IP Tunneling 基础案例错误日志

特长腿特长2026-04-21 13:06

主机规划

主机角色 ip
rs1 RIP:192.168.122.7 tunl0: 192.168.122.100
rs2 RIP:192.168.122.17 tunl0:192.168.122.100
client IP: 192.168.197.100
lvs DIP: 192.168.122.8 VIP: 192.168.122.100
router enp1s0: 192.168.122.200 enp7s0:192.168.197.200

内核参数修改

1. rs1 和 rs2 的内核参数修改

shell 复制代码 
[root@rs1 ~]# vim /etc/sysctl.conf
...
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.tunl0.rp_filter=0
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.tunl0.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.tunl0.arp_announce=2

[root@rs2 ~]# vim /etc/sysctl.conf
...
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.tunl0.rp_filter=0
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.tunl0.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.tunl0.arp_announce=2

使上面的配置生效

shell 复制代码 
sysctl -p

启用内核的ipip功能

shell 复制代码 
modprobe ipip
lsmod | grep ipip

2. 启用router直连路由功能.

shell 复制代码 
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf 
sysctl -p

3. 启用lvs的ipip功能。

shell 复制代码 
lsmod | grep ipip
modprobe ipip
lsmod | grep ipip

lvs 主机配置

shell 复制代码 
ipvsadm-save /etc/sysconfig/ipvsadm
ipvsadm -A -t 192.168.122.100:80 -s rr
ipvsadm -a -t 192.168.122.100:80 -r 192.168.122.7:80 -i
ipvsadm -a -t 192.168.122.100:80 -r 192.168.122.17:80 -i

ipvsadm -Ln

rs1 和 rs2 的配置

两台rs都配置了nginx服务并启动。

全局配置

  1. 所有的主机都已经关闭了防火墙
  2. 所有主机的selinux 都是permission模式。

异常描述

  1. client主机 curl 192.168.122.100 时报出错误:
shell 复制代码 
curl: (7) Failed to connect to 192.168.122.100 port 80: 拒绝连接
  1. lvs 查看ipvsadm -Ln时,发现字段ActiveConn的数字会因为客户端的请求轮询的增加
shell 复制代码 
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.122.100:80 rr
  -> 192.168.122.7:80             Tunnel  1      1          0         
  -> 192.168.122.17:80            Tunnel  1      1          0         
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.122.100:80 rr
  -> 192.168.122.7:80             Tunnel  1      2          0         
  -> 192.168.122.17:80            Tunnel  1      1          0

从这里可以判断出流量从客户端到rs时,路线是没有问题的,问题是在流量返回时。

问题排查

网络连通性检查

shell 复制代码 
[root@client ~]# curl 192.168.122.17
nginxrs2 192.168.122.17 
[root@client ~]# curl 192.168.122.7
nginxrs1 192.168.122.7 
[root@client ~]# curl 192.168.122.100
curl: (7) Failed to connect to 192.168.122.100 port 80: 拒绝连接

三层网络是没有问题的。

检查内核的信息

shell 复制代码 
[root@nginxrs1 ~]# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
# 然后再验证一下
sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.enp1s0.arp_filter = 0
net.ipv4.conf.enp1s0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tunl0.arp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 0

[root@nginxrs2 ~]# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
# 然后再验证一下
sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.enp1s0.arp_filter = 0
net.ipv4.conf.enp1s0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tunl0.arp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 0

检查nginx到底在监听什么?

shell 复制代码 
[root@nginxrs2 ~]# ss -ntlp | grep :80
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=914,fd=6),("nginx",pid=913,fd=6),("nginx",pid=912,fd=6))
LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=914,fd=7),("nginx",pid=913,fd=7),("nginx",pid=912,fd=7))

[root@nginxrs1 ~]# ss -ntlp | grep :80
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=931,fd=6),("nginx",pid=930,fd=6),("nginx",pid=929,fd=6))
LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=931,fd=7),("nginx",pid=930,fd=7),("nginx",pid=929,fd=7))

检查rs的tunl0网卡

shell 复制代码 
[root@nginxrs2 ~]# ip addr show 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:d9:4a:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.17/24 brd 192.168.122.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fed9:4ae0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 192.168.122.100/32 scope global tunl0
       valid_lft forever preferred_lft forever
[root@nginxrs1 ~]# ip addr show 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:e8:1a:c6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.7/24 brd 192.168.122.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fee8:1ac6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 192.168.122.100/32 scope global tunl0
       valid_lft forever preferred_lft forever

定位问题:

shell 复制代码 
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 192.168.122.100/32 scope global tunl0
       valid_lft forever preferred_lft forever

tunlo网卡的状态是DOWN ,这意味着虽然包到了rs但是解包到三层网络层时,linux发现请求包的目的ip在tunlo网卡上,但是tunlo网卡的状态时down,于是就直接丢包了。

shell 复制代码 
p link set tunl0 up

client上进行测试

shell 复制代码 
[root@client ~]# curl 192.168.122.100
curl: (7) Failed to connect to 192.168.122.100 port 80: 拒绝连接
[root@client ~]# curl 192.168.122.100
curl: (7) Failed to connect to 192.168.122.100 port 80: 拒绝连接
[root@client ~]# curl 192.168.122.100
nginxrs2 192.168.122.17 
[root@client ~]# curl 192.168.122.100
nginxrs1 192.168.122.7 
[root@client ~]# curl 192.168.122.100
nginxrs2 192.168.122.17 
[root@client ~]# curl 192.168.122.100
nginxrs1 192.168.122.7 
[root@client ~]# curl 192.168.122.100
nginxrs2 192.168.122.17 
[root@client ~]# curl 192.168.122.100
nginxrs1 192.168.122.7 
[root@client ~]# curl 192.168.122.100
nginxrs2 192.168.122.17 
[root@client ~]# curl 192.168.122.100
nginxrs1 192.168.122.7
相关推荐
段一凡-华北理工大学16 小时前
2026 高炉炼铁智能化技术全景与演进路径~系列文章11:演进路径与行业未来
大数据·网络·人工智能·算法·工业智能体·高炉炼铁智能化
leoFY12318 小时前
STM32H750配置LAN PHY芯片LAN8742
网络·stm32·嵌入式硬件
阿部多瑞 ABU19 小时前
AI红队攻防演化史(2023-2026):从虚拟角色到RLHF劫持——所有攻击方法全景总结与最新趋势分析
网络·人工智能·安全
博客-小覃19 小时前
Zabbix之华为交换机的日志记录信息操作详细教程
服务器·网络·华为·zabbix
stolentime19 小时前
FreeDomain 本地开发环境快速搭建指南
运维·服务器·网络
ytdbc20 小时前
OSPF综合实验
网络
kaisun6421 小时前
Docker 构建网络问题排查
网络·docker·eureka
雪度娃娃21 小时前
存储器层次结构——磁盘硬盘存储
服务器·网络·数据库·计算机组成原理
YUANQIANG20241 天前
通信领域进行蒙特卡洛仿真的思路和步骤
网络
eam0511231 天前
OSPF综合实验
网络
热门推荐
01GitHub 镜像站点02【AI】2026 年具身智能模型和世界模型总结03【踩坑记录 | 第一篇】微软商店无法使用时,如何手动安装 OpenAI Codex?附`.msix`文件系统错误解决方法042026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf05Codex 接入 DeepSeek API 完整配置文档06裂开!ChatGPT 居然开始要手机号验证,附详细解决方法07DeepSeek V4 + Claude Code thinking mode 400 错误修复方案08CC-Switch & Claude 基于 Linux 服务器安装使用指南09几个好用的ip纯净度检测网站10API Key 登录 Codex 也能用插件了,还支持会话删除和导出