I have set up Keepalived as a load balancer, but without a master/backup configuration - just a single server.
The problem appears once the firewall is enabled. Without the firewall, everything works. But when the firewall is running, the packets returning from the real servers are blocked by the STATE_INVALID_DROP rule.
The setup involves two interfaces: enp2s0 (clients zone) and enp3s0 (servers zone). Traffic flowing from enp2s0 to enp3s0 works fine, but the problem appears in the traffic returning from enp3s0 to enp2s0.
Interestingly, if I use only firewalld with routes to the real servers configured and remove Keepalived, the traffic passes without any problems. The problem only appears when firewalld and Keepalived are used together.
Here is my zone configuration:
router1@router1:~$ sudo firewall-cmd --zone clients --list-all
clients (active)
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: http
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
router1@router1:~$ sudo firewall-cmd --zone servers --list-all
servers (active)
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: http
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Here is my policy configuration:
router1@router1:~$ sudo firewall-cmd --policy fromCliToSrv --list-all
fromCliToSrv (active)
  priority: -1
  target: DROP
  ingress-zones: clients
  egress-zones: servers
  services: http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
router1@router1:~$ sudo firewall-cmd --policy fromSrvToCli --list-all
fromSrvToCli (active)
  priority: -1
  target: DROP
  ingress-zones: servers
  egress-zones: clients
  services: http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Here is my keepalived configuration:
router1@router1:~$ sudo cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
virtual_server 172.20.241.20 80 {
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    persistence_timeout 600
    persistence_granularity 255.255.255.0
    real_server 10.0.1.5 {
        weight 1
    }
    real_server 10.0.1.6 {
        weight 2
    }
    real_server 10.0.1.7 {
        weight 3
    }
}
I tried adding forward ports to the clients zone like this:
router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.5:toport=80
success
router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.6:toport=80
success
router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.7:toport=80
success
router1@router1:~$ sudo firewall-cmd --reload
success
But this configuration forwards all requests to 10.0.1.5 because it is the first rule added.
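As an added illustration (not part of the post above and not Keepalived's own code), the following Python model shows what the `lb_algo wrr` / `persistence_timeout 600` / `persistence_granularity 255.255.255.0` settings in the posted keepalived.conf actually do, and why a stack of first-match firewalld forward-ports cannot replace them: the interleaved weighted round-robin distributes connections 1:2:3 across the three real servers, and persistence pins every client in the same /24 to the real server chosen for the first one until the template expires. The real-server addresses and weights are taken from the post; the client addresses, the simulated clock and the simplified template handling are constructed assumptions for the example.

```python
from functools import reduce
from math import gcd
import ipaddress

# Real servers and weights as listed in the posted keepalived.conf.
REAL_SERVERS = [("10.0.1.5", 1), ("10.0.1.6", 2), ("10.0.1.7", 3)]
PERSISTENCE_TIMEOUT = 600              # seconds, as in the config
PERSISTENCE_GRANULARITY = "255.255.255.0"


class WeightedRoundRobin:
    """Interleaved weighted round-robin in the style of the IPVS wrr
    scheduler (simplified model, assumption: no weight changes at runtime)."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.n = len(self.servers)
        self.max_weight = max(w for _, w in self.servers)
        self.step = reduce(gcd, (w for _, w in self.servers))  # gcd of all weights
        self.i = -1          # index of the last server picked
        self.cw = 0          # current weight threshold

    def next(self):
        # Walk the server list; every full pass lowers the threshold by the
        # gcd, so heavier servers are picked in more passes than lighter ones.
        while True:
            self.i = (self.i + 1) % self.n
            if self.i == 0:
                self.cw -= self.step
                if self.cw <= 0:
                    self.cw = self.max_weight
            addr, weight = self.servers[self.i]
            if weight >= self.cw:
                return addr


class VirtualServer:
    """Scheduler plus persistence templates keyed by the masked client address."""

    def __init__(self, servers, timeout, granularity):
        self.scheduler = WeightedRoundRobin(servers)
        self.timeout = timeout
        self.mask = int(ipaddress.IPv4Address(granularity))
        self.templates = {}  # masked client network -> (real server, expiry time)

    def _key(self, client_ip):
        # persistence_granularity 255.255.255.0 means "one template per /24".
        return int(ipaddress.IPv4Address(client_ip)) & self.mask

    def schedule(self, client_ip, now):
        key = self._key(client_ip)
        entry = self.templates.get(key)
        if entry is not None and entry[1] > now:
            real = entry[0]                 # persistent hit: reuse the real server
        else:
            real = self.scheduler.next()    # no/expired template: ask the scheduler
        # Assumption: a new connection refreshes the template's expiry.
        self.templates[key] = (real, now + self.timeout)
        return real


def distribution(count):
    """Schedule `count` connections from distinct constructed /24s and
    return how many went to each real server."""
    vs = VirtualServer(REAL_SERVERS, PERSISTENCE_TIMEOUT, PERSISTENCE_GRANULARITY)
    counts = {addr: 0 for addr, _ in REAL_SERVERS}
    for k in range(count):
        counts[vs.schedule(f"192.168.{k}.10", now=0)] += 1  # one client per /24
    return counts


def persistence_demo():
    """Show persistence by /24 and re-scheduling after the timeout."""
    vs = VirtualServer(REAL_SERVERS, PERSISTENCE_TIMEOUT, PERSISTENCE_GRANULARITY)
    first = vs.schedule("192.168.1.10", now=0)       # scheduled by wrr
    same_net = vs.schedule("192.168.1.99", now=10)   # same /24: pinned to `first`
    other_net = vs.schedule("192.168.2.10", now=10)  # new /24: scheduled by wrr
    third_net = vs.schedule("192.168.3.10", now=10)  # another /24: scheduled by wrr
    expired = vs.schedule("192.168.1.50", now=611)   # template from t=10 expired at 610
    return first, same_net, other_net, third_net, expired


if __name__ == "__main__":
    print(distribution(6))      # one cycle of wrr: weights 1:2:3
    print(persistence_demo())
```

Running `distribution(6)` gives one connection to 10.0.1.5, two to 10.0.1.6 and three to 10.0.1.7, which is the spread the posted weights ask for; the three firewalld forward-port rules on the same port, by contrast, are matched in order and all land on 10.0.1.5, exactly as observed above.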