Load Balance

adyfeitosa
(usa Outra)

Enviado em 30/04/2014 - 21:08h

Caros,

Boa noite!

Gostaria de uma ajuda para efetuar esse loadbalance.

Trabalho com Ubuntu 12.04.

O compartilhamento da internet no rc.local e uso o squid, este é o meu cenario.

**************************************************************
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.


# eth0 -> Sem
# eth1 -> Velox (192.168.2.100/24)
# eth2 -> GVT (192.168.254.100/24)
# eth3 -> Rede Interna (192.168.1.100/24)



# Limpando o Cache
service squid3 stop
rm -rf /var/cache/squid3/*
cd /var/cache/
chown proxy /var/cache/squid3
chgrp proxy /var/cache/squid3
squid3 -z
service squid3 start

cd /etc/


# Carregando os modulos basicos:

echo -n "Carregando os modulos..."
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE

echo " [OK]"

# Resetando o Firewall:

echo -n "Resetando o firewall..."
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo " [OK]"

# Habilitando o roteamento de pacotes:

echo -n "Habilitando o roteamento..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo " [OK]"

## Estabelece relação de confiança entre maquinas da rede local eth1(rede local)

iptables -A INPUT -i eth3 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth3 -m state --state NEW -j ACCEPT

echo " [OK]"

# Liberando resposta dos servidores DNS:

echo -n "Liberando servidores DNS..."
iptables -A INPUT -p udp -s 192.168.1.0/24 --sport 53 -d 200.222.145.84 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.0/24 --sport 53 -d 200.175.5.139 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.0/24 --sport 53 -d $DNS2 -j ACCEPT

echo " [OK]"

######################## "liberando o INPUT externo" ##########################
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -m multiport --dport 80,443 -j ACCEPT

############################ Redirecionamentos #################################
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:3389

iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:3389

############################ Compartilhamento Internet #########################
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth2 -j MASQUERADE


iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT

iptables -A FORWARD -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 443 -j REDIRECT --to-port 3128

echo -n "Liberando DNS para rede interna..."
iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.222.145.84 --dport 53 -j ACCEPT
# iptables -A FORWARD -p udp -s 192.168.254.0/24 -d $DNS2 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.222.145.84 --sport 53 -d 192.168.1.0/24 -j ACCEPT

iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.175.5.139 --dport 53 -j ACCEPT
# iptables -A FORWARD -p udp -s 192.168.254.0/24 -d $DNS2 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.175.5.139 --sport 53 -d 192.168.1.0/24 -j ACCEPT


echo " [OK]"

# Manter Conexões Estabelecidas
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Liberando o Tráfego na Interface loopback
iptables -A INPUT -i lo -j ACCEPT

################################## LOG ###################################

iptables -A INPUT -p tcp -m multiport ! --dports 0:1056 -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-prefix "LOG-FW: "

############################ Drop Input #################################
## Fechando portas não abertas acima ##"

iptables -A INPUT -i eth1 -j REJECT
iptables -A INPUT -i eth2 -j REJECT

###################"Firewall Ativo" ######################################
#echo nameserver 192.168.254.200 > /etc/resolv.conf
echo nameserver 8.8.8.8 > /etc/resolv.conf
echo nameserver 8.8.4.4 >> /etc/resolv.conf
echo nameserver 200.222.145.84 >> /etc/resolv.conf
echo nameserver 200.175.5.139 >> /etc/resolv.conf


exit 0


**************************************************************
Configuração do SQUID
************************************

######################### Autor: Ady Feitosa ###############
http_port 192.168.1.100:3128 transparent

visible_hostname assempnet

##############Configuração do Cache###############

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
hosts_file /etc/hosts

##############Configuração do Cache###############

cache_mgr adyfeitosa@yahoo.com.br
cache_effective_user proxy
cache_effective_group proxy

mail_program mail
httpd_suppress_version_string off

cache_mem 1024 MB
maximum_object_size_in_memory 128 kb
maximum_object_size 1024 MB
minimum_object_size 0 kb
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid3/squid1 4000 16 256
cache_dir ufs /var/cache/squid3/squid2 4000 16 256
cache_dir ufs /var/cache/squid3/squid3 4000 16 256
cache_dir ufs /var/cache/squid3/squid4 4000 16 256
cache_dir ufs /var/cache/squid3/squid5 4000 16 256
cache_dir diskd /var/cache/squid3 20480 64 256 Q1=64 Q2=72

# O cache dividido ganha um pouco de desempenho, pois tem menos subdiretórios para gravar/ler


###############Logs do SQUID##################

error_directory /usr/share/squid3/errors/Portuguese
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

#############Atualização do cache#################

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 10080

################## DNS ###########################
dns_nameservers 8.8.8.8 8.8.4.4 200.175.5.139
##################################################
# rede interna = 5rcc
acl minharede src 192.168.1.0/255.255.255.0

# rede sem fio = 5rcc
acl redesemfio src 192.168.254.0/255.255.255.0

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025 65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8999 # serpro
acl Safe_ports port 23000 # serpro
acl Safe_ports port 8443 # serpro
acl Safe_ports port 443 # telnet serpro
acl Safe_ports port 23 # telnet serpro
acl Safe_ports port 8880 # hpopenview embratel
acl Safe_ports port 5222 # msn do expresso (jabber)
acl Safe_ports port 13000 13005 # sites do dgp
acl Safe_ports port 500 # vpn
acl Safe_ports port 1194 # vpn
acl Safe_ports port 4500 # vpn
acl Safe_ports port 8080 # localhost
acl Safe_ports port 8081 # baixaki
acl Safe_ports port 1863 7001 # MSN
acl Safe_ports port 12005 # Agenda
acl Safe_ports port 10122 # SITE RGT
acl Safe_ports port 3142 # serv rep
acl Safe_ports port 49245
acl Safe_ports port 2631 # Caixa
acl Safe_ports port 81 # Dominio Sistemas
acl Safe_ports port 25 # pop/smtp
acl Safe_ports port 110 # pop/smtp
acl Safe_ports port 587 # pop/smtp
acl Safe_ports port 465 # pop/smtp
acl Safe_ports port 587 # pop/smtp
acl Safe_ports port 20080 #
acl Safe_ports port 3456 #
acl Safe_ports port 8181 #MetropolisWEB
acl Safe_ports port 8183 #
acl Safe_ports port 8185 #
acl Safe_ports port 8187 #
acl Safe_ports port 8189 #
acl Safe_ports port 8000 8999 #
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost


#http_access deny !minharede


# horarios
#acl manha time MTWHF 08:00-12:00
#acl tarde time MTWH 13:00-18:00

# Para final de semana Usar AS (S = Domingo e A = Sabado)


# ACL de liberacao e Negacao de acesso aos usuario
#acl dominiosliberados dstdomain "/etc/squid3/arquivos/dominios_liberados.txt"
acl dominiosbloqueados dstdomain "/etc/squid3/arquivos/dominios_bloqueados.txt"
acl palavrasbloqueadas dstdom_regex "/etc/squid3/arquivos/palavras_bloqueadas.txt"
acl extensaobloqueadas url_regex -i "/etc/squid3/arquivos/extensao_bloqueadas.txt"
acl radioOnlinebloqueados rep_mime_type -i "/etc/squid3/arquivos/radioOnline_bloqueados.txt"

# Privilegios e Permissoes
#sites pribidos sempre PARA TODOS
acl proibidao url_regex "/etc/squid3/arquivos/proibidao.txt"

#sites pribidos sempre PARA ALGUNS
acl msn_bloq url_regex "/etc/squid3/arquivos/msn_bloqueado.txt"

# Libera IPs para Acesso MSN
acl msn_liberaip src "/etc/squid3/arquivos/libera_msn_ip.txt"

#libera site exceções
acl exceto dstdomain .caixa.gov.br/* www.caixa.gov.br/* .internetbanking.caixa.gov.br/* .domicioimveis.com.br/* .goldencross.com.br/*

# proibe acesso simultaneo do usuario com a mesma conta em mais de uma maquina e desativa navegacao por um minuto
authenticate_ip_ttl 1 minutes
#acl usuariodup max_user_ip -s 1

# libera site por meio de IP destino ex: 200.193.140.78
acl ips_dst_liberados dst "/etc/squid3/arquivos/ips_dst_liberados.txt"

acl chat_liberado url_regex "/etc/squid3/arquivos/chat_liberado.txt"


# bloqueia acesso de sites por meio de IP ex: http://200.193.140.98
#acl todos_ips url_regex -i ^(http|https|ftp)+://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

http_access allow exceto
http_access allow chat_liberado
http_access deny proibidao
http_access deny extensaobloqueadas
http_access deny palavrasbloqueadas
http_access deny radioOnlinebloqueados
http_access deny dominiosbloqueados
http_access deny msn_bloq !msn_liberaip !exceto !chat_liberado !ips_dst_liberados

http_access allow minharede
#http_access deny minharede redesemfio

http_reply_access allow all
http_access deny all


**************************************************************

Carlos_Cunha
(usa Linux Mint)

Enviado em 02/05/2014 - 02:42h

Beleza amigo, isso e Proxy e Firewall , o que vc ja tem para para fazer o balanceamento e no que vc quer balancear ???

mattos_gru
(usa Debian)

Enviado em 02/05/2014 - 04:07h

Olá Carlos!

Já esta lá no começo do script dele:

# eth1 -> Velox (192.168.2.100/24)
# eth2 -> GVT (192.168.254.100/24)

Ele quer balancear esses dois links.

Ps.: só tentando ajudar, eu nunca fiz balanceamento, não entendo disso.

Abraço!

Carlos_Cunha
(usa Linux Mint)

Enviado em 04/05/2014 - 15:36h

Não, ele pode quere balancemaneto interno e não de links .....

Se for de link, procure sobre Roteamento avançado com "iproute2", isso ira fazer isso....