以下内容是本人在 Linode CentOS 6.5 上经过无数次失败摸索出来的，可以整理成脚本自动部署。
(markdown用的不太熟练)
首先要修复 Linode CentOS 6.5 的 iptables 启动脚本（一般是因为 Linode 的内核多出一张 `security` 表，而 CentOS 6.5 自带的 /etc/init.d/iptables 不认识它，导致 `service iptables restart` / `service iptables save` 报错）。在脚本的 `case "$i" in` 里补上下面 `security)` 这一段——两行 + 号之间的内容是后添加的，+ 号本身不要写进文件。
vi /etc/init.d/iptables
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
+++++++++++++++++++
security)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \
|| let ret+=1
;;
+++++++++++++++++++
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
安装EPEL源
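# Install the EPEL repository, then bring the system up to date.
# Security notes vs. the original:
#  * the release RPM was fetched over plain HTTP and handed straight to rpm. rpm only
#    verifies a signature against keys it already knows — with no key imported it just
#    prints NOKEY and installs anyway — so import the EPEL-6 key first, fetch over
#    HTTPS, and refuse to install if `rpm -K` does not accept the package;
#  * `yum update` with no -y blocks on a prompt, which defeats running this as a
#    deploy script.
rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6 || exit 1
epel_rpm=$(mktemp) || exit 1
curl -fsSL -o "$epel_rpm" \
  https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm \
  || { echo "epel-release: download failed" >&2; rm -f "$epel_rpm"; exit 1; }
# -K exits non-zero on a bad or unverifiable signature; abort rather than install.
rpm -K "$epel_rpm" \
  || { echo "epel-release: signature check failed" >&2; rm -f "$epel_rpm"; exit 1; }
rpm -ivh "$epel_rpm"
rm -f "$epel_rpm"
yum -y update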
修改sysctl
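# Kernel settings for the VPN gateway, written to /etc/sysctl.conf and applied.
# Fixed vs. the original:
#  * the curly quotes (‘ ’) left behind by pasting are real apostrophes now, so the
#    lines can actually be run;
#  * `sed '$a ...'` appended a fresh copy of each line on every run, and the
#    `s/... = 0/... = 1/` substitutions silently did nothing when the key was absent;
#    set_sysctl() replaces an existing assignment or appends once, so the script is
#    safe to re-run;
#  * tcp_syncookies is no longer switched off. IPsec/L2TP does not need that, and
#    syncookies are the host's only defence against SYN floods — re-add
#    `set_sysctl net.ipv4.tcp_syncookies 0` only if you have a concrete reason.
# rp_filter is relaxed because tunnelled traffic fails the strict reverse-path check;
# ICMP redirects are disabled in both directions because a gateway should neither
# emit nor honour them.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# set_sysctl KEY VALUE — write "KEY = VALUE" into $SYSCTL_CONF, replacing an existing
# (possibly commented-out) assignment of KEY or appending when there is none.
# Returns the status of the sed/append that did the write.
set_sysctl() {
  local key=$1 value=$2 re
  # Dots in the key are regex metacharacters; escape them for grep and sed.
  re=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -Eq "^[#[:space:]]*${re}[[:space:]]*=" "$SYSCTL_CONF" 2>/dev/null; then
    sed -i -e "s/^[#[:space:]]*${re}[[:space:]]*=.*/${key} = ${value}/" "$SYSCTL_CONF"
  else
    printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
  fi
}

set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.conf.default.rp_filter 0
# Section marker kept from the original; only added once.
grep -qxF '# Settings for OpenSwan IPSec implementation' "$SYSCTL_CONF" 2>/dev/null \
  || printf '%s\n' '# Settings for OpenSwan IPSec implementation' >> "$SYSCTL_CONF"
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.conf.default.send_redirects 0
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.default.accept_redirects 0
set_sysctl net.core.xfrm_larval_drop 1
sysctl -p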
iptables 添加规则。注意：规则并不是越多越好——追加在 `-A INPUT -j REJECT` 之后的规则永远不会命中，重复的规则只会让排错更难；下面的命令要按顺序执行，并保证放行规则排在 REJECT 之前。
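# Firewall for the VPN gateway. The original appended rules to whatever was already
# loaded and had these concrete problems:
#  * `-A POSTROUTING ... -j MASQUERADE` without `-t nat` fails (the filter table has
#    no POSTROUTING chain), and the SNAT lines had lost the $(...) around their
#    ifconfig pipeline, so iptables' own output was being piped into grep;
#  * rules appended after `-A INPUT -j REJECT` (UDP 4500 here — and every appended
#    rule, if the stock CentOS 6 ruleset with its trailing REJECT was still loaded)
#    can never match;
#  * `-t nat -A POSTROUTING -j MASQUERADE` with no source restriction, together with
#    ip_forward=1 and an ACCEPT policy on FORWARD, made the host relay and NAT any
#    packet anyone could route through it.
# This version flushes the chains and states the whole policy explicitly, which also
# makes it safe to re-run. NAT uses MASQUERADE only; the extra SNAT with a detected
# address added nothing on a single-address host.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
PPTP_NET="192.168.23.0/24"
L2TP_NET="192.168.233.0/24"

iptables -F
iptables -t nat -F

# Loopback, anti-spoofing for 127/8, return traffic, and ping.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Administrative access. The chains were flushed above, so SSH must be opened here or
# the next `service iptables restart` locks you out. Set SSH_PORT if you moved it.
iptables -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" -j ACCEPT

# PPTP: control channel on TCP 1723 plus GRE for the tunnel.
iptables -A INPUT -p tcp -m state --state NEW --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

# L2TP/IPsec: IKE (500) and NAT-T (4500) from anywhere; L2TP itself (1701) only when
# the packet arrived inside IPsec, so nobody can bring up an unencrypted L2TP session
# against xl2tpd. Drop the `-m policy` match only if you deliberately run plain L2TP.
iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT

# The original also opened UDP 1812-1814 (RADIUS). Nothing on this page installs a
# RADIUS server, so those ports stay closed; uncomment only if you really expose one.
# iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 1812,1813,1814 -j ACCEPT

# Clamp MSS on PPTP traffic so packets fit inside the tunnel (value kept from the
# original). TCPMSS does not terminate, but it must precede the ACCEPT rules below.
iptables -A FORWARD -p tcp --syn -s "$PPTP_NET" -j TCPMSS --set-mss 1356

# Forwarding and NAT only for the two VPN client ranges, out of the WAN interface;
# traffic back to a client is allowed only for connections the client opened.
for net in "$PPTP_NET" "$L2TP_NET"; do
  iptables -A FORWARD -s "$net" -o "$WAN_IF" -j ACCEPT
  iptables -A FORWARD -d "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
done

# Everything else inbound is refused with an ICMP error; the DROP policies below are
# the backstop. Policies are set last so an interrupted run cannot leave the chains
# empty with a DROP policy (which would cut the SSH session running this script).
iptables -A INPUT -j REJECT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

service iptables save
service iptables restart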
安装 PPTP（注意：PPTP 依赖的 MS-CHAPv2/MPPE 已被证明可以离线破解，只应作为无法使用 L2TP/IPsec 的旧客户端的兼容方案，不要把它当作安全隧道。）
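# PPTP server (poptop): wipe any previous pptpd/ppp install and set it up fresh.
# SECURITY: PPTP's authentication (MS-CHAPv2) and the MPPE keys derived from it are
# cryptographically broken — a captured handshake can be cracked offline — so treat
# this as legacy connectivity for clients that cannot do L2TP/IPsec, not as a secure
# tunnel. Prefer the L2TP/IPsec setup that follows wherever possible.
# Fixed vs. the original:
#  * the curly quotes (“ ”) left by pasting would have written literal quote
#    characters into the config files; they are plain single quotes now;
#  * config lines and the rc.local entry are appended only if absent, so re-running
#    the script does not stack duplicates;
#  * the poptop release RPM is downloaded over HTTPS instead of plain HTTP. rpm still
#    performs no signature check here (it only verifies against keys you have
#    imported), so this remains trust-in-TLS for sourceforge.
yum remove -y pptpd ppp
# NOTE: removing /etc/ppp also deletes /etc/ppp/chap-secrets, i.e. every existing
# PPP account.
rm -rf /etc/pptpd.conf
rm -rf /etc/ppp
rm -rf /dev/ppp
yum install -y ppp iptables
pptp_release=$(mktemp) || exit 1
curl -fsSL -o "$pptp_release" \
  https://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm \
  || { echo "pptp-release: download failed" >&2; rm -f "$pptp_release"; exit 1; }
rpm -Uvh "$pptp_release"
rm -f "$pptp_release"
yum install -y pptpd

# append_once LINE FILE — append LINE to FILE unless an identical line is already
# present, so the config edits below do not pile up on every run.
append_once() {
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# The original recreates the ppp device node by hand (presumably missing on the
# Linode kernel); do it now and on every boot, skipping it when the node exists.
[ -c /dev/ppp ] || mknod /dev/ppp c 108 0
append_once '[ -c /dev/ppp ] || mknod /dev/ppp c 108 0' /etc/rc.local
# Server address and client pool on the PPTP side (192.168.23.0/24, matching the
# firewall rules above).
append_once 'localip 192.168.23.1' /etc/pptpd.conf
append_once 'remoteip 192.168.23.2-254' /etc/pptpd.conf
# DNS servers pushed to clients.
append_once 'ms-dns 8.8.8.8' /etc/ppp/options.pptpd
append_once 'ms-dns 8.8.4.4' /etc/ppp/options.pptpd
# Accounts go into /etc/ppp/chap-secrets in plaintext; keep it root-owned, mode 0600.
/etc/init.d/pptpd restart
chkconfig pptpd on
chkconfig iptables on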
安装 L2TP/IPsec（IPsec 部分使用 racoon，对 iOS、WP8 客户端的兼容性比 openswan 好）。注意：下面的 ipsec-tools 包来自第三方个人仓库，并且通过明文 HTTP 下载、没有签名校验，安装前应当先通过其他渠道核对校验和。
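# L2TP/IPsec userland: xl2tpd (from EPEL) plus a third-party ipsec-tools build that
# adds PSK support to racoon.
yum install -y lsof libpcap libpcap-devel xl2tpd

# SUPPLY-CHAIN NOTE: the ipsec-tools package comes from a personal repository over
# plain HTTP and is installed without any signature check — whatever is served at
# that URL runs as root on this box. Download it to a temp file and, if you have
# obtained the package's SHA-256 out of band, export IPSEC_TOOLS_SHA256 so the
# install is refused on a mismatch. Without it the install proceeds, but loudly.
ipsec_tools_url="http://repo.nikoforge.org/redhat/el6/x86_64/ipsec-tools-0.8.0-3defpsk.el6.x86_64.rpm"
ipsec_tools_rpm=$(mktemp) || exit 1
curl -fsSL -o "$ipsec_tools_rpm" "$ipsec_tools_url" \
  || { echo "ipsec-tools: download failed" >&2; rm -f "$ipsec_tools_rpm"; exit 1; }
if [ -n "${IPSEC_TOOLS_SHA256:-}" ]; then
  printf '%s  %s\n' "$IPSEC_TOOLS_SHA256" "$ipsec_tools_rpm" | sha256sum -c - \
    || { echo "ipsec-tools: checksum mismatch" >&2; rm -f "$ipsec_tools_rpm"; exit 1; }
else
  echo "warning: IPSEC_TOOLS_SHA256 not set; installing unverified ipsec-tools" >&2
fi
rpm -ivh "$ipsec_tools_rpm"
rm -f "$ipsec_tools_rpm"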
# NOTE(review): the lines down to EOF are a here-document whose opener was mangled by
# the page extraction — the "<<EOF" redirection and the first lines of the script are
# missing, so this is not runnable as-is. From what survives (a write to
# /proc/sys/net/ipv4/ip_forward, MASQUERADE and FORWARD rules for 192.168.233.0/24)
# it looks like a small script, presumably invoked from racoon.conf, that enables
# forwarding and NAT for the L2TP client range; recover the exact text from the
# original before use.
# NOTE(review): `-I FORWARD -d 192.168.233.0/24 -j ACCEPT` lets any forwarded packet
# reach VPN clients, not just replies to connections they opened; consider adding
# `-m state --state ESTABLISHED,RELATED` to that rule.
cat > /etc/racoon/init.sh /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.233.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.233.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.233.0/24 -j ACCEPT
EOF
# Executable for the owner (root) and its group only; nobody else needs to read it.
chmod 750 /etc/racoon/init.sh
cat > /etc/racoon/racoon.conf /etc/racoon/psk.txt >/etc/xl2tpd/xl2tpd.conf/etc/ppp/options.xl2tpd /etc/ppp/chap-secrets