我新建的vpn

系统是centos 4.7,单网卡。网上搜了很多实例,也看过一点书,现在把成果报告一下。

# Poptop (pptpd) packages for RHEL4/CentOS 4: dkms, the MPPE kernel module
# (a dkms source package, built on this host), a newer ppp, and pptpd itself.
# They are fetched over plain HTTP and installed unverified further down, so
# compare signatures/checksums with the values the project publishes before
# running the rpm steps.
pkg_base=http://poptop.sourceforge.net/yum/stable/packages
for pkg in \
  dkms-2.0.17.5-1.noarch.rpm \
  kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm \
  ppp-2.4.3-7.rhel4.i386.rpm \
  pptpd-1.3.4-1.rhel4.i386.rpm; do
  wget "${pkg_base}/${pkg}"
done

要先装GCC和kernel-smp-devel(kernel-smp-devel的版本要与当前运行的核心一致,否则dkms编译mppe模块会失败),再给rhel4的核心打补丁。
# dkms compiles the MPPE module locally, so it needs a compiler and kernel
# headers; kernel-smp-devel has to match the running (smp) kernel.
build_deps=(gcc kernel-smp-devel)
yum install "${build_deps[@]}"

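# dkms goes first: the MPPE package is a dkms source package that is compiled
# against the running kernel at install time (needs gcc + kernel-smp-devel).
# Note that the original lines carried their explanations as trailing words
# on the command line, where the shell would pass them as extra arguments;
# they are comments here.
rpm -ivh dkms-2.0.17.5-1.noarch.rpm
rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm   # MPPE patch for the RHEL4 kernel

# ppp-compress-18 is the module alias the MPPE module registers; if it loads,
# the dkms build worked. Stop here rather than install pptpd on a kernel
# without MPPE. (MPPE/MS-CHAPv2 are cryptographically weak by today's
# standards; treat the tunnel as transport, not as strong confidentiality.)
if modprobe ppp-compress-18; then
  echo ok
else
  echo 'ppp-compress-18 (MPPE) did not load; check the dkms build output' >&2
  exit 1
fi

rpm -Uvh ppp-2.4.3-7.rhel4.i386.rpm    # upgrade ppp to the poptop build
rpm -ivh pptpd-1.3.4-1.rhel4.i386.rpm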

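# /etc/pptpd.conf: the server-side tunnel address and the pool handed out to
# clients (the write-up uses 10.0.10.1 and 10.0.10.2-200):
#   localip 10.0.10.1
#   remoteip 10.0.10.2-200
vi /etc/pptpd.conf

# /etc/ppp/chap-secrets: one login per line, in the form
#   "username" pptpd "password" *
# The password is stored in clear text, so keep the file readable by root
# only (the original trailing notes on these two lines were not comments and
# would have been passed to vi as extra file names).
vi /etc/ppp/chap-secrets
chmod 600 /etc/ppp/chap-secrets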

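service pptpd start
service pptpd restart

# restart-kill is the pptpd init script's forceful restart (it appears to
# also end leftover client control processes); the write-up runs it after the
# plain restart.
service pptpd restart-kill
service pptpd start

# Start at boot. The write-up ticks pptpd in the `setup` services menu;
# `chkconfig pptpd on` is the non-interactive equivalent.
chkconfig pptpd on

# Clients only reach the network behind eth0 if the kernel forwards packets:
# set  net.ipv4.ip_forward = 1  in /etc/sysctl.conf. It is applied by the
# reboot at the end of the procedure (or immediately with `sysctl -p`).
vi /etc/sysctl.conf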

在防火墙上打开TCP端口1723(PPTP控制连接)和GRE协议(47,PPTP数据通道),重启iptables,使其生效。

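iptables -L   # current filter rules: GRE and tcp/1723 must be accepted in INPUT

# Source-NAT the VPN pool to the server's public address on eth0.
# XXX.XXX.XXX.XXX is the public-IP placeholder used in the write-up.
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.10.0/24 -j SNAT --to XXX.XXX.XXX.XXX
iptables -t nat -L

iptables -L FORWARD
# Flush FORWARD. Its policy is ACCEPT, so after this the host forwards every
# packet it routes, not just VPN traffic. Explicit rules (accept ppp+ <-> eth0
# for 10.0.10.0/24, reject the rest) are the safer shape once ip_forward is on.
iptables -F FORWARD

service iptables save   # persist the running rules so they survive the reboot

reboot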

再附上最终的iptables内容:

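# Final rule set as dumped by iptables-save; loadable with iptables-restore.
*filter
:INPUT ACCEPT [0:0]
# FORWARD policy ACCEPT plus ip_forward=1 forwards anything the host routes;
# consider DROP with explicit ppp+ <-> eth0 rules for 10.0.10.0/24 instead.
:FORWARD ACCEPT [115:13093]
:OUTPUT ACCEPT [363:47468]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# PPTP data channel: GRE (protocol 47) from any source.
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
# The next four appear to be the stock CentOS rules (IPsec ESP/AH, mDNS, IPP);
# PPTP does not need them and they can be removed if nothing else uses them.
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# PPTP control channel and SSH, both open to any source; add -s where the
# client addresses are known.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [278:26210]
:POSTROUTING ACCEPT [2:162]
:OUTPUT ACCEPT [2:162]
# XXX.XXX.XXX.XXX is the server's public IP (placeholder from the write-up).
# The trailing note that was on this line is not valid here and would make
# iptables-restore reject the file.
-A POSTROUTING -s 10.0.10.0/255.255.255.0 -o eth0 -j SNAT --to-source XXX.XXX.XXX.XXX
COMMIT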