Connection scheduling and management in LVS/TUN are the same as in LVS/NAT; only the packet forwarding method differs. The director dynamically selects a server according to the load on each server, encapsulates the request packet inside another IP packet, and forwards the encapsulated packet to the chosen server. When the server receives it, it first decapsulates it to recover the original packet, whose destination address is the VIP; because the VIP is configured on the server's local IP tunnel device, the server processes the request and then returns the response packet directly to the client according to its routing table.
The introduction above is taken from the Internet.
Now let's look at our small test case:
tun_server (director):
  eth0: 192.168.1.241
  eth1: 10.0.2.20
  vip:  192.168.1.204
real_server1:
  eth0: 192.168.1.229
  eth1: 10.0.2.22
real_server2:
  eth0: 192.168.1.224
  eth1: 10.0.2.23

Requests for the VIP are handed to the real servers over point-to-point (IP-in-IP) tunnels, and the real servers return the responses directly to the client.
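To make the forwarding path concrete, here is an added example in Python (it is not part of the original post and not IPVS code) that models the test case above: the director wraps the client's packet in an outer IPv4 header of protocol 4 addressed to the chosen real server; the real server strips that header, accepts the inner packet because its destination (the VIP) is configured on tunl0, and replies to the client directly. The addresses are the ones from the test case, the TCP payload is a constructed placeholder, and the helper names are assumptions of this example.

```python
"""
Model of the LVS/TUN packet path (added example, not from the original post).
Only plain IPv4 headers are built; the transport payload is an opaque byte string.
"""
import socket
import struct

IPPROTO_IPIP = 4          # "IP in IP": protocol number carried in the outer header

# addresses taken from the test case in the post
CLIENT   = "192.168.1.228"
VIP      = "192.168.1.204"
DIRECTOR = "192.168.1.241"
RS1      = "192.168.1.229"


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071), as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum and append the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields a firewall or the tunnel driver looks at; reject a bad checksum."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "payload": pkt[ihl:total_len]}


def director_encapsulate(client_pkt: bytes, real_server: str) -> bytes:
    """What `ipvsadm -a ... -i` makes the director do: leave the client's packet untouched
    and prepend an outer IPv4 header (protocol 4) from the director to the real server."""
    return build_ipv4(DIRECTOR, real_server, IPPROTO_IPIP, client_pkt)


def real_server_receive(wire_pkt: bytes, local_tunnel_addrs: set) -> dict:
    """Real-server side: the outer packet is what eth0 (and netfilter INPUT) sees first;
    after decapsulation the inner packet is delivered only if its destination is a
    locally configured address (the VIP on tunl0)."""
    outer = parse_ipv4(wire_pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IPIP packet")
    inner = parse_ipv4(outer["payload"])
    inner["accepted"] = inner["dst"] in local_tunnel_addrs
    inner["seen_on_eth0_as"] = {"proto": outer["proto"], "src": outer["src"], "dst": outer["dst"]}
    return inner


def real_server_reply(inner: dict) -> dict:
    """The response goes straight back to the client with the VIP as source; no tunnel."""
    reply = build_ipv4(VIP, inner["src"], socket.IPPROTO_TCP, b"HTTP/1.1 200 OK\r\n")
    return parse_ipv4(reply)


if __name__ == "__main__":
    syn = build_ipv4(CLIENT, VIP, socket.IPPROTO_TCP, b"<constructed TCP SYN to port 80>")
    wire = director_encapsulate(syn, RS1)
    inner = real_server_receive(wire, {VIP})
    print("on eth0 the real server sees:", inner["seen_on_eth0_as"])
    print("after decapsulation: dst =", inner["dst"], "accepted =", inner["accepted"])
    print("reply:", real_server_reply(inner))
```

The `seen_on_eth0_as` field is the part worth remembering when a real server runs a firewall: netfilter sees the outer packet on eth0 as IP protocol 4 with the real server's own address as destination, and only after decapsulation does the inner TCP packet show up on tunl0. A rule that accepts traffic only on `-i tun+` therefore never matches the encapsulated packet; a real server whose INPUT policy is DROP also needs to accept protocol 4 from the director on its LAN interface (for example `iptables -I INPUT -i eth0 -p 4 -s 192.168.1.241 -j ACCEPT`). The `iptables -vnL` counters later in this post have exactly that shape: zero hits on the `tun+` rule and 318 packets dropped by the INPUT policy.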
tun_server configuration:

# cat lvs_tun.sh
#!/bin/bash
vip=192.168.1.204
RS1=192.168.1.229
RS2=192.168.1.224
# make sure the ipip module is loaded so the tunl0 device exists
modprobe ipip
# bind the VIP to the director's tunnel device
ifconfig tunl0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip dev tunl0
# IPVS forwards the tunnelled packets itself, so plain IP forwarding stays off
echo "0" >/proc/sys/net/ipv4/ip_forward
echo "1" >/proc/sys/net/ipv4/conf/all/send_redirects
echo "1" >/proc/sys/net/ipv4/conf/default/send_redirects
echo "1" >/proc/sys/net/ipv4/conf/eth0/send_redirects
# rebuild the IPVS table: one virtual service on the VIP with weighted least-connection
# scheduling, both real servers attached with -i (IP tunnelling, i.e. LVS/TUN forwarding)
ipvsadm -C
ipvsadm -A -t $vip:80 -s wlc
ipvsadm -a -t $vip:80 -r $RS1 -i
ipvsadm -a -t $vip:80 -r $RS2 -i
/etc/init.d/ipvsadm save
/etc/init.d/ipvsadm restart
real_server configuration:

# cat tun.sh
#!/bin/bash
vip=192.168.1.204
# make sure the ipip module is loaded so the tunl0 device exists
modprobe ipip
# configure the VIP on tunl0 so decapsulated packets addressed to the VIP are accepted locally
ifconfig tunl0 $vip broadcast $vip netmask 255.255.255.255 up
echo '0' > /proc/sys/net/ipv4/ip_forward
# never answer ARP for the VIP and never announce it: on the LAN only the director owns the VIP
echo '1' > /proc/sys/net/ipv4/conf/tunl0/arp_ignore
echo '2' > /proc/sys/net/ipv4/conf/tunl0/arp_announce
echo '1' > /proc/sys/net/ipv4/conf/all/arp_ignore
echo '2' > /proc/sys/net/ipv4/conf/all/arp_announce
# disable reverse-path filtering: decapsulated packets arrive on tunl0 from client addresses
# that tunl0 has no route back to, and rp_filter would discard them
echo '0' > /proc/sys/net/ipv4/conf/tunl0/rp_filter
echo '0' > /proc/sys/net/ipv4/conf/all/rp_filter

Note: when testing on virtual machines, the firewall on the real servers must be turned off!
Test:

[root@localhost ~]# ipvsadm -lcn
IPVS connection entries
pro expire state source virtual destination
TCP 14:52 ESTABLISHED 192.168.1.228:59864 192.168.1.204:80 192.168.1.224:80
TCP 00:01 CLOSE 192.168.1.228:59863 192.168.1.204:80 192.168.1.224:80
TCP 00:01 CLOSE 192.168.1.228:59861 192.168.1.204:80 192.168.1.224:80
TCP 00:02 CLOSE 192.168.1.228:59862 192.168.1.204:80 192.168.1.229:80
TCP 14:52 ESTABLISHED 192.168.1.228:59865 192.168.1.204:80 192.168.1.229:80
[root@localhost ~]# ipvsadm -ln --rate
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port CPS InPPS OutPPS InBPS OutBPS
-> RemoteAddress:Port
TCP 192.168.1.204:80 0 3 0 450 0
-> 192.168.1.224:80 0 1 0 228 0
-> 192.168.1.229:80 0 1 0 222 0
[root@localhost ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.204:http wlc
-> 192.168.1.224:http Tunnel 1 1 1
-> 192.168.1.229:http Tunnel 1 1 1
I had wanted to open up the firewall on the real servers for the tunnel, but it still ended in failure. This is what I did:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

# iptables -vnL
Chain INPUT (policy DROP 318 packets, 37640 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 127.0.0.1
114 8928 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
Chain OUTPUT (policy ACCEPT 1 packets, 108 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
96 13576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_allowed (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
After testing, there was still a problem:

# ipvsadm -lcn
IPVS connection entries
pro expire state source virtual destination
TCP 00:32 SYN_RECV 192.168.1.228:60069 192.168.1.204:80 192.168.1.229:80
TCP 14:48 ESTABLISHED 192.168.1.228:60070 192.168.1.204:80 192.168.1.224:80
TCP 00:32 SYN_RECV 192.168.1.228:60068 192.168.1.204:80 192.168.1.229:80
TCP 00:53 SYN_RECV 192.168.1.228:60077 192.168.1.204:80 192.168.1.229:80
TCP 00:32 SYN_RECV 192.168.1.228:60066 192.168.1.204:80 192.168.1.229:80
TCP 00:32 SYN_RECV 192.168.1.228:60067 192.168.1.204:80 192.168.1.229:80
TCP 01:25 FIN_WAIT 192.168.1.228:60065 192.168.1.204:80 192.168.1.224:80
TCP 00:32 SYN_RECV 192.168.1.228:60064 192.168.1.204:80 192.168.1.229:80

State: every SYN_RECV entry is an unsuccessful connection; this needs further investigation!
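The connection table is a usable health signal on its own: a real server whose entries never get past SYN_RECV received the director's tunnelled SYN but never completed the handshake, which is exactly what the listing above shows for 192.168.1.229 while 192.168.1.224 keeps serving. The following added Python script (not from the original post) parses `ipvsadm -lcn` output and flags such real servers; both listings from this post are embedded as constants so it runs offline, and the function names and the threshold are assumptions of this example.

```python
"""
Half-open connection check over `ipvsadm -lcn` output (added example, not from the
original post).  State names are the ones ipvsadm prints.
"""
from collections import Counter, defaultdict

# first listing from the post: firewall off, both real servers answering
SAMPLE_OK = """\
IPVS connection entries
pro expire state source virtual destination
TCP 14:52 ESTABLISHED 192.168.1.228:59864 192.168.1.204:80 192.168.1.224:80
TCP 00:01 CLOSE 192.168.1.228:59863 192.168.1.204:80 192.168.1.224:80
TCP 00:01 CLOSE 192.168.1.228:59861 192.168.1.204:80 192.168.1.224:80
TCP 00:02 CLOSE 192.168.1.228:59862 192.168.1.204:80 192.168.1.229:80
TCP 14:52 ESTABLISHED 192.168.1.228:59865 192.168.1.204:80 192.168.1.229:80
"""

# second listing from the post: real server 192.168.1.229 behind the DROP-policy firewall
SAMPLE_BAD = """\
IPVS connection entries
pro expire state source virtual destination
TCP 00:32 SYN_RECV 192.168.1.228:60069 192.168.1.204:80 192.168.1.229:80
TCP 14:48 ESTABLISHED 192.168.1.228:60070 192.168.1.204:80 192.168.1.224:80
TCP 00:32 SYN_RECV 192.168.1.228:60068 192.168.1.204:80 192.168.1.229:80
TCP 00:53 SYN_RECV 192.168.1.228:60077 192.168.1.204:80 192.168.1.229:80
TCP 00:32 SYN_RECV 192.168.1.228:60066 192.168.1.204:80 192.168.1.229:80
TCP 00:32 SYN_RECV 192.168.1.228:60067 192.168.1.204:80 192.168.1.229:80
TCP 01:25 FIN_WAIT 192.168.1.228:60065 192.168.1.204:80 192.168.1.224:80
TCP 00:32 SYN_RECV 192.168.1.228:60064 192.168.1.204:80 192.168.1.229:80
"""

# any of these states proves the real server answered at least once
COMPLETED_STATES = {"ESTABLISHED", "FIN_WAIT", "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK"}


def parse_connections(text):
    """Return one dict per connection entry; the two header lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] not in ("TCP", "UDP", "SCTP"):
            continue
        proto, expire, state, source, virtual, dest = parts
        entries.append({"proto": proto, "expire": expire, "state": state,
                        "source": source, "virtual": virtual,
                        "real_server": dest.rsplit(":", 1)[0]})
    return entries


def states_per_real_server(entries):
    """Map real server address -> Counter of connection states."""
    per_rs = defaultdict(Counter)
    for e in entries:
        per_rs[e["real_server"]][e["state"]] += 1
    return per_rs


def suspect_real_servers(entries, min_half_open=3):
    """Real servers with at least min_half_open SYN_RECV entries and not a single
    connection that ever reached a completed state."""
    suspects = []
    for rs, counts in states_per_real_server(entries).items():
        if counts["SYN_RECV"] >= min_half_open and not any(counts[s] for s in COMPLETED_STATES):
            suspects.append(rs)
    return sorted(suspects)


if __name__ == "__main__":
    for label, sample in (("firewall off", SAMPLE_OK), ("firewall on", SAMPLE_BAD)):
        entries = parse_connections(sample)
        print(label, dict(states_per_real_server(entries)))
        print("  suspect real servers:", suspect_real_servers(entries) or "none")
```

Half-open entries only say that the SYN never produced a reply, not where it was lost; pairing this with the real server's `iptables -vnL` counters (dropped packets on the INPUT policy versus hits on the tunnel rule) narrows that down.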
Unless otherwise noted, articles on 鸡啄米 are original.