Duangw

home-gate

OS version: Slackware 12.2

1 Hardware

Configure three NICs, mapped to /dev/vmnet1, /dev/vmnet3 and /dev/vmnet2 respectively.

2 Install the base system

Install only the packages in the a/ directory, and install all of them.

Configure lilo and install it in the MBR.

3 Install basic network packages

Install from the CD:

# mount /dev/cdrom /mnt
# cd /mnt/slackware/n
# installpkg iputils-s20070202-i486-2.tgz
# installpkg net-tools-1.60-i486-2.tgz
# installpkg network-scripts-12.2-noarch-4.tgz

4 Configure the network

Run netconfig to configure the network:

# netconfig

netconfig can only configure the first NIC; the other two are set by hand by editing /etc/rc.d/rc.inet1.conf:

...
# Config information for eth1:
IPADDR[1]="172.16.0.10"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IPADDR[2]="10.10.20.1"
NETMASK[2]="255.255.255.0"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""
...

5 Configure the package source

slackpkg is used here for all subsequent package management.

First install slackpkg and the software it depends on:

# mount /dev/cdrom /mnt
# cd /mnt/slackware/ap
# installpkg slackpkg-2.70.5-noarch-1.tgz
# installpkg diffutils-2.8.1-i486-3.tgz
# cd ../n
# installpkg gnupg-1.4.9-i486-1.tgz
# installpkg gnupg2-2.0.9-i486-1.tgz
# installpkg wget-1.11.4-i486-1.tgz

Edit /etc/slackpkg/mirrors and add the local mirror:

ftp://10.10.10.199/pub/slackware/slackware-12.2/

Initialize:

# slackpkg update
# slackpkg update gpg

Patch the current system:

# slackpkg upgrade-all

6 Switch to the generic kernel

Build the initrd:

# cd /boot
# mkinitrd -c -k 2.6.27.7-smp -m ext3:scsi_transport_spi:mptbase:mptscsih:mptspi

Edit /etc/lilo.conf and add a boot entry:

image = /boot/vmlinuz-generic-smp-2.6.27.7-smp
  initrd = /boot/initrd.gz
  root = /dev/sda1
  label = Generic
  read-only

Run lilo so that the change takes effect:

# /sbin/lilo

Reboot the system.

7 Install library files

# slackpkg install zlib

8 Install other required network software

# slackpkg install iptables
# slackpkg install tcpdump
# slackpkg install openssl
# slackpkg install openssh
# slackpkg install mailx
# slackpkg install bind
# slackpkg install netkit-ftp
# slackpkg install lftp

9 Firewall configuration

For the details of each iptables script see: Iptables scripts

The gateway script is used here; obtain rc.iptables-gate-novpn.ref, rc.ip6tables.ref and rc.S.ref from the local server. Run:

# cp rc.iptables-gate-novpn.ref /etc/rc.d/rc.iptables
# cp rc.ip6tables.ref /etc/rc.d/rc.ip6tables
# cd /etc/rc.d
# chmod +x rc.iptables
# chmod +x rc.ip6tables

Edit /etc/rc.d/rc.S and paste the contents of the /newpkg/rc.S.ref template at the end of rc.S.

Edit the /etc/rc.d/rc.iptables script and uncomment the relevant lines so that:

DNAT redirects only http(s) and ftp:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport http -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport https -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport ftp -j DNAT --to 10.10.20.20
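An added check that is not part of this page's rc.iptables: a POSIX sh function that confirms every DNAT target in a rules file sits on a subnet configured in rc.inet1.conf (the eth1/eth2 entries from section 4). The file names, the demo rules file and the extra 8080 rule are constructed for the demo; eth0 is left out because its address is not given on this page.

```sh
#!/bin/sh
# Added example (not from the page's rc.iptables): verify that every DNAT target
# in a set of PREROUTING rules lies on a subnet configured in rc.inet1.conf.
# A DNAT to an address on no local subnet is routed via the default gateway
# instead of delivered to the LAN host, so the redirection silently fails.
# Inputs are constructed from the values on this page; eth0 is omitted.
ip2int() {                      # dotted quad -> 32-bit integer
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
same_subnet() {                 # same_subnet IP NET MASK -> 0 if IP is in NET/MASK
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# dnat_check RULES INET1_CONF: report DNAT targets on no local subnet, return 1 if any
dnat_check() {
    bad=0
    for to in $(sed -n 's/.*-j DNAT --to[-a-z]* \([0-9.]*\).*/\1/p' "$1" | sort -u); do
        ok=0
        for n in $(sed -n 's/^IPADDR\[\([0-9]*\)\]=.*/\1/p' "$2"); do   # IPADDR[n]/NETMASK[n]
            ip=$(sed -n "s/^IPADDR\[$n\]=\"\([0-9.]*\)\".*/\1/p" "$2")
            mask=$(sed -n "s/^NETMASK\[$n\]=\"\([0-9.]*\)\".*/\1/p" "$2")
            [ -n "$ip" ] && [ -n "$mask" ] && same_subnet "$to" "$ip" "$mask" && { ok=1; break; }
        done
        [ $ok -eq 1 ] || { echo "DNAT target $to is on no configured local subnet"; bad=1; }
    done
    return $bad
}

dnat_demo_setup() {             # constructed rc.inet1.conf (eth1/eth2) and rules file
    cat > "$1/rc.inet1.conf" <<'EOF'
IPADDR[1]="172.16.0.10"
NETMASK[1]="255.255.255.0"
IPADDR[2]="10.10.20.1"
NETMASK[2]="255.255.255.0"
EOF
    cat > "$1/rules" <<'EOF'
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport http -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport https -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport ftp -j DNAT --to 10.10.20.20
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); dnat_demo_setup "$d"
    dnat_check "$d/rules" "$d/rc.inet1.conf" && echo "all DNAT targets are on a local subnet"
    echo 'iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 10.10.40.5' >> "$d/rules"
    dnat_check "$d/rules" "$d/rc.inet1.conf" || echo "misrouted DNAT found"
    rm -rf "$d"
fi
```

Run with `sh dnat_check.sh demo` to see both the passing and the failing case.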

10 Set kernel parameters

For the details of the script see: Sysctl script

Obtain rc.sysctl.ref and rc.M.ref from the local server. Run:

# cp rc.sysctl.ref /etc/rc.d/rc.sysctl
# cd /etc/rc.d
# chmod +x rc.sysctl

Edit /etc/rc.d/rc.M and paste the contents of the rc.M.ref template in front of rc.inet2.

Enable IP forwarding:

# chmod +x /etc/rc.d/rc.ip_forward

11 Configure the domain name service

Here the gateway acts only as a forwarding server and does not resolve names itself.

Edit /etc/named.conf and add the following:

options {
...
        forward only;
        forwarders {
                172.18.0.30;
        };
};
...

Start the bind service:

# cd /etc/rc.d/
# chmod +x rc.bind

Edit /etc/rc.d/rc.iptables to allow DNS queries from internal users:

# enable dns queries on eth0
iptables -A in-IN -p udp --dport domain -m state --state NEW -j ACCEPT

12 Configure the openvpn server

openvpn provides the VPN connection between the home network and the away network, with home-gate as the server and away-gate as the client. An example of a single-client connection is in other-work.

Install the packages:

# slackpkg install lzo
# slackpkg install openvpn

Complete the tests described in the INSTALL file shipped with openvpn. See openvpn.net for the detailed configuration; only the steps are listed here.

Generate the CA (all data is fictitious; enter sk26-home-gate for the Common Name):

# cd /usr/doc/openvpn-2.0.9/easy-rsa
# . ./vars
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
........................................++++++
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-gate
Email Address [me@myhost.mydomain]:admin@copyleft.net

Generate the server key (all data is fictitious; enter sk26-home-server for the Common Name):

# ./build-key-server sk26-home-server
Generating a 1024 bit RSA private key
...++++++
....................................++++++
writing new private key to 'sk26-home-server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-server
Email Address [me@myhost.mydomain]:amdin@copyleft.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Yunnan'
localityName          :PRINTABLE:'Kunming'
organizationName      :PRINTABLE:'Yunnan University'
organizationalUnitName:PRINTABLE:'Information School'
commonName            :PRINTABLE:'sk26-home-server'
emailAddress          :IA5STRING:'amdin@copyleft.net'
Certificate is to be certified until May 30 11:49:00 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client keys; several can be generated (all data is fictitious):

# ./build-key sk26-home-client1    (enter sk26-home-client1 for the Common Name)
Generating a 1024 bit RSA private key
...................................++++++
...++++++
writing new private key to 'sk26-home-client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-client1
Email Address [me@myhost.mydomain]:admin@copyleft.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Yunnan'
localityName          :PRINTABLE:'Kunming'
organizationName      :PRINTABLE:'Yunnan University'
organizationalUnitName:PRINTABLE:'Information School'
commonName            :PRINTABLE:'sk26-home-client1'
emailAddress          :IA5STRING:'admin@copyleft.net'
Certificate is to be certified until May 30 11:51:00 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ./build-key sk26-home-client2    (enter sk26-home-client2 for the Common Name)
...
# ./build-key sk26-home-client3    (enter sk26-home-client3 for the Common Name)
...

Generate the Diffie-Hellman parameters:

# ./build-dh

Copy the generated keys to where they are needed; here they go under /etc/openvpn/server:

# mkdir /etc/openvpn/server
# cd keys
# cp * /etc/openvpn/server/

Write the server-side configuration file, starting from a copy of the template:

# cd /usr/doc/openvpn-2.0.9/sample-config-files
# cp server.conf /etc/openvpn/server

Modify the configuration:

# key file names:
cert sk26-home-server.crt
key sk26-home-server.key  # This file should be kept secret

# use 10.10.30.0/24 as the address space of the vpn interface:
server 10.10.30.0 255.255.255.0

# allow clients to reach the home-work subnet:
push "route 10.10.10.0 255.255.255.0"

# allow the away-work subnet behind the client to reach the vpn:
client-config-dir ccd
route 10.20.10.0 255.255.255.0

# allow clients to talk to each other and to reach away-work directly:
client-to-client
push "route 10.20.10.0 255.255.255.0"

Create the ccd directory and its configuration file:

# cd /etc/openvpn/server
# mkdir ccd
# cd ccd
# echo "iroute 10.20.10.0 255.255.255.0" > sk26-home-client1
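An added consistency check, not part of the original page or of OpenVPN itself: a POSIX sh function that verifies every route in server.conf has a matching iroute in the client-config-dir and vice versa, run against a constructed copy of the server.conf lines and the ccd entry above. A route without an iroute is the mistake this section's two-step setup is most prone to.

```sh
#!/bin/sh
# Added example (not from the page or from OpenVPN): cross-check the "route"
# lines in server.conf against the "iroute" lines under client-config-dir.
# "route" makes the kernel send a subnet into the tun device; only a matching
# "iroute" tells OpenVPN which client owns it, so a missing iroute silently
# blackholes that subnet. Paths and file contents below are constructed.

# ccd_check SERVER_CONF: 0 if routes and iroutes agree, 1 on mismatch, 2 if no ccd dir
ccd_check() {
    conf=$1
    ccd=$(awk '$1 == "client-config-dir" { print $2 }' "$conf")
    case $ccd in
        "") echo "no client-config-dir in $conf"; return 2 ;;
        /*) ;;
        *)  ccd=$(dirname "$conf")/$ccd ;;
    esac
    [ -d "$ccd" ] || { echo "client-config-dir $ccd does not exist"; return 2; }
    bad=0
    for pair in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do   # route NET MASK
        net=${pair%/*}; mask=${pair#*/}
        grep -qs "^iroute $net $mask\$" "$ccd"/* ||
            { echo "route $net $mask has no iroute in $ccd"; bad=1; }
    done
    for f in "$ccd"/*; do                                                 # iroute NET MASK
        [ -f "$f" ] || continue
        for pair in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$f"); do
            net=${pair%/*}; mask=${pair#*/}
            grep -q "^route $net $mask\$" "$conf" ||
                { echo "$f: iroute $net $mask has no route in $conf"; bad=1; }
        done
    done
    return $bad
}

ccd_demo_setup() {   # server.conf and ccd entry as on this page (constructed copy)
    mkdir -p "$1/ccd"
    printf '%s\n' 'server 10.10.30.0 255.255.255.0' \
        'push "route 10.10.10.0 255.255.255.0"' 'client-config-dir ccd' \
        'route 10.20.10.0 255.255.255.0' 'client-to-client' \
        'push "route 10.20.10.0 255.255.255.0"' > "$1/server.conf"
    echo "iroute 10.20.10.0 255.255.255.0" > "$1/ccd/sk26-home-client1"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); ccd_demo_setup "$d"
    ccd_check "$d/server.conf" && echo "routes and iroutes agree"
    echo "route 10.20.20.0 255.255.255.0" >> "$d/server.conf"   # no ccd entry for it
    ccd_check "$d/server.conf" || echo "mismatch detected"
    rm -rf "$d"
fi
```

Pointing `ccd_check` at the real /etc/openvpn/server/server.conf after each change to server.conf or the ccd directory catches the mismatch before the tunnel is started.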

For openvpn, the new iptables script rc.iptables-gate-openvpn.ref is used here:

# cp rc.iptables-gate-openvpn.ref /etc/rc.d/rc.iptables-gate-openvpn
# cd /etc/rc.d
# chmod +x rc.iptables-gate-openvpn
# mv rc.iptables rc.iptables-gate-novpn
# ln -s rc.iptables-gate-openvpn rc.iptables

Edit /etc/rc.d/rc.iptables, enable the rules configured earlier, and add:

Start it for testing:

# cd /etc/openvpn/server
# openvpn server.conf

For the corresponding client configuration, see the away-gate and other-work configurations.