linux企业实战 --lvs/tun(ip隧道)

1. LVS/TUN（ip隧道）原理和特点

在原有的ip报文外再封装多一层ip首部，内部ip首部（源地址为cip，目标ip为vip），外层ip首部（源地址为dip，目标ip为rip）
  

• 当用户请求到达Director Server,此时请求的数据报文会先到内核空间的PREROUTING链。此时报文的源IP为CIP，目标IP为VIP。
• PREROUTING检查发现数据包的目标IP是本机，将数据包送至INPUT链
• IPVS比对数据包请求的服务是否为集群服务，若是，在请求报文的首部再次封装一层IP报文， 封装源IP为DIP,目标IP为RIP。然后发至POSTROUTING链。此时源IP为DIP、目标| P为R IP
• POSTROUTING链根据最新封装的IP报文，将数据包发至RS (因为在外层封装多了- -层IP首部，所以可以理解为此时通过隧道传输)。此时源IP为DIP， 目标IP为RIP
• RS接收到报文后发现是自己的IP地址，就将报文接收下来，拆除掉最外层的IP后，会发现里面还有-层IP首部,而且目标是自己的lo接口VIP，那么此时RS开始处理此请求，处理完成之后，通过Io接口送给eth0卡，然后向外传递。此时的源IP地址为VIP， 目标IP为CIP
• 响应报文最终送达至客户端

2.LVS-Tun模型特性

• RIP、VIP、DIP全是公网地址
• RS的网关不会也不可能指向DIP
• 所有的请求报文经由Director Server,但响应报文必须不能进过Director S erver
• 不支持端口映射
• RS的系统必须支持隧道
• 其实企业中最常用的是DR实现方式，而NAT配置上比较简单和方便

3.实现lvs调度器的TUN模式

步骤一：清除上一个实验影响在server1执行lpvsadm -C

[root@server1 ~]# ipvsadm -C
[root@server1 ~]# ipvsadm -ln

步骤二：添加隧道模式

[root@server1 ~]# modprobe ipip
[root@server1 ~]# ip addr show

[root@server1 ~]# ip addr del 172.25.42.100/32 dev eth0
[root@server1 ~]# ip addr add 172.25.42.100/32 dev tunl0
[root@server1 ~]# ipvsadm -A -t 172.25.42.100:80 -s rr
[root@server1 ~]# ipvsadm -a -t 172.25.42.100:80 -r 172.25.42.2:80 -i
[root@server1 ~]# ipvsadm -a -t 172.25.42.100:80 -r 172.25.42.3:80 -i
[root@server1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  server1:http rr
  -> server2:http                 Tunnel  1      0          0         
  -> server3:http                 Tunnel  1      0          0         

步骤三：对server2和server3同时进行步骤二

步骤四：激活隧道模式

[root@server1 ~]# ip link set up tunl0
[root@server2 html]# ip link set up tunl0
[root@server3 ~]# ip link set up tunl0

步骤五：关闭限制(server2 和server3)
仅以server2为例。server3同下

[root@server2 ~]# sysctl -a |grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tunl0.arp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 1
[root@server2 ~]# sysctl -w net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.rp_filter = 0
[root@server2 ~]# sysctl -w net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.rp_filter = 0
[root@server2 ~]# sysctl -w net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.eth0.rp_filter = 0
[root@server2 ~]# sysctl -w net.ipv4.conf.tunl0.rp_filter=0
net.ipv4.conf.tunl0.rp_filter = 0
[root@server2 ~]# sysctl -a |grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tunl0.arp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 0

测试

[root@foundation42 ~]#  arp -d 172.25.42.100
[root@foundation42 ~]# curl 172.25.42.100
server3
[root@foundation42 ~]# curl 172.25.42.100
server2