Building a highly available SNAT gateway on Alibaba Cloud with CentOS 7

Posted at — Jun 6, 2018

Alibaba Cloud offers a NAT Gateway service, but at a price only the deep-pocketed can afford. A self-built NAT gateway usually means pointing the VPC default route at a single ECS instance that has a public address, an architecture with an obvious single point of failure that can take down production traffic. Below, a high-availability virtual IP (HaVip) is used to build an HA SNAT gateway with master/backup failover.

Environment

  1. Two ECS instances running CentOS 7;
  2. A VPC network;
  3. Two EIPs;
  4. One HaVip with its private address already assigned.

Installation and configuration

Installing and configuring keepalived

Bind the two EIPs prepared earlier to the two ECS instances so that keepalived can be installed with yum; unbind the EIPs once the installation is done.

$ yum install keepalived

First prepare two scripts (do not forget to make them executable).

Script run when the VIP is acquired: on failover it lets the new Master enable IP forwarding and load the SNAT rules, so SNAT forwarding starts automatically.

$ vi /etc/keepalived/scripts/ha_vip_start.sh
#!/bin/bash

echo "start; `date`" >> /tmp/log
# Enable kernel IP forwarding so this instance can route for the rest of the VPC
sysctl -w net.ipv4.ip_forward=1
# Leave traffic to 100.64.0.0/10 and 10.0.0.0/8 un-NATed
iptables -t nat -A POSTROUTING -d 100.64.0.0/10 -j RETURN
iptables -t nat -A POSTROUTING -d 10.0.0.0/8 -j RETURN
# Rewrite the source of everything else leaving the VPC range to the HaVip; VRRP itself is excluded
iptables -t nat -A POSTROUTING -s 172.22.32.0/20 ! -p vrrp -j SNAT --to-source 172.22.46.254
# My VPC's address range is 172.22.32.0/20; change the ranges above to match your environment

Script run when the VIP is lost: when the Master becomes Backup, or keepalived on the Master enters the fault state, it removes the SNAT rules (if they are left in place, this machine's own Internet access breaks, because its traffic is rewritten to an address it no longer holds).

$ vi /etc/keepalived/scripts/ha_vip_stop.sh
#!/bin/bash

echo "stop; `date`" >> /tmp/log
# Flush the whole nat table so no stale SNAT rule survives on the node that lost the VIP
iptables -t nat -F
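The two notify scripts above work, but they have two rough edges: `iptables -A` appends, so if keepalived calls notify_master more than once the POSTROUTING chain collects duplicate rules, and `iptables -t nat -F` on the way out wipes every nat rule on the host, not just the SNAT ones. The following is an added example, not the post's scripts: a single handler that keeps the SNAT rules in a dedicated nat chain (the chain name HA_SNAT, the log path and the DRY_RUN switch are this example's own assumptions), rebuilds that chain from scratch on `start`, and removes only that chain on `stop`. With DRY_RUN=1 it prints the iptables and sysctl commands instead of running them, so the logic can be checked without root.

```shell
#!/bin/bash
# Added example (not the post's own scripts): idempotent keepalived notify handlers.
# Assumed values: chain HA_SNAT, log /tmp/keepalived-snat.log, DRY_RUN=1 to print
# commands instead of executing them. Addresses default to the ones used in the post.
set -u

VPC_CIDR="${VPC_CIDR:-172.22.32.0/20}"    # VPC range from the post
HAVIP="${HAVIP:-172.22.46.254}"           # HaVip from the post
CHAIN="${CHAIN:-HA_SNAT}"                 # assumed dedicated nat chain
LOG="${LOG:-/tmp/keepalived-snat.log}"    # assumed log path
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# chain_exists / chain_hooked: query the live nat table. In dry-run mode nothing
# is installed, so both report "absent".
chain_exists() {
    [ "$DRY_RUN" = "1" ] && return 1
    iptables -t nat -L "$CHAIN" -n >/dev/null 2>&1
}
chain_hooked() {
    [ "$DRY_RUN" = "1" ] && return 1
    iptables -t nat -C POSTROUTING -j "$CHAIN" 2>/dev/null
}

# snat_rules: the rule set for the dedicated chain, one rule per line.
# 100.64.0.0/10 and 10.0.0.0/8 are left un-NATed, everything else from the VPC
# range is rewritten to the HaVip, and VRRP is excluded so keepalived is untouched.
snat_rules() {
    printf '%s\n' \
        "-d 100.64.0.0/10 -j RETURN" \
        "-d 10.0.0.0/8 -j RETURN" \
        "-s $VPC_CIDR ! -p vrrp -j SNAT --to-source $HAVIP"
}

# snat_start: notify_master handler. Safe to run repeatedly: the chain is
# rebuilt from scratch and hooked into POSTROUTING only once.
snat_start() {
    echo "start; $(date)" >> "$LOG"
    run sysctl -w net.ipv4.ip_forward=1
    chain_exists || run iptables -t nat -N "$CHAIN"
    run iptables -t nat -F "$CHAIN"
    snat_rules | while IFS= read -r rule; do
        # $rule is intentionally unquoted: it holds several separate arguments
        run iptables -t nat -A "$CHAIN" $rule
    done
    chain_hooked || run iptables -t nat -A POSTROUTING -j "$CHAIN"
}

# snat_stop: notify_backup/fault/stop handler. Unhooks and deletes only this
# chain, so unrelated nat rules on the host survive.
snat_stop() {
    echo "stop; $(date)" >> "$LOG"
    if [ "$DRY_RUN" = "1" ] || chain_hooked; then
        run iptables -t nat -D POSTROUTING -j "$CHAIN"
    fi
    if [ "$DRY_RUN" = "1" ] || chain_exists; then
        run iptables -t nat -F "$CHAIN"
        run iptables -t nat -X "$CHAIN"
    fi
}

case "${1:-}" in
    start) snat_start ;;
    stop)  snat_stop ;;
esac
```

Install it as one file and point `notify_master` at `... start` and the three other notify hooks at `... stop`; running `DRY_RUN=1 ./ha_snat.sh start` first shows exactly which rules would be installed for your VPC_CIDR and HAVIP.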

Master keepalived configuration file

$ vi /etc/keepalived/keepalived.conf 
! Configuration File for keepalived

global_defs {

}

vrrp_instance VI_1 {
    unicast_src_ip 172.22.37.226
    unicast_peer {
        172.22.37.225
    }
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.22.46.254
    }
    notify_master /etc/keepalived/scripts/ha_vip_start.sh
    notify_backup /etc/keepalived/scripts/ha_vip_stop.sh
    notify_fault  /etc/keepalived/scripts/ha_vip_stop.sh
    notify_stop   /etc/keepalived/scripts/ha_vip_stop.sh
}

BACKUP keepalived configuration file

$ vi /etc/keepalived/keepalived.conf 
! Configuration File for keepalived

global_defs {

}

vrrp_instance VI_1 {
    unicast_src_ip 172.22.37.225
    unicast_peer {
        172.22.37.226
    }
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.22.46.254
    }
    notify_master /etc/keepalived/scripts/ha_vip_start.sh
    notify_backup /etc/keepalived/scripts/ha_vip_stop.sh
    notify_fault  /etc/keepalived/scripts/ha_vip_stop.sh
    notify_stop   /etc/keepalived/scripts/ha_vip_stop.sh
}

Start keepalived and enable it at boot

$ systemctl start keepalived
$ systemctl enable keepalived

Check whether the Master has acquired the VIP

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:16:3e:00:44:50 brd ff:ff:ff:ff:ff:ff
    inet 172.22.37.226/20 brd 172.22.47.255 scope global dynamic eth0
       valid_lft 315349926sec preferred_lft 315349926sec
    inet 172.22.46.254/32 scope global eth0
       valid_lft forever preferred_lft forever

Check the Master's iptables SNAT rules

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
RETURN     all  --  anywhere             100.64.0.0/10       
RETURN     all  --  anywhere             10.0.0.0/8          
SNAT      !vrrp --  172.22.32.0/20       anywhere             to:172.22.46.254

Failover: after shutting down the Master, check whether the Backup acquires the VIP and creates the SNAT rules

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:16:3e:00:08:93 brd ff:ff:ff:ff:ff:ff
    inet 172.22.37.225/20 brd 172.22.47.255 scope global dynamic eth0
       valid_lft 315349336sec preferred_lft 315349336sec
    inet 172.22.46.254/32 scope global eth0
       valid_lft forever preferred_lft forever
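The two manual checks above (is the VIP on eth0, are the SNAT rules present) are worth automating, because the dangerous states are the mixed ones: a node holding the VIP without SNAT rules leaves the whole VPC without egress, and a node with SNAT rules but no VIP has its own outbound traffic rewritten to an address it does not own. The following is an added example, not part of the post: a check that classifies a node as MASTER, BACKUP or INCONSISTENT from three inputs (`ip -4 addr`, `/proc/sys/net/ipv4/ip_forward`, `iptables -t nat -S POSTROUTING`). The functions read the command output from stdin, so the samples embedded below, constructed after the post's own listings, exercise them without root; `gateway_state`, `state_from_text` and the `--live` flag are this example's own names.

```shell
#!/bin/bash
# Added example (not part of the post): classify this node's SNAT gateway state.
# Constructed sample inputs are included so the script runs without root; pass
# --live to run the same checks against the real system (iptables needs root).
HAVIP="${HAVIP:-172.22.46.254}"   # HaVip from the post
IFACE="${IFACE:-eth0}"

# holds_vip: stdin = `ip -4 addr show dev $IFACE`; true when the HaVip /32 is bound.
holds_vip() { grep -qF "inet ${HAVIP}/32 "; }

# forwarding_on: stdin = contents of /proc/sys/net/ipv4/ip_forward.
forwarding_on() { [ "$(tr -d '[:space:]')" = "1" ]; }

# has_snat_rule: stdin = `iptables -t nat -S POSTROUTING`; true when the SNAT rule is present.
has_snat_rule() { grep -qF -- "-j SNAT --to-source ${HAVIP}"; }

# gateway_state VIP FWD SNAT: each argument is 0 (present) or 1 (absent), i.e. the
# exit status of the checks above. Prints MASTER, BACKUP or INCONSISTENT and
# returns 2 for the inconsistent case so the script can be used as a monitoring check.
gateway_state() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo MASTER; return 0
    elif [ "$1" -ne 0 ] && [ "$3" -ne 0 ]; then
        echo BACKUP; return 0          # forwarding may be on or off on a backup
    else
        echo INCONSISTENT; return 2    # VIP without SNAT, SNAT without VIP, or VIP without forwarding
    fi
}

# state_from_text IP_TEXT FWD_TEXT NAT_TEXT: run the checks on captured command output.
state_from_text() {
    printf '%s\n' "$1" | holds_vip     && v=0 || v=1
    printf '%s\n' "$2" | forwarding_on && f=0 || f=1
    printf '%s\n' "$3" | has_snat_rule && s=0 || s=1
    gateway_state "$v" "$f" "$s"
}

# state_live: the same checks against the running system.
state_live() {
    state_from_text "$(ip -4 addr show dev "$IFACE")" \
                    "$(cat /proc/sys/net/ipv4/ip_forward)" \
                    "$(iptables -t nat -S POSTROUTING)"
}

# Constructed samples, shaped like the post's listings on the Master and Backup.
SAMPLE_MASTER_IP='    inet 172.22.37.226/20 brd 172.22.47.255 scope global dynamic eth0
    inet 172.22.46.254/32 scope global eth0'
SAMPLE_BACKUP_IP='    inet 172.22.37.225/20 brd 172.22.47.255 scope global dynamic eth0'
SAMPLE_NAT_SNAT='-P POSTROUTING ACCEPT
-A POSTROUTING -d 100.64.0.0/10 -j RETURN
-A POSTROUTING -d 10.0.0.0/8 -j RETURN
-A POSTROUTING -s 172.22.32.0/20 ! -p vrrp -j SNAT --to-source 172.22.46.254'
SAMPLE_NAT_EMPTY='-P POSTROUTING ACCEPT'

if [ "${1:-}" = "--live" ]; then
    state_live
else
    echo "master sample: $(state_from_text "$SAMPLE_MASTER_IP" 1 "$SAMPLE_NAT_SNAT")"
    echo "backup sample: $(state_from_text "$SAMPLE_BACKUP_IP" 1 "$SAMPLE_NAT_EMPTY")"
    echo "stale rules:   $(state_from_text "$SAMPLE_BACKUP_IP" 1 "$SAMPLE_NAT_SNAT")"
fi
```

Run it with `--live` on both nodes after a failover test; exactly one node should report MASTER and the other BACKUP, and any INCONSISTENT result means one of the notify scripts did not run to completion.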

Binding the HaVip to the instances

Bind the HaVip to the two ECS instances created above, and attach an EIP to it.

Creating the VPC route entry

Create a 0.0.0.0/0 route whose next hop is the HaVip created above.

With that in place, the other ECS instances in this VPC that have no public address can reach the Internet through whichever node currently holds the HaVip.
