A highly available NAT gateway on Linux is usually built with Keepalived and the VRRP protocol, so that the virtual IP moves automatically to the backup node when the master node fails. The detailed configuration steps follow:
Run the following on both servers:
# Install the required packages
sudo apt-get update
sudo apt-get install -y keepalived iptables-persistent netfilter-persistent
# On CentOS/RHEL
# sudo yum install -y keepalived iptables-services
Make sure that both servers:
- have identical network interface configurations
- can reach each other
- each have their own public IP and internal network IP
Configure the same NAT rules on both servers:
# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# Configure the SNAT rule (replace eth0/eth1 with your public and internal interfaces)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward traffic from the internal network, and let reply traffic back in;
# the second rule is required when the FORWARD chain's default policy is DROP
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Save the iptables rules (netfilter-persistent writes them to /etc/iptables/rules.v4)
netfilter-persistent save
Master node, /etc/keepalived/keepalived.conf:
vrrp_instance VI_1 {
    state MASTER
    interface eth1            # interface used for VRRP traffic
    virtual_router_id 51
    priority 100              # the master has the higher priority
    advert_int 1
    authentication {
        auth_type PASS
        # PASS authentication sends the password in cleartext and Keepalived
        # uses only its first 8 characters; it catches misconfigured peers,
        # not an attacker on the segment, so also firewall VRRP (protocol 112)
        # so that only the two nodes can exchange it
        auth_pass yourpassword
    }
    virtual_ipaddress {
        192.168.1.254/24      # virtual IP address
    }
    # script run when this node becomes master
    notify_master "/etc/keepalived/master.sh"
}
Backup node, /etc/keepalived/keepalived.conf:
vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    virtual_router_id 51
    priority 90               # the backup has the lower priority
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass yourpassword    # must match the master
    }
    virtual_ipaddress {
        192.168.1.254/24
    }
    notify_master "/etc/keepalived/master.sh"
}
Create /etc/keepalived/master.sh on both servers:
#!/bin/bash
# Enable NAT forwarding
sysctl -w net.ipv4.ip_forward=1
# Reload the saved rules (netfilter-persistent writes them to this file on
# Debian/Ubuntu; with iptables-services on CentOS/RHEL use /etc/sysconfig/iptables)
iptables-restore < /etc/iptables/rules.v4
# Optional: log the failover event
logger "This node has become the MASTER NAT gateway"
Make the script executable:
chmod +x /etc/keepalived/master.sh
Start and enable the services on both servers:
systemctl enable keepalived
systemctl start keepalived
systemctl enable netfilter-persistent
Check that the virtual IP is on the master node:
ip addr show eth1
Test failover:
Health checks: Keepalived can be configured to check whether the NAT service is actually working
vrrp_script chk_nat {
    script "/usr/bin/ping -c 1 8.8.8.8"
    interval 2
    weight -20      # on failure the master's priority drops from 100 to 80, below the backup's 90
}
# goes inside the vrrp_instance block that should react to the check:
track_script {
    chk_nat
}
Multiple VIPs: several virtual IPs can be configured for different networks
Log monitoring: send Keepalived logs to a separate file to simplify troubleshooting
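A health check for the vrrp_script block that goes beyond a single ping, as an added example (not code from the original page): it fails, and so lets the weight demote the node, when IP forwarding is off, the MASQUERADE or FORWARD rule is missing, the public link is down, or the upstream is unreachable. The script path, interface names and upstream address are assumptions.

```shell
#!/bin/bash
# chk_nat.sh: Keepalived health check for the NAT gateway. Added example, not
# part of the original page. Exit 0 = healthy; non-zero makes Keepalived apply
# the vrrp_script weight. Interface names, paths and upstream are assumptions.
PUB_IF="${PUB_IF:-eth0}"          # public (MASQUERADE) interface
INT_IF="${INT_IF:-eth1}"          # internal interface
UPSTREAM="${UPSTREAM:-8.8.8.8}"   # upstream address to probe

# forwarding_ok <value of net.ipv4.ip_forward>: true only when forwarding is on
forwarding_ok() { [ "$1" = "1" ]; }

# nat_rule_ok <iptables-save output>: true when the MASQUERADE rule for PUB_IF
# is loaded; a node that lost its NAT rule must not keep the VIP
nat_rule_ok() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -o $PUB_IF -j MASQUERADE"
}

# forward_rule_ok <iptables-save output>: true when the FORWARD accept rule
# for the internal interface is loaded
forward_rule_ok() {
    printf '%s\n' "$1" | grep -qF -- "-A FORWARD -i $INT_IF -j ACCEPT"
}

# link_ok <operstate>: true when the public interface reports carrier
link_ok() { [ "$1" = "up" ]; }

# run_checks: collect live state and evaluate every condition; the first
# failure is logged to syslog (journalctl -t chk_nat) and fails the check
run_checks() {
    forwarding_ok "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" \
        || { logger -t chk_nat "ip_forward is disabled"; return 1; }
    rules="$(iptables-save 2>/dev/null)"
    nat_rule_ok "$rules" \
        || { logger -t chk_nat "MASQUERADE rule for $PUB_IF missing"; return 1; }
    forward_rule_ok "$rules" \
        || { logger -t chk_nat "FORWARD rule for $INT_IF missing"; return 1; }
    link_ok "$(cat "/sys/class/net/$PUB_IF/operstate" 2>/dev/null)" \
        || { logger -t chk_nat "$PUB_IF link is down"; return 1; }
    ping -c 1 -W 1 -I "$PUB_IF" "$UPSTREAM" >/dev/null 2>&1 \
        || { logger -t chk_nat "$UPSTREAM unreachable via $PUB_IF"; return 1; }
    return 0
}

# Keepalived runs the script with the "check" argument (see the vrrp_script
# block); without it the file only defines the functions above.
case "${1:-}" in
    check) run_checks; exit $? ;;
esac
```

Reference it as script "/etc/keepalived/chk_nat.sh check" in the vrrp_script block; since Keepalived runs it as root, keep the file root-owned and not writable by other users, which is also what Keepalived's script security checks look for.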
Check the Keepalived logs:
journalctl -u keepalived -f
Verify VRRP communication:
tcpdump -i eth1 vrrp
Check whether firewall rules are blocking VRRP traffic (protocol number 112)
With the configuration above you have a highly available Linux NAT gateway that fails over automatically to the backup node when the master fails, keeping network service uninterrupted.