2.0.0/16

221.3.0.0/17

221.3.128.0/17

221.4.0.0/16

221.5.0.0/17

221.5.128.0/17

221.6.0.0/16

221.7.0.0/19

221.7.32.0/19

221.7.64.0/19

221.7.96.0/19

221.8.0.0/15

221.10.0.0/16

221.11.0.0/17

221.11.128.0/18

221.11.192.0/19

221.12.0.0/17

221.12.128.0/18

221.13.0.0/18

221.13.64.0/19

221.13.96.0/19

221.13.128.0/17

221.14.0.0/15

221.192.0.0/15

221.194.0.0/16

221.195.0.0/16

221.196.0.0/15

221.198.0.0/16

221.199.0.0/19

221.199.32.0/20

221.199.128.0/18

221.199.192.0/20

221.200.0.0/14

221.204.0.0/15

221.206.0.0/16

221.207.0.0/18

221.207.64.0/18

221.207.128.0/17

221.208.0.0/14

221.212.0.0/16

221.213.0.0/16

221.216.0.0/13

222.128.0.0/14

222.132.0.0/14

222.136.0.0/13

222.160.0.0/15

222.162.0.0/16

222.163.0.0/19

文件/root/cdkcm，脚本的内容：

. /root/hs

RETVAL=0

start() {

if [ -f "/root/wan1.cong" ] #加载网卡0的配置

then

. /root/wan1.cong

tab=50

wan_cdk

fi

if [ -f "/root/wan2.cong" ] #加载网卡1的配置

then

. /root/wan2.cong

tab=51

wan_cdk

fi

ip route flush cache

return $RETVAL

}

stop() {

if [ -f "/root/wan1.cong" ]

then

. /root/wan1.cong

tab=50

del_wan_cdk

fi

if [ -f "/root/wan2.cong" ]

then

. /root/wan2.cong

tab=51

del_wan_cdk

fi

ip route flush cache

return $RETVAL

}

# See how we were called.

case "$1" in

start)

start

RETVAL=$?

;;

stop)

stop

RETVAL=$?

;;

restart)

stop

start

RETVAL=$?

;;

*)

echo $"Usage: $0 {start|stop|restart}"

exit 1

esac

exit $RETVAL

/root/hs文件内容（函数存放文件）

wan_cdk() {

ip route add ${network} dev ${interface} src ${ipaddr} table $tab

ip route add default via ${gateway} dev ${interface} table $tab

ip rule add from ${ipaddr} table $tab

for cc in `/bin/cat ${routefile}`; do

ip rule add from all to $cc table $tab

done

}

del_wan_cdk() {

ip rule del from ${ipaddr} table $tab

for cc in `/bin/cat ${routefile}`; do

ip rule del from all to $cc table $tab

done

ip route del ${network} dev ${interface} src ${ipaddr} table $tab

ip route del default via ${gateway} dev ${interface} table $tab

}

Hs主要用于加载路由表，实现流量分隔。

负载均衡

第二个问题就是如何对通过两个ISP流出的数据进行负责均衡。如果你已经成功地实现了流量分割。这件事不难。

与选择两个ISP中的一个作为缺省路由不同，这次是设置缺省路由为多线路路由。在缺省内核中，这会均衡两个ISP的路由。像下面这样做（基于前面的流量分割实验）：

ip route add default scope global nexthop via 219.150.222.33 dev eth1 weight 30 nexthop via 125.42.176.193 dev eth2 weight 70 （注意：与上面为同一行命令）

这样可以均衡两个ISP的路由。通过调整“weight”参数我们可以指定其中的一个ISP的优先权高于另一个。（具体：线路1的流量约占30％，线路1占70％）

不过负载均衡有一个不好的地方是，在网上打游戏的时候经常被卡掉，由于路由的智能选择，经常进行线路切换，导致游戏无法正常进行。所以我经常做的方法是把缺省路由改为单一的电信路由ip route add default via 219.150.222.36或者是网通ip route add default via 125.42.176.193。这样既可以实现对不同网络提供商的网站进行有效访问，又不会导致你的游戏经常掉线。当然，假如你现在的缺省路由是电信的，但是你要用QQ与对方的网通网络进行文件传输，这还是很慢的。

设置IP伪装，对内网机子进行NAT转换

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 219.150.222.36

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to 125.42.176.199

打开转发功能

Echo “1”>/proc/sys/net/ipv4/ip_forward

或者修改/etc/sysctl.conf文件内容，将:net.ipv4.ip_forward=”设置为1

由于RHEL AS4有防火墙，我们需要清除冲突的规则

A.清除原有防火墙规则

IPTABLES -P INPUT ACCEPT

IPTABLES -P FORWARD ACCEPT

IPTABLES -P OUTPUT ACCEPT

B.清除NAT规则设置

IPTABLES -t nat -P PREROUTING ACCEPT

IPTABLES -t nat -P POSTROUTING ACCEPT

IPTABLES -t nat -P OUTPUT ACCEPT

IPTABLES -t mangle -P PREROUTING ACCEPT

IPTABLES -t mangle -P OUTPUT ACCEPT

C.清除在防火墙和NAT中不是默认的连接

IPTABLES -F

IPTABLES -t nat -F

IPTABLES -t mangle -F

IPTABLES -X

IPTABLES -t nat -X

IPTABLES -t mangle -X

保存iptables配置文件 : /etc/rc.d/init.d/iptables save

或者 service iptables save

至此，既可实现双线路策略。

要注意清除原有的防火墙策略，这有可能导致无法实现NAT转换功能

实现双线路策略的LINUX服务器及其一些拓展应用

共有 6 条评论

频道文章

最新教程

随机推荐