Setting up a PPTP server on CentOS
Date: 2015-06-06 03:55 Source: linux.it.net.cn Author: IT
OS: CentOS 6.2
External (Internet-facing) IP: 192.168.101.168 (the example uses a private address; substitute the server's real public address)
Note before you start: MS-CHAPv2 with 128-bit MPPE is the strongest combination PPTP can negotiate, and both are considered broken: the MS-CHAPv2 exchange can be recovered offline, and MPPE is RC4 keyed from the user's password hash. The steps below still make sense for a legacy client that supports nothing else, but do not rely on this tunnel to protect sensitive traffic; use IPsec/IKEv2 or OpenVPN where you can.
Deployment steps:
1. Check that the kernel supports MPPE (the ppp_mppe module)
# modprobe ppp-compress-18 && echo ok
# "ok" means the module loaded (ppp-compress-18 is the module alias for ppp_mppe). The stock CentOS 6 kernel ships ppp_mppe; kernel-devel only supplies the headers for building the module out of tree, so it is needed only if you have to build it yourself:
# yum install kernel-devel
2. Check that TUN/TAP support is present
# cat /dev/net/tun
# The following error means the device node exists and the kernel answers on it, which is what we want:
cat: /dev/net/tun: File descriptor in bad state
3. Check that PPP support is present
# cat /dev/ppp
# The following error means the node exists and the kernel answers on it:
cat: /dev/ppp: No such device or address
# Note: all three checks must pass; otherwise PPTP cannot be made to work on this host.
4. Install ppp, which pptpd depends on
# yum install ppp
5. Install pptpd
# The package comes from EPEL. Enabling the repository (yum install epel-release, then yum install pptpd) is the cleaner route, because yum does not GPG-verify a package given by path or URL unless localpkg_gpgcheck=1 is set. Installing straight from the URL also works:
# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/pptpd-1.4.0-3.el6.x86_64.rpm
6. Configure pptpd
# vim /etc/ppp/options.pptpd
# "name" is the server name; the second column of chap-secrets must match it
name pptpd
# refuse the weaker authenticators and require MS-CHAPv2 with 128-bit MPPE (the best PPTP can do)
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# resolvers pushed to clients; replace with ones you trust
ms-dns 202.96.128.166
ms-dns 114.114.114.114
lock
nobsdcomp
novj
novjccomp
nologfd
# vim /etc/pptpd.conf
option /etc/ppp/options.pptpd
logwtmp
localip 10.0.0.1-100 # server-side address(es) of the ppp links
remoteip 10.0.0.101-200 # pool handed out to dial-in clients; must not overlap localip
# vim /etc/ppp/chap-secrets
# Columns: client user name, server name (must equal the "name" value in options.pptpd), password, IP ("*" = take one from the remoteip pool).
# The secrets are stored in clear text, so keep this file root-owned with mode 600; "123456" below is only a placeholder, use real passphrases.
# client           server  secret  IP addresses
test1@redhat.com   pptpd   123456  *
test2@redhat.com   pptpd   123456  *
7. Enable IP forwarding so the server routes client traffic
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# /sbin/sysctl -p
# Note: if sysctl -p reports the following
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
# those keys (present in the CentOS 6 default sysctl.conf) only exist while the bridge module is loaded. Load it, confirm, and run sysctl -p again:
# modprobe bridge
# lsmod | grep bridge
8. Start pptpd and enable it at boot
# service pptpd start
# chkconfig pptpd on
9. Open TCP 1723 and GRE in the firewall and add the remaining rules
# PPTP needs two flows: the TCP 1723 control connection and the GRE (IP protocol 47) tunnel that carries the PPP frames.
# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 1723 -j ACCEPT
# iptables -A INPUT -p gre -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 1723 -j ACCEPT
# iptables -A OUTPUT -p gre -m state --state NEW,ESTABLISHED -j ACCEPT
# Caveat: GRE has no handshake, so the ESTABLISHED match on inbound GRE only succeeds once connection tracking has seen the server's own outbound GRE; a client that sends first is dropped until then. Load the PPTP helper (modprobe nf_conntrack_pptp) so GRE is tracked together with the 1723 session, or accept inbound GRE from the client source ranges without a state match.
# NAT the client pool to the external address and clamp the MSS so TCP segments fit inside the PPP/GRE overhead
# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.101.168
# iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
# Allow SSH, ICMP echo and loopback
# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# Let the server itself reach the web and DNS (needed for yum, among other things)
# iptables -I OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 80,443 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -I OUTPUT 5 -p udp --dport 53 -j ACCEPT
# (Every rule in OUTPUT is an ACCEPT, so rule position is irrelevant here; -A would do the same job as -I OUTPUT 5.)
# Set the default policies: drop anything not explicitly allowed on INPUT and OUTPUT
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD ACCEPT
# Caveat: FORWARD ACCEPT lets a VPN client reach every network the server can route to, not just the Internet, while the SNAT rule only covers 10.0.0.0/24. Unless full transit is intended, restrict FORWARD to traffic arriving on the ppp interfaces (-i ppp+) plus its return traffic and drop the rest.
# Save the rules so they are restored on boot (this writes /etc/sysconfig/iptables; it does not restart the service)
# service iptables save
10. Recreate the ppp device node at boot (after a reboot the node can be missing, and Windows clients then fail with error 619)
# vim /etc/rc.d/rc.local
[ -c /dev/ppp ] || mknod /dev/ppp c 108 0   # 108,0 is the fixed major/minor of /dev/ppp; the guard skips mknod when udev already created it
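The files from step 6 decide what a client can negotiate, and they are easy to get subtly wrong: a missing refuse-* line silently allows a downgrade, a server column that does not match "name" locks that user out, a world-readable chap-secrets leaks every password in clear text, and overlapping localip/remoteip pools produce address clashes. The following shell script, added here as an example and not part of the original article or of pptpd, audits those files offline. It builds its own sample files in a temporary directory; the file names, user names, secrets and the hypothetical server name "vpn01" are made up, and the range parser only understands the single last-octet range form the article uses.

```shell
#!/bin/sh
# Added example, not from the original article: offline audit of the files
# configured in step 6. All paths, users and secrets below are constructed.
WORK=$(mktemp -d)
# Constructed options file with the article's authentication settings.
cat > "$WORK/options.strong" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
EOF
# Constructed weak variant: PAP, CHAP and MS-CHAPv1 not refused, no MPPE.
cat > "$WORK/options.weak" <<'EOF'
name pptpd
require-mschap-v2
EOF
# Constructed chap-secrets: one sound entry, one six-character secret, and a
# server column ("vpn01", hypothetical) that does not match the "name" directive.
cat > "$WORK/chap-secrets" <<'EOF'
# client            server  secret              IP addresses
alice@example.com   pptpd   Tr0ub4dor&3xyzQ     *
bob@example.com     pptpd   123456              *
carol@example.com   vpn01   LongEnoughSecret1   *
EOF
chmod 644 "$WORK/chap-secrets"   # deliberately too open for the demo
# Constructed pptpd.conf with the article's disjoint address pools.
printf 'localip 10.0.0.1-100\nremoteip 10.0.0.101-200\n' > "$WORK/pptpd.conf"

# audit_options FILE: print each required directive that is missing. Returns 0
# only when the weaker authenticators are refused and MS-CHAPv2 plus 128-bit
# MPPE are required, the strongest set PPTP offers.
audit_options() {
    missing=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$1"; then
            echo "MISSING: $opt in $1"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# server_name OPTIONS: the "name" value; chap-secrets rows whose server column
# differs from it can never authenticate.
server_name() {
    awk '$1 == "name" { print $2; exit }' "$1"
}

# audit_secrets SECRETS OPTIONS MINLEN: flag a file readable by others (the
# secrets are clear text), server-name mismatches and secrets shorter than
# MINLEN. Returns the number of findings, 0 meaning clean.
audit_secrets() {
    secrets=$1 opts=$2 minlen=$3 problems=0
    name=$(server_name "$opts")
    mode=$(stat -c %a "$secrets" 2>/dev/null || stat -f %Lp "$secrets")
    case "$mode" in
        600|400) ;;
        *) echo "MODE: $secrets is $mode, expected 600"; problems=$((problems + 1)) ;;
    esac
    while read -r client server secret rest; do
        case "$client" in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ "$server" != "$name" ]; then
            echo "SERVER: $client uses '$server', pptpd is named '$name'"
            problems=$((problems + 1))
        fi
        if [ "${#secret}" -lt "$minlen" ]; then
            echo "WEAK: $client secret is ${#secret} chars, minimum $minlen"
            problems=$((problems + 1))
        fi
    done < "$secrets"
    return "$problems"
}

# pools_overlap PPTPD_CONF: true (0) when localip and remoteip share an address.
# Parses one "a.b.c.X-Y" range or bare address per directive, the form the
# article uses; pptpd's comma-separated multi-range syntax is not handled.
pools_overlap() {
    awk '
    function parse(spec,   p, n, r) {
        n = split(spec, p, "[.]")
        pfx = p[1] "." p[2] "." p[3]
        if (split(p[n], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 } else { lo = p[n] + 0; hi = lo }
    }
    $1 == "localip"  { parse($2); lpfx = pfx; llo = lo; lhi = hi }
    $1 == "remoteip" { parse($2); rpfx = pfx; rlo = lo; rhi = hi }
    END { exit (lpfx == rpfx && llo <= rhi && rlo <= lhi) ? 0 : 1 }' "$1"
}

# Demo on the constructed files; a real run would point at /etc/ppp and /etc/pptpd.conf.
for f in "$WORK/options.strong" "$WORK/options.weak"; do
    if audit_options "$f"; then echo "OK: $f"; fi
done
if audit_secrets "$WORK/chap-secrets" "$WORK/options.strong" 12; then echo "OK: chap-secrets"; fi
if pools_overlap "$WORK/pptpd.conf"; then echo "BAD: pools overlap"; else echo "OK: pools disjoint"; fi
```

On the constructed input the weak options file reports four missing directives, and chap-secrets reports three findings (file mode, bob's six-character secret, carol's mismatched server name); fixing the mode with chmod 600 removes the first of them. Run the three functions against the real /etc/ppp/options.pptpd, /etc/ppp/chap-secrets and /etc/pptpd.conf before starting pptpd.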
(Editor: IT)