CentOS 7 + OpenVPN + quagga + dnsmasq configuration notes
Date: 2016-06-16 01:37 Source: linux.it.net.cn Author: IT
I recently bought a cheap VPS and am writing down the setup steps here. If the provider ever vanishes, I can just get another box somewhere else and run through the same steps again.
I went for an OpenVZ machine, because it's cheap. First enable TUN support in the provider's control panel, then you can log straight in.
Check the CentOS version and set the hostname
cat /etc/redhat-release
hostnamectl --static set-hostname D2O-VPS
CentOS 7 does not ship ifconfig, nslookup and similar tools by default, so install them
yum install -y bind-utils net-tools htop mlocate
updatedb
Change the SSH port
vi /etc/ssh/sshd_config
Port xx22
CentOS 7 uses firewalld as its firewall by default. I have no idea how to use it, so I stop it and keep using the iptables I already know
systemctl stop firewalld
systemctl mask firewalld
yum install -y iptables-services policycoreutils
systemctl enable iptables
Open the SSH port
vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
change it to
-A INPUT -p tcp -m state --state NEW -m tcp --dport xx22 -j ACCEPT
Open the commonly used service ports and allow all traffic between internal IPs
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 161 -j ACCEPT
iptables -I INPUT -s 198.18.0.0/16 -d 198.18.0.0/16 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 11990:12000 -j ACCEPT
Enable forwarding
iptables -I FORWARD -j ACCEPT
Enable IP masquerading, port redirection and the MSS fix
iptables -t nat -I POSTROUTING -o venet0 -j MASQUERADE
iptables -t mangle -I POSTROUTING -o venet0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -I PREROUTING -p udp -m udp --dport 5352 -j REDIRECT --to-ports 53
Don't forget ip6tables
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 8622 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 161 -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 11990:12000 -j ACCEPT
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
Save the iptables rules
service iptables save
service ip6tables save
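The rules above are entered one at a time with `iptables -I`, so each new rule lands at the top of the chain and `service iptables save` writes them out in reverse order of entry. As an added example (not from the original post), here is the same ruleset rendered directly in the iptables-restore format that `/etc/sysconfig/iptables` uses, with the SSH port, WAN interface and VPN subnet as parameters and the stock CentOS trailing REJECT rules kept. It deliberately tightens one thing the post leaves wide open: instead of `-I FORWARD -j ACCEPT`, forwarding is limited to traffic from the VPN subnet and established replies back into it. A second function counts `--dport` values that are still placeholders such as `xx22`, since a non-numeric port makes iptables-restore reject the whole file at boot. The defaults (venet0, 198.18.0.0/16) and the port list mirror the post; the `lo`/ESTABLISHED/icmp rules are the ones from the stock CentOS file.

```shell
#!/bin/sh
# Added example, not from the original post: render the post's firewall as an
# iptables-restore file (the format of /etc/sysconfig/iptables).
# Parameters: SSH port, WAN interface, VPN subnet. Defaults follow the post
# except for the SSH port, whose "xx22" placeholder must be replaced.
gen_iptables_rules() {
    ssh_port=${1:-22}
    wan_if=${2:-venet0}
    vpn_net=${3:-198.18.0.0/16}

    # nat table: masquerade VPN clients behind the WAN address and redirect
    # UDP/5352 to the local dnsmasq listening on 53
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p udp -m udp --dport 5352 -j REDIRECT --to-ports 53' \
        "-A POSTROUTING -o $wan_if -j MASQUERADE" \
        'COMMIT'

    # mangle table: clamp MSS so tunnelled TCP does not get fragmented
    printf '%s\n' \
        '*mangle' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -o $wan_if -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" \
        'COMMIT'

    # filter table: the service ports from the post, then FORWARD limited to
    # the VPN subnet instead of a blanket ACCEPT, then the stock REJECTs
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -s $vpn_net -d $vpn_net -j ACCEPT" \
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport $ssh_port -j ACCEPT" \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT' \
        '-A INPUT -p udp -m udp --dport 53 -j ACCEPT' \
        '-A INPUT -p udp -m udp --dport 161 -j ACCEPT' \
        '-A INPUT -p udp -m udp --dport 11990:12000 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        "-A FORWARD -s $vpn_net -j ACCEPT" \
        "-A FORWARD -d $vpn_net -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# Count rules whose --dport is still a placeholder such as "xx22"; anything
# above zero means iptables-restore would refuse the whole file at boot.
count_placeholder_ports() {
    gen_iptables_rules "$@" | grep -c -- '--dport [^0-9]' || true
}

# Stand-alone use: print the ruleset for the given parameters
case "$0" in */gen_iptables_rules.sh) gen_iptables_rules "$@" ;; esac
```

Write the output to `/etc/sysconfig/iptables`, then `systemctl restart iptables` and confirm the live chains with `iptables -S`. If the VPN also needs to reach hosts on the VPS's own network, the FORWARD rule is the place to widen deliberately rather than falling back to accept-all.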
Enable kernel forwarding and turn off rp_filter
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
Add the EPEL repository and install openvpn, quagga and net-snmp
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install -y openvpn quagga net-snmp
Install dnsmasq from yum first, then compile the modified dnsmasq and swap in the binary. The dnsmasq patched by the autovpn-for-openwrt project can run custom scripts; I won't go into what that is for here.
# Install dnsmasq via yum, plus the compiler and the various build dependencies
yum install -y gcc make automake patch dnsmasq
mkdir src
cd src
# Download the source and the patch, apply the patch, build, and replace the executable
wget https://github.com/conupefox/autovpn-for-openwrt/blob/master/packages/dnsmasq-14.07-2.71-src-autovpn.tar.gz
wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.71.tar.gz
tar xvf dnsmasq-14.07-2.71-src-autovpn.tar.gz
tar xvf dnsmasq-2.71.tar.gz
cd dnsmasq-2.71
cp ../dnsmasq/patches/autovpn.patch ./
patch -p1 < autovpn.patch
make
mv /usr/sbin/dnsmasq /usr/sbin/dnsmasq.bak
cp src/dnsmasq /usr/sbin/dnsmasq
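One thing worth checking in the build steps above: `wget` on a github.com .../blob/... address fetches the HTML page that displays the file, not the tarball itself, so `tar xvf` fails on what it saved; the raw download link (the same URL with `?raw=true`, which redirects to raw.githubusercontent.com) is what is needed. As an added example, not part of the original post, the following helper wraps each download in a gzip magic-byte check, dry-runs the patch before applying it so a rejected hunk leaves the tree untouched, and keeps the distro binary as a backup. Assumptions: the autovpn tarball unpacks to a `dnsmasq/` directory (the post's `../dnsmasq/patches/autovpn.patch` path implies this), and wget, patch and make are installed as in the post. Only `is_gzip` is pure; `build_dnsmasq` needs network access and root.

```shell
#!/bin/sh
# Added example, not from the original post: safer version of the dnsmasq
# rebuild. Assumes the file names from the post and that the autovpn tarball
# unpacks to ./dnsmasq/ (inferred from the patch path the post uses).

# Return 0 when FILE is non-empty and starts with the gzip magic bytes 1f 8b.
is_gzip() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Download URL to FILE and refuse to continue unless it is a gzip archive.
# This is the check that catches a saved HTML page from a blob URL.
fetch_tarball() {
    url=$1; file=$2
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    if ! is_gzip "$file"; then
        echo "$file is not a gzip archive (saved an HTML page instead?)" >&2
        return 1
    fi
}

# Apply PATCHFILE inside TREE, dry-running first so a failing hunk does not
# leave a half-patched source tree behind.
apply_autovpn_patch() {
    tree=$1; patchfile=$2
    ( cd "$tree" && patch -p1 --dry-run < "$patchfile" >/dev/null ) || return 1
    ( cd "$tree" && patch -p1 < "$patchfile" )
}

# Full procedure from the post, with the checks above; run as root in ~/src.
build_dnsmasq() {
    fetch_tarball 'https://github.com/conupefox/autovpn-for-openwrt/blob/master/packages/dnsmasq-14.07-2.71-src-autovpn.tar.gz?raw=true' \
        dnsmasq-14.07-2.71-src-autovpn.tar.gz || return 1
    fetch_tarball 'http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.71.tar.gz' \
        dnsmasq-2.71.tar.gz || return 1
    tar xf dnsmasq-14.07-2.71-src-autovpn.tar.gz
    tar xf dnsmasq-2.71.tar.gz
    apply_autovpn_patch dnsmasq-2.71 "$PWD/dnsmasq/patches/autovpn.patch" || return 1
    ( cd dnsmasq-2.71 && make ) || return 1
    # keep the packaged binary so the yum unit file still has something to
    # fall back to, then put the rebuilt one in its place
    cp /usr/sbin/dnsmasq /usr/sbin/dnsmasq.bak
    cp dnsmasq-2.71/src/dnsmasq /usr/sbin/dnsmasq
}

case "$0" in */build_dnsmasq.sh) build_dnsmasq ;; esac
```

A later `yum update` of the dnsmasq package will silently overwrite `/usr/sbin/dnsmasq` with the stock binary again, so either exclude the package in yum.conf or re-run the build after updates.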
Configure snmp
cd ~
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
vi /etc/snmp/snmpd.conf
com2sec notConfigUser default d2o
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
access notConfigGroup "" any noauth exact all none none
view all included .1 80
syslocation HongKong
syscontact D2O
dontLogTCPWrappersConnects yes
extend .1.3.6.1.4.1.2021.54 active_connects /bin/cat /proc/sys/net/netfilter/nf_conntrack_count
extend .1.3.6.1.4.1.2021.55 Route /bin/sh /etc/snmp/route_prefixes.sh
systemctl enable snmpd
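The last `extend` line runs `/etc/snmp/route_prefixes.sh`, which the post does not show. As an added example, not the author's script, here is a version built on the assumption that it lists the destination prefixes of the IPv4 routing table, one per line (snmpd exposes each line as an nsExtendOutLine entry under the given OID, which is how a monitoring host can watch the routes quagga has learned). The parsing is kept in a function that reads `ip -4 route show` output on stdin, so it can be exercised on constructed lines without touching the live routing table. Two defensive notes on the snmpd.conf above: `com2sec notConfigUser default d2o` accepts the community from any source address, and the earlier iptables rule opens UDP/161 to the whole Internet; since v1/v2c carry the community string in cleartext, narrow `default` to the monitoring host's address (or restrict the port 161 rule to it) so the routing table is not readable by anyone who learns the string. The `access` line itself is read-only (`all none none`), which is the right choice.

```shell
#!/bin/sh
# Added example, not the author's script: a candidate /etc/snmp/route_prefixes.sh
# for the "extend ... Route" line. Assumed behaviour: print every destination
# prefix of the IPv4 routing table, one per line, skipping the default route.

# Read `ip -4 route show` lines on stdin and print the prefix of each route.
# Host routes have no "/len" in ip's output, so they are printed as /32.
route_prefixes_from() {
    awk '
        $1 == "default" { next }                                   # no prefix to report
        $1 ~ /\// { print $1; next }                               # already CIDR, e.g. 198.18.0.0/16
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 "/32" } # bare host route
    '
}

# Live variant used by snmpd: feed the kernel table through the parser.
route_prefixes() {
    ip -4 route show | route_prefixes_from
}

# Number of prefixes on stdin; handy as a single-value gauge next to the
# active_connects extend in the same config.
count_prefixes_from() {
    route_prefixes_from | grep -c . || true
}

case "$0" in */route_prefixes.sh) route_prefixes ;; esac
```

Install it as `/etc/snmp/route_prefixes.sh`, then verify from the monitoring host with `snmpwalk -v2c -c <community> <vps> .1.3.6.1.4.1.2021.55`; an unexpectedly empty result usually means quagga has not installed any routes yet rather than a script error.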