Preparation:
1 Enable layer-3 (IP) forwarding
Edit /etc/sysctl.conf and add the following line:
net.ipv4.ip_forward=1
Apply it with:
# sysctl -p
2 Install iptables
# yum -y install iptables-services iptables
I. Internal NAT
In this example the iptables server has the external addresses 192.168.3.54 and 192.168.3.52 and the internal address 192.168.4.1; the internal web server is 192.168.4.54. Both external addresses must actually be configured on the external interface, otherwise the box does not answer ARP for them and the packets the DNAT rules are meant to translate never arrive. The web server's default gateway must be 192.168.4.1, so that its replies return through this box, where conntrack reverses the translation.
Edit /etc/sysconfig/iptables (vi /etc/sysconfig/iptables) so that it contains the following:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.3.54 -j DNAT --to-destination 192.168.4.54
-A PREROUTING -d 192.168.3.52 -p tcp --dport 80 -j DNAT --to 192.168.4.54
-A POSTROUTING -s 192.168.4.54 -j SNAT --to-source 192.168.3.54
#-A PREROUTING -d 192.168.2.88 -j DNAT --to 192.168.3.53
#-A PREROUTING -d 192.168.2.52 -p tcp --dport 80 -j DNAT --to 192.168.3.53
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.4.54/32 -j TCPMSS --set-mss 1356
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The two DNAT rules look alike but are not equivalent:
-A PREROUTING -d 192.168.3.54 -j DNAT --to-destination 192.168.4.54
-A PREROUTING -d 192.168.3.52 -p tcp --dport 80 -j DNAT --to 192.168.4.54
The first has no protocol or port match, so every packet addressed to 192.168.3.54, any protocol and any port, is handed to 192.168.4.54 (--to and --to-destination are the same option). The second forwards only TCP port 80 arriving at 192.168.3.52. If the web service is all that should be reachable from outside, use the port-restricted form for both addresses. The POSTROUTING SNAT rule gives the web server's own outbound connections the 192.168.3.54 source address; the DNATed flows do not need it, because conntrack translates their replies back as long as they return through this box. With the FORWARD policy left at ACCEPT and the catch-all REJECT lines commented out, the box also forwards anything else routed through it, so the FORWARD chain should get explicit ACCEPT rules for the DNATed flows (and for RELATED,ESTABLISHED traffic) followed by the REJECT.
Start the iptables service. Note: CentOS 7's native firewalld must be stopped and disabled first (systemctl stop firewalld; systemctl disable firewalld), otherwise the two services overwrite each other's rules.
# systemctl start iptables
II. Public NAT
Edit /etc/sysconfig/iptables (vi /etc/sysconfig/iptables) so that it contains the following:
iptables configuration:
*nat
:PREROUTING ACCEPT [9:496]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d <anti-DDoS Telecom IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <origin IP>:<origin web port>
-A PREROUTING -d <anti-DDoS Unicom IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <origin IP>:<origin web port>
-A POSTROUTING -p tcp -m tcp --dport <origin web port> -j SNAT --to-source <anti-DDoS Telecom IP>
-A POSTROUTING -p tcp -m tcp --dport <origin web port> -j SNAT --to-source <anti-DDoS Unicom IP>
COMMIT
# Generated by iptables-save v1.4.7 on Wed Feb 22 11:49:17 2017
*filter
:INPUT DROP [79:4799]
:FORWARD ACCEPT [37:2232]
:OUTPUT ACCEPT [150:21620]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s <company datacenter subnet>/24 -p tcp -m multiport --dports 22,10050 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
Three points about this template. The two SNAT rules have identical matches and SNAT is a terminating target, so the second one never fires: every forwarded flow leaves with the Telecom address as its source, whichever public address it arrived on. To tie the return path to the incoming address, match on the connection's original destination, for example -m conntrack --ctorigdst <anti-DDoS Telecom IP> on the first SNAT rule and the Unicom address on the second. The SNAT is what makes the origin server send its replies back to this box instead of straight to the client, but it also means the origin sees this box's address rather than the client's; if the origin needs real client addresses, terminate HTTP here with HAProxy (section III) and pass them in X-Forwarded-For. Finally, with :FORWARD ACCEPT the RST rate-limit rule is a no-op, here and in the production example below: packets over the limit simply fall through to the ACCEPT policy, so it only limits anything if a DROP for the same flags follows it.
A production example follows:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 61.174.253.183 -p tcp --dport 80 -j DNAT --to-destination 14.17.96.72:80
-A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 61.174.253.183
-A PREROUTING -d 61.174.253.183 -p tcp --dport 443 -j DNAT --to-destination 14.17.96.72:443
-A POSTROUTING -p tcp -m tcp --dport 443 -j SNAT --to-source 61.174.253.183
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The INPUT chain of this example is effectively open: the rule -A INPUT -p tcp -m state --state NEW -m tcp -j ACCEPT has no port match, so it accepts every new TCP connection to the NAT box itself and makes the --dport 22 rule above it redundant (the OUTPUT counterpart is harmless). The template's :INPUT DROP with a source-restricted rule for the management ports is the safer shape; at minimum give this rule a --dport list of the ports the box really serves.
III. Reverse proxy
Write /etc/haproxy/haproxy.cfg as follows:
[root@nat haproxy]# vi haproxy.cfg
global
    log 127.0.0.1 local0 info   # log destination and level, one of err warning info debug
    maxconn 4096
    daemon                      # run in the background
    nbproc 1                    # number of processes
    # pidfile /home/admin/haproxy/logs/haproxy.pid

defaults
    log global
    mode http                   # default mode
    option httplog              # HTTP log format
    option dontlognull
    retries 3                   # after three failed attempts the server is considered unavailable
    option redispatch           # if the cookie names a serverId whose server is down and the client keeps the stale cookie, send the request to another healthy server
    maxconn 2000                # default maximum number of connections; under heavy load the longest-queued connections are closed
    timeout connect 5000        # connection timeout
    timeout client 30000        # client timeout
    timeout server 30000        # server timeout

frontend web_in
    mode http
    maxconn 1000
    bind :80
    acl is_a hdr_beg(host) -i www.wangjinxiong.com
    acl is_b hdr_beg(host) -i www.wangfeng.com
    use_backend a_server if is_a
    use_backend b_server if is_b

backend a_server
    mode http                   # HTTP mode
    stats uri /haproxy
    balance roundrobin
    cookie JSESSIONID prefix
    stats hide-version
    option httpclose
    server web1 192.168.6.2:80 check

backend b_server
    mode http                   # HTTP mode
    stats uri /haproxy
    balance roundrobin
    cookie JSESSIONID prefix
    stats hide-version
    option httpclose
    server web1 192.168.6.3:80 check
A few checks on this file before relying on it. cookie is a backend/defaults keyword, not a global one, so it belongs only in the backends as shown; HAProxy refuses to start with it in the global section. contimeout, clitimeout and srvtimeout are only deprecated aliases of timeout connect, timeout client and timeout server, which is the form used above. hdr_beg(host) is a prefix match: a Host header of www.wangjinxiong.com:80 is routed as intended, but so is www.wangjinxiong.com.example; hdr(host) -i www.wangjinxiong.com is an exact match if that matters, and a default_backend (or an http-request deny for unmatched hosts) keeps unknown Host values from getting HAProxy's own 503. stats uri on its own enables nothing; if you add stats enable, protect the page with stats auth, because it lists backend addresses and health. The backends see HAProxy's address as the client, which is the same loss of client IP as with the SNAT in section II; option forwardfor in defaults passes the real address in X-Forwarded-For.
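The following is an added example, not part of the original post or its configuration: a small audit script that reads iptables-save text such as the /etc/sysconfig/iptables files from sections I and II and reports the problems noted there: DNAT rules that forward every port, a SNAT (or any terminating) rule shadowed by an earlier rule that already matches everything it would, INPUT rules that accept new TCP from anywhere on any port, ACCEPT policies with the catch-all REJECT left commented out, and rate-limit rules that limit nothing. It works on the rule text, so it needs neither root nor iptables. The two sample inputs are constructed here: one reproduces the rules of the section II production example (OUTPUT rules and nat chain-policy lines omitted), the other combines the all-ports DNAT from section I with the two SNAT rules of the section II template, its placeholders written as ALLCAPS tokens.

```python
"""Static audit of an iptables-save style file such as /etc/sysconfig/iptables.
Added example for this post, not its original configuration: it reads the rule
text rather than the live tables, so it runs without root or iptables."""
import shlex

ALIASES = {"--destination-port": "--dport", "-s": "--source", "-d": "--destination"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}


def parse_save(text):
    """Return (rules, policies); a rule is a dict with table, chain, match, target, raw.
    '-m' loaders, target options (after -j) and '!' negations are left out of match."""
    rules, policies, table = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = line[1:]
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks, match, target, i = shlex.split(line), {}, None, 2
            while i < len(toks):
                tok = ALIASES.get(toks[i], toks[i])
                # an option takes one value unless the next token is itself an option
                val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else ""
                if tok == "-j":
                    target = val
                elif target is None and tok.startswith("-") and tok != "-m":
                    match[tok] = val   # '!' and a second --tcp-flags value are skipped
                i += 2 if val else 1
            rules.append({"table": table, "chain": toks[1], "match": match, "target": target, "raw": line})
    return rules, policies


def audit(text):
    """Run the checks; return a list of (check, chain, detail) tuples."""
    (rules, policies), chains, out = parse_save(text), {}, []
    for r in rules:
        chains.setdefault((r["table"], r["chain"]), []).append(r)
    for (table, chain), rs in chains.items():
        seen = []
        for idx, r in enumerate(rs):
            m, tgt = r["match"], r["target"]
            # DNAT with no port match hands every port of the inside host to the outside.
            if table == "nat" and tgt == "DNAT" and "--dport" not in m:
                out.append(("dnat_all_ports", chain, r["raw"]))
            # An earlier terminating rule whose options are a subset of this rule's options
            # already matches every packet this rule would, so this rule can never fire.
            if tgt in TERMINATING:
                if any(e["match"].items() <= m.items() for e in seen):
                    out.append(("shadowed_rule", chain, r["raw"]))
                seen.append(r)
            # New TCP/UDP accepted from any source on any port: INPUT is effectively open.
            if (table, chain, tgt) == ("filter", "INPUT", "ACCEPT") and m.get("-p") in ("tcp", "udp") \
                    and not m.keys() & {"--dport", "--dports", "--source", "-i"} \
                    and "ESTABLISHED" not in m.get("--state", ""):
                out.append(("open_input", chain, r["raw"]))
            # '-m limit ... -j ACCEPT' limits nothing unless over-limit packets are dropped later.
            if "--limit" in m and tgt == "ACCEPT" and policies.get((table, chain)) == "ACCEPT" \
                    and not any(x["target"] in ("DROP", "REJECT") for x in rs[idx + 1:]):
                out.append(("noop_rate_limit", chain, r["raw"]))
    # Policy ACCEPT with no catch-all DROP/REJECT (the post leaves those two lines commented out).
    for chain in ("INPUT", "FORWARD"):
        if policies.get(("filter", chain)) == "ACCEPT" and not any(
                r["target"] in ("DROP", "REJECT") and not r["match"] for r in chains.get(("filter", chain), [])):
            out.append(("no_default_deny", chain, "policy ACCEPT with no final DROP/REJECT rule"))
    return out


# Constructed input: the rules of the post's section II production example
# (OUTPUT rules and nat chain-policy lines omitted; the checks do not use them).
PRODUCTION = """\
*nat
-A PREROUTING -d 61.174.253.183 -p tcp --dport 80 -j DNAT --to-destination 14.17.96.72:80
-A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 61.174.253.183
-A PREROUTING -d 61.174.253.183 -p tcp --dport 443 -j DNAT --to-destination 14.17.96.72:443
-A POSTROUTING -p tcp -m tcp --dport 443 -j SNAT --to-source 61.174.253.183
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
"""

# Constructed input: the all-ports DNAT from section I plus the two SNAT rules of the
# section II template, with the template's placeholders written as ALLCAPS tokens.
NAT_EXCERPT = """\
*nat
-A PREROUTING -d 192.168.3.54 -j DNAT --to-destination 192.168.4.54
-A POSTROUTING -p tcp -m tcp --dport ORIGIN_PORT -j SNAT --to-source TELECOM_IP
-A POSTROUTING -p tcp -m tcp --dport ORIGIN_PORT -j SNAT --to-source UNICOM_IP
COMMIT
"""
```

Feed audit() the text of /etc/sysconfig/iptables, or the output of iptables-save, before loading it. The parser covers the subset of iptables-save syntax used on this page; it drops '!' negations and the second value of --tcp-flags when comparing matches, so confirm a shadowed_rule finding on a negated rule by hand.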