TUN configuration

1. On the server side, add the tunnel on server1, server2 and server3 (all three need it: packets between the virtual server and the real servers travel directly through the tunnel)

[root@server1 ~]# modprobe ipip
[root@server1 ~]# ip link set up tunl0    # bring the tunnel interface up on all three servers
[root@server1 ~]# ip addr add 172.25.254.100/24 dev tunl0    # on server1, 2 and 3, add the externally exposed VIP on the tunnel interface
[root@server1 ~]# ipvsadm -C    # on server1 (the director), clear the old rules before adding the new ones
[root@server1 ~]# ipvsadm -A -t 172.25.254.100:80 -s rr
[root@server1 ~]# ipvsadm -a -t 172.25.254.100:80 -r 172.25.254.2:80 -i
[root@server1 ~]# ipvsadm -a -t 172.25.254.100:80 -r 172.25.254.3:80 -i
[root@server1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:http rr
  -> server2:http                 Tunnel  1      0          0         
  -> server3:http                 Tunnel  1      0          0

2. On server2 and server3, start arptables_jf and add a DROP rule; on server2 and server3 also change the rp_filter parameter

[root@server2 ~]# modprobe ipip
[root@server2 ~]# ip link set up tunl0
[root@server2 ~]# ip addr add 172.25.254.100/24 dev tunl0
[root@server2 ~]# /etc/init.d/arptables_jf start
Starting arptables_jf                                      [  OK  ]
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying arptables firewall rules:                         [  OK  ]
[root@server2 ~]# arptables -A IN -d 172.25.254.100 -j DROP

server3
[root@server3 ~]# modprobe ipip
[root@server3 ~]# ip link set up tunl0
[root@server3 ~]# ip addr add 172.25.254.100/24 dev tunl0
[root@server3 ~]# /etc/init.d/arptables_jf start
Starting arptables_jf                                      [  OK  ]
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying arptables firewall rules:                         [  OK  ]
[root@server3 ~]# arptables -A IN -d 172.25.254.100 -j DROP
[root@server3 ~]# sysctl -w net.ipv4.conf.tunl0.rp_filter=0
net.ipv4.conf.tunl0.rp_filter = 0
[root@server3 ~]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 172.25.254.3 for ServerName
                                                           [  OK  ]
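The two steps above collected into one role-based script, as an added example that is not part of the original post. It assumes the post's VIP, port and real-server addresses as defaults (all overridable through environment variables), and a hypothetical DRY_RUN switch that, by default, prints each command instead of executing it, so the script can be read through on any host; run it with DRY_RUN=0 as root on the target machine to apply the commands for real.

```sh
#!/bin/sh
# Added example, not from the original post: LVS-TUN director and
# real-server setup from the two steps above, selected by ROLE.
# Assumptions: VIP/port/real-server defaults come from the post; DRY_RUN=1
# (the default) prints commands instead of running them.

VIP="${VIP:-172.25.254.100}"
VIP_PREFIX="${VIP_PREFIX:-24}"   # the post uses /24; /32 is the usual choice on real servers
PORT="${PORT:-80}"
RS_LIST="${RS_LIST:-172.25.254.2 172.25.254.3}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1, common part: load the ipip module, bring tunl0 up, put the VIP on it.
tunnel_common() {
    run modprobe ipip
    run ip link set up tunl0
    run ip addr add "$VIP/$VIP_PREFIX" dev tunl0
}

# Step 1, director only: flush the old IPVS rules, create the virtual service
# with round-robin scheduling and add each real server in tunnel mode (-i),
# so the director encapsulates client packets in IPIP towards the real server.
director_setup() {
    tunnel_common
    run ipvsadm -C
    run ipvsadm -A -t "$VIP:$PORT" -s rr
    for rs in $RS_LIST; do
        run ipvsadm -a -t "$VIP:$PORT" -r "$rs:$PORT" -i
    done
}

# Step 2, real servers: drop ARP requests for the VIP so the real server never
# answers for it on the LAN (only the director may), disable reverse-path
# filtering on tunl0 (decapsulated packets carry the client's source address,
# whose return route is not via tunl0, so rp_filter=1 would discard them),
# then start the web server that serves the VIP.
realserver_setup() {
    tunnel_common
    run /etc/init.d/arptables_jf start
    run arptables -A IN -d "$VIP" -j DROP
    run sysctl -w net.ipv4.conf.tunl0.rp_filter=0
    run /etc/init.d/httpd start
}

# Usage: ROLE=director sh lvs-tun.sh    or    ROLE=realserver sh lvs-tun.sh
case "${ROLE:-}" in
    director)   director_setup ;;
    realserver) realserver_setup ;;
    *)          echo "set ROLE=director or ROLE=realserver" >&2 ;;
esac
```

The VIP_PREFIX default mirrors the post's /24, but note that `ip addr add` with /24 on tunl0 also installs a connected route for the whole 172.25.254.0/24 subnet through the tunnel interface, alongside the one the real server already has on its LAN interface; assigning the VIP as /32 on the real servers avoids that ambiguity.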

Test:

[[email protected] ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[[email protected] ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>
[[email protected] ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[[email protected] ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>
[[email protected] ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[[email protected] ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>

[root@server1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:http rr
  -> server2:http                 Route   1      0          4         
  -> server3:http                 Route   1      0          3
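Two checks a practitioner would run against the test output above, added here as an example that is not part of the original post. The final `ipvsadm -l` listing above shows Route in the Forward column even though the real servers were added with `-i`, which should display Tunnel; the first function reads an `ipvsadm -l` or `ipvsadm -Ln` listing on stdin and fails if any real server is not in the expected forwarding mode. The second counts how many distinct backends answered in a curl transcript, which with two real servers and the rr scheduler should be 2. The listings and curl log embedded below are constructed samples modelled on the post's output, not captured from a live system.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for an LVS-TUN
# setup, run against ipvsadm listings and a curl round-robin transcript.

# Exit 0 if every real-server row ("-> addr:port Forward ...") in the listing
# on stdin uses the forwarding method given as $1, otherwise print the
# offenders and exit 1. The column-header row is skipped.
check_forward_method() {
    awk -v want="$1" '
        BEGIN { bad = 0 }
        $1 == "->" && $2 != "RemoteAddress:Port" && $3 != want {
            bad = 1
            print "real server " $2 " uses " $3 ", expected " want
        }
        END { exit bad }'
}

# Count distinct "<h1>...</h1>" bodies in a curl transcript on stdin.
count_backends() {
    sed -n 's/.*\(<h1>[^<]*<\/h1>\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Constructed sample: real servers added with -i (tunnel mode).
LISTING_TUNNEL='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:80 rr
  -> 172.25.254.2:80              Tunnel  1      0          0
  -> 172.25.254.3:80              Tunnel  1      0          0'

# Constructed sample: the same service, but with Route in the Forward
# column, as in the last listing of the post.
LISTING_ROUTE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:80 rr
  -> 172.25.254.2:80              Route   1      0          4
  -> 172.25.254.3:80              Route   1      0          3'

# Constructed sample: responses from a client's repeated curl to the VIP.
CURL_LOG='<h1>bbs.westos.org-server3</h1>
<h1>www.westos.org-server2</h1>
<h1>bbs.westos.org-server3</h1>
<h1>www.westos.org-server2</h1>'

if printf '%s\n' "$LISTING_TUNNEL" | check_forward_method Tunnel; then
    echo "tunnel listing: all real servers in Tunnel mode"
fi
if ! printf '%s\n' "$LISTING_ROUTE" | check_forward_method Tunnel; then
    echo "route listing: real servers are NOT in Tunnel mode"
fi
echo "distinct backends in curl log: $(printf '%s\n' "$CURL_LOG" | count_backends)"
```

To run the first check against the live director, pipe the real listing in: `ipvsadm -Ln | check_forward_method Tunnel`.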