LVS TUN mode
Connection scheduling and management in LVS/TUN are the same as in LVS/NAT; only the packet forwarding method differs. Based on the load of each server, the director dynamically selects one server, encapsulates the request packet inside another IP packet, and forwards the encapsulated packet to the chosen server. On receiving it, the server first decapsulates the packet to recover the original packet whose destination address is the VIP; because the VIP is configured on its local IP tunnel device, the server processes the request and then returns the response directly to the client according to its routing table. (The description above is taken from the Internet.)
Let's look at our small test setup:
tun_server:
  eth0: 192.168.1.241
  eth1: 10.0.2.20
  vip: 192.168.1.204
real_server1:
  eth0: 192.168.1.229
  eth1: 10.0.2.22
real_server2:
  eth0: 192.168.1.224
  eth1: 10.0.2.23
Requests to the VIP are passed to the real servers over point-to-point tunnels, and the real servers reply to the client directly.
tun_server configuration:
```bash
# cat lvs_tun.sh
#!/bin/bash
vip=192.168.1.204
RS1=192.168.1.229
RS2=192.168.1.224
# Bind the VIP to the IPIP tunnel device on the director
ifconfig tunl0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip dev tunl0
# The director does not route packets itself; IPVS encapsulates and forwards them
echo "0" >/proc/sys/net/ipv4/ip_forward
echo "1" >/proc/sys/net/ipv4/conf/all/send_redirects
echo "1" >/proc/sys/net/ipv4/conf/default/send_redirects
echo "1" >/proc/sys/net/ipv4/conf/eth0/send_redirects
# Rebuild the virtual service: VIP:80 with weighted least-connection scheduling,
# both real servers added in tunneling mode (-i)
ipvsadm -C
ipvsadm -A -t $vip:80 -s wlc
ipvsadm -a -t $vip:80 -r $RS1 -i
ipvsadm -a -t $vip:80 -r $RS2 -i
/etc/init.d/ipvsadm save
/etc/init.d/ipvsadm restart
```
real_server configuration:
```bash
# cat tun.sh
#!/bin/bash
vip=192.168.1.204
# Put the VIP on the IPIP tunnel device so decapsulated requests for it are accepted locally
ifconfig tunl0 $vip broadcast $vip netmask 255.255.255.255 up
echo '0' > /proc/sys/net/ipv4/ip_forward
# Never answer or announce ARP for the VIP; on the LAN only the director owns it
echo '1' > /proc/sys/net/ipv4/conf/tunl0/arp_ignore
echo '2' > /proc/sys/net/ipv4/conf/tunl0/arp_announce
echo '1' > /proc/sys/net/ipv4/conf/all/arp_ignore
echo '2' > /proc/sys/net/ipv4/conf/all/arp_announce
# Disable reverse-path filtering: the client's source address arrives on tunl0,
# which is not the interface the route back to the client uses
echo '0' > /proc/sys/net/ipv4/conf/tunl0/rp_filter
echo '0' > /proc/sys/net/ipv4/conf/all/rp_filter
```
Note: when testing on virtual machines, the firewall on the real servers must be turned off!
Test:
```text
# ipvsadm -lcn
IPVS connection entries
pro expire state       source              virtual            destination
TCP 14:52  ESTABLISHED 192.168.1.228:59864 192.168.1.204:80   192.168.1.224:80
TCP 00:01  CLOSE       192.168.1.228:59863 192.168.1.204:80   192.168.1.224:80
TCP 00:01  CLOSE       192.168.1.228:59861 192.168.1.204:80   192.168.1.224:80
TCP 00:02  CLOSE       192.168.1.228:59862 192.168.1.204:80   192.168.1.229:80
TCP 14:52  ESTABLISHED 192.168.1.228:59865 192.168.1.204:80   192.168.1.229:80
# ipvsadm -ln --rate
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port                 CPS    InPPS   OutPPS    InBPS   OutBPS
  -> RemoteAddress:Port
TCP  192.168.1.204:80                    0        3        0      450        0
  -> 192.168.1.224:80                    0        1        0      228        0
  -> 192.168.1.229:80                    0        1        0      222        0
# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.204:http wlc
  -> 192.168.1.224:http           Tunnel  1      1          1
  -> 192.168.1.229:http           Tunnel  1      1          1
```
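The connection table above is the quickest place to see how wlc spread the test connections over the two real servers. As an added example (not from the original post), here is a small POSIX shell script that summarises an `ipvsadm -lcn` table per real server and state, and flags real servers whose connections only ever reach SYN_RECV, which is the pattern you get when the director's tunnelled packets are dropped before the web server on the real server sees them. The sample table is constructed to resemble the post's output; in use, pipe the live command output into the functions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an `ipvsadm -lcn`
# connection table per real server and flag real servers that never get
# past SYN_RECV. Columns of `ipvsadm -lcn` are:
#   pro expire state source virtual destination

# Constructed sample modelled on the post's output: one healthy real server
# and one whose three-way handshakes never complete.
SAMPLE_CONN_TABLE='IPVS connection entries
pro expire state       source              virtual            destination
TCP 14:52  ESTABLISHED 192.168.1.228:59864 192.168.1.204:80   192.168.1.224:80
TCP 00:01  CLOSE       192.168.1.228:59863 192.168.1.204:80   192.168.1.224:80
TCP 00:32  SYN_RECV    192.168.1.228:60069 192.168.1.204:80   192.168.1.229:80
TCP 00:32  SYN_RECV    192.168.1.228:60068 192.168.1.204:80   192.168.1.229:80'

# conn_summary: read a connection table on stdin and print
# "<realserver> <state> <count>" lines, sorted.
conn_summary() {
    awk 'NR > 2 && NF == 6 { count[$6 " " $3]++ }
         END { for (k in count) print k, count[k] }' | sort
}

# stuck_realservers: read a connection table on stdin and print every real
# server that has SYN_RECV entries but not a single ESTABLISHED one.
stuck_realservers() {
    awk 'NR > 2 && NF == 6 {
             rs = $6
             if ($3 == "SYN_RECV")    syn[rs]++
             if ($3 == "ESTABLISHED") est[rs]++
         }
         END { for (rs in syn) if (!(rs in est)) print rs }' | sort
}

# Usage on a live director:  ipvsadm -lcn | stuck_realservers
# Run on the constructed sample when executed directly:
printf '%s\n' "$SAMPLE_CONN_TABLE" | conn_summary
printf '%s\n' "$SAMPLE_CONN_TABLE" | stuck_realservers
```

A real server that shows up in `stuck_realservers` received the director's SYN (IPVS created the entry) but the client never got a SYN-ACK back, so the problem is on the real server side of the tunnel rather than in the director's scheduling.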
I originally wanted to turn the firewall on the real server on, but it still went wrong. This is what I did:
```bash
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
```
```text
# iptables -vnL
Chain INPUT (policy DROP 318 packets, 37640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1
 1148928   ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5

Chain OUTPUT (policy ACCEPT 1 packets, 108 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
   96 13576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmp_allowed (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
```
After testing, it turned out there was still a problem:
```text
# ipvsadm -lcn
IPVS connection entries
pro expire state       source              virtual            destination
TCP 00:32  SYN_RECV    192.168.1.228:60069 192.168.1.204:80   192.168.1.229:80
TCP 14:48  ESTABLISHED 192.168.1.228:60070 192.168.1.204:80   192.168.1.224:80
TCP 00:32  SYN_RECV    192.168.1.228:60068 192.168.1.204:80   192.168.1.229:80
TCP 00:53  SYN_RECV    192.168.1.228:60077 192.168.1.204:80   192.168.1.229:80
TCP 00:32  SYN_RECV    192.168.1.228:60066 192.168.1.204:80   192.168.1.229:80
TCP 00:32  SYN_RECV    192.168.1.228:60067 192.168.1.204:80   192.168.1.229:80
TCP 01:25  FIN_WAIT    192.168.1.228:60065 192.168.1.204:80   192.168.1.224:80
TCP 00:32  SYN_RECV    192.168.1.228:60064 192.168.1.204:80   192.168.1.229:80
```
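The rules above only match traffic whose interface is `tun+`, but the director's encapsulated requests reach the real server on eth0 as plain IP packets of protocol 4 (IPIP); only after the kernel decapsulates them does the inner packet traverse INPUT again with tunl0 as its input interface. Nothing in the INPUT chain accepts protocol 4 before the DROP policy, which is consistent with the counters shown earlier: the `tun+` rule matched 0 packets while the INPUT policy dropped 318. As an added example (not from the original post), here is a POSIX shell script that emits a real-server rule set in `iptables-restore` format that keeps the INPUT policy at DROP, accepts IPIP only from the director's address, and then accepts the decapsulated HTTP requests on tunl0. The default addresses are the post's tun_server eth0 address and VIP, and the interface name eth0 is an assumption taken from the post's layout.

```shell
#!/bin/sh
# Added example, not from the original post: firewall rules for an LVS/TUN
# real server that allow the director's tunnelled traffic in without opening
# the host up. Defaults are taken from the post's addresses (assumptions):
DIRECTOR="${DIRECTOR:-192.168.1.241}"   # tun_server eth0: source of the outer IPIP packets
VIP="${VIP:-192.168.1.204}"              # address configured on tunl0
EXT_IF="${EXT_IF:-eth0}"                 # interface on which the outer packets arrive

# rs_tun_rules: print the rule set on stdout in iptables-restore format.
rs_tun_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Encapsulated requests arrive on ${EXT_IF} as IP protocol 4 (IPIP), not on tunl0.
# Accept them only from the director: with rp_filter off on tunl0, this source
# check is what stops any other host from handing this server tunnelled packets.
-A INPUT -i ${EXT_IF} -p 4 -s ${DIRECTOR} -j ACCEPT
# Once decapsulated, the inner packet traverses INPUT again with in=tunl0.
-A INPUT -i tunl0 -p tcp -d ${VIP} --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i ${EXT_IF} -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rs_tun_rules_check: root-free sanity check of the generated rules. The IPIP
# accept must be present and must be restricted to the director's address.
rs_tun_rules_check() {
    rs_tun_rules | grep -q -- "-p 4 -s ${DIRECTOR} -j ACCEPT" || return 1
    # An IPIP accept without a source restriction is a misconfiguration.
    if rs_tun_rules | grep -q -- "-p 4 -j ACCEPT"; then
        return 1
    fi
    return 0
}

# Usage: ./rs_tun_fw.sh        -> print the rules for review
#        ./rs_tun_fw.sh apply  -> load them (needs root and iptables-restore)
if [ "$1" = "apply" ]; then
    rs_tun_rules_check || { echo "generated rules failed sanity check" >&2; exit 1; }
    rs_tun_rules | iptables-restore
else
    rs_tun_rules
fi
```

Two things differ from the post's attempt: the IPIP accept is what actually lets the handshake reach the web server (the `-i tun+` rules only ever see traffic that has already been decapsulated), and both new rules are narrowed to the director's address and the VIP:80 service rather than a wildcard interface match. Verify on the real server with `iptables -vnL INPUT` while a test connection runs: the `-p 4` rule's counters should increase and the `tunl0` rule should match the inner SYN.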