3.4. Multi-port Services and LVS
LVS routers under any topology require extra configuration when creating multi-port LVS services. Multi-port services can be created artificially by using firewall marks to bundle together different, but related protocols, such as HTTP (port 80) and HTTPS (port 443), or when LVS is used with true multi-port protocols, such as FTP. In either case, the LVS router uses firewall marks to recognize that packets destined for different ports, but bearing the same firewall mark, should be handled identically. Also, when combined with persistence, firewall marks ensure connections from the client machine are routed to the same host, as long as the connections occur within the length of time specified by the persistence parameter. For more on assigning persistence to a virtual server, see Section 4.6.1, “Subsection”.
Unfortunately, the mechanism used to balance the load on the real servers, IPVS, can recognize the firewall marks assigned to a packet, but cannot assign firewall marks itself. The job of assigning firewall marks must be performed by the network packet filter, iptables, outside of the Piranha Configuration Tool.
3.4.1. Assigning Firewall Marks
To assign firewall marks to packets destined for a particular port, the administrator must use iptables.
This section illustrates how to bundle HTTP and HTTPS as an example; however, FTP is another commonly clustered multi-port protocol. If an LVS is used for FTP services, refer to Section 3.5, “Configuring FTP” for configuration details.
The most basic rule to remember when using firewall marks is that every firewall mark used in the Piranha Configuration Tool must have a corresponding iptables rule that assigns that mark to network packets.
Before creating network packet filter rules, make sure there are no rules already in place. To do this, open a shell prompt, log in as root, and type:
/sbin/service iptables status
If iptables is not running, the prompt will instantly reappear.
If iptables is active, it displays a set of rules. If rules are present, type the following command:
/sbin/service iptables stop
If the rules already in place are important, check the contents of /etc/sysconfig/iptables and copy any rules worth keeping to a safe place before proceeding.
Below are rules which assign the same firewall mark, 80, to incoming traffic destined for the floating IP address, n.n.n.n, on ports 80 and 443.
/sbin/modprobe ip_tables
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 80 -j MARK --set-mark 80
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 443 -j MARK --set-mark 80
For instructions on assigning the VIP to the public network interface, see Section 4.6.1, “Subsection”. Also note that you must log in as root and load the module for iptables before issuing rules for the first time.
In the iptables commands above, replace n.n.n.n with the floating IP of your HTTP and HTTPS virtual servers. These commands have the net effect of assigning any traffic addressed to the VIP on the appropriate ports a firewall mark of 80, which in turn is recognized by IPVS and forwarded correctly.
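The following script is an added example, not part of the original documentation or of the Piranha Configuration Tool. It generalizes the two commands above into a function that generates the mangle/PREROUTING MARK rules for one VIP, one firewall mark and any list of ports, so the HTTP/HTTPS bundle (or any other set of related ports) is built from one place. The VIP 192.0.2.10 is a constructed value; the guard that refuses to apply rules when MARK rules already exist in the chain reflects the advice above to inspect and back up existing rules first, and is this example's own check.

```shell
#!/bin/sh
# Added example (not from the original page): generate, and optionally apply,
# the iptables rules that give every packet addressed to the VIP on a set of
# ports the same firewall mark, so IPVS treats them as one service.
# Constructed values: VIP 192.0.2.10, firewall mark 80, ports 80 and 443.

# Print the iptables commands for one VIP, one mark and any number of ports.
# This only prints, so the rule set can be reviewed before anything is changed.
fwmark_rules() {
    vip="$1"; mark="$2"; shift 2
    for port in "$@"; do
        printf '/sbin/iptables -t mangle -A PREROUTING -p tcp -d %s/32 --dport %s -j MARK --set-mark %s\n' \
            "$vip" "$port" "$mark"
    done
}

# Number of rules in a generated rule set (one rule per line).
rule_count() {
    fwmark_rules "$@" | wc -l | tr -d ' '
}

# Exit status 0 if the generated rule set marks traffic to the given port.
marks_port() {
    port="$1"; shift
    fwmark_rules "$@" | grep -q -- "--dport $port "
}

# Apply the rules as root. Refuses to run if the mangle PREROUTING chain
# already carries MARK rules (review /etc/sysconfig/iptables first, as the
# page advises), loads the module, adds the rules and shows the chain.
apply_fwmark_rules() {
    vip="$1"; mark="$2"; shift 2
    if /sbin/iptables -t mangle -L PREROUTING -n | grep -q MARK; then
        echo "MARK rules already present in mangle/PREROUTING; review them first" >&2
        return 1
    fi
    /sbin/modprobe ip_tables
    fwmark_rules "$vip" "$mark" "$@" | sh -e
    /sbin/iptables -t mangle -L PREROUTING -n -v
}

# Constructed VIP; replace with the floating IP of your virtual server.
# Rules are only applied when the script is run as root with --apply;
# otherwise the commands are printed for review.
VIP=192.0.2.10
if [ "${1:-}" = "--apply" ]; then
    apply_fwmark_rules "$VIP" 80 80 443
else
    fwmark_rules "$VIP" 80 80 443
fi
```

Running the script without arguments prints the two rules exactly as they appear above (with the constructed VIP substituted for n.n.n.n); running it as root with --apply installs them. Adding a port to the argument list, for example a third related service, adds one more rule carrying the same mark 80, which is all IPVS needs to fold that port into the same virtual server.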
Warning
The commands above take effect immediately, but do not persist through a reboot of the system. To ensure network packet filter settings are restored upon reboot, refer to Section 3.6, “Saving Network Packet Filter Settings”.