A GRE tunnel is an IP-over-IP tunnel: it lets network-layer packets be encapsulated and carried across another IP network, with the tunnel virtual device at each end encapsulating and decapsulating the packets respectively.
Below, a tunnel is created between two virtual machines so that they can communicate; both VMs' network adapters are set to Host-Only.
First, Linux on both VMs needs to load the kernel module, ip_gre:
    lihui@2015:~$ lsmod | grep gre
    gre                    13796  1 openvswitch
    lihui@2015:~$ modprobe ip_gre
    modprobe: ERROR: could not insert 'ip_gre': Operation not permitted
    lihui@2015:~$ sudo modprobe ip_gre
    lihui@2015:~$ lsmod | grep gre
    ip_gre                 18245  0
    ip_tunnel              23809  1 ip_gre
    gre                    13796  2 ip_gre,openvswitch

    lihui@Debian8:~$ lsmod | grep gre
    gre                    12777  1 openvswitch
    lihui@Debian8:~$ modprobe ip_gre
    -bash: modprobe: command not found
    lihui@Debian8:~$ sudo modprobe ip_gre
    [sudo] password for lihui:
    lihui@Debian8:~$ lsmod | grep gre
    ip_gre                 17563  0
    ip_tunnel              21463  1 ip_gre
    gre                    12777  2 ip_gre,openvswitch
Create two virtual network interfaces on each of the two VMs:
    lihui@2015:~$ sudo ifconfig eth0:0 1.1.1.1/24 up
    lihui@2015:~$ sudo ifconfig eth0:1 2.2.2.2/24 up

    lihui@Debian8:~$ sudo ifconfig eth0:0 1.1.1.2/24 up
    lihui@Debian8:~$ sudo ifconfig eth0:1 3.3.3.3/24 up
At this point 1.1.1.1 and 1.1.1.2 can communicate, but 2.2.2.2 and 3.3.3.3 (on different subnets) cannot. Below, an IP tunnel is used to connect them.
First create the tunnel on lihui@2015:
    lihui@2015:~$ sudo ip tunnel add tun0 mode gre remote 1.1.1.2 local 1.1.1.1 ttl 255
    lihui@2015:~$ sudo ip link set tun0 up
    lihui@2015:~$ sudo ip addr add 2.2.2.2 peer 3.3.3.3 dev tun0
Then on lihui@Debian8:
    lihui@Debian8:~$ sudo ip tunnel add tun0 mode gre remote 1.1.1.1 local 1.1.1.2 ttl 255
    lihui@Debian8:~$ sudo ip link set tun0 up
    lihui@Debian8:~$ sudo ip addr add 3.3.3.3 peer 2.2.2.2 dev tun0
The steps are the same on both sides: a tunnel device tun0 is created, and the tunnel packets originate from the 1.1.1.x addresses. My understanding is that the traffic between the two IPs that need to communicate gets wrapped in an additional IP layer that can already communicate, and is then carried through the GRE tunnel; this can also be seen from the packet details at the end.
Ping from one side while capturing on the other:
    lihui@2015:~$ sudo tshark -i eth0:1 -R "ip.src==3.3.3.3"
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'eth0:1'
      1 0.000000 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=232/59392, ttl=64
    1  7 0.999931 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=233/59648, ttl=64
    2 13 1.999847 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=234/59904, ttl=64
    3 21 2.999838 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=235/60160, ttl=64
    4 27 3.999222 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=236/60416, ttl=64
    5 33 4.999192 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=237/60672, ttl=64
    6 37 5.998874 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=238/60928, ttl=64
    7 43 6.999886 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=239/61184, ttl=64
With that, the two sides can communicate. But we're not done yet; let's capture the packets to a file:
    lihui@2015:~$ sudo tcpdump -i eth0:1 -w ping.pcap -vv
    tcpdump: listening on eth0:1, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C28 packets captured
    33 packets received by filter
    0 packets dropped by kernel
    lihui@2015:~$ ls -l ping.pcap
    -rw-r--r-- 1 root root 3456 Jul 25 20:52 ping.pcap
First look at the ICMP packets and their frame numbers:
    lihui@2015:~$ tshark -r ping.pcap | grep ICMP
     7 0.224468 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=410/39425, ttl=64
     8 0.224549 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=410/39425, ttl=64 (request in 7)
    11 1.225024 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=411/39681, ttl=64
    12 1.225109 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=411/39681, ttl=64 (request in 11)
    15 2.224947 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=412/39937, ttl=64
    16 2.224999 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=412/39937, ttl=64 (request in 15)
    19 3.224804 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=413/40193, ttl=64
    20 3.224884 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=413/40193, ttl=64 (request in 19)
    23 4.224324 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=414/40449, ttl=64
    24 4.224418 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=414/40449, ttl=64 (request in 23)
    27 5.224998 3.3.3.3 -> 2.2.2.2 ICMP 122 Echo (ping) request id=0x0726, seq=415/40705, ttl=64
    28 5.225084 2.2.2.2 -> 3.3.3.3 ICMP 122 Echo (ping) reply   id=0x0726, seq=415/40705, ttl=64 (request in 27)
Dissecting packet 7, the two outer protocol layers indeed show that it is carried over GRE:
    lihui@2015:~$ sudo tshark -r ping.pcap frame.number==7 -V > ping.txt
    lihui@2015:~$ cat ping.txt
    Frame 7: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
    ...middle omitted...
    Internet Protocol Version 4, Src: 1.1.1.2 (1.1.1.2), Dst: 1.1.1.1 (1.1.1.1)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 108
        Identification: 0x19cd (6605)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 255
        Protocol: GRE (47)
        Header checksum: 0x5d91 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.1.1.2 (1.1.1.2)
        Destination: 1.1.1.1 (1.1.1.1)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Generic Routing Encapsulation (IP)
        Flags and Version: 0x0000
            0... .... .... .... = Checksum Bit: No
            .0.. .... .... .... = Routing Bit: No
            ..0. .... .... .... = Key Bit: No
            ...0 .... .... .... = Sequence Number Bit: No
            .... 0... .... .... = Strict Source Route Bit: No
            .... .000 .... .... = Recursion control: 0
            .... .... 0000 0... = Flags (Reserved): 0
            .... .... .... .000 = Version: GRE (0)
        Protocol Type: IP (0x0800)
    Internet Protocol Version 4, Src: 3.3.3.3 (3.3.3.3), Dst: 2.2.2.2 (2.2.2.2)
        Version: 4
        Header length: 20 bytes
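As an added example (not code from the original post), here is a small Python decoder that peels the same three layers tshark showed for frame 7: the outer IPv4 header with protocol 47, the GRE header, and the inner IPv4/ICMP headers. It goes a little beyond this tunnel by also handling the optional checksum/key/sequence words of RFC 2784/2890, which the flags 0x0000 above do not set. The sample packet is constructed: the outer header values are taken from the dissection above (and its 0x5d91 checksum verifies), while the inner IP id, ICMP sequence number and payload are made up.

```python
import socket
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; a header with a correct checksum field sums to 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def parse_ipv4(pkt: bytes):
    """Return (header fields, payload); raises if the header checksum does not verify."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
              "proto": pkt[9], "ttl": pkt[8], "id": struct.unpack("!H", pkt[4:6])[0]}
    return fields, pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
def parse_gre(payload: bytes):
    """RFC 2784/2890 GRE: 4-byte base header, then one optional 32-bit word per set C/K/S bit."""
    flags, ptype = struct.unpack("!HH", payload[:4])
    gre, off = {"protocol_type": ptype, "version": flags & 0x7}, 4
    for bit, name in ((0x8000, "checksum"), (0x2000, "key"), (0x1000, "seq")):
        if flags & bit:                                  # checksum word = 16-bit csum + reserved1
            gre[name] = struct.unpack("!I", payload[off:off + 4])[0] >> (16 if name == "checksum" else 0)
            off += 4
    return gre, payload[off:]

def decode_gre_tunnel_packet(pkt: bytes) -> dict:
    """Peel outer IPv4 (proto 47) -> GRE -> inner IPv4 -> ICMP echo header, as tshark showed for frame 7."""
    outer, rest = parse_ipv4(pkt)
    gre, rest = parse_gre(rest)
    if outer["proto"] != 47 or gre["protocol_type"] != 0x0800:
        raise ValueError("not GRE-encapsulated IPv4")
    inner, rest = parse_ipv4(rest)
    result = {"outer": outer, "gre": gre, "inner": inner}
    if inner["proto"] == 1:                              # ICMP echo header: type, code, csum, id, seq
        result["icmp"] = dict(zip(("type", "code", "csum", "id", "seq"), struct.unpack("!BBHHH", rest[:8])))
    return result

def ipv4_header(src, dst, total_len, ident, ttl, proto, csum=0) -> bytes:
    """20-byte IPv4 header with DF set; computes the checksum unless a known value is supplied."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, csum,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr if csum else hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
def build_sample() -> bytes:
    """Constructed packet: outer values (id 0x19cd, TTL 255, csum 0x5d91) from the dissection; rest made up."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0726, 410) + bytes(range(56))   # echo request, 56-byte payload
    inner = ipv4_header("3.3.3.3", "2.2.2.2", 20 + len(icmp), 0x1234, 64, 1)
    outer = ipv4_header("1.1.1.2", "1.1.1.1", 108, 0x19cd, 255, 47, csum=0x5d91)
    return outer + struct.pack("!HH", 0x0000, 0x0800) + inner + icmp
```

For a defender, the useful check is the outer header: GRE traffic is IP protocol 47 regardless of what it carries, so a capture or flow filter on that protocol number finds tunnels whatever the inner addresses are.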