LVS之-LAMP搭建wordpress

author：JevonWei
版权声明：原创作品

---

LVS搭建wordpress，涉及的知识点有DNS，LAMP，NFS及LVS

• 网络拓扑图

网络环境

NFS   192.168.198.130mysql 192.168.198.132RS1   192.168.198.138RS2   192.168.198.120LVS：    DIP 192.168.198.128    vip 172.16.253.105DNS   172.16.252.248Client 172.16.254.150RS1,RS2的网关指向192.168.198.128，client的DNS指向DNS服务器172.16.252.248

VS

[root@VS ~]# iptables -F 添加路由转发选项[root@VS ~]# vim /etc/sysctl.d/99-sysctl.conf      net.ipv4.ip_forward=1[root@VS ~]# sysctl -p /etc/sysctl.d/99-sysctl.conf \\刷新生效net.ipv4.ip_forward = 1 配置LVS的调度算法为rr轮询[root@VS ~]# yum -y install ipvsadm [root@VS ~]# ipvsadm -A -t 172.16.253.105:80 -s rr \\-t指定TCP协议，-s指定调度算法为轮询[root@VS ~]# ipvsadm -a -t 172.16.253.105:80 -r 192.168.198.138 -m \\添加192.168.198.138 RS1服务器到LVS调度，-m 为nat类型[root@VS ~]# ipvsadm -a -t 172.16.253.105:80 -r 192.168.198.120 -m [root@VS ~]# ipvsadm -Ln \\查看LVS调度信息IP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:80 rr  -> 192.168.198.120:80           Masq    1      0          0           -> 192.168.198.138:80           Masq    1      0          0[root@VS ~]# curl 192.168.198.120welcome to RS2[root@VS ~]# curl 192.168.198.138welcome to RS1修改LVS的调度模式为wrr[root@VS ~]# ipvsadm -E -t 172.16.253.105:80 -s wrr[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:80 wrr  -> 192.168.198.120:80           Masq    1      0          0           -> 192.168.198.138:80           Masq    1      0          0[root@VS ~]# ipvsadm -e -t 172.16.253.105:80 -r 192.168.198.138 -m -w 3 \\修改192.168.198.138 RS1主机的权重为3，-w 指定权重，-m为nat算法，192.168.198.120权重仍为1[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:80 wrr  -> 192.168.198.120:80           Masq    1      0          0           -> 192.168.198.138:80           Masq    3      0          0   脚本实现lvs-wrr的配置[root@VS ~]# vim lvs_nat.sh       #! /bin/bashvip=172.16.253.105:80rip1=192.168.198.138rip2=192.168.198.120:8080sch=wrrcase $1 instart)    ipvsadm -A -t $vip -s $sch    ipvsadm -a -t $vip -r $rip1 -m -w 3    ipvsadm -a -t $vip -r $rip2 -m -w 1    ;;stop)    ipvsadm -C    ;;*)    echo "Usage:$(basename $0) start|stop"    exit 1    ;;esac

RS1

[root@RS1 ~]# iptables -F[root@RS1 ~]# yum -y install httpd[root@RS1 ~]# vim /var/www/html/index.html     welcome to RS1[root@RS1 ~]# service httpd start

RS2

[root@RS2 ~]# iptables -F[root@RS2 ~]# yum -y install httpd[root@RS2 ~]# vim /var/www/html/index.html     welcome to RS2[root@RS2 ~]# service httpd start

查看LVS的信息

[root@VS ~]# ipvsadm -Ln --statsIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes  -> RemoteAddress:PortTCP  172.16.253.105:80                  29      158      139    10710    15609  -> 192.168.198.120:80                 15       82       69     5554     7923  -> 192.168.198.138:80                 14       76       70     5156     7686[root@VS ~]# ipvsadm -Ln --connection \\查看网络连接数[root@VS ~]# cut -d " " -f1 /var/log/httpd/access_log | sort -nr | uniq -c| sort -n \\查看网络连接

client

访问rr轮询算法[root@client ~]# for i in {1..10};do curl 172.16.253.105;sleep 1;done welcome to RS2welcome to RS1welcome to RS2welcome to RS1welcome to RS2访问wrr权重算法[root@client ~]# for i in {1..10};do curl 172.16.253.105;sleep 1;donewelcome to RS2welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1

实现HTTPS加密

将VS服务端同时作为CA服务端，即VS同时作为CA服务端

搭建CA服务端环境

[root@VS ~]# cat /etc/pki/tls/openssl.cnf \\查看证书的相关路径[root@VS ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024) \\生成私钥文件Generating RSA private key, 1024 bit long modulus.............++++++.........++++++e is 65537 (0x10001)[root@VS ~]# cd /etc/pki/CA[root@VS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024 \\生成自签名证书You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:henanLocality Name (eg, city) [Default City]:zhengzhouOrganization Name (eg, company) [Default Company Ltd]:danran.comOrganizational Unit Name (eg, section) []:itCommon Name (eg, your name or your server's hostname) []:ca.danran.comEmail Address []:[root@VS CA]# touch index.txt[root@VS CA]# echo 00 > serial

RS1申请CA证书

[root@RS1 ~]# cd /etc/httpd/conf.d/[root@RS1 conf.d]# (umask 077;openssl genrsa -out httpd.key 1024)Generating RSA private key, 1024 bit long modulus........++++++...........++++++e is 65537 (0x10001)[[root@RS1 conf.d]# openssl req -new -key httpd.key -out httpd.csr -days 10You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:henanLocality Name (eg, city) [Default City]:zhengzhouOrganization Name (eg, company) [Default Company Ltd]:danran.comOrganizational Unit Name (eg, section) []:itCommon Name (eg, your name or your server's hostname) []:ca.danran.comEmail Address []:Please enter the following 'extra' attributes to be sent with your certificate requestA challenge password []:An optional company name []:[root@RS1 conf.d]# scp httpd.csr 192.168.198.128:/etc/pki/CA \\证书申请文件发送给CA服务端

CA服务端颁发证书

[root@VS CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details:    Serial Number: 1 (0x1)    Validity        Not Before: Aug 19 13:00:12 2017 GMT        Not After : Aug 19 13:00:12 2018 GMT    Subject:        countryName               = CN        stateOrProvinceName       = henan        organizationName          = danran.com        organizationalUnitName    = it        commonName                = ca.danran.com    X509v3 extensions:        X509v3 Basic Constraints:             CA:FALSE        Netscape Comment:             OpenSSL Generated Certificate        X509v3 Subject Key Identifier:             BB:DC:5C:85:69:2B:0A:41:98:3B:7F:3E:15:69:1D:2B:C3:81:3E:EF        X509v3 Authority Key Identifier:             keyid:91:15:B3:DB:2D:94:91:2E:12:87:26:ED:05:5E:08:78:E0:10:7C:F8[root@VS CA]# scp certs/httpd.crt 192.168.198.138:/etc/httpd/conf.d \\将证书文件颁发给RS1申请者[root@VS CA]# scp cacert.pem 192.168.198.138:/etc/httpd/conf.d     \\将CA服务端证书发送给申请者

RS1

[root@RS1 conf.d]# scp cacert.pem httpd.crt httpd.key 192.168.198.120:/etc/httpd/conf.d \\将RS1的证书、私钥及CA证书文件发送给RS2[root@RS1 ~]# yum -y install mod_ssl[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf  \\修改如下证书私钥、证书文件及CA证书文件的存放路径     SSLCertificateFile /etc/httpd/conf.d/httpd.crt    SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key    SSLCACertificateFile /etc/httpd/conf.d/cacert.pem        修改后如下所示    #   Server Certificate:    # Point SSLCertificateFile at a PEM encoded certificate.  If    # the certificate is encrypted, then you will be prompted for a    # pass phrase.  Note that a kill -HUP will prompt again.  A new    # certificate can be generated using the genkey(1) command.    SSLCertificateFile /etc/httpd/conf.d/httpd.crt    #   Server Private Key:    #   If the key is not combined with the certificate, use this    #   directive to point at the key file.  Keep in mind that if    #   you've both a RSA and a DSA private key you can configure    #   both in parallel (to also allow the use of DSA ciphers, etc.)    SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key    #   Server Certificate Chain:    #   Point SSLCertificateChainFile at a file containing the    #   concatenation of PEM encoded CA certificates which form the    #   certificate chain for the server certificate. Alternatively    #   the referenced file can be the same as SSLCertificateFile    #   when the CA certificates are directly appended to the server    #   certificate for convinience.    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt    #   Certificate Authority (CA):    #   Set the CA certificate verification path where to find CA    #   certificates for client authentication or alternatively one    #   huge file containing all of them (file must be PEM encoded)    SSLCACertificateFile /etc/httpd/conf.d/cacert.pem[root@RS1 conf.d]# service httpd restart

RS2

[root@RS2 ~]# cd /etc/httpd/conf.d/[root@RS2 conf.d]# lscacert.pem  httpd.key       php.conf  welcome.confhttpd.crt   mod_dnssd.conf  README[root@RS2 conf.d]# yum -y install mod_ssl \\安装软件包[root@RS2 conf.d]# vim ssl.conf \\修改如下证书私钥、证书文件及CA证书文件的存放路径     SSLCertificateFile /etc/httpd/conf.d/httpd.crt    SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key    SSLCACertificateFile /etc/httpd/conf.d/cacert.pem        修改后如下所示    #   Server Certificate:    # Point SSLCertificateFile at a PEM encoded certificate.  If    # the certificate is encrypted, then you will be prompted for a    # pass phrase.  Note that a kill -HUP will prompt again.  A new    # certificate can be generated using the genkey(1) command.    SSLCertificateFile /etc/httpd/conf.d/httpd.crt    #   Server Private Key:    #   If the key is not combined with the certificate, use this    #   directive to point at the key file.  Keep in mind that if    #   you've both a RSA and a DSA private key you can configure    #   both in parallel (to also allow the use of DSA ciphers, etc.)    SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key    #   Server Certificate Chain:    #   Point SSLCertificateChainFile at a file containing the    #   concatenation of PEM encoded CA certificates which form the    #   certificate chain for the server certificate. Alternatively    #   the referenced file can be the same as SSLCertificateFile    #   when the CA certificates are directly appended to the server    #   certificate for convinience.    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt    #   Certificate Authority (CA):    #   Set the CA certificate verification path where to find CA    #   certificates for client authentication or alternatively one    #   huge file containing all of them (file must be PEM encoded)    SSLCACertificateFile /etc/httpd/conf.d/cacert.pem[root@RS2 conf.d]# service httpd restart

VS

[root@VS ~]# vim lvs_nat.sh #! /bin/bashvip=172.16.253.105:443rip1=192.168.198.138rip2=192.168.198.120sch=wrrcase $1 instart)    ipvsadm -A -t $vip -s $sch    ipvsadm -a -t $vip -r $rip1 -m -w 3    ipvsadm -a -t $vip -r $rip2 -m -w 1    ;;stop)    ipvsadm -C    ;;*)    echo "Usage:$(basename $0) start|stop"    exit 1    ;;esac[root@VS ~]# bash lvs_nat.sh stop[root@VS ~]# bash lvs_nat.sh start[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:443 wrr  -> 192.168.198.120:443          Masq    1      0          0           -> 192.168.198.138:443          Masq    3      0          0

client客户端

[root@client ~]# for i in {1..10};do curl -k https://172.16.253.105;done  \\-k跳过证书welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1

LAMP搭建wordpress，并通过NFS共享

搭建DNS服务端

[root@DNS ~]# yum -y install bind[root@DNS ~]# systemctl restart named[root@DNS ~]# systemctl enable named Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.[root@DNS ~]# iptables -F配置DNS[root@DNS ~]# vim /etc/named.conf       options {        listen-on port 53 { localhost; };        allow-query     { any; };    }[root@DNS ~]# vim /etc/named.rfc1912.zones     zone "danran.com" IN {        type master;        file "danran.zone";        allow-update { none; };    };[root@DNS ~]# cd /var/named/[root@DNS named]# vim danran.zone    $TTL 1D    @   IN SOA  dns.danran.com. admin (                                    0       ; serial                                    1D      ; refresh                                    1H      ; retry                                    1W      ; expire                                    3H )    ; minimum            NS      dns.danran.com.    dns     A       172.16.252.248    websrv  A       172.16.253.105    www     CNAME   websrv[root@DNS named]# systemctl restart named

MYSQL

[root@mysql ~]# yum -y install mariadb-server[root@mysql ~]# systemctl start mariadb[root@mysql ~]# systemctl enable mariadbCreated symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.[root@mysql ~]# systemctl disable firewalldRemoved symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.[root@mysql ~]# systemctl stop firewalld[root@mysql ~]# iptables -F 关闭防火墙创建数据库账号[root@mysql ~]# mysql_secure_installation   \\数据库安全初始化MariaDB [(none)]> create database blogdb; \\创建数据库blogdb表MariaDB [(none)]> grant all on blogdb.* to wpuser@'192.168.198.%' identified by 'danran';  \\创建wpuser用户，并授予blogdb表的所有权限登录测试[root@mysql ~]# mysql -uwpuser -h192.168.198.132 -p添加防火墙，仅允许RS1和RS2及自己本身连接数据库[root@mysql ~]# iptables -A INPUT -s 192.168.198.138 -p tcp --dport 3306 -j ACCEPT[root@mysql ~]# iptables -A INPUT -s 192.168.198.120 -p tcp --dport 3306 -j ACCEPT  [root@mysql ~]# iptables -A INPUT -s 192.168.198.1 -p tcp --dport 3306 -j ACCEPT   [root@mysql ~]# iptables -A INPUT -j REJECT

NFS

[root@NFS app]# setenforce 0[root@NFS ~]# iptables -F[root@mysql ~]# systemctl disable firewalldRemoved symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.[root@mysql ~]# systemctl stop firewalld[root@NFS ~]# rpm -q nfs-utilsnfs-utils-1.3.0-0.33.el7.x86_64将wordpress上传到服务器，并配置wordpress[root@NFS app]# tar xvf wordpress-4.8-zh_CN.tar.gz \\解压wordpress[root@NFS app]# mv wordpress blog[root@NFS app]# cd blog/[root@NFS blog]# cp wp-config-sample.php wp-config.php        [root@NFS blog]# vim wp-config.php    // ** MySQL 设置 - 具体信息来自您正在使用的主机 ** //    /** WordPress数据库的名称 */    define('DB_NAME', 'blogdb');    /** MySQL数据库用户名 */    define('DB_USER', 'wpuser');    /** MySQL数据库密码 */    define('DB_PASSWORD', 'danran');    /** MySQL主机 */    define('DB_HOST', '192.168.198.132');创建与RS1和RS2主机上相同UID的apache用户    [root@NFS blog]# useradd -u 48 -r -s /sbin/nologin apache    \\RS1和RS2的apache用户UID为48修改blog目录的属组，从而使apache用户对blog有读写权限[root@NFS app]# chown -R apache.apache blog/[root@NFS app]# ll -d blog/drwxr-xr-x. 5 apache apache 4096 Aug 20 13:03 blog/配置NFS[root@NFS app]# vim /etc/exports    /app/blog  192.168.198.0/24(rw,all_squash,anonuid=48,anongid=48) \\all_squash为压缩所有用户名，anonuid意为压缩为UID为48的用户，anongid组压缩为GID为48的组[root@NFS app]# systemctl restart nfs-server

RS1挂载NFS共享目录

[root@RS1 html]# setenforce 0[root@RS1 ~]# cd /var/www/html/[root@RS1 html]# mkdir blog[root@RS1 html]# chmod o+w blog/   [root@RS1 html]# vim /etc/fstab     192.168.198.130:/app/blog       /var/www/html/blog      nfs     defaults 0 0[root@RS1 html]# yum -y install nfs-utils \\使RS1支持NFS格式的文件[root@RS1 html]# mount -a[root@RS1 html]# df | grep /blog192.168.198.130:/app/blog   30705024   62208  30642816   1% /var/www/html/blog

RS2挂载NFS共享目录

[root@RS2 html]# setenforce 0[root@RS2 ~]# cd /var/www/html/[root@RS2 html]# mkdir blog[root@RS2 html]# chmod o+w blog/   [root@RS2 html]# vim /etc/fstab     192.168.198.130:/app/blog       /var/www/html/blog      nfs     defaults 0 0[root@RS2 html]# yum -y install nfs-utils \\使RS1支持NFS格式的文件[root@RS2 html]# mount -a[root@RS2 html]# df | grep /blog192.168.198.130:/app/blog   30705024   62208  30642816   1% /var/www/html/blog

RS1安装PHP

[root@RS1 html]# yum -y install php php-mysql[root@RS1 html]# service httpd restart

RS2安装PHP

[root@RS2 html]# yum -y install php php-mysql[root@RS2 html]# service httpd restart

VS使用sh调度算法

[root@VS ~]# vim lvs_nat.sh#! /bin/bashvip=172.16.253.105:80rip1=192.168.198.138rip2=192.168.198.120:8080sch=shcase $1 instart)    ipvsadm -A -t $vip -s $sch    ipvsadm -a -t $vip -r $rip1 -m -w 3    ipvsadm -a -t $vip -r $rip2 -m -w 1    ;;stop)    ipvsadm -C    ;;*)    echo "Usage:$(basename $0) start|stop"    exit 1    ;;esac[root@VS ~]# bash lvs_nat.sh stop[root@VS ~]# bash lvs_nat.sh start

client

修改DNS[root@client ~]# vim /etc/resolv.conf    # Generated by NetworkManager    search danran.com    nameserver 172.16.252.248[root@client ~]# for i in {1..10};do curl -k https://172.16.253.105;done        welcome to RS1welcome to RS1welcome to RS2[root@client ~]# for i in {1..10};do curl -k https://www.danran.com;done        welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS2客户端图形化或浏览器firefox www.danran.com/blog \\安装wordpress

实现一个LVS调用一组不同服务

即一个LVS同时调用http和https两种不同的服务

VS

搭建https的LVS_nat

[root@VS ~]# vim lvs_nat.sh #! /bin/bashvip=172.16.253.105:443rip1=192.168.198.138rip2=192.168.198.120sch=wrrcase $1 instart)    ipvsadm -A -t $vip -s $sch    ipvsadm -a -t $vip -r $rip1 -m -w 3    ipvsadm -a -t $vip -r $rip2 -m -w 1    ;;stop)    ipvsadm -C    ;;*)    echo "Usage:$(basename $0) start|stop"    exit 1    ;;esac[root@VS ~]# bash lvs_nat.sh stop[root@VS ~]# bash lvs_nat.sh start[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:443 wrr  -> 192.168.198.120:443          Masq    1      0          0           -> 192.168.198.138:443          Masq    3      0          0[root@VS ~]# bash lvs_nat.sh start  

搭建http的LVS_nat

[root@VS ~]# vim lvs_nat2.sh #! /bin/bashvip=172.16.253.105:80rip1=192.168.198.138rip2=192.168.198.120:8080sch=wrrcase $1 instart)    ipvsadm -A -t $vip -s $sch    ipvsadm -a -t $vip -r $rip1 -m -w 3    ipvsadm -a -t $vip -r $rip2 -m -w 1    ;;stop)    ipvsadm -C    ;;*)    echo "Usage:$(basename $0) start|stop"    exit 1    ;;esac[root@VS ~]# bash lvs_nat.sh stop[root@VS ~]# bash lvs_nat.sh start[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  172.16.253.105:443 wrr  -> 192.168.198.120:443          Masq    1      0          0           -> 192.168.198.138:443          Masq    3      0          0[root@VS ~]# bash lvs_nat2.sh start[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn  TCP  172.16.253.105:80 wrr  -> 192.168.198.120:8080         Masq    1      0          0           -> 192.168.198.138:80           Masq    3      0          0           TCP  172.16.253.105:443 wrr  -> 192.168.198.120:443          Masq    1      0          0           -> 192.168.198.138:443          Masq    3      0          0    

client

[root@client ~]# for i in {1..10};do curl -k https://172.16.253.105;done welcome to RS2welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS2[root@client ~]# for i in {1..10};do curl -k http://172.16.253.105;done  welcome to RS2welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1welcome to RS1welcome to RS1welcome to RS2welcome to RS1

ipvsadm策略的保存

[root@VS ~]# ipvsadm-save > lvs[root@VS ~]# ipvsadm -C[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn[root@VS ~]# ipvsadm-restore < lvs[root@VS ~]# ipvsadm -LnIP Virtual Server version 1.2.1 (size=4096)Prot LocalAddress:Port Scheduler Flags  -> RemoteAddress:Port           Forward Weight ActiveConn InActConnTCP  185.53.178.7:443 sh  -> 192.168.198.120:443          Masq    1      0          0           -> 192.168.198.138:443          Masq    2      0          0   将ipvsadm保存在/etc/sysconfig/ipvsadm文件中，将会开机自启动  [root@VS ~]# ipvsadm-save > /etc/sysconfig/ipvsadm