OS: CentOS 6.2
External IP: 192.168.101.168

Deployment steps:

1. Check whether the system kernel supports the MPPE patch

# modprobe ppp-compress-18 && echo ok
# If "ok" is printed, the system supports MPPE. If not, install kernel-devel first:
# yum install kernel-devel

2. Check whether TUN/TAP support is enabled

# cat /dev/net/tun
# If the following message is shown, the check passes:
cat: /dev/net/tun: File descriptor in bad state

3. Check whether ppp support is enabled

# cat /dev/ppp
# If the following message is shown, the check passes:
cat: /dev/ppp: No such device or address

# Note: all three checks above must pass at the same time; otherwise PPTP VPN cannot be installed.

4. Install the pptp dependency ppp

# yum install ppp

5. Install pptpd

# The EPEL repository can also be used directly.
# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/pptpd-1.4.0-3.el6.x86_64.rpm

6. Configure pptp

# vim /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 202.96.128.166
ms-dns 114.114.114.114
lock
nobsdcomp
novj
novjccomp
nologfd

# vim /etc/pptpd.conf
option /etc/ppp/options.pptpd
logwtmp
localip 10.0.0.1-100      # server-side IP addresses for VPN dial-in users
remoteip 10.0.0.101-200   # address pool dynamically assigned to VPN dial-in clients

# vim /etc/ppp/chap-secrets
# Fields: client username, server, password, IP address (* means an automatically assigned IP)
# client            server  secret  IP addresses
test1@redhat.com    pptpd   123456  *
test2@redhat.com    pptpd   123456  *

7. Enable routing mode on the server so it forwards packets

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# /sbin/sysctl -p

# Note: if you run into the following errors
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
# the fix is
# modprobe bridge
# lsmod | grep bridge

8. Start pptpd

# service pptpd start
# chkconfig pptpd on

9. Open firewall port 1723 and add the related firewall rules

# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 1723 -j ACCEPT
# iptables -A INPUT -p gre -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 1723 -j ACCEPT
# iptables -A OUTPUT -p gre -m state --state NEW,ESTABLISHED -j ACCEPT

# Forwarding rule and MTU control rule
# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.101.168
# iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356

# Allow ssh, icmp and loopback
# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

# Allow the server itself to reach the web
# iptables -I OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 80,443 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -I OUTPUT 5 -p udp --dport 53 -j ACCEPT

# Change the default policy of the INPUT and OUTPUT chains to DROP
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD ACCEPT

# Restart iptables
# service iptables save

10. Create the ppp device node automatically at boot (the file may be lost after a system reboot, which makes PPTP clients fail to dial in with error 619)

vim /etc/rc.d/rc.local
mknod /dev/ppp c 108 0
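The three files from step 6 and the SNAT rule from step 9 have to agree with each other: the server field in chap-secrets must equal the `name` in options.pptpd, every remoteip address must fall inside the SNAT source subnet, and the weak authentication methods must stay refused. The following checker is an added example, not code from this article or from the pptpd project; it assumes pptpd's last-octet range syntax (`10.0.0.101-200`) and works on constructed copies of the article's files passed in as strings.

```python
import ipaddress
import re

# Added example, not from the article: cross-checks the step 6 files against the
# step 9 SNAT rule. Assumes pptpd's last-octet range form a.b.c.X-Y.
REQUIRED = ("refuse-pap", "refuse-chap", "refuse-mschap",
            "require-mschap-v2", "require-mppe-128")
# Constructed samples built from the article's values (one static IP added).
OPTIONS_PPTPD = ("name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\n"
                 "require-mschap-v2\nrequire-mppe-128\nms-dns 114.114.114.114\nlock\n")
PPTPD_CONF = "option /etc/ppp/options.pptpd\nlocalip 10.0.0.1-100\nremoteip 10.0.0.101-200  # pool\n"
CHAP_SECRETS = ("# client         server  secret  IP addresses\n"
                "test1@redhat.com pptpd   123456  *\n"
                "test2@redhat.com pptpd   123456  10.0.0.150\n")

def parse_kv(text):
    """'key [value]' lines with '#' comments dropped; a repeated key keeps its last value."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return {ln.partition(" ")[0]: ln.partition(" ")[2].strip() for ln in lines if ln}

def expand_range(spec):
    """Expand comma-separated 'a.b.c.X-Y' and 'a.b.c.d' items into ip_address objects."""
    addrs = []
    for item in filter(None, spec.replace(" ", "").split(",")):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if m:  # last-octet range, e.g. 10.0.0.101-200 -> .101 .. .200
            addrs += [ipaddress.ip_address(m[1] + str(i)) for i in range(int(m[2]), int(m[3]) + 1)]
        else:
            addrs.append(ipaddress.ip_address(item))
    return addrs

def check_pptpd(options_pptpd, pptpd_conf, chap_secrets, snat_source):
    """Return a list of problems; an empty list means the three files and the SNAT rule agree."""
    opts, conf, nat = parse_kv(options_pptpd), parse_kv(pptpd_conf), ipaddress.ip_network(snat_source)
    local, pool = expand_range(conf.get("localip", "")), expand_range(conf.get("remoteip", ""))
    problems = [f"options.pptpd: missing {f}" for f in REQUIRED if f not in opts]
    problems += [f"remoteip {a} outside SNAT source {nat}" for a in pool if a not in nat]
    if set(local) & set(pool):
        problems.append("pptpd.conf: localip and remoteip ranges overlap")
    for line in chap_secrets.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) not in (0, 4):
            problems.append(f"chap-secrets: malformed entry '{line.strip()}'")
        elif fields:
            user, server, _secret, ip = fields
            if server != opts.get("name"):  # this mismatch makes every login fail
                problems.append(f"chap-secrets: {user} uses server '{server}', not '{opts.get('name')}'")
            if ip != "*" and ipaddress.ip_address(ip) not in pool:
                problems.append(f"chap-secrets: {user} static address {ip} is not in the remoteip pool")
    return problems
```

Run `check_pptpd(OPTIONS_PPTPD, PPTPD_CONF, CHAP_SECRETS, "10.0.0.0/24")` on the article's values and it returns an empty list; change the SNAT subnet or the server name and every affected entry is reported.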