
xl2tp forwarding    Blog category: xl2tp  firewall  ssh  xl2tp

程序员文章站 2024-03-05 21:38:37
...
route add -host 172.217.3.164 dev ppp0


#######################################
#######################################

1. Client only:
References:
https://blog.csdn.net/loomz/article/details/52955267
https://segmentfault.com/a/1190000014160574
https://www.jianshu.com/p/e772ffc22e77
https://www.iteye.com/blog/haoningabc-2480610

How it works:
1. Start the xl2tpd process; its config names the remote L2TP server's IP, the user and the password
sysctl -p /etc/sysctl.conf
2. Dial the connection
	echo 'c testvpn' > /var/run/xl2tpd/l2tp-control

3. Check the configuration:
Forwarding: ip_forward, iptables MASQUERADE
Network: firewalld, NetworkManager, logs, the remote port, and note the client IP
nc -vuz   13.231.152.* 1701
(UDP has no handshake: nc -z reports "succeeded" for UDP/1701 unless an ICMP port-unreachable comes back, so success only shows the port is not actively closed, not that xl2tpd is listening)
Routing: local routing table
	ip route
	route add 13.231.152.115 gw 172.27.0.1 eth0
	route del default
	route add default dev ppp0


4. Disconnect the VPN and restore the gateway
	echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
	route del default
	route add default gw 172.27.0.1 eth0


Specific changes:
Forwarding:
Edit /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0


ipsec verify checks rp_filter

Apply the change
sysctl -p /etc/sysctl.conf

sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
Whether the rule below is needed is still undecided (for a box that only uses the tunnel itself, neither ip_forward nor MASQUERADE is required; both only matter once other hosts send traffic through this machine and out over ppp0):
iptables -t nat -A POSTROUTING -s 172.27.0.0/20  -o ppp0  -j MASQUERADE

Start the client service

xl2tpd -c /etc/xl2tpd/xl2tpd.conf

/etc/xl2tpd/xl2tpd.conf:
[lac testvpn]
name = root
lns = 13.231.152.115
pppoptfile = /etc/ppp/peers/testvpn.l2tpd
ppp debug = yes


/etc/ppp/peers/testvpn.l2tpd (noauth only waives authenticating the server to us; our user/password are still sent when the server asks for them. The file holds the password in clear text, so keep it root-only, chmod 600):
remotename testvpn
user "root"
password "your password"
unit 0
nodeflate
nobsdcomp
noauth
persist
nopcomp
noaccomp
maxfail 5
debug


Start dialing
echo 'c testvpn' > /var/run/xl2tpd/l2tp-control

Watch the log for problems:
tail  -f /var/log/messages

ifconfig: check that a ppp0 interface has appeared


add:
Goal: move the default gateway from eth0 to the ppp link.

Run `who` first and add a host route for the SSH client's IP via the original gateway;
otherwise deleting the default route cuts off your own session.
#the SSH client's IP:
route add {client IP} gw 172.27.0.1 eth0
#the L2TP server IP from xl2tpd.conf (the tunnel's own packets must keep using the real uplink, not the tunnel they carry)
route add 13.231.152.115 gw 172.27.0.1 eth0


route del default
route add default dev ppp0

#temporary workaround: send one host over ppp0 without touching the default route
#route add -host 172.217.3.164 dev ppp0


delete:

Goal: restore the original gateway

route del default
route add default gw 172.27.0.1 eth0

Remove the client-IP route (the gateway must be the same one used when it was added)
route del {client IP} gw 172.27.0.1 eth0


Disconnect the VPN
echo 'd testvpn' > /var/run/xl2tpd/l2tp-control
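The route juggling above (and the same steps repeated in the forwarding section and in the check script further down) is easy to get wrong in a way that locks you out of the box. The script below is an added example, not the post's own commands: it reads the default gateway from `ip route`, takes the SSH client address from the session itself rather than from `who`, and prints the switch and restore commands so they can be reviewed before being piped to sh. The sample route table and the L2TP server address 13.231.152.115 are the post's; the SSH client address comes from the live environment, and the use of `ip route replace` and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: switch the default route onto
# ppp0 without losing the SSH session that runs the commands, then undo it.
# Assumed: iproute2 (`ip route`) is available; 13.231.152.115 is the post's
# L2TP server (lns); the sample route table below is the post's; any SSH
# client address is read from the live session, not from the post.

# Read `ip route` output on stdin and print "gateway device" of the
# "default via ..." route. Prints nothing if there is no such route (e.g. the
# default already points at ppp0), which the caller must treat as "do not switch".
parse_default_route() {
    awk '$1 == "default" && $2 == "via" {
        gw = $3
        for (i = 4; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        print gw, dev
        exit
    }'
}

# The address this SSH session comes from: $SSH_CONNECTION is
# "client_ip client_port server_ip server_port". Falls back to the post's
# `who` check; prints nothing when not under sshd or when who shows a hostname.
ssh_client_ip() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        who am i 2>/dev/null | sed -n 's/.*(\([0-9.][0-9.]*\)).*/\1/p'
    fi
}

# Print the commands that pin each host in $3.. to the original gateway and
# then move the default route. `ip route replace` is used instead of the
# post's `route del default` + `route add default`: it swaps the route in one
# call, so there is no moment without any default route. Empty hosts (unknown
# SSH client) are skipped. Pipe the output to `sh` as root to apply it.
plan_switch_to_ppp0() {
    gw=$1; dev=$2; shift 2
    for h in "$@"; do
        if [ -n "$h" ]; then
            printf 'ip route replace %s via %s dev %s\n' "$h" "$gw" "$dev"
        fi
    done
    printf 'ip route replace default dev ppp0\n'
}

# Reverse of plan_switch_to_ppp0: default back to the gateway first (so the
# SSH session survives), then drop the pinned host routes with the same gateway
# they were added with.
plan_restore() {
    gw=$1; dev=$2; shift 2
    printf 'ip route replace default via %s dev %s\n' "$gw" "$dev"
    for h in "$@"; do
        if [ -n "$h" ]; then
            printf 'ip route del %s via %s dev %s\n' "$h" "$gw" "$dev"
        fi
    done
}

# Demo on the route table shown in the post (constructed input; nothing is
# applied, the plan is only printed).
DEMO_ROUTES='default via 172.17.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.17.0.0/20 dev eth0 proto kernel scope link src 172.17.0.4'
L2TP_SERVER=13.231.152.115

set -- $(printf '%s\n' "$DEMO_ROUTES" | parse_default_route)
if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
    echo "no 'default via ... dev ...' route found; not switching" >&2
else
    echo "# switch"
    plan_switch_to_ppp0 "$1" "$2" "$(ssh_client_ip)" "$L2TP_SERVER"
    echo "# restore"
    plan_restore "$1" "$2" "$(ssh_client_ip)" "$L2TP_SERVER"
fi
```

The plan is printed rather than executed on purpose: read it, confirm the SSH client line is present, then `... | sh`. If `ssh_client_ip` prints nothing (console login, or `who` showing a hostname), pass the client address by hand; switching without that pinned route is what breaks the session.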







############## server and client configured together: used as a forwarding hop ####################

Server-side reference: https://www.iteye.com/blog/haoningabc-2480610

How it works:
1. As a forwarder the server runs two daemons, ipsec and xl2tpd
2. xl2tpd needs both a server (lns) section and a client (lac) section
3. Dial
4. Firewall, network, IP forwarding, iptables MASQUERADE and nameserver settings
5. Routing
6. Restore



Note:
the ip range and local ip in xl2tpd.conf must match what /etc/ipsec.conf expects

######iptables -t nat -A POSTROUTING -s 172.17.0.4/24  -o eth0  -j MASQUERADE
(commented out: 172.17.0.4/24 is a host address with a /24 mask, and the LAN is 172.17.0.0/20 according to the `ip route` output further down)

iptables -t nat -A POSTROUTING -s 172.17.0.0/20  -o ppp0  -j MASQUERADE
(the -s must cover the addresses the dial-in clients actually get, i.e. the ip range in xl2tpd.conf; packets from a source outside it leave ppp0 un-NATed)


add:
route add {ssh client IP} gw 172.17.0.1 eth0
route add 13.231.152.115 gw 172.17.0.1 eth0
#the public IP of the phone that dials in (look it up on Baidu); every peer of this server needs such a host route, otherwise the server's replies to it would go out over ppp0 and the session breaks
route add 223.104.3.196 gw 172.17.0.1 eth0

route del default
route add default dev ppp0



ping www.google.com
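Two things in this section silently go wrong on re-runs: the sysctl file still has rp_filter at its default (or `sysctl -p` was never run), and the plain `-A ... MASQUERADE` line is appended again on every reconnect, stacking duplicate rules. The script below is an added example, not taken from the post or the linked references: it checks a sysctl.conf-style file for the required values and adds the NAT rule only when `iptables -C` reports it absent. The subnet, interface and sysctl keys are the post's; the helper names, the APPLY switch and the IPTABLES override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight for the forwarding
# node, covering the post's two settings that must hold before routing through
# ppp0. Assumed: iptables with -C (check) support; the subnet and interface
# names are the post's; IPTABLES may be pointed at a stub for a dry run.

IPTABLES=${IPTABLES:-iptables}

# Verify that each key=value given after the file name is set to that value in
# a sysctl.conf-style file (last occurrence wins, '#' comment lines ignored).
# Prints one line per problem and returns 1 if anything is off.
check_sysctl_file() {
    file=$1; shift
    status=0
    for kv in "$@"; do
        key=${kv%%=*}; want=${kv#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=${have:-unset}"
            status=1
        fi
    done
    return $status
}

# Add a nat-table rule only if it is not already there. Re-running the post's
# plain `-A ... MASQUERADE` line on every reconnect stacks duplicate rules.
ensure_nat_rule() {
    if "$IPTABLES" -t nat -C "$@" 2>/dev/null; then
        echo "present: $*"
    else
        "$IPTABLES" -t nat -A "$@"
        echo "added:   $*"
    fi
}

# Demo 1: a constructed sysctl.conf in which rp_filter is only a comment.
tmp=$(mktemp)
printf 'net.ipv4.ip_forward = 1\n# net.ipv4.conf.default.rp_filter = 0\n' > "$tmp"
if check_sysctl_file "$tmp" net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=0; then
    echo "sysctl file ok"
else
    echo "fix the file, then run: sysctl -p $tmp"
fi
rm -f "$tmp"

# Demo 2: the post's MASQUERADE rule for traffic leaving via ppp0. Only applied
# with APPLY=1, since it changes the live nat table (needs root), and only
# after the kernel settings check out.
if [ "${APPLY:-0}" = 1 ]; then
    check_sysctl_file /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=0 || exit 1
    ensure_nat_rule POSTROUTING -s 172.17.0.0/20 -o ppp0 -j MASQUERADE
fi
```

`iptables -C` takes exactly the same rule specification as `-A`, so the same argument list serves both; `-C` exits non-zero when the rule is absent, which is the only case in which `-A` runs.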

######################## check script ###############

1. First time
systemctl status NetworkManager
systemctl status firewalld


systemctl start NetworkManager
systemctl start firewalld
systemctl enable NetworkManager
systemctl enable firewalld

firewall-cmd --permanent --add-service=ipsec 
firewall-cmd --permanent --add-port=1701/udp 
firewall-cmd --permanent --add-port=4500/udp 
firewall-cmd --permanent --add-masquerade 
firewall-cmd --reload


2. Check
Back up /etc/resolv.conf first
cat /etc/resolv.conf
options timeout:1 rotate
; generated by /usr/sbin/dhclient-script
nameserver 8.8.8.8



3. Check the daemons:
systemctl status ipsec
systemctl status xl2tpd

systemctl start ipsec
systemctl start xl2tpd
systemctl enable ipsec
systemctl enable xl2tpd

ipsec verify
ideally every line reports OK

4. Check routes and ifconfig
ip route
default via 172.17.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.17.0.0/20 dev eth0 proto kernel scope link src 172.17.0.4


Add routes
route add 118.25.212.122 gw 172.17.0.1 eth0
route add {this host's IP} gw 172.17.0.1 eth0
route add 13.231.152.115 gw 172.17.0.1 eth0

route add {client IP} gw 172.17.0.1 eth0

echo 'c testvpn' > /var/run/xl2tpd/l2tp-control


route del default
route add default dev ppp0


Restore:
route del default
route add default gw 172.17.0.1 eth0
(`route add default dev eth0` without a gateway is not enough: it makes the kernel ARP on eth0 for every destination, so off-link traffic only works if a router there does proxy ARP)



#iptables -t nat -A POSTROUTING -s 172.17.0.0/20  -o ppp0  -j MASQUERADE

todo: replace the route juggling with iptables?


#ping Google's IP
ping -I ppp0 172.217.26.4



Everything below is rambling; it doesn't work



############  Some basics: #########

Dual-NIC approach: https://blog.csdn.net/pamdora/article/details/81117268


iptables walks a chain's rules top to bottom: a rule that does not match is skipped and the next one is tried; at the first match the rule's target runs, and what happens next depends on that target: ACCEPT, DROP and REJECT end the walk, while LOG only records the packet and evaluation continues with the next rule.
Reference https://blog.csdn.net/github_38885296/article/details/78978946

###iptables -A INPUT -i eth0 -j ACCEPT

#doesn't work
iptables -t nat -I POSTROUTING 1 -j SNAT -s 172.17.0.0/20 --to 172.100.1.1


iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


Deleting a rule:
First find its line number
iptables -t nat -L --line-numbers
then delete that line
iptables -t nat -D POSTROUTING 1
Reference https://www.cnblogs.com/bethal/p/5806525.html
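Deleting by line number works, but the numbers shift after every deletion: removing rules 1 and 3 in that order deletes the wrong second rule, because the old rule 3 has become rule 2. The script below is an added example, not the post's own: it parses a `-v -n --line-numbers` listing, selects rules by regex and deletes them highest-first. The listing is constructed from the rules that appear in this post; the IPTABLES override and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: delete iptables rules by
# number safely. Numbers shift after every deletion, so when several rules
# match they are removed highest-first. Assumed: the listing format of
# `iptables -L <chain> -v -n --line-numbers`; the sample listing below is
# constructed from the post's rules; IPTABLES may be a stub for dry runs.

IPTABLES=${IPTABLES:-iptables}

# Read a --line-numbers listing on stdin; print the numbers (highest first) of
# rules whose line matches the extended regex in $1. Header lines have a
# non-numeric first field and are skipped.
matching_rule_numbers() {
    awk -v re="$1" '$1 ~ /^[0-9]+$/ && $0 ~ re { print $1 }' | sort -rn
}

# Delete every rule in table $1 / chain $2 matching regex $3, highest first.
delete_matching_rules() {
    table=$1; chain=$2; re=$3
    "$IPTABLES" -t "$table" -L "$chain" -v -n --line-numbers |
        matching_rule_numbers "$re" |
        while read -r n; do
            "$IPTABLES" -t "$table" -D "$chain" "$n"
            echo "deleted $table/$chain rule $n"
        done
}

# Constructed listing: the post's MASQUERADE and SNAT rules as they would show
# with `-v` (the `out` column is what distinguishes the ppp0 rules).
DEMO_LISTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      ppp0    172.17.0.0/20        0.0.0.0/0
2        0     0 SNAT       all  --  *      *       172.17.0.0/20        0.0.0.0/0            to:172.100.1.1
3        0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'

echo "rules to delete, in order:"
printf '%s\n' "$DEMO_LISTING" | matching_rule_numbers 'MASQUERADE.*ppp0'

# Against the live table only with APPLY=1 (needs root; this changes NAT).
if [ "${APPLY:-0}" = 1 ]; then
    delete_matching_rules nat POSTROUTING 'MASQUERADE.*ppp0'
fi
```

When the exact rule specification is known there is no need for numbers at all: `iptables -t nat -D POSTROUTING -o ppp0 -j MASQUERADE` deletes that one rule directly. The numbered path is for rules you only know from the listing.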

iptables' four tables and five chains
https://www.cnblogs.com/clouders/p/6544584.html

iptables examples:
http://www.lysator.liu.se/~torkel/computer/linux/netfilter_masquerading.html


ping www.google.com
ping 172.217.24.132

ping -I ppp0 172.217.27.68

iptables -t nat -L PREROUTING --line-numbers
iptables -t nat -L POSTROUTING --line-numbers


iptables -t nat -A PREROUTING -d 118.25.177.60 -j DNAT --to-destination 172.17.0.4 
iptables -t nat -A POSTROUTING -d 172.17.0.4  -j SNAT --to 172.100.1.1




iptables -t nat -I POSTROUTING 1 -j SNAT -s 172.16.0.0/24 --to 172.16.0.1 


route add 172.16.0.128 gw 172.100.1.1 ppp0