Linux GRE tunnels

A GRE tunnel is an IP-over-IP tunnel: it lets encapsulated network-layer packets be carried across an intermediate network. The tunnel virtual device at each end encapsulates the packets on the way in and decapsulates them on the way out.

Below, a tunnel is created between two virtual machines; the network of both VMs is set to Host-Only.

First, Linux on both VMs needs to load the kernel module, ip_gre:

lihui@2015:~$ lsmod | grep gre
gre                    13796  1 openvswitch
lihui@2015:~$ modprobe ip_gre
modprobe: ERROR: could not insert 'ip_gre': Operation not permitted
lihui@2015:~$ sudo modprobe ip_gre
lihui@2015:~$ lsmod | grep gre
ip_gre                 18245  0
ip_tunnel              23809  1 ip_gre
gre                    13796  2 ip_gre,openvswitch

lihui@Debian8:~$ lsmod | grep gre
gre                    12777  1 openvswitch
lihui@Debian8:~$ modprobe ip_gre
-bash: modprobe: command not found
lihui@Debian8:~$ sudo modprobe ip_gre
[sudo] password for lihui:
lihui@Debian8:~$ lsmod | grep gre
ip_gre                 17563  0
ip_tunnel              21463  1 ip_gre
gre                    12777  2 ip_gre,openvswitch


On each of the two VMs, create two virtual NICs:

lihui@2015:~$ sudo ifconfig eth0:0 1.1.1.1/24 up
lihui@2015:~$ sudo ifconfig eth0:1 2.2.2.2/24 up

lihui@Debian8:~$ sudo ifconfig eth0:0 1.1.1.2/24 up
lihui@Debian8:~$ sudo ifconfig eth0:1 3.3.3.3/24 up


At this point 1.1.1.1 and 1.1.1.2 can communicate, but 2.2.2.2 and 3.3.3.3 cannot; the IP tunnel below makes that possible.

First create the tunnel on lihui@2015:

lihui@2015:~$ sudo ip tunnel add tun0 mode gre remote 1.1.1.2 local 1.1.1.1 ttl 255
lihui@2015:~$ sudo ip link set tun0 up
lihui@2015:~$ sudo ip addr add 2.2.2.2 peer 3.3.3.3 dev tun0

Then on lihui@Debian8:

lihui@Debian8:~$ sudo ip tunnel add tun0 mode gre remote 1.1.1.1 local 1.1.1.2 ttl 255
lihui@Debian8:~$ sudo ip link set tun0 up
lihui@Debian8:~$ sudo ip addr add 3.3.3.3 peer 2.2.2.2 dev tun0

The steps are the same on both sides: create a tunnel device tun0, with the tunnel packets originating from 1.1.1.X. My understanding is that the two IPs that need to communicate each get wrapped in an IP layer that can communicate, and the result is then transported over the GRE tunnel; this can also be seen from the packet information at the end.


Ping from one side while capturing packets on the other:

lihui@2015:~$ sudo tshark -i eth0:1 -R "ip.src==3.3.3.3"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0:1'
1       0.000000      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=232/59392, ttl=64
1   7   0.999931      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=233/59648, ttl=64
2  13   1.999847      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=234/59904, ttl=64
3  21   2.999838      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=235/60160, ttl=64
4  27   3.999222      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=236/60416, ttl=64
5  33   4.999192      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=237/60672, ttl=64
6  37   5.998874      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=238/60928, ttl=64
7  43   6.999886      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=239/61184, ttl=64

With that, the two sides can communicate. But we are not done yet; capture some packets:

lihui@2015:~$ sudo tcpdump -i eth0:1 -w ping.pcap -vv
tcpdump: listening on eth0:1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C28 packets captured
33 packets received by filter
0 packets dropped by kernel

lihui@2015:~$ ls -l ping.pcap
-rw-r--r-- 1 root root 3456 Jul 25 20:52 ping.pcap

First look at the ICMP packet sequence numbers:

lihui@2015:~$ tshark -r ping.pcap | grep ICMP
  7   0.224468      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=410/39425, ttl=64
  8   0.224549      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=410/39425, ttl=64 (request in 7)
 11   1.225024      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=411/39681, ttl=64
 12   1.225109      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=411/39681, ttl=64 (request in 11)
 15   2.224947      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=412/39937, ttl=64
 16   2.224999      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=412/39937, ttl=64 (request in 15)
 19   3.224804      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=413/40193, ttl=64
 20   3.224884      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=413/40193, ttl=64 (request in 19)
 23   4.224324      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=414/40449, ttl=64
 24   4.224418      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=414/40449, ttl=64 (request in 23)
 27   5.224998      3.3.3.3 -> 2.2.2.2      ICMP 122 Echo (ping) request  id=0x0726, seq=415/40705, ttl=64
 28   5.225084      2.2.2.2 -> 3.3.3.3      ICMP 122 Echo (ping) reply    id=0x0726, seq=415/40705, ttl=64 (request in 27)

Dissect packet 7: from the first two protocol layers you can indeed see that it is transported over GRE.

lihui@2015:~$ sudo tshark -r ping.pcap frame.number==7 -V > ping.txt

lihui@2015:~$ cat ping.txt
Frame 7: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
(middle part omitted ......)
Internet Protocol Version 4, Src: 1.1.1.2 (1.1.1.2), Dst: 1.1.1.1 (1.1.1.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 108
    Identification: 0x19cd (6605)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: GRE (47)
    Header checksum: 0x5d91 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 1.1.1.2 (1.1.1.2)
    Destination: 1.1.1.1 (1.1.1.1)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Generic Routing Encapsulation (IP)
    Flags and Version: 0x0000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...0 .... .... .... = Sequence Number Bit: No
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: 3.3.3.3 (3.3.3.3), Dst: 2.2.2.2 (2.2.2.2)
    Version: 4
    Header length: 20 bytes
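The encapsulation that the two `ip tunnel add` commands set up, and the layering that tshark shows in frame 7 (outer IPv4 with protocol 47, a 4-byte GRE header with all flags clear and protocol type 0x0800, then the inner IPv4 and ICMP), can be reproduced byte for byte. The following is an added example and not code from the post: it rebuilds frame 7 from the values in the dissection above (addresses, TTLs, outer IP identification 0x19cd, ICMP id 0x0726 and sequence 410) using constructed MAC addresses, a constructed inner IP identification and a constructed 56-byte ping payload, then dissects it the way `tshark -V` does. It goes slightly beyond the capture on this page by also parsing the optional GRE key and sequence words that a keyed tunnel (`ip tunnel add ... key N`) inserts. The outer IPv4 header checksum it computes comes out as 0x5d91, the value tshark reports.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_GRE = 47   # the "Protocol: GRE (47)" shown in the outer IP header above

# Flag bits of the first GRE word (RFC 2784 base header; key/sequence from RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ident, ttl, df=False):
    """20-byte IPv4 header (no options) with its header checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         0x4000 if df else 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:] + payload

def build_icmp_echo(ident, seq, payload):
    """ICMP type 8 (echo request) with its checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[4:] + payload

def build_gre(inner, proto=ETHERTYPE_IPV4, key=None, seq=None):
    """Base 4-byte GRE header, plus optional key / sequence words when given."""
    flags, extra = 0, b""
    if key is not None:
        flags, extra = flags | GRE_FLAG_KEY, extra + struct.pack("!I", key)
    if seq is not None:
        flags, extra = flags | GRE_FLAG_SEQUENCE, extra + struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + extra + inner

def parse_ipv4(data):
    """Return (header fields, payload) for the IPv4 packet starting at data[0]."""
    (_vi, _tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (data[0] & 0x0F) * 4
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "ttl": ttl, "proto": proto, "id": ident, "total_length": total_len,
              "df": bool(flags_frag & 0x4000), "checksum": csum,
              "checksum_ok": inet_checksum(data[:ihl]) == 0}
    return fields, data[ihl:total_len]

def parse_gre(data):
    """Return (GRE fields, encapsulated payload); honours the C, K and S flags."""
    flags, proto = struct.unpack("!HH", data[:4])
    gre, off = {"flags": flags, "proto": proto, "key": None, "seq": None}, 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                 # 16-bit checksum + 16-bit reserved1
    if flags & GRE_FLAG_KEY:
        gre["key"], off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_SEQUENCE:
        gre["seq"], off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    return gre, data[off:]

def parse_icmp(data):
    """Echo header fields; checksum_ok verifies header + payload together."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(data) == 0}

def dissect_frame(frame):
    """Ethernet -> outer IPv4 -> GRE -> inner IPv4 -> ICMP, like `tshark -V`."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    outer, payload = parse_ipv4(frame[14:])
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre, payload = parse_gre(payload)
    if gre["proto"] != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    inner, payload = parse_ipv4(payload)
    icmp = parse_icmp(payload) if inner["proto"] == IPPROTO_ICMP else None
    return {"outer": outer, "gre": gre, "inner": inner, "icmp": icmp}

def sample_frame():
    """Rebuild frame 7 from the post. Addresses, TTLs, outer IP id 0x19cd and the
    ICMP id/seq are from the tshark output; MACs, inner IP id, payload are constructed."""
    icmp = build_icmp_echo(0x0726, 410, bytes(range(56)))
    inner = build_ipv4("3.3.3.3", "2.2.2.2", IPPROTO_ICMP, icmp, ident=0x1234, ttl=64)
    outer = build_ipv4("1.1.1.2", "1.1.1.1", IPPROTO_GRE, build_gre(inner),
                       ident=0x19cd, ttl=255, df=True)
    return bytes.fromhex("000000000001" "000000000002" "0800") + outer   # constructed MACs
```

Calling `dissect_frame(sample_frame())` returns a dict with the `outer`, `gre`, `inner` and `icmp` layers; the same dissector can be pointed at the raw bytes of any frame read from ping.pcap. Note what the 4-byte header implies for monitoring: GRE provides neither confidentiality nor authentication, so the inner addresses and ICMP payload sit in the clear behind the outer 1.1.1.X header, which is exactly why the capture on the underlay interface shows 3.3.3.3 and 2.2.2.2 directly.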
