5 月 19 2014
 

dual-nic-iptables
主机A
外网IP地址:182.92.78.105
内网IP地址:10.162.220.104
主机B
内网IP地址:10.162.221.118
查看接口信息
[root@AY1405161625122035baZ ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:37:B6
inet addr:10.162.220.104 Bcast:10.162.223.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27730 errors:0 dropped:0 overruns:0 frame:0
TX packets:4894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1722333 (1.6 MiB) TX bytes:356206 (347.8 KiB)
Interrupt:165

eth1 Link encap:Ethernet HWaddr 00:16:3E:00:37:B7
inet addr:182.92.78.105 Bcast:182.92.79.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4147415 errors:0 dropped:0 overruns:0 frame:0
TX packets:15476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:206913746 (197.3 MiB) TX bytes:1928149 (1.8 MiB)
Interrupt:164

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@AY1405161625122035baZ ~]#

修改IP包转发
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@AY1405161625122035baZ ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@AY1405161625122035baZ ~]#
[root@AY1405161625122035baZ ~]# vi /etc/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward

修改配置文件
[root@AY1405161625122035baZ ~]# vi /etc/sysctl.conf
# Controls IP packet forwarding
#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
将iptables加入服务启动
[root@AY1405161625122035baZ ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@AY1405161625122035baZ ~]# chkconfig --level 35 iptables on

无法启动
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]# service iptables start
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]#
添加规则后启动(注意:INPUT 链的默认策略是 ACCEPT,下面两条 ACCEPT 规则只是显式放行 80 和 22 端口,并不会拦截其他端口的流量。)
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -t nat -A PREROUTING -p tcp --dport 41022 -j DNAT --to-destination 10.162.221.118:22
[root@AY1405161625122035baZ ~]# iptables -t nat -A POSTROUTING -d 10.162.221.118 -p tcp --dport 22 -j SNAT --to 10.162.220.104

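源地址发送数据->{PREROUTING->路由规则->POSTROUTING}->目的地址接收到数据
注意:DNAT 规则没有用 -s 限定来源地址,任何能访问外网IP 41022 端口的主机都会被转发到主机B的 SSH;经过 SNAT 后,主机B上看到的对端地址只有 10.162.220.104,无法从连接信息中区分真实来源。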

--table -t table table to manipulate (default: `filter')
--append -A chain Append to chain
-d, --destination address[/mask][,...]

[root@AY1405161625122035baZ ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@AY1405161625122035baZ ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@AY1405161625122035baZ ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:41022 to:10.162.221.118:22

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp -- 0.0.0.0/0 10.162.221.118 tcp dpt:22 to:10.162.220.104

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@AY1405161625122035baZ ~]#
在内网主机上查看网络连接状态
[root@AY140518164554406132Z ~]# netstat -tun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 232 10.162.221.118:22 10.162.220.104:53408 ESTABLISHED
tcp 0 1 10.162.221.118:44338 110.75.102.62:80 SYN_SENT
[root@AY140518164554406132Z ~]#

4 月 23 2014
 

安装顺序

不能先安装clamav
Error: Package: clamav-0.98.1-1.el6.rf.x86_64 (/clamav-0.98.1-1.el6.rf.x86_64)
Requires: clamav-db
[root@ftp ~]# yum install clamav-db-0.98.1-1.el6.rf.x86_64.rpm

再安装clamav
[root@ftp ~]# yum install clamav-0.98.1-1.el6.rf.x86_64.rpm

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
clamav x86_64 0.98.1-1.el6.rf /clamav-0.98.1-1.el6.rf.x86_64 7.1
Installing for dependencies:
libtool-ltdl x86_64 2.2.6-15.5.el6 base 44 k

Transaction Summary
================================================================================
Install 2 Package(s)

再安装clamd
[root@ftp ~]# yum install clamd-0.98.1-1.el6.rf.x86_64.rpm

[root@ftp ~]# chkconfig --list clamd
clamd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@ftp ~]#

编辑
启动clamd服务
[root@ftp ~]# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
[root@ftp ~]#
负责病毒库更新的配置文件
[root@ftp ~]# vi /etc/freshclam.conf

执行首次病毒库更新
[root@ftp ~]# freshclam
ClamAV update process started at Wed Apr 23 11:37:39 2014
Downloading main-55.cdiff [ 92%]
[root@ftp ~]# freshclam
ClamAV update process started at Wed Apr 23 11:55:26 2014
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 18847, sigs: 904742, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 236, sigs: 43, f-level: 63, builder: dgoddard)
[root@ftp ~]#

首次扫描
[root@ftp ~]# clamscan install.log
install.log: OK

----------- SCAN SUMMARY -----------
Known viruses: 3323604
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 42.104 sec (0 m 42 s)
[root@ftp ~]#

[root@ftp ~]# clamscan -r /ftpmount/hoyopay/www/
递归子目录

病毒扫描程序 CPU密集型操作
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9060 root 20 0 290m 153m 332 R 26.4 64.2 0:10.72 clamscan
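RPM二进制包 五个
注意:下面输出中的 NOKEY 警告表示本机没有导入签名所用的公钥(key ID 6b8d79e6),rpm 无法验证这些包的签名;应先用 rpm --import 导入发行方公钥,再用 rpm -K 校验后安装。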
[root@ftp ~]# rpm -lpq clamav-0.98.1-1.el6.rf.x86_64.rpm
warning: clamav-0.98.1-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
/etc/freshclam.conf
/usr/bin/clambc
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib64/libclamav.so
/usr/lib64/libclamav.so.6
/usr/lib64/libclamav.so.6.1.20
/usr/lib64/libclamunrar.so
/usr/lib64/libclamunrar.so.6
/usr/lib64/libclamunrar.so.6.1.20
/usr/lib64/libclamunrar_iface.so
/usr/lib64/libclamunrar_iface.so.6
/usr/lib64/libclamunrar_iface.so.6.1.20
/usr/share/doc/clamav-0.98.1
/usr/share/doc/clamav-0.98.1/AUTHORS
/usr/share/doc/clamav-0.98.1/BUGS
/usr/share/doc/clamav-0.98.1/COPYING
/usr/share/doc/clamav-0.98.1/ChangeLog
/usr/share/doc/clamav-0.98.1/FAQ
/usr/share/doc/clamav-0.98.1/INSTALL
/usr/share/doc/clamav-0.98.1/NEWS
/usr/share/doc/clamav-0.98.1/README
/usr/share/doc/clamav-0.98.1/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.98.1/clamdoc.pdf
/usr/share/doc/clamav-0.98.1/freshclam.conf.sample
/usr/share/doc/clamav-0.98.1/phishsigs_howto.pdf
/usr/share/doc/clamav-0.98.1/signatures.pdf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz

[root@ftp ~]# rpm -lpq clamav-db-0.98.1-1.el6.rf.x86_64.rpm
warning: clamav-db-0.98.1-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
/var/log/clamav/freshclam.log

[root@ftp ~]# rpm -lpq clamav-devel-0.98.1-1.el6.rf.x86_64.rpm
warning: clamav-devel-0.98.1-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
/usr/bin/clamav-config
/usr/include/clamav.h
/usr/lib64/pkgconfig/libclamav.pc

[root@ftp ~]# rpm -lpq clamav-milter-0.98.1-1.el6.rf.x86_64.rpm
warning: clamav-milter-0.98.1-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
/etc/clamav-milter.conf
/etc/rc.d/init.d/clamav-milter
/etc/sysconfig/clamav-milter
/usr/sbin/clamav-milter
/usr/share/doc/clamav-milter-0.98.1
/usr/share/doc/clamav-milter-0.98.1/clamav-milter.conf.sample
/usr/share/man/man5/clamav-milter.conf.5.gz
/usr/share/man/man8/clamav-milter.8.gz

[root@ftp ~]# rpm -lpq clamd-0.98.1-1.el6.rf.x86_64.rpm
warning: clamd-0.98.1-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/sbin/clamd
/usr/share/doc/clamd-0.98.1
/usr/share/doc/clamd-0.98.1/clamd.conf.sample
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man1/clamdtop.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/log/clamav/clamd.log
/var/run/clamav
递归扫描指定文件夹和文件且只显示可疑的文件
[root@ftp ~]# clamscan -ir /ftpmount/company/www/

----------- SCAN SUMMARY -----------
Known viruses: 3323604
Engine version: 0.98.1
Scanned directories: 66
Scanned files: 790
Infected files: 0
Data scanned: 13.83 MB
Data read: 9.53 MB (ratio 1.45:1)
Time: 40.235 sec (0 m 40 s)
[root@ftp ~]#

增补 2014-06-20

手动执行指定目录及其文件的扫描

#/usr/local/clamav/bin/clamscan -r /usr/local/apache/htdocs
定时扫描并生成独立扫描日志(仅记录可疑文件及汇总)

05 2 */2 * * clamav /usr/local/clamav/bin/clamscan -r -i /usr/local/apache/htdocs > /usr/local/clamav/log/scan.$(date +\%Y\%m\%d)
CRON [ $(date +\%Y\%m\%d) = `date +\%Y\%m\%d` ]

 

3 月 26 2014
 

heartbeat – Messaging and membership subsystem for High-Availability Linux
heartbeat-devel – Heartbeat development package
heartbeat-libs – Heartbeat libraries

修改主机名和hosts指向
[root@localhost ~]# vi /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=localhost.localdomain
HOSTNAME=ha01

[root@localhost ~]# vi /etc/hosts
192.168.2.217 ha01
192.168.2.218 ha02

[root@localhost ~]# init 6

[root@ha01 ~]# yum install httpd mysql-server
[root@ha01 ~]# yum install epel-release-6-8.noarch.rpm
[root@ha01 ~]# yum install heartbeat

查看说明文档并复制示例配置文件
[root@ha01 ~]# ls /usr/share/doc/heartbeat-3.0.4/
apphbd.cf AUTHORS COPYING ha.cf README
authkeys ChangeLog COPYING.LGPL haresources
[root@ha01 ~]#

[root@ha01 ~]# cd /usr/share/doc/heartbeat-3.0.4/
[root@ha01 heartbeat-3.0.4]# cp authkeys /etc/ha.d/
[root@ha01 heartbeat-3.0.4]# cp ha.cf /etc/ha.d/
[root@ha01 heartbeat-3.0.4]# cp haresources /etc/ha.d/
[root@ha02 ~]# vi /etc/ha.d/ha.cf
# Log destinations: debug output, regular log, and the syslog facility.
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
# Timers in seconds: interval between heartbeats, silence after which a peer
# is declared dead, silence after which a late-heartbeat warning is logged,
# and the longer dead time allowed right after startup.
keepalive 2
deadtime 30
warntime 10
initdead 120
# Heartbeats go out as UDP broadcasts on port 694 over eth0. udpport has to be
# set before the media (bcast) line; heartbeat reports an error otherwise.
# NOTE(review): eth0 is the only heartbeat path and is also the interface the
# service IP is added to, and every host in the broadcast domain receives
# these packets. Packet authenticity depends entirely on the method chosen in
# /etc/ha.d/authkeys.
udpport 694
bcast eth0
# Hand resources back to the preferred node once it rejoins the cluster.
auto_failback on
# Hardware/software watchdog device; presumably used to reset a hung node.
watchdog /dev/watchdog
# Cluster members.
node ha01
node ha02
# Ping node that ipfail uses as a connectivity reference.
ping 192.168.1.254
# Run ipfail as user hacluster and restart it if it exits; apiauth grants the
# ipfail client access to the heartbeat API for that uid/gid.
respawn hacluster /usr/lib64/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster

[root@ha01 ~]# vi /etc/ha.d/haresources
ha01 192.168.2.100 mysqld httpd

[root@ha02 ~]# vi /etc/ha.d/authkeys
# Commented-out sample entries copied from the authkeys file under
# /usr/share/doc/heartbeat-3.0.4/:
#auth 1
#1 crc
#2 sha1 HI!
#3 md5 Hello!
# "auth 1" selects key number 1 below for signing heartbeat packets.
auth 1
# NOTE(review): crc is a checksum against packet corruption only. It uses no
# shared secret, so it does not authenticate cluster members: any host that
# can send to the heartbeat port on this segment can produce valid packets.
# Prefer a sha1 entry with a long random secret, identical on both nodes, and
# keep this file at mode 600.
1 crc
[root@ha02 ~]# chmod 600 /etc/ha.d/authkeys
错误分析

heartbeat: udpport setting must precede media statementsheartbeat[1495]: 2014/03/28_17:24:50 ERROR: Bad permissions on keyfile
[/etc/ha.d//authkeys], 600 recommended.

[root@ha01 ~]# echo "hello ha01 is here" >/var/www/html/index.html
[root@ha02 ~]# echo "hello ha02 is here" >/var/www/html/index.html

启动heartbeat服务
[root@ha01 log]# service heartbeat start
Starting High-Availability services: INFO: Resource is stopped
Done.

[root@ha01 log]#

确认虚拟IP的生成和服务的启动
C:\Users\Harvey Mei>ping 192.168.2.100 -t

正在 Ping 192.168.2.100 具有 32 字节的数据:
来自 192.168.3.10 的回复: 无法访问目标主机。
来自 192.168.3.10 的回复: 无法访问目标主机。
来自 192.168.3.10 的回复: 无法访问目标主机。
来自 192.168.3.10 的回复: 无法访问目标主机。
来自 192.168.3.10 的回复: 无法访问目标主机。

来自 192.168.2.100 的回复: 字节=32 时间=2478ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.100 的回复: 字节=32 时间<1ms TTL=64

192.168.2.100 的 Ping 统计信息:
数据包: 已发送 = 46,已接收 = 46,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 2478ms,平均 = 247ms
Control-C
^C
C:\Users\Harvey Mei>

通过日志确认heartbeat工作状态
[root@ha01 ~]# less /var/log/ha-debug

获取虚拟IP和启动后台服务
Mar 28 16:26:41 ha01 heartbeat: [2605]: debug: notify_world: setting SIGCHLD Han
dler to SIG_DFL
harc(default)[2605]: 2014/03/28_16:26:41 info: Running /etc/ha.d//rc.d/ip-req
uest-resp ip-request-resp
ip-request-resp(default)[2605]: 2014/03/28_16:26:41 received ip-request-resp 192.168.2.100 OK yes
ResourceManager(default)[2628]: 2014/03/28_16:26:41 info: Acquiring resource group: ha01 192.168.2.100 mysqld httpd
Mar 28 16:26:41 ha01 ipfail: [2449]: debug: Setting message filter mode
/usr/lib/ocf/resource.d//heartbeat/IPaddr(IPaddr_192.168.2.100)[2656]: 2014/03/28_16:26:41 INFO: Resource is stopped
ResourceManager(default)[2628]: 2014/03/28_16:26:41 info: Running /etc/ha.d/resource.d/IPaddr 192.168.2.100 start
IPaddr(IPaddr_192.168.2.100)[2754]: 2014/03/28_16:26:42 INFO: Adding inet address 192.168.2.100/22 with broadcast address
192.168.3.255 to device eth0
IPaddr(IPaddr_192.168.2.100)[2754]: 2014/03/28_16:26:42 INFO: Bringing device eth0 up
IPaddr(IPaddr_192.168.2.100)[2754]: 2014/03/28_16:26:42 INFO: /usr/libexec/heartbeat/send_arp -i 200 -r 5 -p
/var/run/resource-agents/send_arp-192.168.2.100 eth0 192.168.2.100 auto not_used not_used
/usr/lib/ocf/resource.d//heartbeat/IPaddr(IPaddr_192.168.2.100)[2740]: 2014/03/28_16:26:42 INFO: Success
INFO: Success
ResourceManager(default)[2628]: 2014/03/28_16:26:42 info: Running /etc/init.d/mysqld start
Mar 28 16:26:42 ha01 ipfail: [2449]: debug: Starting node walk
Mar 28 16:26:42 ha01 ipfail: [2449]: debug: Cluster node: 192.168.1.254: status: ping
Starting mysqld: [ OK ]
ResourceManager(default)[2628]: 2014/03/28_16:26:43 info: Running /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server’s fully qualified domain name, using 192.168.2.217 for
ServerName
[ OK ]

在启动ha01后检测ha01与ha02状态
Mar 28 16:26:43 ha01 ipfail: [2449]: debug: Cluster node: ha02: status: dead
Mar 28 16:26:43 ha01 ipfail: [2449]: debug: [They are ha02]
Mar 28 16:26:44 ha01 ipfail: [2449]: debug: Cluster node: ha01: status: active

启动Ha02后通过日志查看对ha01的检测状态
Mar 28 17:25:17 ha02 ipfail: [1635]: debug: [We are ha02]
Mar 28 17:25:18 ha02 heartbeat: [1624]: info: Status update for node ha01: status active
Mar 28 17:25:18 ha02 heartbeat: [1624]: info: ha01 wants to go standby [foreign]
Mar 28 17:25:20 ha02 ipfail: [1635]: debug: [They are ha01]
Mar 28 17:25:20 ha02 ipfail: [1635]: debug: Setting message signal
Mar 28 17:25:21 ha02 ipfail: [1635]: debug: Waiting for messages…
Mar 28 17:25:22 ha02 ipfail: [1635]: debug: Other side is now stable.
Mar 28 17:25:22 ha02 ipfail: [1635]: info: Status update: Node ha01 now has status active
切换测试
持续ping 192.168.2.100并切断ha01网络连接

[root@ha01 ~]# ifdown eth0

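通过日志确认ha02发现ha01不可达并接管服务
注意:日志中的 "No STONITH device configured" 说明没有配置隔离(fencing)设备;心跳只经过 eth0 一条链路时,链路中断会让两个节点都认为对方失效,可能同时持有资源。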
Mar 28 17:34:16 ha02 heartbeat: [1624]: WARN: node ha01: is dead
Mar 28 17:34:16 ha02 heartbeat: [1624]: WARN: No STONITH device configured.
Mar 28 17:34:16 ha02 heartbeat: [1624]: WARN: Shared disks are not protected.
Mar 28 17:34:16 ha02 heartbeat: [1624]: info: Resources being acquired from ha01.
Mar 28 17:34:16 ha02 heartbeat: [1624]: info: Link ha01:eth0 dead.
Mar 28 17:34:16 ha02 ipfail: [1635]: info: Status update: Node ha01 now has status dead
harc(default)[2130]: 2014/03/28_17:34:16 info: Running /etc/ha.d//rc.d/status status
mach_down(default)[2167]: 2014/03/28_17:34:16 info: /usr/share/heartbeat/mach_down: nice_failback: foreign resources
acquired
mach_down(default)[2167]: 2014/03/28_17:34:16 info: mach_down takeover complete for node ha01.
Mar 28 17:34:16 ha02 heartbeat: [1624]: info: mach_down takeover complete.
Mar 28 17:34:16 ha02 ipfail: [1635]: info: NS: We are still alive!
/usr/lib/ocf/resource.d//heartbeat/IPaddr(IPaddr_192.168.2.100)[2198]: 2014/03/28_17:34:16 INFO: Running OK
Mar 28 17:34:16 ha02 heartbeat: [2131]: info: Local Resource acquisition completed.
Mar 28 17:34:16 ha02 ipfail: [1635]: info: Link Status update: Link ha01/eth0 now has status dead
Mar 28 17:34:18 ha02 ipfail: [1635]: info: Asking other side for ping node count.
Mar 28 17:34:18 ha02 ipfail: [1635]: info: Checking remote count of ping nodes.

ha01的日志记录
Mar 28 17:34:23 ha01 heartbeat: [2446]: ERROR: glib: Error sending packet: Network is unreachable
Mar 28 17:34:23 ha01 heartbeat: [2446]: info: glib: euid=0 egid=0
Mar 28 17:34:23 ha01 heartbeat: [2446]: ERROR: write_child: write failure on ping 192.168.1.254.: Network is unreachable
Mar 28 17:34:25 ha01 heartbeat: [2446]: ERROR: glib: Error sending packet: Network is unreachable

 

3 月 20 2014
 

[root@localhost ~]# ping 192.168.197.200 -c 4
PING 192.168.197.200 (192.168.197.200) 56(84) bytes of data.
64 bytes from 192.168.197.200: icmp_seq=0 ttl=255 time=0.496 ms
64 bytes from 192.168.197.200: icmp_seq=1 ttl=255 time=1.17 ms
64 bytes from 192.168.197.200: icmp_seq=2 ttl=255 time=0.483 ms
64 bytes from 192.168.197.200: icmp_seq=3 ttl=255 time=1.36 ms

--- 192.168.197.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.483/0.879/1.368/0.397 ms, pipe 2
[root@localhost ~]#
[root@localhost ~]# ping 113.106.92.180 -c 4
connect: Network is unreachable
[root@localhost ~]#
[root@localhost ~]# ping www.qq.com
ping: unknown host www.qq.com
[root@localhost ~]#

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=192.168.197.200
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:1a:64:6f:4f:33
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.197.5
[root@localhost ~]#
[root@localhost ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
[root@localhost ~]#

[root@localhost ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=localhost.com.hk
[root@localhost ~]#
[root@localhost ~]# ip route
192.168.197.0/24 dev eth0 proto kernel scope link src 192.168.197.5
[root@localhost ~]#
[root@lb01 conf]# ip route
192.168.197.0/24 dev eth0 proto kernel scope link src 192.168.197.65
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.197.200 dev eth0
[root@lb01 conf]#

[root@localhost ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@localhost ~]#
[root@localhost ~]# ip route
192.168.197.0/24 dev eth0 proto kernel scope link src 192.168.197.5
169.254.0.0/16 dev eth0 scope link
default via 192.168.197.200 dev eth0
[root@localhost ~]#
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1A:64:6F:4F:33
inet addr:192.168.197.5 Bcast:192.168.197.255 Mask:255.255.255.0
inet6 addr: fe80::21a:64ff:fe6f:4f33/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:670 errors:0 dropped:0 overruns:0 frame:0
TX packets:690 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:174196 (170.1 KiB) TX bytes:428433 (418.3 KiB)
Interrupt:169

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:266497 errors:0 dropped:0 overruns:0 frame:0
TX packets:266497 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:39985115 (38.1 MiB) TX bytes:39985115 (38.1 MiB)

[root@localhost ~]#

 

3 月 19 2014
 

使用IP 192.168.197.111主机上的浏览器访问
非正常前端与后端日志

192.168.197.111 - - [20/Mar/2014:16:11:47 +0800] "GET /tools/ajax/getNaviImgImage.ajax.php?file=19253527240ec31dd4a650e190f66cc28551d973.jpg HTTP/1.1" 200 24571 "http://hk.linuxcache.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
192.168.197.65 - - [20/Mar/2014:16:11:40 +0800] "GET /tools/ajax/getNaviImgImage.ajax.php?file=19253527240ec31dd4a650e190f66cc28551d973.jpg HTTP/1.0" 200 24558 "http://hk.linuxcache.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"

正常前端与后端日志

192.168.197.111 - - [20/Mar/2014:17:52:42 +0800] "GET /fav2.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
192.168.197.111 - - [20/Mar/2014:17:52:35 +0800] "GET /fav2.ico HTTP/1.0" 200 3638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"

Nginx主机配置文件部分

# Reverse-proxy every request under / to the upstream group "apache"
# (the upstream definition is not part of this snippet).
location / {
   #root html;
   #index index.html index.htm;
   proxy_pass http://apache;
   # Pass the requested host name through so the backend can pick the right vhost.
   proxy_set_header Host $host;

   # $remote_addr is the address of the TCP peer as nginx sees it; this header
   # is set by nginx and overwrites any X-Real-IP value sent by the client.
   proxy_set_header X-Real-IP $remote_addr;
   # $proxy_add_x_forwarded_for appends $remote_addr to whatever
   # X-Forwarded-For header the client sent. Only the last entry is written by
   # this proxy; earlier entries are client-supplied and must not be trusted
   # by the backend for access control or audit logging.
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }

下载(该地址是明文 HTTP,页面没有给出校验值;编译安装前应自行核对源码包的完整性)

http://www.stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz

[root@http02 mod_rpaf-0.6]# yum install httpd-devel
[root@http02 mod_rpaf-0.6]# apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

[root@http02 mod_rpaf-0.6]# ls /usr/lib64/httpd/modules/mod_rpaf-2.0.so
/usr/lib64/httpd/modules/mod_rpaf-2.0.so
[root@http02 mod_rpaf-0.6]#
RPAFenable On
# Enable reverse proxy add forward
RPAFproxy_ips 127.0.0.1 10.0.0.1
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the "real"
# configuration for the forwarding Apache
RPAFheader X-Forwarded-For
# Allows you to change which header mod_rpaf looks
# for when trying to find the ip that is forwarding
# our requests

#201403191741 nginx proxy
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFproxy_ips 127.0.0.1 10.0.0.1
RPAFsethostname On
RPAFheader X-Forwarded-For

# Turn on mod_rpaf so the client address is taken from the proxy's
# forwarding header instead of the proxy's own address.
RPAFenable On
# Only requests that arrive from these addresses get their client IP
# rewritten. 192.168.197.65 is the address the backend logged for proxied
# requests before mod_rpaf was enabled (presumably the nginx host).
# NOTE(review): keep this list limited to proxies you control. Any host listed
# here can make the backend log an arbitrary client address through the header.
RPAFproxy_ips 192.168.197.65
# Let mod_rpaf update the vhost host name from the forwarded request.
RPAFsethostname On
# Header that carries the forwarded client address; matches the
# X-Forwarded-For header set in the nginx location block.
RPAFheader X-Forwarded-For
[root@http02 mod_rpaf-0.6]# apachectl graceful
httpd: Could not reliably determine the server’s fully qualified domain name, using http02.hk.linuxcache-cloud.net for ServerName
[root@http02 mod_rpaf-0.6]#