As the topology diagram shows, the company server and the data-center server each have one internal (LAN) IP and one public IP. A GRE tunnel works by binding the two servers' public IPs together: a tunnel, here called tunnel2, is built directly between the two public addresses. To each server, tunnel2 looks like just another network interface that is wired straight to the other end of the tunnel. Keep in mind that GRE only encapsulates: the packets inside are neither encrypted nor authenticated, so whatever crosses the public internet over tunnel2 can be read, and spoofed, by anyone on the path. Restrict GRE (IP protocol 47) to the peer's address in the host firewall, and run IPsec over it if the traffic is sensitive.
Here the tunnel gets its own new address pair out of 172.16.33.0/24: 172.16.33.1 on the data-center side and 172.16.33.2 on the company side.

Configuration in detail

218.188.152.11 (company server):

Enable IP forwarding and load the GRE kernel module (the echo does not survive a reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf for a permanent setting):

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # modprobe ip_gre

Create tunnel2, bound to the public IPs on both ends, and give it its point-to-point address from 172.16.33.0/24:

    # ip tunnel add tunnel2 mode gre local 218.188.152.11 remote 144.22.1.176 ttl 255 dev eth1
    # ip addr add 172.16.33.2 dev tunnel2 peer 172.16.33.1/32
    # ip link set dev tunnel2 up

Add a route to the data-center LAN through the tunnel:

    # ip route add 10.65.3.0/24 dev tunnel2

144.22.1.176 (data-center server):

Enable IP forwarding and load the GRE kernel module:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # modprobe ip_gre

Create tunnel2 with the local/remote addresses swapped, and give it the other tunnel address:

    # ip tunnel add tunnel2 mode gre local 144.22.1.176 remote 218.188.152.11 ttl 255 dev em1
    # ip addr add 172.16.33.1 dev tunnel2 peer 172.16.33.2/32
    # ip link set dev tunnel2 up

Add a route to the company LAN through the tunnel:

    # ip route add 192.168.1.0/24 dev tunnel2

Checking the routes

218.188.152.11:

    # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    172.16.33.1     0.0.0.0         255.255.255.255 UH        0 0          0 tunnel2
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    10.65.3.0       0.0.0.0         255.255.255.0   U         0 0          0 tunnel2
    0.0.0.0         xx.xx.xx.xx     0.0.0.0         UG        0 0          0 eth0

The company server has gained two routes, 172.16.33.1 and 10.65.3.0/24, both pointing out of the GRE tunnel interface; traffic to them reaches the data-center server through the tunnel.

144.22.1.176:

    # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    172.16.33.2     0.0.0.0         255.255.255.255 UH        0 0          0 tunnel2
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 tunnel2
    10.65.3.0       0.0.0.0         255.255.255.0   U         0 0          0 em2
    0.0.0.0         xx.xx.xx.xx     0.0.0.0         UG        0 0          0 em1

The data-center server has gained two routes, 172.16.33.2 and 192.168.1.0/24, both pointing out of the GRE tunnel interface; traffic to them reaches the company server through the tunnel.

Testing connectivity

218.188.152.11:

    # ping 172.16.33.2
    PING 172.16.33.2 (172.16.33.2) 56(84) bytes of data.
    64 bytes from 172.16.33.2: icmp_seq=1 ttl=64 time=0.048 ms
    64 bytes from 172.16.33.2: icmp_seq=2 ttl=64 time=0.059 ms
    --- 172.16.33.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1021ms
    rtt min/avg/max/mdev = 0.048/0.053/0.059/0.009 ms

    # ping 10.65.3.194
    PING 10.65.3.194 (10.65.3.194) 56(84) bytes of data.
    64 bytes from 10.65.3.194: icmp_seq=1 ttl=64 time=7.96 ms
    64 bytes from 10.65.3.194: icmp_seq=2 ttl=64 time=7.63 ms
    --- 10.65.3.194 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1100ms
    rtt min/avg/max/mdev = 7.638/7.799/7.960/0.161 ms

The company server can reach a host on the data-center LAN. Note that 172.16.33.2 is the company server's own tunnel address, which is why the first ping comes back in under 0.1 ms: it never leaves the box. The ping to 10.65.3.194, with its roughly 8 ms RTT, is the one that actually crosses the tunnel; to test the peer's tunnel address from this side, ping 172.16.33.1. For that second ping to be answered, 10.65.3.194 must itself route 172.16.33.0/24 (or its default route) via the data-center server's LAN address, since the replies are addressed to 172.16.33.2; the post does not show that step, and the same applies to hosts on the company LAN.

144.22.1.176:

    # ping 172.16.33.1
    PING 172.16.33.1 (172.16.33.1) 56(84) bytes of data.
    64 bytes from 172.16.33.1: icmp_seq=1 ttl=64 time=0.018 ms
    64 bytes from 172.16.33.1: icmp_seq=2 ttl=64 time=0.016 ms
    --- 172.16.33.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1274ms
    rtt min/avg/max/mdev = 0.016/0.017/0.018/0.001 ms

    # ping 192.168.1.254
    PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
    64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=7.81 ms
    64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=7.97 ms
    --- 192.168.1.254 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1232ms
    rtt min/avg/max/mdev = 7.810/7.894/7.978/0.084 ms

In the other direction, the data-center server can likewise reach a host on the company LAN through the tunnel (again, 172.16.33.1 is its own address; the peer's tunnel address from this side is 172.16.33.2).

Summary

The scenario in this post can of course be solved in more ways than the one shown today; a VPN or an SSH tunnel would do the job as well. In short, nothing is impossible in the hands of ops folks: if we want to go up to the sky, we certainly won't go underground~~~ o(∩_∩)o Haha, what do you think?~~
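The two per-host command sets above differ only in their arguments, which makes them easy to get wrong when typed by hand (the usual slip is swapping local and remote). The script below is an added example, not code from the original post: it wraps the procedure in one function that is run with different arguments on each end, adds the hardening step a practitioner would want (GRE carries no authentication, so IP protocol 47 is accepted only from the peer's public IP; iptables is assumed here), and includes a route check that can be exercised offline against a constructed routing table. The function names, the argument order and the sample routing table are assumptions made for this example; the public addresses, tunnel addresses, LAN prefixes and interface names are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). One function configures either
# end of the GRE tunnel; only the arguments differ per host.
#
# Hypothetical argument order (an assumption of this example):
#   gre_plan LOCAL_PUB REMOTE_PUB LOCAL_TUN PEER_TUN REMOTE_LAN UNDERLAY_DEV
# gre_plan only prints the commands; gre_apply runs them (needs root).
gre_plan() {
    local_pub=$1 remote_pub=$2 local_tun=$3 peer_tun=$4 remote_lan=$5 dev=$6
    cat <<EOF
# same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
modprobe ip_gre
ip tunnel add tunnel2 mode gre local $local_pub remote $remote_pub ttl 255 dev $dev
ip addr add $local_tun dev tunnel2 peer $peer_tun/32
ip link set dev tunnel2 up
ip route add $remote_lan dev tunnel2
# GRE has no authentication: accept protocol 47 only from the peer's public IP.
# (iptables is assumed; translate to nft/firewalld rules if the host uses those.)
iptables -A INPUT -p gre -s $remote_pub -j ACCEPT
iptables -A INPUT -p gre -j DROP
EOF
}

gre_apply() {
    gre_plan "$@" | sh -e
}

# route_via_dev DEST DEV: read `ip route` output on stdin and succeed only if
# DEST is routed out of DEV. DEST is used as a regex, so '.' is permissive;
# that is fine for a sanity check on your own routing table.
route_via_dev() {
    dest=$1 dev=$2
    grep -E "^$dest[[:space:]](.*[[:space:]])?dev[[:space:]]+$dev([[:space:]]|\$)" >/dev/null
}

# gre_verify PEER_TUN REMOTE_LAN: check both tunnel routes, then ping the
# peer's tunnel address (not the local one, which would only prove loopback).
gre_verify() {
    peer_tun=$1 remote_lan=$2
    ip route | route_via_dev "$peer_tun" tunnel2 &&
    ip route | route_via_dev "$remote_lan" tunnel2 &&
    ping -c 2 -W 2 "$peer_tun" >/dev/null
}

# Constructed sample of `ip route` output on the company server, used to
# exercise route_via_dev offline (the default gateway is a documentation address).
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.65.3.0/24 dev tunnel2 scope link
172.16.33.1 dev tunnel2 proto kernel scope link src 172.16.33.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254'

# Offline check against the constructed table (no root needed):
#   printf '%s\n' "$SAMPLE_ROUTES" | route_via_dev 10.65.3.0/24 tunnel2 && echo ok
# Bringing up the company side for real:
#   gre_apply 218.188.152.11 144.22.1.176 172.16.33.2 172.16.33.1 10.65.3.0/24 eth1
#   gre_verify 172.16.33.1 10.65.3.0/24
```

The data-center side is the same call with the public and tunnel addresses swapped and `192.168.1.0/24 em1` as the last two arguments, followed by `gre_verify 172.16.33.2 192.168.1.0/24`. Running `gre_plan` first and reading the output is a cheap way to catch a swapped local/remote pair before anything touches the kernel.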