xl2tp forwarding
程序员文章站
2022-03-08 21:27:16
#######################################
#######################################
I. Client only:
References:
https://blog.csdn.net/loomz/article/details/52955267
https://segmentfault.com/a/1190000014160574
https://www.jianshu.com/p/e772ffc22e77
https://www.iteye.com/blog/haoningabc-2480610
Principle:
1. Start the xl2tp process; the remote xl2tp server's IP, user and password are configured in it
sysctl -p /etc/sysctl.conf
2. Dial the connection
echo 'c testvpn' > /var/run/xl2tpd/l2tp-control
3. Check the configuration:
Forwarding: ip_forward, iptables MASQUERADE
Network: firewalld, NetworkManager, logs, the remote port; mind the client IP
nc -vuz 13.231.152.* 1701
Routing: the local routing table
ip route
route add 13.231.152.115 gw 172.27.0.1 eth0
route del default
route add default dev ppp0
4. Disconnect the VPN and restore the gateway
echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
route del default
route add default gw 172.27.0.1 eth0
Concrete changes:
Forwarding:
Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
ipsec verify checks rp_filter.
Apply the change:
sysctl -p /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
Whether this is needed is still undecided:
iptables -t nat -A POSTROUTING -s 172.27.0.0/20 -o ppp0 -j MASQUERADE
Start the client service:
xl2tpd -c /etc/xl2tpd/xl2tpd.conf
The LAC section in /etc/xl2tpd/xl2tpd.conf:
[lac testvpn]
name = root
lns = 13.231.152.115
pppoptfile = /etc/ppp/peers/testvpn.l2tpd
ppp debug = yes
/etc/ppp/peers/testvpn.l2tpd:
remotename testvpn
user "root"
password "你的密码"
unit 0
nodeflate
nobsdcomp
noauth
persist
nopcomp
noaccomp
maxfail 5
debug
Start dialing:
echo 'c testvpn' > /var/run/xl2tpd/l2tp-control
To look at the log for problems:
tail -f /var/log/messages
Check with ifconfig whether a ppp0 interface has appeared.
add:
Goal: switch the gateway from eth0 to the ppp gateway.
Be sure to run who first and add a route for the SSH client's IP so it stays reachable;
otherwise the connection drops the moment the default route is deleted.
# the client's IP:
route add {client IP} gw 172.27.0.1 eth0
# the xl2tp server IP configured in xl2tpd.conf
route add 13.231.152.115 gw 172.27.0.1 eth0
route del default
route add default dev ppp0
# temporary workaround, client IP
#route add -host 172.217.3.164 dev ppp0
delete:
Goal: restore the original gateway.
route del default
route add default gw 172.27.0.1 eth0
Remove the client IP route:
route del {client IP} gw 103.37.140.25 eth0
Disconnect the VPN:
echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
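The add/delete route switch above, as an added example that is not from the original post: it emits the route commands in the order that keeps the SSH session alive (host routes for the SSH client and the L2TP server pinned via eth0 before the default route is replaced) and checks that order. The client address is read from $SSH_CONNECTION, which is what the who step is for; 203.0.113.7 is a constructed sample client, the gateway and server addresses are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: emit the route changes for moving
# the default route onto ppp0 in an order that never cuts off the SSH session,
# and check that order. Nothing is executed; review the output, then pipe it
# to sh as root. Gateway/server values are the ones used in the post.
set -eu

# The post's "who" step: find the SSH client's address. $SSH_CONNECTION holds
# "client_ip client_port server_ip server_port"; an argument can override it.
ssh_client_ip() {
    set -- ${1:-${SSH_CONNECTION:-}}
    [ $# -ge 1 ] || { echo "not inside an ssh session" >&2; return 1; }
    echo "$1"
}

# "add": pin host routes for the SSH client and the L2TP server via eth0
# BEFORE the default route is deleted, then point default at ppp0.
route_plan_add() {  # $1=ssh client ip  $2=l2tp server ip  $3=eth0 gateway
    cat <<EOF
ip route add $1/32 via $3 dev eth0
ip route add $2/32 via $3 dev eth0
ip route del default
ip route add default dev ppp0
EOF
}

# "delete": restore the eth0 default route first, then drop the pinned routes.
route_plan_del() {  # $1=ssh client ip  $2=l2tp server ip  $3=eth0 gateway
    cat <<EOF
ip route del default
ip route add default via $3 dev eth0
ip route del $2/32 via $3 dev eth0
ip route del $1/32 via $3 dev eth0
EOF
}

# Returns 0 when the plan never deletes the default route before the SSH
# client's host route exists, 1 otherwise.
plan_is_safe() {  # $1=plan text  $2=ssh client ip
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^ip route add / && index($0, ip "/32") { pinned = 1 }
        /^ip route del default/ && !pinned       { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Demo with a constructed SSH_CONNECTION value (203.0.113.7 is a sample client).
client=$(ssh_client_ip "203.0.113.7 51234 172.27.0.4 22")
route_plan_add "$client" 13.231.152.115 172.27.0.1
```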
############## Server and client configured together: acting as a forwarder ####################
Server-side reference: https://www.iteye.com/blog/haoningabc-2480610
Principle:
1. To act as a forwarder the server must run two processes, ipsec and xl2tp
2. xl2tp needs both a server and a client configuration
3. Dial
4. Set up the firewall, network, IP forwarding, iptables MASQUERADE and the nameserver
5. Set up the routes
6. Restore
Note:
The ip range and local ip in xl2tpd.conf must match /etc/ipsec.conf.
######iptables -t nat -A POSTROUTING -s 172.17.0.4/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.17.0.0/20 -o ppp0 -j MASQUERADE
add:
route add {ssh client IP} gw 172.17.0.1 eth0
route add 13.231.152.115 gw 172.17.0.1 eth0
# IP of the phone used to access it; can be looked up on Baidu
route add 223.104.3.196 gw 172.17.0.1 eth0
route del default
route add default dev ppp0
ping www.google.com
######################## Check script ###############
1. First time:
systemctl status NetworkManager
systemctl status firewalld
systemctl start NetworkManager
systemctl start firewalld
systemctl enable NetworkManager
systemctl enable firewalld
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
2. Check
Back up /etc/resolv.conf first
cat /etc/resolv.conf
options timeout:1 rotate
; generated by /usr/sbin/dhclient-script
nameserver 8.8.8.8
3. Check the running processes:
systemctl status ipsec
systemctl status xl2tpd
systemctl start ipsec
systemctl start xl2tpd
systemctl enable ipsec
systemctl enable xl2tpd
ipsec verify
Ideally everything reports OK.
4. Check route and ifconfig:
ip route
default via 172.17.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.17.0.0/20 dev eth0 proto kernel scope link src 172.17.0.4
Add routes:
route add 118.25.212.122 gw 172.17.0.1 eth0
route add {本机ip} gw 172.17.0.1 eth0
route add 13.231.152.115 gw 172.17.0.1 eth0
route add {客户端ip} gw 172.17.0.1 eth0
echo 'c testvpn' > /var/run/xl2tpd/l2tp-control
route del default
route add default dev ppp0
route del default
route add default dev eth0
or
route add default gw 172.17.0.1 eth0
#iptables -t nat -A POSTROUTING -s 172.17.0.0/20 -o ppp0 -j MASQUERADE
todo: replace route with iptables?
# ping Google's IP
ping -I ppp0 172.217.26.4
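An added check, not part of the original post, that turns the forwarding and firewall checklist above (ip_forward, rp_filter for ipsec verify, MASQUERADE on ppp0 rather than eth0, the 1701/udp and 4500/udp ports) into one function run over captured command output; the sample outputs below are constructed and mirror the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: one function that audits the
# forwarding checklist from captured command output instead of eyeballing
# four commands. On a real host feed it the output of `sysctl -a`,
# `iptables -t nat -S POSTROUTING` and `firewall-cmd --list-ports`.
set -u

# Prints each missing item on its own line; returns 0 only when nothing is missing.
audit_forwarding() {  # $1=sysctl output  $2=nat POSTROUTING rules  $3=firewalld ports
    missing=""
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$' \
        || missing="$missing ip_forward"
    # ipsec verify complains unless reverse-path filtering is off (the post sets it to 0)
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.conf\.default\.rp_filter *= *0$' \
        || missing="$missing rp_filter"
    # NAT must be on the tunnel side (-o ppp0); the eth0 rule the post commented out is not it
    printf '%s\n' "$2" | grep -q -- '^-A POSTROUTING .*-o ppp0 .*-j MASQUERADE' \
        || missing="$missing masquerade_ppp0"
    # L2TP and NAT-T ports; 500/udp arrives via --add-service=ipsec, so not checked here
    for p in 1701/udp 4500/udp; do
        printf '%s\n' "$3" | tr ' ' '\n' | grep -qx "$p" || missing="$missing port_$p"
    done
    for m in $missing; do echo "$m"; done
    [ -z "$missing" ]
}

# Constructed sample outputs (values mirror the post's client setup).
SYSCTL_OK="net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0"
SYSCTL_BAD="net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1"
NAT_OK="-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.27.0.0/20 -o ppp0 -j MASQUERADE"
NAT_BAD="-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.4/24 -o eth0 -j MASQUERADE"
PORTS_OK="1701/udp 4500/udp"

audit_forwarding "$SYSCTL_OK" "$NAT_OK" "$PORTS_OK" && echo "forwarding config OK"
```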
Everything below is rubbish and does not work.
############ Some basics: #########
Dual-NIC approach: https://blog.csdn.net/pamdora/article/details/81117268
When iptables executes rules it goes through the rule table from top to bottom; if no rule matches it moves on to the next one, and when a rule matches it executes that rule, and the rule's action (accept, reject, log, etc.) then decides what happens next.
Reference: https://blog.csdn.net/github_38885296/article/details/78978946
###iptables -A INPUT -i eth0 -j ACCEPT
# does not work
iptables -t nat -I POSTROUTING 1 -j SNAT -s 172.17.0.0/20 --to 172.100.1.1
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Deleting a rule:
First find the line number:
iptables -t nat -L --line-number
Then delete that line:
iptables -t nat -D POSTROUTING 1
Reference: https://www.cnblogs.com/bethal/p/5806525.html
The four tables and five chains of iptables:
https://www.cnblogs.com/clouders/p/6544584.html
iptables examples:
http://www.lysator.liu.se/~torkel/computer/linux/netfilter_masquerading.html
ping www.google.com
ping 172.217.24.132
ping -I ppp0 172.217.27.68
iptables -t nat -L PREROUTING --line-number
iptables -t nat -L POSTROUTING --line-number
iptables -t nat -A PREROUTING -d 118.25.177.60 -j DNAT --to-destination 172.17.0.4
iptables -t nat -A POSTROUTING -d 172.17.0.4 -j SNAT --to 172.100.1.1
iptables -t nat -I POSTROUTING 1 -j SNAT -s 172.16.0.0/24 --to 172.16.0.1
route add 172.16.0.128 gw 172.100.1.1 ppp0