It has been a long time since I studied networking and I had forgotten a lot, so I went back over it and learned a bit more. I am writing down the contents here. If there is a mistake or you have any advice, I would appreciate it if you would kindly let me know.
TCP Thanks to L3 (IP), a packet can be sent to the other party, but the sender has no way of knowing whether it actually arrived. TCP adds rules on top of that so that the receiver tells the sender "your packet arrived" (acknowledgements; details omitted).
A PORT number must be specified when sending a packet. In the case of TCP the requester also has to receive packets back from the other party, so the requester picks a PORT number of its own for this communication too. That source PORT is chosen from the dynamic/private range (49152–65535), which contains 65535 - 49152 + 1 = 16384 ports. In other words, unless you do something special, more than 16384 simultaneous TCP connections from one local address to the same destination address and port are impossible: a connection is identified by the tuple (source IP, source port, destination IP, destination port), and for such connections only the source port can vary. The limit is per destination, not per host, because the same source port can be reused towards a different destination. (Linux does not use the IANA range by default but the one in /proc/sys/net/ipv4/ip_local_port_range, 32768–60999, i.e. 28232 ports.) A source PORT is also required for UDP, since a reply has to be addressed to it.
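The following is an added example (not part of the original post) that models how a stack hands out source ports for connect(). The addresses are constructed from the RFC 5737 documentation ranges, and the allocator is a toy: it only enforces that the 4-tuple stays unique, which is enough to show that exhaustion happens per destination rather than per host.

```python
# Port ranges a stack can use for the source (ephemeral) port of outgoing connections.
IANA_DYNAMIC = range(49152, 65536)    # 16384 ports, the range named in the text
LINUX_DEFAULT = range(32768, 61000)   # 28232 ports, Linux /proc/sys/net/ipv4/ip_local_port_range


class EphemeralPortAllocator:
    """Toy model of source-port selection for connect().

    A TCP connection is identified by (local ip, local port, remote ip, remote port).
    The stack only has to keep that tuple unique, so a local port that is busy
    towards one destination is still free towards another one.
    """

    def __init__(self, local_ip, port_range=IANA_DYNAMIC):
        self.local_ip = local_ip
        self.port_range = port_range
        self.active = set()   # 4-tuples of open connections
        self.cursor = {}      # per-destination hint where to start searching

    def connect(self, remote_ip, remote_port):
        dst = (remote_ip, remote_port)
        n = len(self.port_range)
        start = self.cursor.get(dst, 0)
        for i in range(n):
            idx = (start + i) % n
            port = self.port_range[idx]
            tup = (self.local_ip, port, remote_ip, remote_port)
            if tup not in self.active:
                self.active.add(tup)
                self.cursor[dst] = (idx + 1) % n
                return port
        # Every source port is busy towards this destination. A real connect()
        # reports this as EADDRNOTAVAIL ("Cannot assign requested address").
        raise OSError(f"no free source port towards {remote_ip}:{remote_port}")

    def close(self, local_port, remote_ip, remote_port):
        self.active.discard((self.local_ip, local_port, remote_ip, remote_port))


def exhaust_one_destination(port_range=IANA_DYNAMIC):
    """Open connections to one destination until the allocator fails, then
    show that a second destination still gets a port.
    Returns (connections opened to the first destination, port obtained towards the second)."""
    alloc = EphemeralPortAllocator("192.0.2.10", port_range)   # constructed addresses
    opened = 0
    try:
        while True:
            alloc.connect("198.51.100.20", 443)
            opened += 1
    except OSError:
        pass
    other = alloc.connect("198.51.100.21", 443)
    return opened, other


if __name__ == "__main__":
    n, p = exhaust_one_destination()
    print(f"{n} connections to one destination, then still got port {p} towards another")
```

On a real Linux host the same effect shows up as connect() failing with EADDRNOTAVAIL once the range in ip_local_port_range is used up towards one destination; widening that range or adding local addresses are the usual ways to "devise" more.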
ARP http://www5e.biglobe.ne.jp/aji/3min/26.html
ARP sits between L2 and L3: it resolves an L3 (IP) address to an L2 (MAC) address. By broadcasting an ARP Request for an IP address, you receive an ARP Reply from the host that owns it, and the reply carries the requested MAC address. Using this, packets can be delivered even if the ARP table does not yet have the destination MAC address. Note that ARP has no authentication at all: many stacks accept a reply they never asked for, which is what ARP spoofing relies on.
If a host whose static IP address was set manually has never communicated externally, its MAC address is not yet in the ARP table of the bridge or router. In that situation the router uses ARP to find out the MAC address for the destination IP of the packet it received.
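The exchange described above, as an added example that is not part of the original post: it builds and parses the Ethernet/ARP frames byte for byte (RFC 826 layout), and a small Host class keeps an ARP table. The MAC and IP addresses are constructed; one deliberate difference from many real stacks is that this table only installs replies to requests it actually sent, so the unsolicited reply that ARP spoofing relies on is ignored.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame (14 bytes) carrying an ARP packet (28 bytes)."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_to_bytes(target_mac), IPv4Address(target_ip).packed)
    # A request is broadcast; a reply goes straight back to the requester.
    eth_dst = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {"op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": bytes_to_mac(tmac), "target_ip": str(IPv4Address(tip))}


class Host:
    """A host with its own ARP table. Replies are only accepted for pending requests."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_table = {}
        self.pending = set()

    def request(self, target_ip):
        self.pending.add(target_ip)
        return build_arp_frame(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, frame):
        """Process one frame; return a reply frame if one is owed, else None."""
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["target_ip"] != self.ip:
            return None
        if pkt["op"] == OP_REQUEST:
            # The target learns the requester's mapping from the request itself,
            # so no request in the opposite direction is needed later.
            self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp_frame(OP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == OP_REPLY and pkt["sender_ip"] in self.pending:
            self.pending.discard(pkt["sender_ip"])
            self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
        return None


def resolve(requester, segment, target_ip):
    """Broadcast a request to every other host on the segment and install the reply."""
    req = requester.request(target_ip)
    for host in segment:
        if host is requester:
            continue
        reply = host.receive(req)
        if reply is not None:
            requester.receive(reply)
    return requester.arp_table.get(target_ip)


if __name__ == "__main__":
    a = Host("02:00:00:00:00:0a", "192.0.2.10")   # constructed hosts
    b = Host("02:00:00:00:00:0b", "192.0.2.11")
    print("192.0.2.11 is at", resolve(a, [a, b], "192.0.2.11"))
```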
firewall It is common to open only port 80 on a firewall. If that is done by dropping every packet whose port is not 80, regardless of direction, then the reply packets addressed to a client's dynamic source port are discarded too, and TCP from behind the firewall stops working. The rules therefore have to distinguish inbound from outbound, and the security considerations and settings are different for each: in practice you accept inbound packets that belong to a connection the inside already established (stateful filtering) and only open port 80 for new connections. By the way, for UDP no port has to be reserved for a response if none is expected, so a client that is guaranteed to only send UDP requests and needs no reply can still send data outside even if every inbound port is closed.
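To make the difference concrete, here is an added example (not from the original post) that runs the naive "only port 80" policy and a stateful version of the same policy over a constructed three-packet TCP handshake and a one-way UDP syslog message. The addresses and ports are made up; the iptables rules in the comments are the real equivalents of the stateful policy.

```python
from collections import namedtuple

# direction is "out" (leaving the protected client) or "in" (towards it).
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

CLIENT, WEB, LOGHOST, SCANNER = "192.0.2.10", "198.51.100.20", "198.51.100.30", "203.0.113.9"

# Constructed traces.
WEB_TRACE = [
    Packet("out", "tcp", CLIENT, 51234, WEB, 80, "SYN"),
    Packet("in",  "tcp", WEB, 80, CLIENT, 51234, "SYN-ACK"),   # answers the client's dynamic port
    Packet("out", "tcp", CLIENT, 51234, WEB, 80, "ACK"),
]
SYSLOG_TRACE = [Packet("out", "udp", CLIENT, 40000, LOGHOST, 514, "")]   # fire-and-forget, no reply
PROBE_TRACE = [Packet("in", "tcp", SCANNER, 40001, CLIENT, 22, "SYN")]   # unsolicited inbound


def stateless_filter(packets):
    """Policy "open only port 80": inbound accepted only if dport == 80, outbound always.
    No memory between packets, so a SYN-ACK towards the client's port 51234 is dropped."""
    return [(p, p.direction == "out" or p.dport == 80) for p in packets]


def stateful_filter(packets):
    """Same policy plus connection tracking. iptables equivalent:
         iptables -P INPUT DROP
         iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
         iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    """
    conntrack = set()
    verdicts = []
    for p in packets:
        if p.direction == "out":
            conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            verdicts.append((p, True))
        else:
            reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)   # the outbound 5-tuple this answers
            verdicts.append((p, p.dport == 80 or reply_of in conntrack))
    return verdicts


def passes(verdicts):
    """True if every packet of the trace got through the filter."""
    return all(ok for _, ok in verdicts)


def dropped_flags(verdicts):
    return [p.flags for p, ok in verdicts if not ok]


if __name__ == "__main__":
    for name, f in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(f"{name}: handshake completes={passes(f(WEB_TRACE))}, "
              f"dropped={dropped_flags(f(WEB_TRACE))}, syslog out={passes(f(SYSLOG_TRACE))}, "
              f"probe to :22 blocked={not passes(f(PROBE_TRACE))}")
```

The naive filter kills the handshake at the SYN-ACK, exactly the failure the text describes; the stateful one lets it through because the client's own SYN created the state, while the inbound probe to port 22, which matches no state, is still dropped by both.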
NIC eth0 is the 0th NIC and eth1 is the 1st NIC; basically it is fine to think of ethN == NIC. When a packet is sent down to the physical layer it is handed to eth, and eth sends it to eth's peer (the NIC is connected, typically through an Ethernet cable, to a paired NIC on a bridge or router; that pair is called the peer).
http://redhatlinux.kt.fc2.com/cont/router.htm
This site is detailed.
If you don't know how to read route -n, take a look at these sites.
https://xtech.nikkei.com/it/article/COLUMN/20080520/303086/
http://linux.kororo.jp/cont/intro/dgate.php
Leaving the details aside, the simplest router can be realized with ip forward alone, the feature that sends packets received on one NIC out through another NIC.
To enable ip forward on Linux, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and apply it with sysctl -p (or set it immediately with sysctl -w net.ipv4.ip_forward=1). No network restart is needed; the entry in /etc/sysctl.conf is what makes the setting survive a reboot.
ifconfig vs ip command ifconfig is a command included in the net-tools package, as are other frequently used commands such as route, netstat and arp. The net-tools package is deprecated; the iproute2 replacements are ip addr, ip route, ss and ip neigh respectively.
bridge A bridge can be created with any of the following.
Both real devices such as eth0 and virtual devices such as veth can be connected to a bridge.
If you create a virtual NIC and connect it to a virtual bridge, you get a virtual private network.
However, as it stands, that private network cannot communicate with the Internet. If you connect eth0 directly to the bridge instead, eth0 is taken over by it, and hosts that do not belong to the private network can no longer reach the Internet. So you use iptables and IP masquerading. Conversely, if you delete the IP masquerade rule of a bridge such as the docker0 bridge Docker creates, the private network is completely cut off from the outside.
IP masquerade is configured with iptables. Besides the NAPT function itself, iptables also gives you port forwarding and packet filtering for security.
port forward https://qiita.com/Ayaka14/items/449e2236af4b8c2beb81 Like this, you can also do it with iptables: packets arriving at a specific port can be forwarded to a specific IP address and port (DNAT). This works at L3/L4, by rewriting addresses and ports, so it is not an L2 proxy. It can also be used to connect network segments. To join segments at L2 across an L3 network, VXLAN is used instead.
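The masquerade and port-forward behaviour described in the two passages above, as one added example that is not part of the original post. It is a toy NAPT table: outbound packets from the private network get the public address and a pool port, inbound packets are either mapped back through that table or hit a static DNAT rule, and anything else is dropped. The addresses come from the RFC 5737 documentation ranges and the 172.17.0.0/16 range Docker uses by default; the iptables commands in the comments are the real rules this models.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")


class Napt:
    """Toy NAPT (iptables MASQUERADE) plus static port forwarding (DNAT).

    Real rules this stands in for (plus net.ipv4.ip_forward=1):
      iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
      iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
    """

    def __init__(self, public_ip, private_net, port_range=range(1024, 65536)):
        self.public_ip = public_ip
        self.private_net = ip_network(private_net)
        self._pool = iter(port_range)
        self.out_map = {}   # (proto, priv ip, priv port, dst, dport) -> public port
        self.in_map = {}    # (proto, public port, remote ip, remote port) -> (priv ip, priv port)
        self.dnat = {}      # (proto, public port) -> (priv ip, priv port)

    def add_port_forward(self, proto, public_port, private_ip, private_port):
        self.dnat[(proto, public_port)] = (private_ip, private_port)

    def _alloc_port(self):
        reserved = {port for _, port in self.dnat}
        for port in self._pool:
            if port not in reserved:
                return port
        raise OSError("NAT port pool exhausted")

    def outbound(self, pkt):
        """POSTROUTING: rewrite a private source to the public ip and a pool port."""
        if ip_address(pkt.src) not in self.private_net:
            return pkt   # not from the private network, forwarded untouched
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            pub_port = self._alloc_port()
            self.out_map[key] = pub_port
            self.in_map[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """PREROUTING: reply to a mapping we created, or a DNAT rule; otherwise drop (None)."""
        if pkt.dst != self.public_ip:
            return None
        priv = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if priv is None:
            priv = self.dnat.get((pkt.proto, pkt.dport))
        if priv is None:
            return None   # unsolicited and no forward rule: nowhere to deliver it
        return pkt._replace(dst=priv[0], dport=priv[1])


def demo():
    """Constructed traffic: one outbound web request and its reply, one hit on the
    forwarded port, one unsolicited probe. Returns the four translated packets."""
    nat = Napt("203.0.113.5", "172.17.0.0/16")
    nat.add_port_forward("tcp", 8080, "172.17.0.2", 80)
    out = nat.outbound(Packet("tcp", "172.17.0.3", 51234, "198.51.100.20", 443))
    reply = nat.inbound(Packet("tcp", "198.51.100.20", 443, "203.0.113.5", out.sport))
    forwarded = nat.inbound(Packet("tcp", "198.51.100.77", 40000, "203.0.113.5", 8080))
    probe = nat.inbound(Packet("tcp", "198.51.100.77", 40001, "203.0.113.5", 22))
    return out, reply, forwarded, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Deleting the MASQUERADE rule corresponds to never calling outbound(): the private hosts can still emit packets, but their 172.17.x.x source is not routable on the Internet and no reply can ever be mapped back, which is the "completely disconnected" state mentioned above.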
VXLAN https://tech.uzabase.com/entry/2017/08/23/175813 This site is detailed. In short, VXLAN carries L2 Ethernet frames inside UDP (destination port 4789) across an L3 network, and a 24-bit VNI in the header identifies which virtual segment each frame belongs to.
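As an added example (not from the original post or the linked article), the VXLAN header encapsulation and decapsulation from RFC 7348, plus a minimal VTEP forwarding table that learns which remote endpoint is behind each inner MAC per VNI. The MAC addresses, VTEP addresses and VNIs are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08   # "VNI valid" bit, the only flag RFC 7348 defines


def ethernet_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Build a minimal inner Ethernet frame (constructed test data)."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1).
    The result is the UDP payload sent to port 4789 of the remote VTEP."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI is a 24-bit value")
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def vxlan_decap(udp_payload):
    """Return (vni, inner_frame); reject short or malformed headers."""
    if len(udp_payload) < 8:
        raise ValueError("short VXLAN packet")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, udp_payload[8:]


class Vtep:
    """Flood-and-learn VTEP: remembers the remote VTEP behind each (VNI, inner source MAC)."""

    def __init__(self):
        self.fdb = {}

    def receive(self, remote_vtep_ip, udp_payload):
        vni, frame = vxlan_decap(udp_payload)
        src_mac = frame[6:12]
        self.fdb[(vni, src_mac)] = remote_vtep_ip
        return vni, frame

    def next_hop(self, vni, dst_mac):
        """Remote VTEP for this MAC in this VNI, or None (flood to all VTEPs of the VNI)."""
        return self.fdb.get((vni, dst_mac))


if __name__ == "__main__":
    frame = ethernet_frame("02:00:00:00:00:0b", "02:00:00:00:00:0a", b"hello")
    pkt = vxlan_encap(100, frame)
    print(pkt[:8].hex(), vxlan_decap(pkt)[0])
```

Note that the VNI travels in clear and nothing in the header is authenticated: whoever can deliver UDP/4789 packets to a VTEP can inject frames into any segment, so the underlay has to be restricted (or the tunnels wrapped in IPsec) for the segment separation to mean anything.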
Since we want to place a single microservice on multiple hosts, basically for fault tolerance, one microservice ends up deployed across multiple network segments.
In the end it all felt like routing configuration: particular items of the routing setup are just given special names such as port forward.
VRRP When scaling out an application, you put a load balancer in front and let it distribute the requests. But if there is only one load balancer, it is a single point of failure. To make the load balancer redundant, something like keepalived, which implements VRRP, is used. With this, multiple hosts share the same virtual IP and virtual MAC address (the MAC is derived from the virtual router ID, 00:00:5e:00:01:{VRID}, not from the IP), and if the host with the highest priority stops sending advertisements for about 3 seconds (three advertisement intervals of 1 second by default, plus a small priority-dependent skew), the host with the next highest priority takes over that IP and MAC and handles the requests. keepalived only uses that virtual MAC when use_vmac is configured; otherwise it answers with the interface's own MAC and announces the takeover with gratuitous ARP. For more information on how the VRRP protocol works, see the article or search for it.
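The timing behind that takeover, as an added example that is not part of the original post: the formulas are the ones in RFC 5798 (Master_Down_Interval = 3 × advertisement interval + Skew_Time, Skew_Time = (256 - priority) × interval / 256), which is why the backup with the highest priority is always the first to time out and claim the address. Host names and priorities are constructed; the keepalived block in the comment is the configuration this corresponds to.

```python
def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC address for a virtual router ID (RFC 5798): 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def skew_time(priority, adver_int=1.0):
    """Higher priority -> shorter skew, so the best backup times out first."""
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be 1..254 (255 is the address owner)")
    return (256 - priority) * adver_int / 256


def master_down_interval(priority, adver_int=1.0):
    """Seconds of silence from the master after which this backup declares it dead."""
    return 3 * adver_int + skew_time(priority, adver_int)


def elect_after_master_loss(backups, adver_int=1.0):
    """backups: {host name: priority}. The master stops advertising at t = 0.
    Returns (winner, timeline) where timeline lists (timeout in seconds, host) in order.
    Equal priorities tie on time; RFC 5798 then prefers the higher primary IP (not modelled)."""
    timeline = sorted((master_down_interval(p, adver_int), name) for name, p in backups.items())
    return timeline[0][1], timeline


# keepalived configuration for the winning host in the example below (vrid 51, priority 150):
#   vrrp_instance VI_1 {
#       state BACKUP
#       interface eth0
#       virtual_router_id 51
#       priority 150
#       advert_int 1
#       virtual_ipaddress {
#           192.0.2.100/24
#       }
#   }

if __name__ == "__main__":
    backups = {"lb-a": 100, "lb-b": 150}   # constructed hosts; the master had priority 200
    winner, timeline = elect_after_master_loss(backups)
    print("virtual MAC for VRID 51:", virtual_mac(51))
    for t, host in timeline:
        print(f"{host} (priority {backups[host]}) would take over at t={t:.4f}s")
    print("winner:", winner)
```

With priorities 150 and 100, lb-b times out at 3.414 s and lb-a at 3.609 s; lb-b starts advertising first, and that advertisement resets lb-a's timer, so only one host claims the address.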
For a master/slave database configuration, HAProxy is the major choice for load balancing connections to the master or to the slaves. HAProxy works at the TCP (or HTTP) level and does not look inside the SQL, so it cannot route by the contents of a query; read/write splitting is done by giving the master and the slaves separate frontends, or by client-side load balancing in the application: a series of queries that includes an update is sent to the master, and read-only queries are passed to a slave. There are various ways to load-balance among the slaves, but a redundant load balancer built from NGINX's TCP load balancer plus keepalived seems to be a good and simple option.