[root@localhost ~]# grep ^[^#] /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
[root@localhost ~]# grep ^[^#] /etc/ppp/chap-secrets
testidrac pptpd "123456" *
[root@localhost ~]# grep ^[^#] /etc/pptpd.conf
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.6.1
remoteip 192.168.6.234-238,192.168.6.245
[root@localhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward=1
[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "IPTABLES TCP-IN:"
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.6.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.6.0/24
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:1723 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "IPTABLES TCP-IN:"
使用iptables1:
[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Jun 6 02:40:33 2017
*filter
:INPUT DROP [3:989]
:FORWARD DROP [0:0]
:OUTPUT DROP [103:149468]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
-A FORWARD -s 192.168.6.0/24 -o eno33554984 -j ACCEPT
-A FORWARD -d 192.168.6.0/24 -i eno33554984 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
COMMIT
# Completed on Tue Jun 6 02:40:33 2017
# Generated by iptables-save v1.4.21 on Tue Jun 6 02:40:33 2017
*nat
:PREROUTING ACCEPT [337:34108]
:INPUT ACCEPT [3:256]
:OUTPUT ACCEPT [104:149528]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -s 192.168.6.0/24 -o eno33554984 -j MASQUERADE
COMMIT
# Completed on Tue Jun 6 02:40:33 2017
使用iptables2:
[root@localhost sysconfig]# cat iptables
# Generated by iptables-save v1.4.21 on Sat Jun 10 01:04:10 2017
*filter
:INPUT DROP [2:400]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT DROPs:"
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD DROPs:"
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUT DROPs:"
COMMIT
# Completed on Sat Jun 10 01:04:10 2017
# Generated by iptables-save v1.4.21 on Sat Jun 10 01:04:10 2017
*nat
:PREROUTING ACCEPT [3967:388420]
:INPUT ACCEPT [4:240]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.6.0/24 -o eno33554984 -j MASQUERADE
COMMIT
# Completed on Sat Jun 10 01:04:10 2017
使用firewalld1
/usr/lib/firewalld/services/
[root@localhost services]# cat pptpd.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>pptpd</short>
<description>PPTP VPN server</description>
<port protocol="tcp" port="1723"/>
</service>
[root@localhost services]# firewall-cmd --permanent --add-service=pptpd
success
[root@localhost services]# firewall-cmd --permanent --add-masquerade
success
[root@localhost services]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
success
[root@localhost services]# firewall-cmd --permanent --direct --add-rule ipv4 filter POSTROUTING 0 -t nat -s 192.168.6.0/24 -o eno33554984 -j MASQUERADE -t nat
success
[root@localhost services]# firewall-cmd --reload
success
[root@localhost services]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736 eno33554984
sources:
services: dhcpv6-client pptpd ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[root@localhost services]# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter POSTROUTING 0 -t nat -s 192.168.6.0/24 -o eno33554984 -j MASQUERADE -t nat
使用firewalld2(此处应该是默认forward是drop的)
# firewalld variant 2: direct rules only, no service file.
# NOTE(review): these commands use the interface name eth0, while the host
# shown by `ip a` above has eno16777736 (192.168.0.99, where VPN clients
# arrive) and eno33554984 (192.168.4.99, the LAN to reach); substitute the
# intended interface before applying.

# PPTP control channel (TCP/1723) — accepted only on the named interface.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i eth0 -p tcp --dport 1723 -j ACCEPT
# GRE carries the tunnelled PPP frames; this rule has no interface restriction.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# Masquerade everything leaving eth0. Unlike the iptables variants above there is
# no `-s 192.168.6.0/24` restriction here.
# NOTE(review): the table is given as `filter` while the arguments carry `-t nat`;
# confirm where the rule lands with `iptables -t nat -S POSTROUTING` after reload.
firewall-cmd --permanent --direct --add-rule ipv4 filter POSTROUTING 0 -t nat -o eth0 -j MASQUERADE
# Forwarding between the PPP links and eth0 in both directions. Both rules are
# stateless (no `-m state`), so inbound eth0 -> ppp+ traffic is accepted
# regardless of whether a client initiated it.
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ppp+ -o eth0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o ppp+ -j ACCEPT
# Activate the permanent configuration.
firewall-cmd --reload
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:2b:09:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.99/24 brd 192.168.0.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2b:984/64 scope link
valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:2b:09:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.4.99/24 brd 192.168.4.255 scope global eno33554984
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2b:98e/64 scope link
valid_lft forever preferred_lft forever
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 192.168.6.1 peer 192.168.6.234/32 scope global ppp0
valid_lft forever preferred_lft forever
192.168.0.99/24：外部主机连接VPN时使用的IP
192.168.4.99/24：想要通过VPN访问的局域网
192.168.6.1：VPN连接后服务器端的虚拟IP