1. Director side: add the IPIP tunnel on server1, server2 and server3 (all three need it, because the virtual server and the real servers exchange packets directly through the tunnel).
[root@server1 ~]# modprobe ipip
[root@server1 ~]# ip link set up tunl0                          # bring the tunnel up on all three servers
[root@server1 ~]# ip addr add 172.25.254.100/24 dev tunl0       # on server1, 2 and 3: the externally exposed VIP lives on the tunnel
[root@server1 ~]# ipvsadm -C                                    # on the director: flush the old policy before adding the new one
[root@server1 ~]# ipvsadm -A -t 172.25.254.100:80 -s rr
[root@server1 ~]# ipvsadm -a -t 172.25.254.100:80 -r 172.25.254.2:80 -i
[root@server1 ~]# ipvsadm -a -t 172.25.254.100:80 -r 172.25.254.3:80 -i
[root@server1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:http rr
  -> server2:http                 Tunnel  1      0          0
  -> server3:http                 Tunnel  1      0          0
2. Real servers: on server2 and server3 start arptables_jf and add a DROP rule for ARP requests to the VIP, and change the rp_filter parameter on server2 and server3.
server2
[root@server2 ~]# modprobe ipip
[root@server2 ~]# ip link set up tunl0
[root@server2 ~]# ip addr add 172.25.254.100/24 dev tunl0
[root@server2 ~]# /etc/init.d/arptables_jf start
Starting arptables_jf                                      [  OK  ]
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying arptables firewall rules:                         [  OK  ]
[root@server2 ~]# arptables -A IN -d 172.25.254.100 -j DROP
server3
[root@server3 ~]# modprobe ipip
[root@server3 ~]# ip link set up tunl0
[root@server3 ~]# ip addr add 172.25.254.100/24 dev tunl0
[root@server3 ~]# /etc/init.d/arptables_jf start
Starting arptables_jf                                      [  OK  ]
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying arptables firewall rules:                         [  OK  ]
[root@server3 ~]# arptables -A IN -d 172.25.254.100 -j DROP
[root@server3 ~]# sysctl -w net.ipv4.conf.tunl0.rp_filter=0
net.ipv4.conf.tunl0.rp_filter = 0
[root@server3 ~]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 172.25.254.3 for ServerName
                                                           [  OK  ]
Test (run from a client outside the cluster):
[root@client ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[root@client ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>
[root@client ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[root@client ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>
[root@client ~]# curl 172.25.254.100
<h1>bbs.westos.org-server3</h1>
[root@client ~]# curl 172.25.254.100
<h1>www.westos.org-server2</h1>
[root@server1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:http rr
  -> server2:http                 Route   1      0          4
  -> server3:http                 Route   1      0          3
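The two things that most often break an LVS-TUN deployment are real servers added with the wrong forwarding method (note that the final ipvsadm -l listing above reports Route rather than Tunnel) and rp_filter left at its default on tunl0, which makes the kernel silently drop VIP packets arriving through the tunnel because the reverse route to the client leaves through the real server's normal interface. The script below is an added example, not part of the original post: it parses a constructed ipvsadm -l sample (embedded inline) and checks the Forward column, and checks the rp_filter value for an interface, optionally against a constructed sysctl directory instead of /proc/sys so it runs on any machine. The function names, the sample output and the fake sysctl tree are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment checks for LVS-TUN.
# (1) every real server in `ipvsadm -l` output must be forwarded via Tunnel (-i)
# (2) net.ipv4.conf.tunl0.rp_filter must be 0 on each real server

# Constructed sample of `ipvsadm -l` output, modelled on the post: one real
# server was (wrongly) added with -g (Route) instead of -i (Tunnel).
SAMPLE_IPVSADM='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:http rr
  -> server2:http                 Tunnel  1      0          0
  -> server3:http                 Route   1      0          3'

# count_wrong_forward OUTPUT EXPECTED
# Prints how many real-server lines use a Forward method other than EXPECTED.
# The column header also starts with "->", so it is skipped by its second field.
count_wrong_forward() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "->" && $2 != "RemoteAddress:Port" && $3 != want { n++ }
        END { print n + 0 }'
}

# list_wrong_forward OUTPUT EXPECTED
# Prints each offending real-server entry as "host:port method".
list_wrong_forward() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "->" && $2 != "RemoteAddress:Port" && $3 != want { print $2, $3 }'
}

# rp_filter_ok IFACE [SYSCTL_ROOT]
# Succeeds when net.ipv4.conf.IFACE.rp_filter is 0. With rp_filter=1 the kernel
# drops packets that arrive on tunl0 for the VIP, because the route back to the
# client points out of the real server's regular interface, not tunl0.
# SYSCTL_ROOT defaults to /proc/sys; pass a directory to test against a fake tree.
rp_filter_ok() {
    f="${2:-/proc/sys}/net/ipv4/conf/$1/rp_filter"
    [ -r "$f" ] || return 2          # interface or sysctl not present
    [ "$(cat "$f")" = "0" ]
}

# Demo: build a constructed sysctl tree so the check runs on any machine.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net/ipv4/conf/tunl0"
    echo 0 > "$tmp/net/ipv4/conf/tunl0/rp_filter"
    if rp_filter_ok tunl0 "$tmp"; then echo "rp_filter on tunl0: ok"; fi
    n=$(count_wrong_forward "$SAMPLE_IPVSADM" Tunnel)
    echo "real servers not using Tunnel: $n"
    list_wrong_forward "$SAMPLE_IPVSADM" Tunnel
    rm -rf "$tmp"
}

demo
```

On a live director replace the sample with `"$(ipvsadm -l)"`, and on a real server call `rp_filter_ok tunl0` with no second argument to read the real /proc/sys tree; a return code of 2 means tunl0 has not been created yet, which is a different failure from rp_filter being 1.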