home-gate
OS version: Slackware 12.2
1 Hardware
Configure three network cards, mapped to /dev/vmnet1, /dev/vmnet3 and /dev/vmnet2 respectively.
2 Install the base system
Install only the packages in the a/ directory, all of them.
Configure lilo and install it in the MBR.
3 Install the basic network packages
Install from the CD:
# mount /dev/cdrom /mnt
# cd /mnt/slackware/n
# installpkg iputils-s20070202-i486-2.tgz
# installpkg net-tools-1.60-i486-2.tgz
# installpkg network-scripts-12.2-noarch-4.tgz
4 Configure the network
Run netconfig to configure the network:
# netconfig
netconfig can only configure the first network card; set the other two by hand in /etc/rc.d/rc.inet1.conf:
...
# Config information for eth1:
IPADDR[1]="172.16.0.10"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IPADDR[2]="10.10.20.1"
NETMASK[2]="255.255.255.0"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""
...
5 Configure the package source
slackpkg is used here for all subsequent package management.
First install slackpkg and the software it depends on:
# mount /dev/cdrom /mnt
# cd /mnt/slackware/ap
# installpkg slackpkg-2.70.5-noarch-1.tgz
# installpkg diffutils-2.8.1-i486-3.tgz
# cd ../n
# installpkg gnupg-1.4.9-i486-1.tgz
# installpkg gnupg2-2.0.9-i486-1.tgz
# installpkg wget-1.11.4-i486-1.tgz
Edit /etc/slackpkg/mirrors and add the local mirror:
ftp://10.10.10.199/pub/slackware/slackware-12.2/
Initialize:
# slackpkg update
# slackpkg update gpg
Apply all available patches to the current system:
# slackpkg upgrade-all
6 Switch to the generic kernel
Build the initrd:
# cd /boot
# mkinitrd -c -k 2.6.27.7-smp -m ext3:scsi_transport_spi:mptbase:mptscsih:mptspi
Edit /etc/lilo.conf and add a boot entry:
image = /boot/vmlinuz-generic-smp-2.6.27.7-smp
  initrd = /boot/initrd.gz
  root = /dev/sda1
  label = Generic
  read-only
Run lilo to make it take effect:
# /sbin/lilo
Reboot the system.
7 Install library files
# slackpkg install zlib
8 Install the other network software needed
# slackpkg install iptables
# slackpkg install tcpdump
# slackpkg install openssl
# slackpkg install openssh
# slackpkg install mailx
# slackpkg install bind
# slackpkg install netkit-ftp
# slackpkg install lftp
9 Firewall configuration
For the full content of each iptables script see: Iptables scripts.
The gateway script is used here; fetch rc.iptables-gate-novpn.ref, rc.ip6tables.ref and rc.S.ref from the local server. Run:
# cp rc.iptables-gate-novpn.ref /etc/rc.d/rc.iptables
# cp rc.ip6tables.ref /etc/rc.d/rc.ip6tables
# cd /etc/rc.d
# chmod +x rc.iptables
# chmod +x rc.ip6tables
Edit /etc/rc.d/rc.S and paste the contents of the /newpkg/rc.S.ref template at the end of rc.S.
Edit the /etc/rc.d/rc.iptables script, uncommenting the relevant rules, so that:
- the intranet can reach these services on the outside: ping, http(s) and ftp;
- the intranet can reach the dmz;
- the outside can reach these services in the dmz: http(s) and ftp;
- SNAT is enabled;
- DNAT is enabled, redirecting to home-server (10.10.20.20).
DNAT redirects only http(s) and ftp:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport http -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport https -j DNAT --to 10.10.20.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport ftp -j DNAT --to 10.10.20.20
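As an added example (not the page's rc.iptables-gate-novpn.ref script), the following shell function implements the five-point policy above as a default-deny FORWARD chain plus the SNAT and DNAT rules. Interface roles follow the page (eth0 intranet, eth1 outside, eth2 dmz); the intranet subnet 10.10.10.0/24 and the use of the eth1 address as the SNAT source are assumptions.

```shell
#!/bin/sh
# Added example, not the page's rc.iptables: minimal rule set for the section 9
# policy. Interface roles are inferred from the page; the intranet subnet
# 10.10.10.0/24 and SNAT to the eth1 address are assumptions.
IPT="${IPT:-/usr/sbin/iptables}"   # set IPT=echo to print the rules instead of applying them
LAN_IF=eth0  LAN_NET=10.10.10.0/24
WAN_IF=eth1  WAN_IP=172.16.0.10
DMZ_IF=eth2  DMZ_NET=10.10.20.0/24
HOME_SERVER=10.10.20.20            # dmz host published to the outside
PUB_PORTS="http https ftp"         # services reachable from the outside

gate_rules() {
  # Default-deny forwarding: only the traffic listed below passes the gateway.
  "$IPT" -P FORWARD DROP
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # intranet -> outside: ping, http(s), ftp (control channel only; see note below)
  "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
  for p in $PUB_PORTS; do
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  # intranet -> dmz: unrestricted
  "$IPT" -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
  # outside -> dmz: only the published services, and only to the DNAT target
  for p in $PUB_PORTS; do
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$HOME_SERVER" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  # SNAT: intranet and dmz leave through the outside address
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j SNAT --to-source "$WAN_IP"
  # DNAT: http(s)/ftp arriving on eth1 go to home-server (the page's three rules)
  for p in $PUB_PORTS; do
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" -j DNAT --to "$HOME_SERVER"
  done
}

# Number of rules the policy produces, for comparison with "iptables -L -n" later.
count_rules() { ( IPT=echo; gate_rules ) | wc -l | tr -d ' '; }
```

FTP data connections through SNAT/DNAT additionally need the ftp connection-tracking helper modules (nf_conntrack_ftp and nf_nat_ftp on a 2.6.27 kernel); without them only the control connection on port 21 works.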
10 Set kernel parameters
For the full content of the script see: Sysctl scripts.
Fetch rc.sysctl.ref and rc.M.ref from the local server. Run:
# cp rc.sysctl.ref /etc/rc.d/rc.sysctl
# cd /etc/rc.d
# chmod +x rc.sysctl
Edit /etc/rc.d/rc.M and paste the contents of the rc.M.ref template before rc.inet2.
Enable IP forwarding:
# chmod +x /etc/rc.d/rc.ip_forward
11 Configure the name service
The gateway acts only as a forwarding server here; it does not resolve names itself.
Edit /etc/named.conf and add the following:
options {
    ...
    forward only;
    forwarders { 172.18.0.30; };
};
...
Start the bind service:
# cd /etc/rc.d/
# chmod +x rc.bind
Edit /etc/rc.d/rc.iptables to allow intranet users to make DNS queries:
# enable dns query in eth0
iptables -A in-IN -p udp --dport domain -m state --state NEW -j ACCEPT
12 Configure the openvpn server
openvpn provides the vpn connection between the home network and the away network; home-gate acts as the server and away-gate as the client. An example of a single-client connection is in other-work.
Install the packages:
# slackpkg install lzo
# slackpkg install openvpn
Complete the test following the INSTALL file shipped with openvpn. See openvpn.net for detailed configuration; only the steps are listed here.
Generate the CA (all data is fictitious; for Common Name enter: sk26-home-gate):
# cd /usr/doc/openvpn-2.0.9/easy-rsa
# . ./vars
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
........................................++++++
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-gate
Email Address [me@myhost.mydomain]:admin@copyleft.net
Generate the server key (all data is fictitious; for Common Name enter: sk26-home-server):
# ./build-key-server sk26-home-server
Generating a 1024 bit RSA private key
...++++++
....................................++++++
writing new private key to 'sk26-home-server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-server
Email Address [me@myhost.mydomain]:amdin@copyleft.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Yunnan'
localityName          :PRINTABLE:'Kunming'
organizationName      :PRINTABLE:'Yunnan University'
organizationalUnitName:PRINTABLE:'Information School'
commonName            :PRINTABLE:'sk26-home-server'
emailAddress          :IA5STRING:'amdin@copyleft.net'
Certificate is to be certified until May 30 11:49:00 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client keys; several can be generated (all data is fictitious):
# ./build-key sk26-home-client1    (for Common Name enter: sk26-home-client1)
Generating a 1024 bit RSA private key
...................................++++++
...++++++
writing new private key to 'sk26-home-client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN
State or Province Name (full name) [NA]:Yunnan
Locality Name (eg, city) [BISHKEK]:Kunming
Organization Name (eg, company) [OpenVPN-TEST]:Yunnan University
Organizational Unit Name (eg, section) []:Information School
Common Name (eg, your name or your server's hostname) []:sk26-home-client1
Email Address [me@myhost.mydomain]:admin@copyleft.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Yunnan'
localityName          :PRINTABLE:'Kunming'
organizationName      :PRINTABLE:'Yunnan University'
organizationalUnitName:PRINTABLE:'Information School'
commonName            :PRINTABLE:'sk26-home-client1'
emailAddress          :IA5STRING:'admin@copyleft.net'
Certificate is to be certified until May 30 11:51:00 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key sk26-home-client2    (for Common Name enter: sk26-home-client2)
...
# ./build-key sk26-home-client3    (for Common Name enter: sk26-home-client3)
...
Generate the Diffie-Hellman parameters:
# ./build-dh
Copy the generated keys to where they are needed; here they go under /etc/openvpn/server:
# mkdir /etc/openvpn/server
# cd keys
# cp * /etc/openvpn/server/
Write the server configuration file; first copy the template as a starting point:
# cd /usr/doc/openvpn-2.0.9/sample-config-files
# cp server.conf /etc/openvpn/server
Modify the configuration:
# key file names:
cert sk26-home-server.crt
key sk26-home-server.key  # This file should be kept secret
# use 10.10.30.0/24 as the address space of the vpn interface:
server 10.10.30.0 255.255.255.0
# let clients reach the home-work subnet:
push "route 10.10.10.0 255.255.255.0"
# let the away-work subnet behind the client reach the vpn:
client-config-dir ccd
route 10.20.10.0 255.255.255.0
# let clients talk to each other and reach away-work directly:
client-to-client
push "route 10.20.10.0 255.255.255.0"
Create the ccd directory and its configuration file:
# cd /etc/openvpn/server
# mkdir ccd
# cd ccd
# echo "iroute 10.20.10.0 255.255.255.0" > sk26-home-client1
For openvpn, the new iptables script rc.iptables-gate-openvpn.ref is used here:
# cp rc.iptables-gate-openvpn.ref /etc/rc.d/rc.iptables-gate-openvpn
# cd /etc/rc.d
# chmod +x rc.iptables-gate-openvpn
# mv rc.iptables rc.iptables-gate-novpn
# ln -s rc.iptables-gate-openvpn rc.iptables
Edit /etc/rc.d/rc.iptables, enable the rules configured earlier, and add:
- open udp port 1194;
- the intranet can reach the vpn's services: ping;
- the vpn can reach the intranet's services: ping.
Start it for testing:
# cd /etc/openvpn/server
# openvpn server.conf
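Before the start test, the following added script (not part of the page or of OpenVPN) sanity-checks the /etc/openvpn/server layout built in this section: the files named by the ca/cert/key/dh directives exist, the private key is not readable by group or others, and every iroute in a ccd file has its matching route line in server.conf. The file names it looks for are the ones this section creates; dh1024.pem is the name build-dh produces with the default vars and is an assumption.

```shell
#!/bin/sh
# Added example, not from the page: sanity-check an OpenVPN server directory laid
# out as in section 12 before starting the daemon. The page needs both
# "route 10.20.10.0 255.255.255.0" in server.conf and the ccd "iroute" for the
# same subnet; either one alone leaves the away-work subnet unreachable.
check_vpn_dir() {
  dir=$1
  conf="$dir/server.conf"
  rc=0
  [ -f "$conf" ] || { echo "missing $conf"; return 1; }
  for directive in ca cert key dh; do
    # first line whose first word is the directive (comments never match)
    f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
    if [ -z "$f" ] || [ ! -f "$dir/$f" ]; then
      echo "directive '$directive' missing or its file not found in $dir"
      rc=1
    fi
  done
  key=$(awk '$1 == "key" { print $2; exit }' "$conf")
  if [ -n "$key" ] && [ -f "$dir/$key" ]; then
    # columns 5-10 of "ls -l" are the group and other permission bits
    case $(ls -l "$dir/$key" | cut -c5-10) in
      ------) ;;
      *) echo "private key $key is readable by group or others"; rc=1 ;;
    esac
  fi
  for ccd in "$dir"/ccd/*; do
    [ -f "$ccd" ] || continue
    for r in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$ccd"); do
      net=${r%/*}; mask=${r#*/}
      # exact match on both network and mask of a "route" line
      if ! awk -v n="$net" -v m="$mask" \
           '$1 == "route" && $2 == n && $3 == m { ok = 1 } END { exit !ok }' "$conf"; then
        echo "iroute $net $mask in ccd/$(basename "$ccd") has no matching route in server.conf"
        rc=1
      fi
    done
  done
  return $rc
}
```

Run it as `check_vpn_dir /etc/openvpn/server`; a non-zero exit status means at least one problem was printed.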
For the corresponding client configuration see the configurations of away-gate and other-work.