1. 防火墙高可用架构
方案1:Keepalived + iptables/nftables
拓扑:
- 主备节点通过VRRP协议实现IP漂移(Virtual IP: 192.168.1.100) - 实时同步防火墙规则(rsync/cron)
Keepalived配置示例
# 主节点配置(/etc/keepalived/keepalived.conf)
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
virtual_ipaddress {
192.168.1.100
}
# 防火墙服务健康检测
track_script {
chk_firewall
}
}
vrrp_script chk_firewall {
script "/usr/bin/systemctl is-active nftables" # 检测防火墙服务状态
interval 2
weight -20 # 服务失败时降低优先级触发切换
}规则同步脚本
# 主节点通过rsync推送规则到备节点
#!/bin/bash
nft list ruleset > /etc/nftables.conf
rsync -avz /etc/nftables.conf backup-node:/etc/nftables.conf
ssh backup-node "nft -f /etc/nftables.conf"2. 四层负载均衡(L4)
iptables实现流量分发
# 随机分发HTTP请求到3台后端
iptables -t nat -A PREROUTING -p tcp --dport 80 \
-m statistic --mode random --probability 0.33 \
-j DNAT --to-destination 10.0.1.101:80
iptables -t nat -A PREROUTING -p tcp --dport 80 \
-m statistic --mode random --probability 0.5 \
-j DNAT --to-destination 10.0.1.102:80
iptables -t nat -A PREROUTING -p tcp --dport 80 \
-j DNAT --to-destination 10.0.1.103:80nftables高级负载均衡
# 定义后端服务器集合
nft add set inet load_balance backend_ips { type ipv4_addr; flags constant; elements = { 10.0.1.101, 10.0.1.102, 10.0.1.103 } }
# 轮询模式分发流量
nft add rule nat prerouting tcp dport 80 \
dnat to jhash ip saddr . tcp dport mod 3 map { \
0 : 10.0.1.101, \
1 : 10.0.1.102, \
2 : 10.0.1.103 \
}3. 七层负载均衡(L7)集成
HAProxy透明代理配置
# /etc/haproxy/haproxy.cfg
frontend http-in
bind 192.168.1.100:80 transparent
mode http
default_backend web_servers
backend web_servers
balance leastconn
server web1 10.0.1.101:80 check
server web2 10.0.1.102:80 check
# 防火墙放行并标记流量
nft add rule inet filter forward tcp dport 80 meta mark set 1 accept
sysctl -w net.ipv4.ip_forward=1Nginx流量管理
# 加权轮询配置
upstream backend {
server 10.0.1.101 weight=3;
server 10.0.1.102 weight=2;
server 10.0.1.103 weight=1;
}
# 联动防火墙限制连接数
limit_conn_zone $binary_remote_addr zone=per_ip:10m;
server {
location / {
limit_conn per_ip 50;
proxy_pass http://backend;
}
}4. 性能调优与监控
连接跟踪优化
# 调整内核参数(/etc/sysctl.conf)
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
# 监控工具
conntrack -L -o extended | grep ESTABLISHED | wc -l
nft monitor | grep "new flow"规则集性能评估
# 测试规则匹配速度(nftables)
nft --debug=netlink add rule inet filter input tcp dport 80 counter
# 输出示例:...[ evaluate ] tcp dport 80 => 80 ...
# iptables规则排序优化
iptables -L -n --line-numbers | grep ACCEPT | sort -k 45. 实战任务
任务1:构建双机热备集群
- 在两台节点部署Keepalived和nftables
- 配置虚拟IP 192.168.1.100,实现主备切换
- 模拟主节点故障(systemctl stop nftables),验证IP漂移
任务2:配置七层负载均衡
- 使用Nginx实现基于URI的流量分发:
location /api {
proxy_pass http://api_servers;
}
location /static {
proxy_pass http://static_servers;
}- 联动防火墙限制每个客户端IP每秒最多10个请求:
nft add rule inet filter input tcp dport 80 \
meter http_ratelimit { ip saddr limit rate 10/second } \
counter accept6. 注意事项
- 脑裂(Split-Brain)风险:使用多播检测或第三方仲裁服务配置冗余心跳线(eth1专用于VRRP通信)
- 会话保持(Session Persistence):四层使用hashlimit模块源IP哈希七层通过Cookie或JWT实现粘性会话
- 监控告警:
# 统计被拒绝的负载均衡请求
nft list counters | grep "counter packets"
# 监控Keepalived状态
journalctl -u keepalived -f