Tuesday, 14 April 2009

Simple VPN relay with PPTPD


Simple VPN relay service    Author: linuxpf    Last modified: 2008.12.24
There are plenty of explanations of the theory online, so I will not repeat them here. When you run into problems, try to analyse the underlying principles, mainly PPP encapsulation and GRE routing; see the links at the bottom for background. The setup in this post provides VPN relaying and can basically be used as a VPN proxy for internet access, for example to speed up access to foreign sites for domestic users. Accessing resources inside the VPN network is of course also covered.

Note: parts of this post have been revised: the PPP session MTU is now set to 1359, which avoids some web pages failing to display and MSN failing to log in. Testing shows the relay basically works for the following: HTTP HTTPS SSL DNS SMTP POP3 FTP MSN QQ



[Figure: network topology diagram]
1. Download to /home/download
Site:
http://poptop.sourceforge.net/yum/stable/rhel4/i386/

#cd /home/download
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/ppp-2.4.3-7.rhel4.i386.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/pptpd-1.3.4-1.rhel4.i386.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/dkms-2.0.17.5-1.noarch.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm

2. Install pptpd
#yum install kernel kernel-devel
I used a CentOS minimal install here, so the kernel sources are not present and the module rebuild fails; hence the kernel and its sources are installed/updated first. Adapt this to your own situation.
#vi /etc/grub.conf
-----------------------------------------------------
default=0
------------------------------------------------------

Set the boot kernel order (default=0 selects the newly installed kernel)
#uname -a
Linux squid.x.com 2.6.9-78.0.1.EL #1 Tue Aug 5 10:49:42 EDT 2008 i686 i686 i386 GNU/Linux
#cd /home/download
#rpm -Uvh ppp-2.4.3-7.rhel4.i386.rpm
#rpm -ivh pptpd-1.3.4-1.rhel4.i386.rpm
#rpm -ivh dkms-2.0.17.5-1.noarch.rpm
#rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm

3. Load the kernel module
Check that the kernel module works:
#modprobe ppp-compress-18 && echo ok
ok

If instead you see:
#modprobe ppp-compress-18 && echo ok
FATAL: Module ppp_mppe not found.
Install them with command "rpm -ivh".

This message means the module failed to load or the kernel sources are not installed; if you followed the steps above, this error should not occur.

4. VPN server settings
Customise the network settings. Note that if the server has several internal NICs, routes must be configured inside the VPN, otherwise in some cases the internal network cannot be reached.

Internal NIC: 172.16.12.1
External NIC: x.x.x.x
#cd /etc/sysconfig/network-scripts
#cp ifcfg-eth0 ifcfg-eth0:1
#vi ifcfg-eth0:1
---------------------------------------------------
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=172.16.12.255
HWADDR=00:0C:2F:58:F4:4E
IPADDR=172.16.12.1
NETMASK=255.255.255.0
NETWORK=172.16.12.0
ONBOOT=yes
TYPE=Ethernet
---------------------------------------------------

5. Configure pptpd

#vi /etc/pptpd.conf
--------------------------------------------------------------
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
localip 172.16.12.1
remoteip 172.16.12.100-250,172.16.12.252
netmask 255.255.255.0
--------------------------------------------------------------

#vi /etc/ppp/options.pptpd
-----------------------------------
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 202.177.2.166
proxyarp
logfile /var/log/pptpd.log
-----------------------------------
Note: normally only ms-dns needs to be changed


#vi /etc/ppp/chap-secrets
---------------------------------------------------------------
# Secrets for authentication using CHAP
# client server secret IP addresses
"username" pptpd "yourpassword" "*"
"admin" pptpd "password" "172.16.12.85"
---------------------------------------------------------------
One user per line, in the format above, with each field quoted with "". The secrets are stored in plaintext, so it is best to make this file unreadable by anyone but its owner.
If each user is assigned a fixed IP, you can apply further per-user controls on their traffic, which makes management easier.
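As an added example that is not part of the original post, a small shell audit for the chap-secrets file described above: it checks the file mode the way the note recommends (no group/other permission bits), counts well-formed entries, and lists the users pinned to a fixed IP, which are the ones per-user forwarding rules can be written against. The sample file content is constructed from the format shown in this post.

```shell
#!/bin/bash
# Added example, not from the original post: audit a pptpd chap-secrets file.
# The file stores plaintext secrets, so it must not be readable by group/other,
# and entries should follow: "client" server "secret" "ip-or-*".

# check_secrets_mode FILE -> 0 if neither group nor other has any permission bit
check_secrets_mode() {
    local perms
    perms=$(ls -ld "$1" | cut -c5-10) || return 2   # chars 5-10 of ls -l are the group/other bits
    [ "$perms" = "------" ]
}

# count_secrets FILE -> number of non-comment lines with exactly four fields
count_secrets() {
    awk '!/^[[:space:]]*#/ && NF == 4 { n++ } END { print n + 0 }' "$1"
}

# list_fixed_ip_users FILE -> "user ip" for entries whose 4th field is not "*"
list_fixed_ip_users() {
    awk '!/^[[:space:]]*#/ && NF == 4 && $4 != "\"*\"" {
            gsub(/"/, "", $1); gsub(/"/, "", $4); print $1, $4
         }' "$1"
}

# Stand-alone demo on a constructed copy of the sample from this post
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Secrets for authentication using CHAP
# client server secret IP addresses
"username" pptpd "yourpassword" "*"
"admin" pptpd "password" "172.16.12.85"
EOF
chmod 644 "$SAMPLE"   # a typical default mode after creating the file with vi
check_secrets_mode "$SAMPLE" || echo "WARNING: $SAMPLE is readable by others; run: chmod 600 $SAMPLE"
chmod 600 "$SAMPLE"
check_secrets_mode "$SAMPLE" && echo "mode ok"
echo "entries: $(count_secrets "$SAMPLE")"   # entries: 2
list_fixed_ip_users "$SAMPLE"                # admin 172.16.12.85
rm -f "$SAMPLE"
```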
6. Create a script file

Create a script that enables iptables forwarding to provide relayed internet access (without it the relay does not work), and make it start automatically at boot.
#vi vpn_forward
-----------------------------------------------------
#!/bin/bash
#2008.11.19
echo "Starting................."
#configured to forward packets,using echo or sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Allow input and output on port 1723 for protocol tcp"
echo "Allow input and output on protocol gre 47, required for vpn"
echo "Enable time sync"
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
echo "Insert the rule to forward all data!"
iptables -I FORWARD -p udp --dport 8000 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 1024:8000 -j ACCEPT
iptables -I FORWARD -p tcp --dport 20:22 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp --dport 69 -j ACCEPT
iptables -I FORWARD -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -s 172.16.12.0/24 --dport 1723 -j ACCEPT
echo "Set the session MTU with 1356"
iptables -I FORWARD -p tcp --syn -s 172.16.12.0/24 -j TCPMSS --set-mss 1356
echo "Enable NAT"
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.12.0/24 -j SNAT --to-source 202.177.24.X
echo "Now, firewall access rules enabled successfully"
-----------------------------------------------------

#chmod +x vpn_forward
#cp vpn_forward /etc/rc.d/init.d/vpn_forward
#ln -s /etc/rc.d/init.d/vpn_forward /etc/rc.d/rc3.d/S94vpn_forward
Notes:
(1) Enable NTP time synchronisation
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
(2) Allow VPN connections
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
(3) Enable kernel IP forwarding
#configured to forward packets,using echo or sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
(4) Open the FORWARD chain. Note: to keep forwarding efficient, only new TCP sessions are checked; packets belonging to already established connections pass straight through.
iptables -I FORWARD -p tcp --dport 20:8000 -s 172.16.12.0/24 -j ACCEPT    # the services you choose to open
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT    # packets of established TCP connections pass straight through
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT    # only new TCP sessions are checked
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT    # open HTTP forwarding
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT    # open DNS
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -s 172.16.12.0/24 --dport 1723 -j ACCEPT    # forward VPN packets
iptables -I FORWARD -p tcp --syn -s 172.16.12.0/24 -j TCPMSS --set-mss 1356    # negotiate the TCP session MTU as 1359, preventing problems from individual IP packets that cannot be fragmented
(5) Enable NAT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.12.0/24 -j SNAT --to-source 202.177.14.X
If the VPN server has a dynamic IP, replace this statement with: iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
7. Enable routine operational management
#chkconfig pptpd on
#crontab -e
*/5 * * * * /usr/sbin/ntpdate 203.129.68.14 ; /sbin/hwclock -w
0,30 8 * * 1-5 /etc/rc.d/init.d/pptpd start
0,30 18 * * 1-5 /etc/rc.d/init.d/pptpd restart-kill ; /etc/rc.d/init.d/pptpd stop

8. Make sure the following modules are loaded. This depends mainly on the kernel version; without them NAT will not work well, and some versions may have problems.
# modprobe -l >/home/modprode
# less modprode |grep ip_tables
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_tables.ko
# less modprode |grep ip_conntrack_ftp
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
# less modprode |grep ip_conntrack
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_tftp.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_proto_sctp.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_amanda.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko

9. Full iptables tables. The script above was written for CentOS 4.6; adapt it for other systems.
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 172.16.12.0/24 anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS set 1356
ACCEPT tcp -- 172.16.12.0/24 anywhere tcp dpt:1723
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 172.16.12.0/24 anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:tftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- 172.16.12.0/24 anywhere tcp dpts:ftp-data:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:8000
ACCEPT udp -- 172.16.12.0/24 anywhere udp dpt:8000
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:1723
ACCEPT gre -- anywhere anywhere

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3128 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:3128 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:22 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:32100 state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@vm home]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.12.0/24 anywhere to:202.177.24.x

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
10. Testing:
Create a new VPN connection on the client; whether an encrypted connection is required depends on the server configuration. The defaults work.

After dialling in successfully, on the client: the default remote gateway is the server itself; also remember to set the DNS server.

[Screenshot: client VPN connection settings]

Server-side session:

[Screenshot: server-side pptpd session]

pptpd packet encapsulation format:

[Screenshot: pptpd packet encapsulation]

Related:
Diagnosing pptpd forwarding
http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml
pptpd kernel patch installation problems
http://members.optushome.com.au/~wskwok/poptop_ads_howto_a1.htm
http://bbs.chinaunix.net/viewthread.php?tid=847612
Analysis of the MTU problem
http://bbs.chinaunix.net/thread-694733-1-1.html
Analysis of GRE encapsulation
http://www.linuxpf.com.cn/bbs/vi ... =page%3D1&frombbs=1
Point-to-Point Tunneling Protocol (PPTP)
http://www.linuxpf.com.cn/bbs/vi ... =page%3D1&frombbs=1
PPTP traffic analysis
http://www.microsoft.com/china/t ... ableguy/cg0103.mspx

