
A Linux Server Implementing a Dual-ISP Routing Policy, and Some Extended Applications

Published: 2007-09-25 21:07:12  Source: 红联  Author: 东方鹗
A Linux server implementing a dual-ISP routing policy -- Preface

[Network diagram: image not reproduced here]

Networking requirements:
1. Dual-ISP routing policy
2. Prevention of IP address theft
3. Bonding of ETH3 and ETH4
4. DNS service
5. VPN
6. Port mapping for the web site

Before starting, we have to pick a machine; an ordinary one will do. For software I installed RHEL 4. The hardware is a Celeron D 2.6 GHz on an Intel 865 motherboard, chosen mainly because it has five PCI slots, exactly enough for five TP-LINK gigabit NICs. Those five NICs, however, nearly made me give up: on a typical machine a single 8259 interrupt controller assigns the IRQ of every piece of hardware in the system. There are 16 IRQs in total; subtracting the one used for the cascade, only 15 are actually available to hardware. So take great care to set the IRQs properly in the BIOS, to avoid IRQ conflicts that stop devices from working.
How IRQs are allocated and why conflicts arise

Table 1: hardware devices corresponding to each IRQ in the BIOS

IRQ     Device          Purpose
irq0    timer           system timer
irq1    keyboard        keyboard
irq2    redirect irq9   cascaded to irq9; used by the MPU-401 MIDI interface
irq3    com2            serial port
irq4    com1            serial port
irq5    lpt2            recommended for the sound card
irq6    fdd             floppy drive controller
irq7    lpt1            printer port
irq8    cmos alert      real-time clock
irq9    redirect irq2   cascaded to irq2; may be assigned to other hardware
irq10   reserved        recommended for the network card
irq11   reserved        like irq10, reserved for PCI devices; recommended for the graphics card
irq12   ps/2 mouse      PS/2 mouse; if there is none, may be assigned to other hardware
irq13   fpu             coprocessor, e.g. the FPU (floating-point unit)
irq14   primary ide     primary hard-disk controller (1)
irq15   secondary ide   secondary hard-disk controller (2)

Now let's begin:
Comments

6 comments in total

  1. 东方鹗 posted on 2007-09-25 21:17:38:

    A Linux server implementing a dual-ISP routing policy, part 6

    6. Port mapping for the web site
    This one is fairly simple.
    I downloaded and installed the package ipvsadm-1.24-6.src.rpm, then wrote a script:
    # vi ipvsadm.sh
    ipvsadm -C                                                # clear the virtual server table
    ipvsadm -A -t 219.150.222.36:80 -s wlc                    # open port 80
    ipvsadm -A -t 219.150.222.36:21 -s wlc                    # open port 21
    ipvsadm -A -t 219.150.222.36:25 -s wlc                    # open port 25
    ipvsadm -A -t 219.150.222.36:110 -s wlc                   # open port 110
    ipvsadm -A -t 125.42.176.199:80 -s wlc                    # open port 80
    ipvsadm -A -t 125.42.176.199:25 -s wlc                    # open port 25
    ipvsadm -A -t 125.42.176.199:110 -s wlc                   # open port 110
    ipvsadm -a -t 219.150.222.36:80 -r 10.0.0.2:80 -m -w 9    # map the port to the internal server (NAT mode, weight 9)
    ipvsadm -a -t 125.42.176.199:80 -r 10.0.0.2:80 -m -w 99   # map the port to the internal server (NAT mode, weight 99)


    To help everyone understand this command reference, here is a brief explanation of a few terms used in it:
    1. virtual-service-address: the IP address of the virtual server
    2. real-service-address: the IP address of the real server
    3. scheduler: the scheduling method
    (translated by lna@networksbase.com from ipvsadm v1.21, April 2004)
    Usage and syntax of ipvsadm:
    ipvsadm -A|E -t|u|f virtual-service-address:port [-s scheduler] [-p [timeout]] [-M netmask]
    ipvsadm -D -t|u|f virtual-service-address
    ipvsadm -C
    ipvsadm -R
    ipvsadm -S [-n]
    ipvsadm -a|e -t|u|f service-address:port -r real-server-address:port [-g|i|m] [-w weight]
    ipvsadm -d -t|u|f service-address -r server-address
    ipvsadm -L|l [options]
    ipvsadm -Z [-t|u|f service-address]
    ipvsadm --set tcp tcpfin udp
    ipvsadm --start-daemon state [--mcast-interface interface]
    ipvsadm --stop-daemon
    ipvsadm -h
    Explanation of the command options:
    There are two option formats, long and short, with the same meaning; either can be used in practice.
    -A --add-service  Add a new virtual server record to the kernel's virtual server table, i.e. add a new virtual server.
    -E --edit-service  Edit a virtual server record in the kernel's virtual server table.
    -D --delete-service  Delete a virtual server record from the kernel's virtual server table.
    -C --clear  Clear all records from the kernel's virtual server table.
    -R --restore  Restore virtual server rules.
    -S --save  Save the virtual server rules, in a format readable by the -R option.
    -a --add-server  Add a new real server record to a record in the kernel's virtual server table, i.e. add a new real server to a virtual server.
    -e --edit-server  Edit a real server record within a virtual server record.
    -d --delete-server  Delete a real server record from a virtual server record.
    -L|-l --list  List the kernel's virtual server table.
    -Z --zero  Zero the counters of the virtual server table (clears the current connection counts, etc.).
    --set tcp tcpfin udp  Set the connection timeout values.
    --start-daemon  Start the synchronisation daemon. It is followed by master or backup, which says whether this LVS router is the master or the backup. Keepalived's VRRP function can also be used for this.
    --stop-daemon  Stop the synchronisation daemon.
    -h --help  Show help.
    Other options:
    -t --tcp-service service-address  The virtual server provides a TCP service [vip:port] or [real-server-ip:port]
    -u --udp-service service-address  The virtual server provides a UDP service [vip:port] or [real-server-ip:port]
    -f --fwmark-service fwmark  The service is identified by an iptables firewall mark.
    -s --scheduler scheduler  The scheduling algorithm to use; the choices are rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq. The default is wlc.
    -p --persistent [timeout]  Persistent service: multiple requests from the same client are handled by the same real server. The default timeout is 300 seconds.
    -M --netmask netmask  Persistence granularity mask.
    -r --real-server server-address  The real server [Real-Server:port]
    -g --gatewaying  Use direct routing mode (the LVS default).
    -i --ipip  Use IP tunnelling mode.
    -m --masquerading  Use NAT mode.
    -w --weight weight  Weight of the real server.
    --mcast-interface interface  Multicast interface used for synchronisation.
    -c --connection  Show the current LVS connections, e.g. ipvsadm -L -c
    --timeout  Show the tcp, tcpfin and udp timeout values, e.g. ipvsadm -L --timeout
    --daemon  Show the status of the synchronisation daemon.
    --stats  Show statistics.
    --rate  Show rate information.
    --sort  Sort the output of virtual and real servers.
    --numeric -n  Print IP addresses and ports in numeric form.
    ipvsadm -L
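The script above selects `-s wlc` and gives the real server a weight with `-w`. The reference only names the algorithm, so here is an added worked example (not code from the post or from the IPVS/ipvsadm project) of how weighted least-connection picks a real server: the server with the lowest overhead-to-weight ratio wins, where IPVS counts an active connection as 256 inactive ones. The two weights are borrowed from the post; the real-server addresses and connection counts are constructed.

```python
"""Weighted least-connection (wlc) scheduling, as chosen by `-s wlc` above.

Added example: not code from the post or from the IPVS/ipvsadm project.
Real-server addresses, weights and connection counts are constructed.
"""
from dataclasses import dataclass


@dataclass
class RealServer:
    addr: str          # "ip:port" of the real server (constructed)
    weight: int        # the ipvsadm -w value; 0 means the server takes no new connections
    active: int = 0    # established connections
    inactive: int = 0  # connections in a closing state (e.g. FIN_WAIT)


def overhead(s):
    """IPVS counts an active connection as 256 inactive ones."""
    return s.active * 256 + s.inactive


def wlc_pick(servers):
    """Return the server with the smallest overhead/weight ratio.

    The comparison is done in integers (overhead_a * weight_b < overhead_b *
    weight_a), as the kernel does; servers with weight 0 are skipped and a
    tie keeps the earlier server in the list."""
    best = None
    for s in servers:
        if s.weight <= 0:
            continue
        if best is None or overhead(s) * best.weight < overhead(best) * s.weight:
            best = s
    return best


def simulate(servers, n_requests):
    """Hand out n_requests new connections (each stays active) and return
    how many each real server received, keyed by address."""
    counts = {s.addr: 0 for s in servers}
    for _ in range(n_requests):
        s = wlc_pick(servers)
        if s is None:
            raise RuntimeError("no real server with a positive weight")
        s.active += 1
        counts[s.addr] += 1
    return counts


if __name__ == "__main__":
    pool = [RealServer("10.0.0.2:80", weight=9), RealServer("10.0.0.3:80", weight=99)]
    print(simulate(pool, 120))  # weights 9 and 99 give roughly a 1:11 split
```

With weights 9 and 99 and 120 new connections, the first server receives 10 and the second 110, which is the 1:11 ratio the weights express once every connection stays open; a server whose weight is set to 0 is drained, since it is never chosen for new connections.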

  2. 东方鹗 posted on 2007-09-25 21:15:50:

    A Linux server implementing a dual-ISP routing policy, part 5

    5. VPN
    From what I could verify online, if a VPN is set up on the dual-ISP Linux proxy server, other single-ISP machines on the Internet can get dual-ISP access through that VPN, somewhat like a unified gateway. That is the reason for this step.
    Check whether the pptpd package is installed; if not, download and install it.
    [root@xxpostnet ~]# rpm -q pptpd
    pptpd-1.3.3-1.rhel4
    Configure the system files; the places that had to be changed from the defaults were marked in bold.
    [root@xxpostnet etc]# vi pptpd.conf
    ###########################################################################
    # $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
    #
    # Sample Poptop configuration file /etc/pptpd.conf
    #
    # Changes are effective when pptpd is restarted.
    ###########################################################################

    # TAG: ppp
    # Path to the pppd program, default '/usr/sbin/pppd' on Linux
    #
    #ppp /usr/sbin/pppd

    # TAG: option
    # Specifies the location of the PPP options file.
    # By default PPP looks in '/etc/ppp/options'
    #
    option /etc/ppp/options.pptpd

    # TAG: debug
    # Turns on (more) debugging to syslog
    #
    #debug
    # TAG: stimeout
    # Specifies timeout (in seconds) on starting ctrl connection
    #
    # stimeout 10

    # TAG: noipparam
    # Suppress the passing of the client's IP address to PPP, which is
    # done by default otherwise.
    #
    #noipparam

    # TAG: logwtmp
    # Use wtmp(5) to record client connections and disconnections.
    #
    logwtmp

    # TAG: bcrelay
    # Turns on broadcast relay to clients from interface
    #
    #bcrelay eth1

    # TAG: delegate
    # Delegates the allocation of client IP addresses to pppd.
    #
    # Without this option, which is the default, pptpd manages the list of
    # IP addresses for clients and passes the next free address to pppd.
    # With this option, pptpd does not pass an address, and so pppd may use
    # radius or chap-secrets to allocate an address.
    #
    #delegate

    # TAG: connections
    # Limits the number of client connections that may be accepted.
    #
    # If pptpd is allocating IP addresses (e.g. delegate is not
    # used) then the number of connections is also limited by the
    # remoteip option. The default is 100.
    #connections 100

    # TAG: localip
    # TAG: remoteip
    # Specifies the local and remote IP address ranges.
    #
    # These options are ignored if delegate option is set.
    #
    # Any addresses work as long as the local machine takes care of the
    # routing. But if you want to use MS-Windows networking, you should
    # use IP addresses out of the LAN address space and use the proxyarp
    # option in the pppd options file, or run bcrelay.
    #
    # You can specify single IP addresses seperated by commas or you can
    # specify ranges, or both. For example:
    #
    # 192.168.0.234,192.168.0.245-249,192.168.0.254
    #
    # IMPORTANT RESTRICTIONS:
    #
    # 1. No spaces are permitted between commas or within addresses.
    #
    # 2. If you give more IP addresses than the value of connections,
    # it will start at the beginning of the list and go until it
    # gets connections IPs. Others will be ignored.
    #
    # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
    # you must type 234-238 if you mean this.
    #
    # 4. If you give a single localIP, that's ok - all local IPs will
    # be set to the given one. You MUST still give at least one remote
    # IP for each simultaneous client.
    #
    # (Recommended)
    localip 192.168.0.1
    remoteip 192.168.0.220-238
    netmask 255.255.255.0
    # or
    #localip 192.168.0.234-238,192.168.0.245
    #remoteip 192.168.1.234-238,192.168.1.245

    [root@xxpostnet etc]# vi ppp/options.pptpd
    ###########################################################################
    # $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
    #
    # Sample Poptop PPP options file /etc/ppp/options.pptpd
    # Options used by PPP when a connection arrives from a client.
    # This file is pointed to by /etc/pptpd.conf option keyword.
    # Changes are effective on the next connection. See "man pppd".
    #
    # You are expected to change this file to suit your system. As
    # packaged, it requires PPP 2.4.2 and the kernel MPPE module.
    ###########################################################################


    # Authentication

    # Name of the local system for authentication purposes
    # (must match the second field in /etc/ppp/chap-secrets entries)
    name pptpd

    # Strip the domain prefix from the username before authentication.
    # (applies if you use pppd with chapms-strip-domain patch)
    #chapms-strip-domain

    # Encryption
    # (There have been multiple versions of PPP with encryption support,
    # choose with of the following sections you will use.)


    # BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
    # {{{
    refuse-pap
    refuse-chap
    refuse-mschap
    # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
    # Challenge Handshake Authentication Protocol, Version 2] authentication.
    require-mschap-v2
    # Require MPPE 128-bit encryption
    # (note that MPPE requires the use of MSCHAP-V2 during authentication)
    require-mppe-128
    # }}}


    # OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
    # {{{
    -chap
    #-chapms
    # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
    # Challenge Handshake Authentication Protocol, Version 2] authentication.
    #+chapms-v2
    # Require MPPE encryption
    # (note that MPPE requires the use of MSCHAP-V2 during authentication)
    #mppe-40 # enable either 40-bit or 128-bit, not both
    #mppe-128
    #mppe-stateless
    # }}}


    # Network and Routing
    auth
    # If pppd is acting as a server for Microsoft Windows clients, this
    # option allows pppd to supply one or two DNS (Domain Name Server)
    # addresses to the clients. The first instance of this option
    # specifies the primary DNS address; the second instance (if given)
    # specifies the secondary DNS address. (the DNS servers are set here)
    ms-dns 219.150.150.150
    ms-dns 202.102.224.68
    ms-dns 202.102.227.68

    # If pppd is acting as a server for Microsoft Windows or "Samba"
    # clients, this option allows pppd to supply one or two WINS (Windows
    # Internet Name Services) server addresses to the clients. The first
    # instance of this option specifies the primary WINS address; the
    # second instance (if given) specifies the secondary WINS address.
    #ms-wins 10.0.0.3
    #ms-wins 10.0.0.4

    # Add an entry to this system's ARP [Address Resolution Protocol]
    # table with the IP address of the peer and the Ethernet address of this
    # system. This will have the effect of making the peer appear to other
    # systems to be on the local ethernet.
    # (you do not need this if your PPTP server is responsible for routing
    # packets to the clients -- James Cameron)
    proxyarp

    # Normally pptpd passes the IP address to pppd, but if pptpd has been
    # given the delegate option in pptpd.conf or the --delegate command line
    # option, then pppd will use chap-secrets or radius to allocate the
    # client IP address. The default local IP address used at the server
    # end is often the same as the address of the server. To override this,
    # specify the local IP address here.
    # (you must not use this unless you have used the delegate option)
    #10.8.0.100


    # Logging
    logfile /var/log/pptpd.log
    # Enable connection debugging facilities.
    # (see your syslog configuration for where pppd sends to)
    debug

    # Print out all the option values which have been set.
    # (often requested by mailing list to verify options)
    #dump


    # Miscellaneous

    # Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
    # access.
    lock

    # Disable BSD-Compress compression
    nobsdcomp

    # Disable Van Jacobson compression
    # (needed on some networks with Windows 9x/ME/XP clients, see posting to
    # poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
    # http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
    novj
    novjccomp

    # turn off logging to stderr, since this may be redirected to pptpd,
    # which may trigger a loopback
    nologfd

    # put plugins here
    # (putting them higher up may cause them to sent messages to the pty)

    [root@xxpostnet etc]# vi ppp/chap-secrets   # this file defines the client passwords
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    "xxpostvpn1" * "xxpostvpn1#" 192.168.106.220
    "xxpostvpn2" * "xxpostvpn2#" 192.168.106.221
    "xxpostvpn3" * "xxpostvpn3#" 192.168.106.222
    "xxpostvpn4" * "xxpostvpn4#" 192.168.106.223
    "xxpostvpn5" * "xxpostvpn5#" 192.168.106.224
    "xxpostvpn6" * "xxpostvpn6#" 192.168.106.225
    "xxpostvpn7" * "xxpostvpn7#" 192.168.106.226
    "xxpostvpn8" * "xxpostvpn8#" 192.168.106.227
    "xxpostvpn9" * "xxpostvpn9#" 192.168.106.228
    "xxpostvpn10" * "xxpostvpn10#" 192.168.106.229
    "xxpostvpn11" * "xxpostvpn11#" 192.168.106.230
    "xxpostvpn12" * "xxpostvpn12#" 192.168.106.231
    "xxpostvpn13" * "xxpostvpn13#" 192.168.106.232
    "xxpostvpn14" * "xxpostvpn14#" 192.168.106.233
    "xxpostvpn15" * "xxpostvpn15#" 192.168.106.234
    "xxpostvpn16" * "xxpostvpn16#" 192.168.106.235
    "xxpostvpn17" * "xxpostvpn17#" 192.168.106.236
    ####### redhat-config-network will overwrite this part!!! (begin) ##########
    ####### redhat-config-network will overwrite this part!!! (end) ############
    Start the pptpd service:
    /etc/rc.d/init.d/pptpd start
    That completes the pptpd configuration on the Linux server.
    The client configuration is as follows:
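pptpd.conf above hands clients addresses from the `remoteip` pool, while the fourth field of each chap-secrets line is the set of addresses pppd allows that peer to use; if the assigned address is not in that set, pppd refuses it and closes IPCP. The following added example (not part of the post or of the pptpd project) parses pptpd's address-list syntax exactly as the comments in pptpd.conf document it (commas, last-octet ranges written in full) and reports clients whose pinned address can never be assigned from the pool. The file excerpts are constructed from the post, plus one constructed in-pool client named `demo-ok`.

```python
"""Cross-check pptpd.conf's remoteip pool against the addresses pinned in
chap-secrets.

Added example, not part of the post or of the pptpd project. The file
excerpts are constructed from the post above, plus one constructed client
("demo-ok") whose address does fall inside the pool.
"""
import ipaddress
import re
import shlex

PPTPD_CONF = """\
# constructed excerpt of /etc/pptpd.conf from the post
localip 192.168.0.1
remoteip 192.168.0.220-238
netmask 255.255.255.0
"""

CHAP_SECRETS = """\
# client server secret IP addresses
"xxpostvpn1" * "xxpostvpn1#" 192.168.106.220
"xxpostvpn2" * "xxpostvpn2#" 192.168.106.221
"demo-ok"    * "constructed-secret" 192.168.0.225
"""


def expand_ip_list(spec):
    """Expand pptpd's address-list syntax: comma-separated addresses, each
    optionally with a last-octet range written in full, e.g.
    '192.168.0.234,192.168.0.245-249,192.168.0.254' (no spaces, and no
    '234-8' shortcuts, as the pptpd.conf comments state)."""
    addrs = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})(?:-(\d{1,3}))?", item)
        if not m:
            raise ValueError(f"bad address spec: {item!r}")
        prefix, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad range: {item!r}")
        addrs.extend(ipaddress.IPv4Address(f"{prefix}{n}") for n in range(lo, hi + 1))
    return addrs


def parse_pptpd_conf(text):
    """Return {keyword: value} for the uncommented lines of pptpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def parse_chap_secrets(text):
    """Return {client: allowed addresses}. None means any address ('*');
    a line with only three fields allows no address at all, so it yields []."""
    clients = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # a '#' inside quotes is kept
        if len(fields) < 3:
            continue
        pinned = fields[3] if len(fields) > 3 else ""
        if pinned == "*":
            clients[fields[0]] = None
        else:
            clients[fields[0]] = [ipaddress.IPv4Address(a) for a in pinned.split(",") if a]
    return clients


def clients_outside_pool(pptpd_conf_text, chap_text):
    """Return {client: [addresses not in the remoteip pool]} for clients whose
    pinned address pptpd could never hand out to them."""
    pool = set(expand_ip_list(parse_pptpd_conf(pptpd_conf_text)["remoteip"]))
    bad = {}
    for client, addrs in parse_chap_secrets(chap_text).items():
        if addrs is None:
            continue  # '*': any address is acceptable
        outside = [str(a) for a in addrs if a not in pool]
        if outside:
            bad[client] = outside
    return bad


if __name__ == "__main__":
    for client, addrs in clients_outside_pool(PPTPD_CONF, CHAP_SECRETS).items():
        print(f"{client}: pinned to {addrs}, outside remoteip pool")
```

Run over the two files in the post, the check reports every `xxpostvpnN` entry, because their 192.168.106.x addresses lie outside the 192.168.0.220-238 pool; the constructed `demo-ok` client is not reported.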

  3. 东方鹗 posted on 2007-09-25 21:14:41:

    A Linux server implementing a dual-ISP routing policy, part 4

    4. DNS service
    Edit /etc/hosts


    xxpost.com is the domain; there is one more domain name, a registered international domain, which is not shown here.
    guangdian.xxpost.com and wangtong.xxpost.com are the addresses of the two ISPs that provide the external connections.
    Note: the order of name resolution is set by /etc/host.conf: hosts is consulted first, then bind.


    "multi on" allows a hostname to have multiple IP addresses.
    Edit /etc/resolv.conf
    nameserver xxpost.com
    nameserver guangdian.xxpost.com
    nameserver wangtong.xxpost.com
    The local name server xxpost.com is searched first, then the other name servers.
    Edit /etc/named.conf
    (this is a symlink; the real file lives in /var/named/chroot/etc/)
    //
    // named.conf for Red Hat caching-nameserver
    //

    options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;
    allow-query { any;};
    recursion no;
    forwarders {202.102.224.68;};

    forward only;
    };

    //
    // a caching only nameserver config
    //
    controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };
    acl "cncip" { // create the access list.
    58.16.0.0/16;
    58.17.0.0/17;
    58.17.128.0/17;
    58.18.0.0/16;
    58.19.0.0/16;
    58.20.0.0/16;
    58.22.0.0/15;
    58.240.0.0/15;
    58.242.0.0/15;
    58.246.0.0/15;
    58.248.0.0/13;
    60.0.0.0/13;
    60.8.0.0/15;
    60.10.0.0/16;
    60.11.0.0/16;
    60.12.0.0/16;
    60.13.0.0/18;
    60.13.128.0/17;
    60.14.0.0/15;
    60.16.0.0/13;
    60.24.0.0/14;
    60.28.0.0/15;
    60.30.0.0/16;
    60.31.0.0/16;
    60.208.0.0/13;
    60.216.0.0/15;
    60.218.0.0/15;
    60.220.0.0/14;
    61.48.0.0/13;
    61.133.0.0/17;
    61.134.96.0/19;
    61.134.128.0/17;
    61.135.0.0/16;
    61.137.128.0/17;
    61.138.0.0/17;
    61.138.128.0/18;
    61.139.128.0/18;
    61.148.0.0/15;
    61.156.0.0/16;
    61.159.0.0/18;
    61.161.0.0/18;
    61.161.128.0/17;
    61.162.0.0/16;
    61.163.0.0/16;
    61.167.0.0/16;
    61.168.0.0/16;
    61.176.0.0/16;
    61.179.0.0/16;
    61.181.0.0/16;
    61.182.0.0/16;
    61.189.0.0/17;
    202.96.0.0/18;
    202.96.64.0/21;
    202.96.72.0/21;
    202.97.128.0/18;
    202.97.224.0/21;
    202.97.240.0/20;
    202.98.0.0/21;
    202.98.8.0/21;
    202.99.64.0/19;
    202.99.96.0/21;
    202.99.128.0/19;
    202.99.160.0/21;
    202.99.168.0/21;
    202.99.176.0/20;
    202.99.208.0/20;
    202.99.224.0/21;
    202.99.232.0/21;
    202.99.240.0/20;
    202.102.128.0/21;
    202.102.224.0/21;
    202.102.232.0/21;
    202.106.0.0/16;
    202.107.0.0/17;
    202.108.0.0/16;
    202.110.0.0/17;
    202.111.128.0/18;
    203.93.8.0/24;
    203.93.192.0/18;
    210.13.128.0/17;
    210.14.160.0/19;
    210.14.192.0/19;
    210.15.32.0/19;
    210.15.96.0/19;
    210.15.128.0/18;
    210.21.0.0/16;
    210.52.128.0/17;
    210.53.0.0/17;
    210.53.128.0/17;
    210.74.96.0/19;
    210.74.128.0/19;
    210.82.0.0/15;
    218.8.0.0/14;
    218.12.0.0/16;
    218.21.128.0/17;
    218.24.0.0/14;
    218.56.0.0/14;
    218.60.0.0/15;
    218.67.128.0/17;
    218.68.0.0/15;
    218.104.0.0/14;
    219.154.0.0/15;
    219.156.0.0/15;
    219.158.0.0/17;
    219.158.128.0/17;
    219.159.0.0/18;
    220.252.0.0/16;
    221.0.0.0/15;
    221.2.0.0/16;
    221.3.0.0/17;
    221.3.128.0/17;
    221.4.0.0/16;
    221.5.0.0/17;
    221.5.128.0/17;
    221.6.0.0/16;
    221.7.0.0/19;
    221.7.32.0/19;
    221.7.64.0/19;
    221.7.96.0/19;
    221.8.0.0/15;
    221.10.0.0/16;
    221.11.0.0/17;
    221.11.128.0/18;
    221.11.192.0/19;
    221.12.0.0/17;
    221.12.128.0/18;
    221.13.0.0/18;
    221.13.64.0/19;
    221.13.96.0/19;
    221.13.128.0/17;
    221.14.0.0/15;
    221.192.0.0/15;
    221.194.0.0/16;
    221.195.0.0/16;
    221.196.0.0/15;
    221.198.0.0/16;
    221.199.0.0/19;
    221.199.32.0/20;
    221.199.128.0/18;
    221.199.192.0/20;
    221.200.0.0/14;
    221.204.0.0/15;
    221.206.0.0/16;
    221.207.0.0/18;
    221.207.64.0/18;
    221.207.128.0/17;
    221.208.0.0/14;
    221.212.0.0/16;
    221.213.0.0/16;
    221.216.0.0/13;
    222.128.0.0/14;
    222.132.0.0/14;
    222.136.0.0/13;
    222.160.0.0/15;
    222.162.0.0/16;
    222.163.0.0/19;};
    view "CNC" { // uses BIND 9's view feature, which returns different IPs to different sets of clients.
    match-clients {"cncip";125.42.176.199;};
    recursion yes;
    zone "." IN {
    type hint;
    file "named.ca";
    };

    zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
    };

    zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
    };

    zone "255.in-addr.arpa" IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
    type master;
    file "named.zero";
    allow-update { none; };
    };
    zone "xxpost.com" IN { // add the forward zone
    type master;
    file "xxpost.com.cnc.hosts";
    # allow-transfer {125.42.176.199;};
    forwarders{ };
    };
    zone "176.42.125.in-addr.arpa" IN { // add the reverse zone.
    type master;
    file "xxpost.com.cnc.local";
    };
    include "/etc/rndc.key";
    };
    view "OTHERS" { // create the access list.
    match-clients { any; };
    recursion no;
    zone "." IN {
    type hint;
    file "named.ca";
    };

    zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
    };

    zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
    };

    zone "255.in-addr.arpa" IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
    type master;
    file "named.zero";
    allow-update { none; };
    };
    zone "xxpost.com" IN { // add the forward zone
    type master;
    file "xxpost.com.hosts";
    # allow-transfer {219.150.222.36;};
    };
    zone "222.150.219.in-addr.arpa" IN { // add the reverse zone.
    type master;
    file "xxpost.com.local";
    };
    include "/etc/rndc.key";
    };
    Create the forward and reverse zone files for the CNC (网通) line
    xxpost.com.cnc.hosts is the forward zone file for the CNC line
    [root@xxpost named]# vi xxpost.com.cnc.hosts

    $TTL 86400
    @ IN SOA xxpost.com. admin.xxpost.com.(
    2007062012
    3H
    15M
    1W
    1D)
    @ IN NS dns1.xxpost.com.
    IN A 125.42.176.199
    dns1 IN A 125.42.176.199
    www IN CNAME dns1.xxpost.com.
    mail IN CNAME dns1.xxpost.com.
    ftp IN CNAME dns1.xxpost.com.
    dns IN CNAME dns1.xxpost.com.
    xxpost.com.cnc.local is the reverse zone file for the CNC line
    [root@xxpost named]# vi xxpost.com.cnc.local

    $TTL 86400
    @ IN SOA xxpost.com. admin.xxpost.com.(
    20070622;
    28800;
    14400;
    3600000;
    86400);
    IN NS dns1.xxpost.com.
    10 IN PTR dns1.xxpost.com.
    10 IN PTR www.xxpost.com.
    10 IN PTR mail.xxpost.com.
    10 IN PTR ftp.xxpost.com.
    100 IN PTR dns.xxpost.com.
    Create the forward and reverse zone files for the CTC (电信) line
    xxpost.com.hosts is the forward zone file for the CTC line
    [root@xxpost named]# vi xxpost.com.hosts

    $TTL 86400
    @ IN SOA xxpost.com. admin.xxpost.com.(
    2007062013
    3H
    15M
    1W
    1D)
    @ IN NS dns2.xxpost.com.
    IN A 219.150.222.36
    dns2 IN A 219.150.222.36
    www IN CNAME dns2.xxpost.com.
    mail IN CNAME dns2.xxpost.com.
    ftp IN CNAME dns2.xxpost.com.
    dns IN CNAME dns2.xxpost.com.
    xxpost.com.local is the reverse zone file for the CTC line
    [root@xxpost named]# vi xxpost.com.local
    $TTL 86400
    @ IN SOA xxpost.com. admin.xxpost.com.(
    20070621;
    28800;
    14400;
    3600000;
    86400);
    IN NS dns2.xxpost.com.
    10 IN PTR dns2.xxpost.com.
    10 IN PTR www.xxpost.com.
    10 IN PTR mail.xxpost.com.
    10 IN PTR ftp.xxpost.com.
    100 IN PTR dns.xxpost.com.
    Restart the DNS service, or reload the zone data:
    # /etc/init.d/named stop
    # /etc/init.d/named start

    # /etc/init.d/named restart

    # /etc/init.d/named reload
    Test name lookups:
    [root@xxpost named]# nslookup
    > server
    Default server: xxpost.com
    Address: 125.42.176.199#53
    Default server: guangdian.xxpost.com
    Address: 219.150.222.33#53
    Default server: wangtong.xxpost.com
    Address: 125.42.176.193#53
    > www.xxpost.com
    Server: xxpost.com
    Address: 125.42.176.199#53

    www.xxpost.com canonical name = dns1.xxpost.com.
    Name: dns1.xxpost.com
    Address: 125.42.176.199
    > 125.42.176.199
    Server: xxpost.com
    Address: 125.42.176.199#53

    ** server can't find 199.176.42.125.in-addr.arpa: NXDOMAIN
    The test was not entirely successful; moreover, for CNC users elsewhere to reach the web site quickly, their DNS has to be changed to this server's address.
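Two things in the configuration above are worth seeing in code: how BIND picks a view (the first view, in file order, whose match-clients list contains the querying address), which is what makes www.xxpost.com resolve to the CNC address for CNC clients and to the CTC address for everyone else; and why the reverse lookup of 125.42.176.199 ended in NXDOMAIN, which is that xxpost.com.cnc.local only has PTR records at the labels 10 and 100, so nothing answers for 199. This added example (not part of the post or of BIND) models both; the ACL is a constructed subset of the "cncip" list, and the per-view answers follow the two zone files.

```python
"""View selection by client address, and a forward/reverse consistency check.

Added example; not part of the post or of BIND. CNC_ACL is a constructed
subset of the "cncip" acl; the per-view answers for www.xxpost.com follow the
CNAME-to-dns1/dns2 entries in the two zone files.
"""
import ipaddress

CNC_ACL = ["58.16.0.0/16", "58.17.0.0/17", "202.106.0.0/16", "125.42.176.199"]  # subset
VIEWS = [  # (name, match-clients, address answered for www.xxpost.com), in file order
    ("CNC", CNC_ACL, "125.42.176.199"),            # CNC line address (xxpost.com.cnc.hosts)
    ("OTHERS", ["0.0.0.0/0"], "219.150.222.36"),   # "any": CTC line address (xxpost.com.hosts)
]


def in_acl(client_ip, acl):
    """True if client_ip falls inside any prefix (or single address) of the acl."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in acl)


def select_view(client_ip, views=VIEWS):
    """BIND tries views in file order; the first match-clients hit wins."""
    for name, acl, _ in views:
        if in_acl(client_ip, acl):
            return name
    raise LookupError("no view matches")


def answer_www(client_ip, views=VIEWS):
    """Address a client at client_ip receives for www.xxpost.com."""
    name = select_view(client_ip, views)
    return next(addr for view_name, _, addr in views if view_name == name)


def ptr_owner(ip, reverse_zone):
    """Owner label of ip's PTR record relative to reverse_zone, e.g.
    125.42.176.199 in 176.42.125.in-addr.arpa -> '199'; None when the
    address lies outside that zone."""
    full = ipaddress.ip_address(ip).reverse_pointer  # '199.176.42.125.in-addr.arpa'
    suffix = "." + reverse_zone
    return full[:-len(suffix)] if full.endswith(suffix) else None


def addresses_without_ptr(a_records, ptr_labels, reverse_zone):
    """A-record addresses for which the reverse zone holds no PTR at the
    matching owner label; a reverse lookup of these answers NXDOMAIN."""
    return [ip for ip in a_records if ptr_owner(ip, reverse_zone) not in ptr_labels]


if __name__ == "__main__":
    print("58.16.1.1 gets", answer_www("58.16.1.1"), "via view", select_view("58.16.1.1"))
    print("8.8.8.8 gets", answer_www("8.8.8.8"), "via view", select_view("8.8.8.8"))
    # The CNC reverse zone above has PTRs only at labels 10 and 100.
    print("no PTR:", addresses_without_ptr(["125.42.176.199"], {"10", "100"}, "176.42.125.in-addr.arpa"))
```

`addresses_without_ptr` run against the A record in xxpost.com.cnc.hosts and the PTR labels in xxpost.com.cnc.local returns 125.42.176.199, which is precisely the name nslookup could not find; a PTR at label 199 would close the gap. Note that the views in the post also match the server's own address 125.42.176.199 into the CNC view, which is why CNC_ACL carries it as a single address.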

  4. 东方鹗 posted on 2007-09-25 21:13:10:

    A Linux server implementing a dual-ISP routing policy, part 3

    3. Bonding ETH3 and ETH4

    Dual-NIC bonding turns two network cards into one virtual card. The aggregated device looks like a single Ethernet interface; put simply, two cards share the same IP address and are linked in parallel to work as one logical link. The technique has long existed on Sun and Cisco equipment, where it is called trunking and EtherChannel; the Linux 2.4.x/2.6.x kernels adopted it under the name bonding. Let us look at how bonding works, which starts with the NIC's promiscuous (promisc) mode. Normally a NIC only accepts Ethernet frames whose destination hardware address (MAC address) is its own and drops all others, to reduce the driver's load. But a NIC also supports promiscuous mode, in which it receives every frame on the network; tcpdump, for example, runs in this mode. Bonding also runs in this mode: it changes the MAC address in the driver so that both cards have the same MAC and accept frames for that MAC, and then hands the frames to the bond driver for processing. See the Red Hat documentation on bonding for details.

    Prerequisites for bonding: the chipsets must be the same model, and each NIC should have its own BIOS chip.

    1. Create the virtual interface's configuration file and assign the IP address

    vi /etc/sysconfig/network-scripts/ifcfg-bond0

    [root@***** root]# cp /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-bond0

    2. Edit ifcfg-bond0

    Change the first line to DEVICE=bond0

    # cat ifcfg-bond0
    DEVICE=bond0
    BOOTPROTO=static
    IPADDR=192.168.0.1
    NETMASK=255.255.255.0
    BROADCAST=192.168.0.254
    ONBOOT=yes
    TYPE=Ethernet

    Note: do not give the individual NICs an IP address, netmask or NIC ID; put that information on the virtual (bonding) adapter only.

    [root@***** network-scripts]# cat ifcfg-eth0
    DEVICE=eth0
    ONBOOT=yes

    [root@***** network-scripts]# cat ifcfg-eth1
    DEVICE=eth1
    ONBOOT=yes

    3. Edit /etc/modules.conf

    Edit /etc/modules.conf and add the following lines so that the bonding module is loaded at boot and the virtual network interface is presented as bond0.

    Add these two lines:

    alias bond0 bonding
    options bond0 miimon=100 mode=0

    Explanation: miimon is for link monitoring. For example, with miimon=100 the system checks the link state every 100 ms, and if one link is down it switches to the other. mode sets the working mode; there are four modes, 0, 1, 2 and 3, of which 0 and 1 are the commonly used ones.

    mode=0, load balancing (round-robin): both NICs carry traffic.

    mode=1, fault-tolerance (active-backup): provides redundancy in an active/standby arrangement, i.e. by default only one NIC carries traffic and the other is the backup.

    Bonding can only monitor the link between the host and the switch. If only the switch's uplink goes down while the switch itself is fine, bonding will consider the link healthy and keep using it.

    4. Edit /etc/rc.d/rc.local

    Add two lines:

    ifenslave bond0 eth0 eth1
    route add -net 192.168.0.0 netmask 255.255.255.0 bond0   # network address must match the netmask

    The configuration is now complete; reboot the machine.

    If you see the following messages on reboot, the configuration succeeded:

    ................
    Bringing up interface bond0 OK
    Bringing up interface eth0 OK
    Bringing up interface eth1 OK
    ................

    Looking at bond0's status gives a detailed view of how bonding is working:

    [root@***** bonding]# cat /proc/net/bonding/bond0
    bonding.c:v2.4.1 (September 15, 2003)

    Bonding Mode: load balancing (round-robin)
    MII Status: up
    MII Polling Interval (ms): 0
    Up Delay (ms): 0
    Down Delay (ms): 0
    Multicast Mode: all slaves

    Slave Interface: eth1
    MII Status: up
    Link Failure Count: 0
    Permanent HW addr: 00:0e:7f:25:d9:8a

    Slave Interface: eth0
    MII Status: up
    Link Failure Count: 0
    Permanent HW addr: 00:0e:7f:25:d9:8b

    Bonding now works too. I use mode 0 for load balancing, but when one of the NICs fails the whole bond stops communicating. The NIC failure is mainly caused by an interrupt conflict, and so far I have no solution for it.
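The /proc/net/bonding/bond0 output is the place to look when a bond keeps sending traffic over a dead slave, as described above. Notice that the status shown reports "MII Polling Interval (ms): 0" even though modules.conf asked for miimon=100; with an interval of 0 the driver never polls link state, so a failed NIC is never taken out of a round-robin bond. This added example (not part of the post or of the kernel bonding driver) parses that file format and flags exactly those conditions. The sample text is constructed in the shape of the output above, with eth1 marked down to exercise the failure case.

```python
"""Parse /proc/net/bonding/bond0 and flag the conditions that leave a bond
carrying traffic over a dead slave.

Added example; not part of the post or of the kernel bonding driver. The
sample text is constructed in the shape of the output shown above, with eth1
marked down to exercise the failure case.
"""

SAMPLE = """\
bonding.c:v2.4.1 (September 15, 2003)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Multicast Mode: all slaves

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:0e:7f:25:d9:8a

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0e:7f:25:d9:8b
"""


def parse_bond_status(text):
    """Split the 'Key: value' lines into the bond-level block and one dict per
    slave (a new slave starts at each 'Slave Interface:' line)."""
    bond, slaves, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("bonding.c") or ":" not in line:
            continue  # version banner and blank separator lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Slave Interface":
            current = {key: value}
            slaves.append(current)
        elif current is None:
            bond[key] = value
        else:
            current[key] = value
    return {"bond": bond, "slaves": slaves}


def bond_health(status):
    """Return (ok, problems). Problems: a polling interval of 0 (link state is
    never checked, so a dead NIC stays in a round-robin bond), any slave whose
    MII status is not 'up', and any non-zero link failure count."""
    problems = []
    if int(status["bond"].get("MII Polling Interval (ms)", "0")) == 0:
        problems.append("miimon is 0: link failures will not be detected")
    for slave in status["slaves"]:
        name = slave["Slave Interface"]
        if slave.get("MII Status") != "up":
            problems.append(f"{name}: MII status {slave.get('MII Status')}")
        failures = int(slave.get("Link Failure Count", "0"))
        if failures:
            problems.append(f"{name}: {failures} link failure(s) recorded")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = bond_health(parse_bond_status(SAMPLE))
    print("OK" if ok else "\n".join(problems))
```

Fed the output from the post instead of the constructed sample, the check's only finding would be the zero polling interval, which is worth confirming before blaming the hardware for the behaviour the post describes.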

  5. 东方鹗 posted on 2007-09-25 21:11:30:

    A Linux server implementing a dual-ISP routing policy, part 2

    2. Binding internal IP addresses

    Create a new file:

    vi /etc/ethers

    ……
    192.168.0.4 aa:aa:aa:aa:aa:aa  # bind a fake MAC address so that nobody can use this IP
    192.168.0.5 00:10:22:04:86:3B  # bind the real MAC address so that nobody else can grab this IP
    …..

    Then run: arp -f /etc/ethers

    Commonly used commands:

    Show the iptables rules:
    iptables -t nat -L -n

    Show the NAT connection-tracking table:
    cat -n /proc/net/ip_conntrack

    Show the routes:
    ip route

    Show the rules:
    ip rule

    Here, the gateway's MAC address cannot be bound in the ethers file, and the effect of binding this way is not very noticeable. It would be best to also bind the gateway's and the local MAC addresses on the client machines, but the workload of binding every client is too great, so another approach is needed.
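Static ethers bindings only fix what this server believes; they do not reveal when another host starts answering ARP for a bound address. A way to see that is to compare the ethers file with the ARP replies observed on the LAN, which is what this added example does (it is not part of the post). The ethers contents follow the post; the tcpdump-style reply lines and the MAC 00:11:22:33:44:55 are constructed to stand in for an unexpected host.

```python
"""Detect IP/MAC mismatches by comparing /etc/ethers bindings with the ARP
replies seen on the wire.

Added example; not part of the post. The ethers contents follow the post;
the tcpdump-style lines are constructed, and 00:11:22:33:44:55 is a made-up
MAC standing in for an unexpected host.
"""
import re

ETHERS = """\
192.168.0.4 aa:aa:aa:aa:aa:aa  # placeholder MAC: nobody should ever answer for this IP
192.168.0.5 00:10:22:04:86:3B  # real MAC of the workstation that owns this IP
"""

# Constructed lines in the shape of `tcpdump -n -i eth3 arp` output.
ARP_REPLIES = """\
10:00:01.000001 ARP, Reply 192.168.0.5 is-at 00:10:22:04:86:3b, length 28
10:00:02.000002 ARP, Request who-has 192.168.0.1 tell 192.168.0.7, length 28
10:00:03.000003 ARP, Reply 192.168.0.5 is-at 00:11:22:33:44:55, length 28
10:00:04.000004 ARP, Reply 192.168.0.4 is-at 00:11:22:33:44:55, length 28
10:00:05.000005 ARP, Reply 192.168.0.9 is-at 00:10:22:04:86:3c, length 28
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at (" + MAC + r")", re.I)


def parse_ethers(text):
    """Return {ip: mac} from /etc/ethers; MACs lower-cased, '#' comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, mac = line.split()[:2]
            table[ip] = mac.lower()
    return table


def arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests carry no sender MAC
    in this output form and are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_conflicts(ethers, replies):
    """Return {ip: sorted offending MACs} for bound IPs claimed by a MAC other
    than the bound one. IPs not listed in ethers are not reported."""
    conflicts = {}
    for ip, mac in replies:
        bound = ethers.get(ip)
        if bound is not None and mac != bound:
            conflicts.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


if __name__ == "__main__":
    for ip, macs in find_conflicts(parse_ethers(ETHERS), arp_replies(ARP_REPLIES)).items():
        print(f"{ip} bound to {parse_ethers(ETHERS)[ip]} but claimed by {', '.join(macs)}")
```

Because 192.168.0.4 is bound to a placeholder MAC, any reply for it is by definition a conflict, which makes the placeholder trick from the post double as a tripwire; 192.168.0.9 is not in ethers and so is ignored.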

  6. 东方鹗 posted on 2007-09-25 21:08:17:

    A Linux server implementing a dual-ISP routing policy, part 1

    1. Dual-ISP routing policy

    Traffic splitting

    Let us first define some names. Call the first NIC eth1 and the second eth2; set NIC 1's IP address to 219.150.222.36 (assigned by CTC) and NIC 2's to 125.42.176.199 (assigned by CNC); the ISP1 (CTC, 电信) gateway is 219.150.222.33 and the ISP2 (CNC, 网通) gateway is 125.42.176.193; finally, ISP1's network is 219.150.222.32/27 and ISP2's is 125.42.176.192/27.

    Create two extra routing tables, 50 and 51, by adding them to /etc/iproute2/rt_tables. Then set up the routes in the two tables as follows:

    ip route add 219.150.222.32/27 dev eth1 src 219.150.222.36 table 50
    ip route add default via 219.150.222.33 table 50

    ip route add 125.42.176.192/27 dev eth2 src 125.42.176.199 table 51
    ip route add default via 125.42.176.193 table 51

    Host settings

    Configure the following files:

    wan1.conf:
    interface=eth0
    ipaddr=219.150.222.36
    gateway=219.150.222.33
    network=219.150.222.32/27
    routefile=/etc/quick/IP_CTC.list   (CTC address blocks)

    This configures ETH0 for the CTC link.

    wan2.conf:
    interface=eth1
    ipaddr=125.42.176.199
    gateway=125.42.176.193
    network=125.42.176.192/27
    routefile=/etc/quick/IP_CNC.list   (CNC address blocks)

    This configures ETH1 for the CNC link.

    routefile= is followed by the route-table file for that line. IP_CNC.list and IP_CTC.list both live in /etc/quick; IP_CNC.list is the CNC route-table file and IP_CTC.list the CTC one.

    IP_CTC.list contains:

    58.32.0.0/13

    58.40.0.0/15

    58.42.0.0/16

    58.43.0.0/16

    58.44.0.0/14

    58.48.0.0/13

    58.56.0.0/14

    58.60.0.0/14

    58.208.0.0/12

    59.32.0.0/13

    59.40.0.0/15

    59.42.0.0/16

    59.43.0.0/16

    59.44.0.0/14

    59.48.0.0/16

    59.49.0.0/17

    59.49.128.0/17

    59.50.0.0/16

    59.51.0.0/17

    59.51.128.0/17

    59.52.0.0/14

    59.56.0.0/14

    59.60.0.0/15

    59.62.0.0/15

    60.160.0.0/15

    60.162.0.0/15

    60.164.0.0/15

    60.166.0.0/15

    60.168.0.0/13

    60.176.0.0/12

    61.130.0.0/15

    61.132.0.0/15

    61.134.0.0/18

    61.134.64.0/19

    61.136.128.0/17

    61.137.0.0/17

    61.138.192.0/18

    61.139.0.0/17

    61.139.192.0/18

    61.140.0.0/14

    61.144.0.0/14

    61.150.0.0/15

    61.152.0.0/14

    61.157.0.0/16

    61.159.64.0/18

    61.159.128.0/17

    61.160.0.0/16

    61.161.64.0/18

    61.164.0.0/15

    61.166.0.0/16

    61.169.0.0/16

    61.170.0.0/15

    61.172.0.0/14

    61.177.0.0/16

    61.178.0.0/16

    61.180.0.0/17

    61.183.0.0/16

    61.184.0.0/14

    61.188.0.0/16

    61.189.128.0/17

    61.190.0.0/15

    124.72.0.0/16

    124.73.0.0/16

    124.74.0.0/15

    124.76.0.0/14

    124.112.0.0/15

    125.64.0.0/13

    125.72.0.0/16

    125.73.0.0/16

    125.74.0.0/15

    125.76.0.0/17

    125.77.0.0/16

    125.78.0.0/15

    125.80.0.0/13

    125.88.0.0/13

    125.104.0.0/13

    125.112.0.0/12

    202.96.96.0/21
    202.96.104.0/21
    202.96.112.0/20
    202.96.128.0/21
    202.96.136.0/21
    202.96.144.0/20
    202.96.160.0/21
    202.96.168.0/21
    202.96.176.0/20
    202.96.192.0/16
    202.97.0.0/19
    202.97.32.0/19
    202.97.64.0/19
    202.97.96.0/19
    202.98.32.0/19
    202.98.64.0/19
    202.98.96.0/21
    202.98.104.0/21
    202.98.112.0/20
    202.98.128.0/19
    202.98.160.0/19
    202.98.192.0/19
    202.98.224.0/19
    202.99.192.0/19
    202.100.96.0/19
    202.100.128.0/19
    202.100.160.0/19
    202.100.192.0/18
    202.101.0.0/18
    202.101.64.0/19
    202.101.96.0/19
    202.101.128.0/18
    202.101.192.0/18
    202.102.0.0/17
    202.103.0.0/16
    202.104.0.0/15
    202.107.128.0/17
    202.109.0.0/16
    202.110.128.0/18
    202.111.0.0/17
    218.0.0.0/14
    218.4.0.0/15
    218.6.0.0/16
    218.13.0.0/16
    218.14.0.0/15
    218.16.0.0/15
    218.18.0.0/16
    218.19.0.0/16
    218.20.0.0/16
    218.21.0.0/17
    218.22.0.0/15
    218.31.0.0/16
    218.32.0.0/16
    218.62.128.0/17
    218.63.0.0/16
    218.64.0.0/15
    218.66.0.0/16
    218.67.0.0/17
    218.70.0.0/15
    218.72.0.0/15
    218.74.0.0/16
    218.75.0.0/16
    218.76.0.0/16
    218.77.0.0/16
    218.78.0.0/15
    218.80.0.0/12
    219.128.0.0/12
    219.144.0.0/13
    219.152.0.0/15
    219.159.64.0/18
    219.159.128.0/17
    220.160.0.0/11
    221.224.0.0/13
    221.232.0.0/14
    221.236.0.0/15
    221.238.0.0/16
    221.239.0.0/17
    221.239.128.0/17
    222.64.0.0/13
    222.72.0.0/15
    222.74.0.0/16
    222.75.0.0/16
    222.76.0.0/14
    222.80.0.0/15
    222.82.0.0/16
    222.83.0.0/17
    222.83.128.0/17
    222.84.0.0/16
    222.85.0.0/17
    222.85.128.0/17
    222.86.0.0/15
    222.88.0.0/15
    222.90.0.0/15
    222.92.0.0/14
    222.168.0.0/15
    222.170.0.0/16
    222.171.0.0/16
    222.172.0.0/17
    222.172.128.0/17
    222.173.0.0/16
    222.174.0.0/15
    222.176.0.0/13
    222.184.0.0/13
    222.208.0.0/13
    222.216.0.0/15
    222.218.0.0/16
    222.219.0.0/16
    222.220.0.0/15
    222.222.0.0/15
    222.240.0.0/13

    The contents of IP_CNC.list are as follows:

    58.16.0.0/16
    58.17.0.0/17
    58.17.128.0/17
    58.18.0.0/16
    58.19.0.0/16
    58.20.0.0/16
    58.22.0.0/15
    58.240.0.0/15
    58.242.0.0/15
    58.246.0.0/15
    58.248.0.0/13
    60.0.0.0/13
    60.8.0.0/15
    60.10.0.0/16
    60.11.0.0/16
    60.12.0.0/16
    60.13.0.0/18
    60.13.128.0/17
    60.14.0.0/15
    60.16.0.0/13
    60.24.0.0/14
    60.28.0.0/15
    60.30.0.0/16
    60.31.0.0/16
    60.208.0.0/13
    60.216.0.0/15
    60.218.0.0/15
    60.220.0.0/14
    61.48.0.0/13
    61.133.0.0/17
    61.134.96.0/19
    61.134.128.0/17
    61.135.0.0/16
    61.137.128.0/17
    61.138.0.0/17
    61.138.128.0/18
    61.139.128.0/18
    61.148.0.0/15
    61.156.0.0/16
    61.159.0.0/18
    61.161.0.0/18
    61.161.128.0/17
    61.162.0.0/16
    61.163.0.0/16
    61.167.0.0/16
    61.168.0.0/16
    61.176.0.0/16
    61.179.0.0/16
    61.181.0.0/16
    61.182.0.0/16
    61.189.0.0/17
    202.96.0.0/18
    202.96.64.0/21
    202.96.72.0/21
    202.97.128.0/18
    202.97.224.0/21
    202.97.240.0/20
    202.98.0.0/21
    202.98.8.0/21
    202.99.64.0/19
    202.99.96.0/21
    202.99.128.0/19
    202.99.160.0/21
    202.99.168.0/21
    202.99.176.0/20
    202.99.208.0/20
    202.99.224.0/21
    202.99.232.0/21
    202.99.240.0/20
    202.102.128.0/21
    202.102.224.0/21
    202.102.232.0/21
    202.106.0.0/16
    202.107.0.0/17
    202.108.0.0/16
    202.110.0.0/17
    202.111.128.0/18
    203.93.8.0/24
    203.93.192.0/18
    210.13.128.0/17
    210.14.160.0/19
    210.14.192.0/19
    210.15.32.0/19
    210.15.96.0/19
    210.15.128.0/18
    210.21.0.0/16
    210.52.128.0/17
    210.53.0.0/17
    210.53.128.0/17
    210.74.96.0/19
    210.74.128.0/19
    210.82.0.0/15
    218.8.0.0/14
    218.12.0.0/16
    218.21.128.0/17
    218.24.0.0/14
    218.56.0.0/14
    218.60.0.0/15
    218.67.128.0/17
    218.68.0.0/15
    218.104.0.0/14
    219.154.0.0/15
    219.156.0.0/15
    219.158.0.0/17
    219.158.128.0/17
    219.159.0.0/18
    220.252.0.0/16
    221.0.0.0/15
    221.2.0.0/16
    221.3.0.0/17
    221.3.128.0/17
    221.4.0.0/16
    221.5.0.0/17
    221.5.128.0/17
    221.6.0.0/16
    221.7.0.0/19
    221.7.32.0/19
    221.7.64.0/19
    221.7.96.0/19
    221.8.0.0/15
    221.10.0.0/16
    221.11.0.0/17
    221.11.128.0/18
    221.11.192.0/19
    221.12.0.0/17
    221.12.128.0/18
    221.13.0.0/18
    221.13.64.0/19
    221.13.96.0/19
    221.13.128.0/17
    221.14.0.0/15
    221.192.0.0/15
    221.194.0.0/16
    221.195.0.0/16
    221.196.0.0/15
    221.198.0.0/16
    221.199.0.0/19
    221.199.32.0/20
    221.199.128.0/18
    221.199.192.0/20
    221.200.0.0/14
    221.204.0.0/15
    221.206.0.0/16
    221.207.0.0/18
    221.207.64.0/18
    221.207.128.0/17
    221.208.0.0/14
    221.212.0.0/16
    221.213.0.0/16
    221.216.0.0/13
    222.128.0.0/14
    222.132.0.0/14
    222.136.0.0/13
    222.160.0.0/15
    222.162.0.0/16
    222.163.0.0/19

    The script file /root/cdkcm has the following contents:

    #!/bin/bash
    # Load the helper functions (wan_cdk / del_wan_cdk)
    . /root/hs
    RETVAL=0

    start() {
        if [ -f "/root/wan1.cong" ] # load the configuration for NIC 0
        then
            . /root/wan1.cong
            tab=50
            wan_cdk
        fi
        if [ -f "/root/wan2.cong" ] # load the configuration for NIC 1
        then
            . /root/wan2.cong
            tab=51
            wan_cdk
        fi
        ip route flush cache
        return $RETVAL
    }

    stop() {
        if [ -f "/root/wan1.cong" ]
        then
            . /root/wan1.cong
            tab=50
            del_wan_cdk
        fi

        if [ -f "/root/wan2.cong" ]
        then
            . /root/wan2.cong
            tab=51
            del_wan_cdk
        fi

        ip route flush cache
        return $RETVAL
    }

    # See how we were called.
    case "$1" in
        start)
            start
            RETVAL=$?
            ;;
        stop)
            stop
            RETVAL=$?
            ;;
        restart)
            stop
            start
            RETVAL=$?
            ;;
        *)
            echo $"Usage: $0 {start|stop|restart}"
            exit 1
    esac

    exit $RETVAL

    Contents of /root/hs (the file that holds the functions):

    # wan_cdk: populate routing table $tab for one ISP link and add the policy
    # rules that send traffic to it. ${network}, ${interface}, ${ipaddr},
    # ${gateway} and ${routefile} come from the wan1.cong / wan2.cong file
    # sourced before the call; $tab is set by the caller.
    wan_cdk() {
        ip route add ${network} dev ${interface} src ${ipaddr} table $tab
        ip route add default via ${gateway} dev ${interface} table $tab
        # traffic sourced from this link's own address uses this link
        ip rule add from ${ipaddr} table $tab
        # traffic to every prefix listed in ${routefile} also uses this link
        for cc in `/bin/cat ${routefile}`; do
            ip rule add from all to $cc table $tab
        done
    }

    # del_wan_cdk: undo wan_cdk in reverse order (rules first, then routes)
    del_wan_cdk() {
        ip rule del from ${ipaddr} table $tab
        for cc in `/bin/cat ${routefile}`; do
            ip rule del from all to $cc table $tab
        done
        ip route del ${network} dev ${interface} src ${ipaddr} table $tab
        ip route del default via ${gateway} dev ${interface} table $tab
    }

    hs is mainly used to load the routing tables, which implements the traffic splitting.
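    Every line of the two prefix lists above ends up as its own `ip rule add from all to $cc table $tab` inside the loop in wan_cdk, so one malformed line stops the loop half-way, a prefix whose host bits are not zero is silently masked by iproute2, and a prefix present in both lists gets two conflicting rules. The following is an added example, not code from the article, that checks the lists before /root/cdkcm loads them: it validates each CIDR entry and reports prefixes that overlap between the two files. The file name IP_TELECOM.list is a placeholder for the first list; the sample lists written by make_sample_lists are constructed from a few entries above plus one deliberately overlapping and one deliberately misaligned entry.

```shell
#!/bin/bash
# Added example: sanity-check the CIDR lists that /root/hs feeds into
# `ip rule add from all to $cc table $tab`. Requires bash (64-bit
# arithmetic, [[ =~ ]]); awk/sort are not needed.

# ip2int A.B.C.D -> 32-bit integer. 10# forces decimal so "010" is not octal.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
}

# prefix_mask N -> netmask of a /N as an integer (/0 handled without a 32-bit shift)
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0; return; fi
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# valid_cidr A.B.C.D/N -> 0 if well-formed: four octets 0-255, N 0-32 and all
# host bits zero (e.g. a /21 must start on a multiple of 8 in the third octet)
valid_cidr() {
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' ip plen o addr mask
    [[ $1 =~ $re ]] || return 1
    ip=${1%/*}; plen=${1#*/}
    [ "$plen" -le 32 ] || return 1
    for o in ${ip//./ }; do [ "$o" -le 255 ] || return 1; done
    addr=$(ip2int "$ip"); mask=$(prefix_mask "$plen")
    [ $(( addr & ~mask & 0xFFFFFFFF )) -eq 0 ]
}

# cidr_overlap X Y -> 0 if the two prefixes share at least one address:
# they overlap exactly when they agree under the shorter of the two masks
cidr_overlap() {
    local a1 a2 p1 p2 m
    a1=$(ip2int "${1%/*}"); p1=${1#*/}
    a2=$(ip2int "${2%/*}"); p2=${2#*/}
    if [ "$p1" -lt "$p2" ]; then m=$(prefix_mask "$p1"); else m=$(prefix_mask "$p2"); fi
    [ $(( a1 & m )) -eq $(( a2 & m )) ]
}

# load_list FILE -> one "addr_int prefix cidr" line per valid entry; blank lines
# are skipped and malformed entries are reported on stderr and dropped
load_list() {
    local line
    while read -r line; do
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            echo "$(ip2int "${line%/*}") ${line#*/} $line"
        else
            echo "invalid entry in $1: $line" >&2
        fi
    done < "$1"
}

# find_overlaps FILE1 FILE2 -> prints "X overlaps Y" for every cross-list overlap
find_overlaps() {
    local l1 l2 a p c a2 p2 c2 m
    l1=$(load_list "$1"); l2=$(load_list "$2")
    while read -r a p c; do
        [ -z "$c" ] && continue
        while read -r a2 p2 c2; do
            [ -z "$c2" ] && continue
            if [ "$p" -lt "$p2" ]; then m=$(prefix_mask "$p"); else m=$(prefix_mask "$p2"); fi
            [ $(( a & m )) -eq $(( a2 & m )) ] && echo "$c overlaps $c2"
        done <<< "$l2"
    done <<< "$l1"
}

# make_sample_lists DIR: constructed sample lists (three real entries from the
# article each, plus a deliberately overlapping 218.85.0.0/16 and a deliberately
# misaligned 202.96.97.0/21 in the CNC file). IP_TELECOM.list is a placeholder name.
make_sample_lists() {
    printf '%s\n' 202.96.96.0/21 218.21.0.0/17 218.80.0.0/12 > "$1/IP_TELECOM.list"
    printf '%s\n' 218.21.128.0/17 218.85.0.0/16 202.96.97.0/21 > "$1/IP_CNC.list"
}

# Demo run: on the real router replace the sample paths with the two list files.
tmp=$(mktemp -d)
make_sample_lists "$tmp"
find_overlaps "$tmp/IP_TELECOM.list" "$tmp/IP_CNC.list"
rm -rf "$tmp"
```

    On the sample data the run reports `invalid entry ...: 202.96.97.0/21` on stderr (the /21 does not start on an 8-block boundary) and `218.80.0.0/12 overlaps 218.85.0.0/16` on stdout. The comparison is quadratic in the list sizes, which is acceptable for the few hundred prefixes used here; run it once after editing the lists rather than on every restart.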

    Load balancing

    The second problem is how to load-balance the outgoing traffic across the two ISPs. If you have already implemented the traffic splitting successfully, this is not hard.

    Instead of choosing one of the two ISPs as the default route, this time the default route is set to a multipath route. With the default kernel this balances routes over the two ISPs. Do it like this (building on the traffic-splitting setup above):

    ip route add default scope global nexthop via 219.150.222.33 dev eth1 weight 30 nexthop via 125.42.176.193 dev eth2 weight 70 (Note: the above is one single command line.)

    This balances the routes over the two ISPs. By adjusting the "weight" parameter we can give one of the ISPs higher priority than the other. (Specifically: line 1 carries about 30% of the traffic and line 2 about 70%.)

    One drawback of load balancing, however, is that when playing online games you often get kicked off: because of the intelligent route selection the line switches frequently, and the game cannot proceed normally. So what I usually do is change the default route to a single one, either China Telecom's (ip route add default via 219.150.222.36) or China Netcom's (ip route add default via 125.42.176.193). This still gives effective access to the websites of the different providers, without your game dropping all the time. Of course, if your default route is currently Telecom's and you use QQ to transfer files with someone on a Netcom network, that will still be slow.

    Set up IP masquerading so that the internal machines are NATed

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 219.150.222.36
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to 125.42.176.199

    Enable forwarding

    echo "1" > /proc/sys/net/ipv4/ip_forward

    Or edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1

    Since RHEL AS4 comes with a firewall, we need to clear the conflicting rules

    A. Clear the existing firewall rules

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    B. Clear the NAT rule settings

    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

    C. Clear the non-default chains in the firewall and NAT tables

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    Save the iptables configuration: /etc/rc.d/init.d/iptables save
    or: service iptables save

    With this, the dual-line policy is in place.

    Take care to clear the existing firewall policy; otherwise it may prevent the NAT function from working.
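    The three steps above (SNAT per WAN interface, ip_forward, and resetting the stock firewall) each fail quietly when one is missed: traffic just stops, or leaves one link with an unrewritten private source address. The following is an added example, not code from the article, that audits the resulting state: it takes the text of `ip route show` and `iptables-save`, lists every device used by a default or multipath nexthop route, checks that each of them has a SNAT (or MASQUERADE) rule in POSTROUTING, and flags that the cleanup sequence leaves the FORWARD policy at ACCEPT, so every LAN host can use both links with no rule at all. The sample route and iptables-save text are constructed (documentation addresses, placeholder devices), with SNAT deliberately present for only one of the two links.

```shell
#!/bin/bash
# Added example: audit NAT/forwarding state on a dual-link router.
# Uses only awk, grep and sort.

# Constructed sample of `ip route show` output (addresses and devices are
# placeholders, not captured from the article's server)
SAMPLE_ROUTES='192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
default
        nexthop via 198.51.100.1 dev eth1 weight 30
        nexthop via 203.0.113.1 dev eth2 weight 70'

# Constructed sample of `iptables-save` output: SNAT exists for eth1 only, and
# the cleanup steps in the text left the filter chain policies at ACCEPT
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 198.51.100.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# nexthop_devs ROUTES -> devices used by "default via ..." or "nexthop via ..." lines
nexthop_devs() {
    printf '%s\n' "$1" | awk '
        /^default via/ || /nexthop via/ {
            for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)
        }' | sort -u
}

# snat_devs SAVE -> output devices of POSTROUTING SNAT/MASQUERADE rules
snat_devs() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ {
            for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1)
        }' | sort -u
}

# check_snat_coverage ROUTES SAVE -> prints each WAN device that carries a
# default route but has no SNAT rule; returns 1 if any was found
check_snat_coverage() {
    local dev rc=0
    for dev in $(nexthop_devs "$1"); do
        if ! snat_devs "$2" | grep -qx "$dev"; then
            echo "missing SNAT for dev $dev"
            rc=1
        fi
    done
    return $rc
}

# check_forward_policy SAVE -> returns 1 when the filter FORWARD policy is
# ACCEPT, i.e. the router forwards everything the LAN sends it
check_forward_policy() {
    if printf '%s\n' "$1" | grep -q '^:FORWARD ACCEPT'; then
        echo "FORWARD policy is ACCEPT; add explicit forwarding rules and set the policy to DROP"
        return 1
    fi
    return 0
}

# check_ip_forward VALUE -> 0 only if VALUE (content of
# /proc/sys/net/ipv4/ip_forward) says forwarding is on
check_ip_forward() {
    [ "$1" = "1" ]
}

# audit ROUTES SAVE IPFWD -> runs all checks; the return code is the number of failures
audit() {
    local fails=0
    check_ip_forward "$3" || { echo "ip_forward is '$3'; packets will not be routed"; fails=$((fails + 1)); }
    check_snat_coverage "$1" "$2" || fails=$((fails + 1))
    check_forward_policy "$2" || fails=$((fails + 1))
    return $fails
}

# Demo against the constructed samples. On a live router run instead:
#   audit "$(ip route show)" "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
audit "$SAMPLE_ROUTES" "$SAMPLE_SAVE" 1
```

    On the sample data the audit prints `missing SNAT for dev eth2` and the FORWARD warning and returns 2. The device cross-check is the useful part for a dual-link box: the multipath route and the SNAT rules are written in separate steps, and a link that forwards traffic without its own SNAT rule sends 192.168.0.x source addresses out to that ISP, where they are dropped.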