2015年2月20日星期五

在CentOS 6.5上编译ocserv并配置Cisco AnyConnect VPN,以便在iphone上使用OpenConnect SSL VPN翻墙

在CentOS 6.5上编译ocserv并配置Cisco AnyConnect VPN,以便在iphone上使用OpenConnect SSL VPN翻墙

AnyConnect是思科的安全远程接入解决方案,之前只有思科的设备才支持。
ocserv(OpenConnect server)是一个OpenConnect SSL VPN协议服务端,0.3.0版后兼容使用AnyConnect SSL VPN协议的终端。
官方主页:http://www.infradead.org/ocserv/

在iOS下的客户端推荐使用cisco AnyConnect,目前iOS使用VPN存在以下问题:
1、待机会断开
2、不能控制路由表
iOS使用APN存在以下问题:
1、不稳定,有时打不开页面
2、需要墙内墙外均部署服务器

AnyConnect相比有以下优势:
1、待机不会断开
2、能够下发路由表给客户端(未测试)
3、稳定
4、相比APN,只需要1台机器
经测试,从晚上2点多,待机到早上9点多,iPhone电量从18%掉到13%,AnyConnect还保持连接。
环境:CentOS 6.5 x64
ocserv需要3.1版以上的gnutls,gnutls需要2.7版以上的nettle
这两个在repo仓库里均没有,所以我们自己编译
首先保证系统里已安装openssl、gcc、make等常用软件
BTW:Ubuntu上好像可以用apt-get -t wheezy-backports从backports安装这些新版本(未测试)

1、编译nettle
安装gmp
yum install gmp-devel gmp
wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
./configure --prefix=/usr && make
make install &&
chmod -v 755 /usr/lib/libhogweed.so.2.5 /usr/lib/libnettle.so.4.7 &&
install -v -m755 -d /usr/share/doc/nettle-2.7.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-2.7.1

2、编译unbound
安装expat-devel
yum install expat-devel
wget http://unbound.nlnetlabs.nl/downloads/unbound-1.4.22.tar.gz
tar zxf unbound-1.4.22.tar.gz && cd unbound-1.4.22
./configure && make && make install
mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"

3、编译gnutls
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.1.tar.xz
xz -c -d gnutls-3.2.12.1.tar.xz | tar x
cd gnutls-3.2.12
./configure --prefix=/usr && make && make install

4、编译ocserv
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz
xz -c -d ocserv-0.3.2.tar.xz | tar x
cd ocserv-0.3.2
./configure && make && make install
如果nettle和gnutls安装在/usr/local目录,需要运行以下命令设置系统变量,再运行./configure。同时要把这些命令加进系统启动里。
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ NETTLE_CFLAGS="-I/usr/local/include/" NETTLE_LIBS="-L/usr/local/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib64/ -lhogweed"
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/ -lgnutls" LIBNL3_CFLAGS="-I/usr/local/include" LIBNL3_LIBS="-L/usr/local/lib/ -lnl-3 -lnl-route-3"

5、配置ocserv
创建ca证书和服务器证书(参考http://www.infradead.org/ocserv/manual.html#heading5
certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ >ca.tmpl
cn = "stunnel.info VPN"
organization = "stunnel.info"
serial = 1
expiration_days = 365
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
certtool --generate-privkey --outfile server-key.pem
cat << _EOF_ >server.tmpl
cn = "stunnel.info VPN"
o = "stunnel"
serial = 2
expiration_days = 365
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

把证书复制到ocserv的配置目录
mkdir -p /usr/local/etc/ocserv/
cp server-cert.pem /usr/local/etc/ocserv/ && cp server-key.pem /usr/local/etc/ocserv/

复制配置文件样本,还在源码目录中
cp doc/sample.config /usr/local/etc/ocserv/ocserv.conf
编辑配置文件
vim /usr/local/etc/ocserv/ocserv.conf

修改如下:
auth = "plain[/usr/local/etc/ocserv/ocpasswd]"
#ocserv支持多种认证方式,这是自带的密码认证,使用ocpasswd创建密码文件
#ocserv还支持证书认证,可以通过Pluggable Authentication Modules (PAM)使用radius等认证方式
server-cert = /usr/local/etc/ocserv/server-cert.pem
server-key = /usr/local/etc/ocserv/server-key.pem
#证书路径
max-same-clients = 10
#同一个用户最多同时登陆数
run-as-group = nobody
ipv4-network = 192.168.10.0
#分配给VPN客户端的IP段
dns = 8.8.8.8
dns = 8.8.4.4
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#注释掉这两行。route参数留空表示所有流量均走VPN。
#ocserv可以给客户端下发路由表。比如可以把公司内网IP段、所有国外IP走VPN出去。
#default-domain = example.com
#注释掉这行。

创建认证用的用户文件
ocpasswd -c /usr/local/etc/ocserv/.passwd <username>

修改系统配置,允许转发
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o venet0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
#IP段和venet0接口要根据自己的情况修改

最后运行服务
/usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
在iOS上安装Cisco AnyConnect即可连接服务器
Android上也有Cisco AnyConnect(需要root),不过Android可选择的太多,推荐Shadowsocks
Windows、MAC OS也有Cisco的官方客户端

参考:
http://www.infradead.org/ocserv/manual.html
http://ttz.im/blog/2014/02/1131
http://www.cisco.com/web/CN/solutions/trends/byod_smart_solution/pdf/at_a_glance_c45_578609.pdf
--------------------------------------------------
 架设OpenConnect Server给iPhone提供更顺畅的网络生活

OpenConnet Server(ocserv)是朋友给我的建议,它通过实现Cisco的AnyConnect协议,用DTLS作为主要的加密传输协议。我认为它的主要好处在于——
  • AnyConnect的VPN协议默认使用UDP DTLS作为数据传输,但如果有什么网络问题导致UDP传输出现问题,它会利用最初建立的TCP TLS通道作为备份通道,降低VPN断开的概率。
  • AnyConnect作为Cisco新一代的VPN解决方案,被用于许多大型企业,这些企业依赖它提供正常的商业运作,这些正常运作对应的经济效益(读作GDP),是我们最好的伙伴。
  • OpenConnet的架设足够麻烦,我的意思是,如果你不是大型企业,你会用AnyConnect的概率无限趋近于零。再者,如果它足够简单,我就不用写这篇文章了。
至于它的自定义路由表支持,我觉得都是次要了。
介绍到此,让我们按步骤干好事情。
(下文选用最新的Ubuntu 14.04 LTSOCServ 0.9.0.1作为标准环境,但我会尽量提供不依赖版本的步骤与建议。)

编译OCserv

官方站点找最新的OpenConnect Server版本。
curl -O ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
tar xvf ocserv-0.9.0.1.tar.xz
cd ocserv-0.9.0
看下README文件提及的编译依赖。理论上只有libgnutls-dev和libreadline-dev是必须的,但我们还是把可选的功能都带上。
(顺便一提,如果你在Ubuntu 14.04或更早版本上,libgnutls-dev的版本还是2.x,需要用libgnutls28-dev获取3.x的GnuTLS才能支持OCserv。)
sudo apt-get install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libpam0g-dev libwrap0-dev libnl-nf-3-dev
编译并安装。
./configure
(在我测试的环境里,最终报告只有systemd和dbus的结果为no,如果你发现其他项目显示no,不必担心,你的环境可能安装了可选的包导致出现不同结果。目前只有libgnutls28-dev是必须的模块。)
make
sudo make install

配置OCserv

我们希望做到的,是无需用户名与密码的客户端证书验证登陆。但在此之前,让我们先测通更简单的密码登录模式。首先让我们把CA证书与服务器证书生成好,具体步骤官方文档也有——
mkdir certificates
cd certificates
CA模板,创建ca.tmpl,按需填写,这里的cn和organization可以随便填。
cn = "Your CA name" 
organization = "Your fancy name" 
serial = 1 
expiration_days = 3650
ca 
signing_key 
cert_signing_key 
crl_signing_key
CA密钥
certtool --generate-privkey --outfile ca-key.pem
CA证书
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
同理,我们用CA签名,生成服务器证书。先创建server.tmpl模板。这里的cn项必须对应你最终提供服务的hostname或IP,否则AnyConnect客户端将无法正确导入证书。
cn = "Your hostname or IP" 
organization = "Your fancy name" 
expiration_days = 3650
signing_key 
encryption_key
tls_www_server
Server密钥
certtool --generate-privkey --outfile server-key.pem
Server证书
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
将CA,Server证书与密钥复制到以下文件夹
sudo cp ca-cert.pem /etc/ssl/certs/my-ca-cert.pem
sudo cp server-cert.pem /etc/ssl/certs/my-server-cert.pem
sudo cp server-key.pem /etc/ssl/private/my-server-key.pem
剩下的就是OCServ配置文件了。同样的,参考官方文档是最佳选项,但为了方便起见,这是你需要注意的一些设置。回到ocserv-0.9.0的文件夹下,将配置文件复制到OCserv默认读取的位置。
sudo mkdir /etc/ocserv
sudo cp doc/sample.config /etc/ocserv/ocserv.conf
确保以下配置正确
# 登陆方式,目前先用密码登录
auth = "plain[/etc/ocserv/ocpasswd]"
# 允许同时连接的客户端数量
max-clients = 4
# 限制同一客户端的并行登陆数量
max-same-clients = 2
# 服务监听的IP(服务器IP,可不设置)
listen-host = 1.2.3.4
# 服务监听的TCP/UDP端口
tcp-port = 9000
udp-port = 9001
# 自动优化VPN的网络性能
try-mtu-discovery = true
# 服务器证书与密钥
server-cert = /etc/ssl/certs/my-server-cert.pem
server-key = /etc/ssl/private/my-server-key.pem
# 客户端连上vpn后使用的dns
dns = 8.8.8.8
# 注释掉所有的route,让服务器成为gateway
#route = 192.168.1.0/255.255.255.0
# 启用cisco客户端兼容性支持
cisco-client-compat = true
创建一个登陆用的用户名与密码。
sudo ocpasswd -c /etc/ocserv/ocpasswd username
这样OCserv就基本配置好了。但如果你和我一样强化过服务器安全,还得为服务器上开些端口才行。以Linode的安全配置为例,我们需要加入和修改以下内容。
sudo nano /etc/iptables.firewall.rules
打开OCserv对应的TCP/UDP端口
-A INPUT -p tcp -m state --state NEW --dport 9000 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 9001 -j ACCEPT
注释这行,允许转发
# -A FORWARD -j DROP
启用NAT
*nat
-A POSTROUTING -j MASQUERADE
COMMIT
完成之后导入新配置并检查配置正确。
sudo iptables-restore < /etc/iptables.firewall.rules
sudo iptables -L
sudo iptables -t nat -L
如果你之前没有配置服务器启动时自动导入这个设置
sudo nano /etc/network/if-pre-up.d/firewall
输入以下内容
#!/bin/sh 
/sbin/iptables-restore < /etc/iptables.firewall.rules
最后我们需要打开IPv4的流量转发。
sudo nano /etc/sysctl.conf
启用此项
net.ipv4.ip_forward=1
并刷新配置
sudo sysctl -p /etc/sysctl.conf

测试OCserv

在服务器端启动OpenConnect Server。
sudo ocserv -f -d 1
如果服务没错误退出,是时候来测测客户端了。假设你使用iOS,下载Cisco AnyConnect
在Connections下加入新的VPN配置,在服务器地址栏目上填入对应的IP/Hostname和TCP端口(我们的例子就是1.2.3.4:9000)
然后到设置标签页下暂时禁用“阻止不信任的服务器”选项。首次连接,AnyConnect会提示你这是不信任证书,如果你之前的服务器证书模板的 cn没写错的话(我们的例子是1.2.3.4),你可以接受并导入该证书(可在诊断标签页的证书菜单里的服务器证书列表看到)。以后即便启用“阻止不信任 的服务器”选项,也不会报错了(和SSH首次登陆类似)。
确定VPN连接正常并可以科学上网后,我们可以接着提高网络生活质量。

自动化OCserv

假如现有的配置有哪里让人不大满意,大概是这两点——
  1. OCserv的服务最好会自动跑,进程挂了也自动恢复。
  2. AnyConnect每次都要输入密码很麻烦,最好用客户端证书验证。
为OCserv写个简单的upstart脚本。
cd /etc/init.d
sudo ln -s /lib/init/upstart-job ocserv
cd /etc/init
sudo nano ocserv.conf
放入以下内容
#!upstart
description "OpenConnect Server"
start on runlevel [2345]
stop on runlevel [06]
respawn
respawn limit 20 5
script
    exec start-stop-daemon --start --pidfile /var/run/ocserv.pid --exec /usr/local/sbin/ocserv -- -f >> /dev/null 2>&1
end script
这样就可以用以下方式启动/暂停服务
sudo service ocserv start
sudo service ocserv stop
为AnyConnect建个客户端证书
和服务器端证书的步骤基本相同。回到之前的certificates文件夹。
创建user.tmpl
cn = "some random name"
unit = "some random unit"
expiration_days = 365
signing_key
tls_www_client
User密钥
certtool --generate-privkey --outfile user-key.pem
User证书
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
然后要将证书和密钥转为PKCS12的格式。按说certtool也能做到,但不知为何,当前的AnyConnect iOS版并不接受certtool生成的p12文件,于是我们只能用openssl替代——
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12
然后我们要通过URL将user.p12文件导入AnyConnect,具体位置在诊断标签页的证书栏目下。如果你的服务器已经有Nginx/Apache服务,只要传到一个可以访问的URL路径下即可。如果没有,请参照Nginx官网Linode的Nginx入门教程
导入成功之后,将对应的VPN设置的高级设置部分的证书栏目,改为导入的这张证书。
最后我们要调整下OCserv的配置——
nano /etc/ocserv/ocserv.conf
修改以下内容
# 改为证书登陆,注释掉原来的登陆模式
auth = "certificate" 
# 证书认证不支持这个选项,注释掉这行
#listen-clear-file = /var/run/ocserv-conn.socket
# 启用证书验证
ca-cert = /etc/ssl/certs/my-ca-cert.pem
重启OCserv服务,确认VPN无需密码就可以正常登陆。

小结

这篇笔记是在完成配置之后靠回忆写下的,仅仅做到“可用”,没做更多优化与安全配置。如有什么疏漏(很可能有,毕竟环境不可能完全一致),欢迎在留言栏相互协助。祝各位的iPhone生活美满~
参考阅读:
 -----------------------------------------------------------------------
在iphone上使用OpenConnect SSL VPN翻墙 

我都没有越狱,7.1 发布后更是没有机会去越狱了。 
幸福的是 AnyConnect 改变了我窘迫的现状。
  1. 不会断线
  2. 可以给客户端下发走 VPN 的路由表
  3. 稳定
So,我们来聊一聊如何通过 Ocserv 在 Ubuntu 13.10 搭建你的 AnyConnect。
这里不选择 12.04 的原因是他的包比较旧,需要你很折腾才能编译 Ocserv,另外 14.04 已经 On the way 了。
PS.如果想要在 Ubuntu 12.04 上安装,那么需要参考这文章安装 Nettle 和 Gnutls

安装 Ocserv

下载 Ocserv 0.3.2
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz
tar xvf ocserv-0.3.2.tar.xz
cd ocserv-0.3.2
安装编译依赖
sudo apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev \
libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev\
 libopts25-dev autogen libgnutls28 libgnutls28-dev  libseccomp-dev
编译
./configure --prefix=/usr --sysconfdir=/etc && make && sudo make install

生成证书

这里你需要先仔细阅读官方的文档 简单的来说,如下几步
创建工作文件夹
mkdir CA
cd CA
生成 CA 证书
certtool --generate-privkey --outfile ca-key.pem
vim ca.tmpl

#输入一下内容

cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

#保存退出文件编辑

certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem
生成本地服务器证书
certtool --generate-privkey --outfile server-key.pem
vim  server.tmpl

# 输入以下内容

cn = "www.example.com"
organization = "MyCompany"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server

#保存退出文件编辑

certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem
生成之后
server-cert.pem 放到/etc/ssl/certs server-key.pem 放到/etc/ssl/private

配置文件

工作目录是最初解压出来的 ocserv-0.3.2
sudo mkdir /etc/ocserv && \ 
sudo cp doc/sample.config /etc/ocserv/ && \
 sudo mv /etc/ocserv/sample.conf /etc/ocserv/ocserv.conf
编辑配置文件
vim /etc/ocserv/ocserv.conf
修改如下
auth = "plain[/etc/ocserv/ocpasswd]"
#ocserv支持多种认证方式,这是自带的密码认证,使用ocpasswd创建密码文件
#ocserv还支持证书认证,可以通过Pluggable Authentication Modules (PAM)使用radius等认证方式

#证书路径
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem

#同一个用户最多同时登陆数
max-same-clients = 10 

#运行组
run-as-group = nogroup

#分配给VPN客户端的IP段
ipv4-network = 10.10.0.0

#DNS
dns = 8.8.8.8
dns = 8.8.4.4

#注释掉route的字段,这样表示所有流量都通过 VPN 发送
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

创建用户

sudo ocpasswd -c /etc/ocserv/ocpasswd username
#username为你要添加的用户名

修改系统配置,允许转发

vim /etc/sysctl.conf
#修改这行
net.ipv4.ip_forward = 1
#保存退出
sysctl -p
修改 iptables 规则 你可以参考 Linode 的文章 来配置 iptables

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -j DROP

COMMIT
特别需要主意的是,一定不要存在这样的一句话 不然能连上也是哪里都不能访问……
-A FORWARD -j DROP #不要存在这句
在你的 /etc/rc.local 的exit 前面加上这句 来开启 NAT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Debug

现在我们可以开启服务器试试了
sudo ocserv -c /etc/ocserv/ocserv.conf -f -d 1
如果你出现了这样的错误
DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file)Cannot create command handler
那么你需要这样处理
sudo cp ocserv-0.3.2/doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
Thanks to sskaje
拿起你的 iPhone,下载思科的 AnyConnect 客户端
然后输入你的服务器地址,以及你的用户名密码。 出现问题可以看debug的返回信息,如果信息不详细,可以把 1 改成 10
另外也可以通过 ifconfig 来看下你的设备名,我的是 vpns3,然后通过 tcpdump 抓包来看下数据
sudo tcpdump -i vpns3 -vv

配置启动文件

现在我们需要一个脚本来管理 Ocserv
你可以在这里找到, Thanks to Tony
把这个文件复制到 /etc/init.d/ocserv
然后
sudo chmod 755 /etc/init.d/ocserv
sudo update-rc.d ocserv defaults
就可以开机启动了。
你也可以通过
/etc/init.d/ocserv start
这样子来管理。

下发路由

我想这个功能是最激动人心的,因为我们手机如果长期连接,那么肯定是某些服务走 VPN,而国内的网站可以走手机自己的网络体验最好。
但是这里的一个问题是,AnyConnect 有下发路由表的 64 条数限制。
所以我们只能保证下某几个常用的服务是可用的,比如 Google Facebook 以及 Twitter
编辑配置文件
sudo vim /etc/ocserv/ocserv.conf
找到 route = 的字段
你可以使用我的路由表,把这些复制到里面。 保存后重新启动 VPN 服务器,就可以了。
/etc/init.d/ocserv restart
另外这里也有一个我写的 ruby 脚本,用来转换 72.52.99.0/24 > 72.52.99.0/255.255.255.0 这样格式的路由 CIDR to Wildcard mask。
这样你可以自行通过 nslookup
nslookup www.google.com
这样来获取服务器的A地址,然后转换成我们需要的格式。
--------------------------------
 OpenConnect on Ubuntu vps

 OpenConnect is an open source implementation of Cisco’s AnyConnect SSL VPN which is natively supported by iOS(You can create profile with Apple Configurator).

OpenConnect VPN Server can be found on http://www.infradead.org/ocserv/ and downloaded from ftp://ftp.infradead.org/pub/ocserv/, manual http://www.infradead.org/ocserv/manual.html

Let’s build it on Ubuntu 13.10!
  
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz
tar xvf ocserv-0.3.0.tar.xz
cd ocserv-0.3.0

Dependencies:  
apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \
  libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
  autogen libgnutls28 libgnutls28-dev  libseccomp-dev

OpenConnect requires GNUTLS 3.0+ which is libgnutls28 in Ubuntu;
libseccomp-dev is mis-spelled in README;
libhttp-parser-dev is offered in Ubuntu Trusty(14.04)

Let’s configure it as simple as possible like:
./configure --prefix=/opt/ocserv
...
configure:
Summary of build options:
  version:              0.3.0
  Host type:            x86_64-unknown-linux-gnu
  Install prefix:       /opt/ocserv
  Compiler:             gcc
  CFlags:               -g -O2 -Wall

  PAM auth backend:     yes
  TCP wrappers:         yes
  systemd:              no
  (socket activation)
  dbus:                 yes
  readline:             yes
  libnl3:               yes
  local protobuf-c:     no
  local PCL library:    no
  local libopts:        no
  local http-parser:    yes

Optional programs:
  occtl:                yes

configure:

Experimental options:
  seccomp:              no
  Anyconnect compat:    yes

Then make:
   
root@sskaje:~/build/ocserv-0.3.0# make
make  all-recursive
make[1]: Entering directory `/root/build/ocserv-0.3.0'
Making all in gl
make[2]: Entering directory `/root/build/ocserv-0.3.0/gl'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[3]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[2]: Leaving directory `/root/build/ocserv-0.3.0/gl'
Making all in src
make[2]: Entering directory `/root/build/ocserv-0.3.0/src'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/src'
make[4]: Entering directory `/root/build/ocserv-0.3.0/src'
  CC       ocserv-args.o
In file included from ocserv-args.c:43:0:
ocserv-args.h:61:3: error: #error option template version mismatches autoopts/options.h header
# error option template version mismatches autoopts/options.h header
   ^
ocserv-args.h:62:3: error: unknown type name ‘Choke’
   Choke Me.
   ^
ocserv-args.h:62:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘.’ token
   Choke Me.
           ^
ocserv-args.h:78:3: warning: data definition has no type or storage class [enabled by default]
} teOptIndex;
   ^
ocserv-args.h:78:3: warning: type defaults to ‘int’ in declaration of ‘teOptIndex’ [-Wimplicit-int]
ocserv-args.c:303:29: error: ‘INDEX_OPT_VERSION’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
                             ^
ocserv-args.c:317:29: error: ‘INDEX_OPT_HELP’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_HELP, VALUE_OPT_HELP,
                             ^
ocserv-args.c:329:29: error: ‘INDEX_OPT_MORE_HELP’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_MORE_HELP, VALUE_OPT_MORE_HELP,
                             ^
ocserv-args.c:490:5: warning: suggest parentheses around arithmetic in operand of ‘|’ [-Wparentheses]
     + OPTPROC_MISUSE ),
     ^
make[4]: *** [ocserv-args.o] Error 1
make[4]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/build/ocserv-0.3.0'
make: *** [all] Error 2

To solve this:  
./configure --prefix=/opt/ocserv --enable-local-libopts --enable-libopts-install

Install

Create config folder and copy sample config:
  
make install
mkdir /opt/ocserv/etc/
cp doc/sample.* /opt/ocserv/etc/

Create configurations

Certificate related: Generate Certificate with GnuTLS and Sign with OpenSSL:
  
cd /opt/ocserv/;
cp /etc/ipsec.d/crls/crl.pem etc/
cp /etc/ipsec.d/cacerts/cacert.pem etc/

config file like…(I’ll upload it later)
Add User(Plain):
  
cd /opt/ocserv/;
./bin/ocpasswd -c etc/passwd -g GROUPNAME sskaje

Start & Stop:
  
root@sskaje:/opt/ocserv# cd /opt/ocserv/;
root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16583     1  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16584 16583  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16586 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv
root@sskaje:/opt/ocserv# ./bin/occtl  stop now
Server scheduled to stop
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16590 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv

iOS Connect

This time, you need to have Cisco AnyConnect installed on your iDevice, Apple Configurator is not necessory.
I added a ‘0.0.0.0/0.0.0.0′ route but does not yet work for me.

Trouble Shooting

Debug foreground
  
root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config  -d -f
listening (TCP) on 0.0.0.0:8443...
listening (TCP) on [::]:8443...
listening (UDP) on 0.0.0.0:8443...
listening (UDP) on [::]:8443...
ocserv[16335]: [main] initialized ocserv 0.3.0
ocserv[16336]: sec-mod initialized (socket: /var/run/ocserv-socket.16335)
DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file)Cannot create command handler.

If you see this error, you need to copy dbus config files to /etc:
cp /root/build/ocserv-0.3.0/doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
-----------------------------------------------------
 Install Ocserv on CentOS 6.5

Ocserv is a Cisco AnyConnect compatible server, it had been designed for OpenConnect, but the author made it Cisco AnyConnect compatible later.
In pre-iOS 7 era, Apple gave users an ability to trigger VPN as a global one, that means once you need to access the Internet, VPN could be connected automatically. After iOS 7 was released, Apple has disabled this feature, even though VPN still could be triggered by URL or destination, but solely by specific ones, not global any more.
Despite the compatible of Cisco AnyConnect, ocserv is not certified by Cisco and there are some known issues like mismatch MTU.
To install ocserv on CentOS 6, you must install some the latest version softwares including GnuTLS, Nettle and LibNL.

Preparation

First of all, install some RPM packages that will be required afterward:
yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget
Install Nettle:
wget http://www.lysator.liu.se/~nisse/archive/nettle-2.7.tar.gz
tar xvf nettle-2.7.tar.gz
cd nettle-2.7
./configure --prefix=/opt/
make && make install
cd ..
Install the latest GnuTLS, this version comes with a fix of security flaw:
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
tar xvf gnutls-3.2.12.tar.xz
cd gnutls-3.2.12
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle" HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed" ./configure --prefix=/opt/
make && make install
cd ..
Install the Latest LibNL:
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/opt/
make && make install
cd ..

Install Ocserv

The latest version of ocserv is 0.8.0[1], if you want a git version, you might need to compile a recent version of automake and autoconf.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.0.tar.xz
tar xvf ocserv-0.8.0.tar.xz
cd ocserv-0.8.0
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls" LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3 -lnl-route-3" ./configure --prefix=/opt/
make && make install
You may need to

export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
every time you run ocserv as the libraries it linked with are in /opt/ rather than a standard path.
I found DTLS (connecting through UDP) may cause a MTU issue, the value on server side is lower than client side, this may stop some sites or images from loading correctly. So I use custom-headers to lock the MTU on client side to 1200. [2]
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
If you need to route all traffic like I do, comment all lines begins with ‘route’. You may also want some of traffic to remain un-routed, then you could add another customer header
custom-header = "X-CSTP-Split-Exclude: 8.8.8.8/255.255.255.0"
And, comment the following line, I found if I leave it uncommented, Cisco AnyConnect on iOS will not connect properly.
#cisco-client-compat = true
Last, remember to set up IPv4 forward on your CentOS – edit /etc/sysctl.conf
net.ipv4.ip_forward = 1
and
sysctl -p
iptables -t nat -A POSTROUTING -j MASQUERADE
That’s it. Hope you enjoy the AnyConnect on your iPhone or Android devices.
Here is a sample configuration file.
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
# A banner to be displayed on clients
#banner = "Welcome"
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
max-clients = 1024
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 0
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds
dpd = 90
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /path/to/crt_file
server-key = /path/to/key_file
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = ./alphassl.crt
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-timeout = 86400000
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 86400000
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
use-dbus = false
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
# Network settings
device = vpns
# The default domain to be advertised
#default-domain = example.com
ipv4-network = 10.18.240.0
ipv4-netmask = 255.255.255.0
# dns = 192.168.2.1
#dns = 192.168.1.1
#dns = fe80::1
dns = 203.80.96.10
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.2.3
# The IPv6 subnet prefix
#ipv6-network = fe80::
#ipv6-prefix = 16
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40960
#tx-data-per-sec = 40960
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
output-buffer = 10
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv?-netmask, ipv6-prefix, rx/tx-per-sec, iroute and route.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24 (so iroute in this system has different syntax than route)
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
cisco-client-compat = true
#Advanced options# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"

Update:

[1] 23/Jun/2014 – Updated to 0.8.0
[2] Or you can let iptables determine a correct MTU value instead of a fixed one:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

相关帖子:
翻墙工具OpenConnect server 0.8.9 一键安装脚本 for debian 7+ 
发帖者 时间: 没有评论:

2015年2月19日星期四

VPS优化之添加swap交换分区

相信很多使用VPS的朋友和我一样,没有太多的米买更多的内存,通常使用swap交换分区来给VPS提高一下性能。
下面说一下VPS添加swap交换分区的方法(只有Xen的VPS可以,OpenVZ不支持添加swap)。
 1、进入一个目录
cd /var/
  2、获取256M的文件块:
dd if=/dev/zero of=swapfile bs=1024 count=262144
  3、创建swap文件
/sbin/mkswap swapfile
  4、激活swap文件
/sbin/swapon swapfile
  5、查看一下swap是否正确:
/sbin/swapon -s
  6、加到fstab文件中让系统引导时自动启动
vi /etc/fstab
在末尾增加以下内容:
/var/swapfile swap swap defaults 0 0
也可以执行如下命令,感觉这样更方便
echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
顺便附上DD命令的参数介绍:
dd命令
功能:把指定的输入文件拷贝到指定的输出文件中,并且在拷贝过程中可以进行格式转换。可以用该命令实现DOS下的diskcopy命令的作用。先用dd命令把软盘上的数据写成硬盘的一个寄存文件,再把这个寄存文件写入第二张软盘上,完成diskcopy的功能。需要注意的是,应该将硬盘上的寄存文件用rm命令删除掉。系统默认使用标准输入文件和标准输出文件。
语法:dd [选项]
if =输入文件(或设备名称)。
of =输出文件(或设备名称)。
ibs = bytes 一次读取bytes字节,即读入缓冲区的字节数。
skip = blocks 跳过读入缓冲区开头的ibs*blocks块。
obs = bytes 一次写入bytes字节,即写入缓冲区的字节数。
bs = bytes 同时设置读/写缓冲区的字节数(等于设置ibs和obs)。
cbs = byte 一次转换bytes字节。
count=blocks 只拷贝输入的blocks块。
>>转载请注明出处:VPS侦探 本文链接地址:http://www.vpser.net/opt/vps-add-swap.html
发帖者 时间: 没有评论:

用 iptables 屏蔽来自某个国家的 IP

星期六我们一位客户受到攻击,我们的网络监测显示有连续6小时的巨大异常流量,我们立即联系了客户,没有得到回应,我们修改和限制了客户的 VPS,使得个别 VPS 受攻击不会对整个服务器和其他 VPS 用户造成任何影响,我们一直保持这个 VPS 为开通状态(尽管一直受攻击),攻击又持续了24小时,星期天攻击仍在继续,我们忍无可忍,但是仍然无法联系到客户,我们向客户网站的另一负责人询问是否需要我们介入来帮助解决,这位负责人答应后我们立即投入到与 DDoS 的战斗中(我们动态扫描屏蔽坏 IP,现在客户网站已恢复。整个过程很有意思,以后有时间再写一篇博客来描述)。登录到客户 VPS 第一件事情就是查当前连接和 IP,来自中国的大量 IP 不断侵占80端口,典型的 DDos. 所以第一件事是切断攻击源,既然攻击只攻80端口,那有很多办法可以切断,直接关闭网站服务器、直接用防火墙/iptables 切断80端口或者关闭所有连接、把 VPS 网络关掉、换一个 IP,⋯,等等。因为攻击源在国内,所以 VPSee 决定切断来自国内的所有访问,这样看上去网站好像是被墙了而不是被攻击了,有助于维护客户网站的光辉形象。那么如何屏蔽来自某个特定国家的 IP 呢?
方法很容易,先到 IPdeny 下载以国家代码编制好的 IP 地址列表,比如下载 cn.zone:
# wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
有了国家的所有 IP 地址,要想屏蔽这些 IP 就很容易了,直接写个脚本逐行读取 cn.zone 文件并加入到 iptables 中:
#!/bin/bash
# Block traffic from a specific country
# written by vpsee.com

COUNTRY="cn"
IPTABLES=/sbin/iptables
EGREP=/bin/egrep

if [ "$(id -u)" != "0" ]; then
   echo "you must be root" 1>&2
   exit 1
fi

resetrules() {
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
}

resetrules

for c in $COUNTRY
do
        country_file=$c.zone

        IPS=$($EGREP -v "^#|^$" $country_file)
        for ip in $IPS
        do
           echo "blocking $ip"
           $IPTABLES -A INPUT -s $ip -j DROP
        done
done

exit 0
好 IP 和坏 IP 都被屏蔽掉了,这种办法当然不高明,屏蔽 IP 也没有解决被攻击的问题,但是是解决问题的第一步,屏蔽了攻击源以后我们才有带宽、时间和心情去检查 VPS 的安全问题。公布一份我们客户被攻击的网络流量图,在18点到0点所有带宽都被攻击流量占用,这时候客户无法登录 VPS,访问者也无法访问网站:
>>转载请注明出处:VPS侦探 本文链接地址:http://www.vpser.net/security/iptables-block-countries-ip.html
发帖者 时间: 没有评论:

Linux上iptables防火墙的基本应用教程

iptables是Linux上常用的防火墙软件,下面vps侦探给大家说一下iptables的安装、清除iptables规则、iptables只开放指定端口、iptables屏蔽指定ip、ip段及解封、删除已添加的iptables规则等iptables的基本应用

1、安装iptables防火墙

如果没有安装iptables需要先安装,CentOS执行:
yum install iptables
Debian/Ubuntu执行:
apt-get install iptables

2、清除已有iptables规则

iptables -F
iptables -X
iptables -Z

3、开放指定的端口

#允许本地回环接口(即运行本机访问本机)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# 允许已建立的或相关连的通行
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许所有本机向外的访问
iptables -A OUTPUT -j ACCEPT
# 允许访问22端口
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#允许访问80端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#允许FTP服务的21和20端口
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#如果有其他端口的话,规则也类似,稍微修改上述语句就行
#禁止其他未允许的规则访问
iptables -A INPUT -j REJECT  (注意:如果22端口未加入允许规则,SSH链接会直接断开。)
iptables -A FORWARD -j REJECT

4、屏蔽IP

#如果只是想屏蔽IP的话“3、开放指定的端口”可以直接跳过。
#屏蔽单个IP的命令是
iptables -I INPUT -s 123.45.6.7 -j DROP
#封整个段即从123.0.0.1到123.255.255.254的命令
iptables -I INPUT -s 123.0.0.0/8 -j DROP
#封IP段即从123.45.0.1到123.45.255.254的命令
iptables -I INPUT -s 124.45.0.0/16 -j DROP
#封IP段即从123.45.6.1到123.45.6.254的命令是
iptables -I INPUT -s 123.45.6.0/24 -j DROP

4、查看已添加的iptables规则

iptables -L -n
v:显示详细信息,包括每条规则的匹配包数量和匹配字节数
x:在 v 的基础上,禁止自动单位换算(K、M) vps侦探
n:只显示IP地址和端口号,不将ip解析为域名

5、删除已添加的iptables规则

将所有iptables以序号标记显示,执行:
iptables -L -n --line-numbers
比如要删除INPUT里序号为8的规则,执行:
iptables -D INPUT 8

6、iptables的开机启动及规则保存

CentOS上可能会存在安装好iptables后,iptables并不开机自启动,可以执行一下:
chkconfig --level 345 iptables on
将其加入开机启动。
CentOS上可以执行:service iptables save保存规则。
另外更需要注意的是Debian/Ubuntu上iptables是不会保存规则的。
需要按如下步骤进行,让网卡关闭是保存iptables规则,启动时加载iptables规则:
创建/etc/network/if-post-down.d/iptables 文件,添加如下内容:
#!/bin/bash
iptables-save > /etc/iptables.rules
执行:chmod +x /etc/network/if-post-down.d/iptables 添加执行权限。
创建/etc/network/if-pre-up.d/iptables 文件,添加如下内容:
#!/bin/bash
iptables-restore < /etc/iptables.rules
执行:chmod +x /etc/network/if-pre-up.d/iptables 添加执行权限。
关于更多的iptables的使用方法可以执行:iptables --help或网上搜索一下iptables参数的说明。
如有问题欢迎在本文下留言或到VPS论坛反馈。
原创文章,谢绝转载!
>>转载请注明出处:VPS侦探 本文链接地址:http://www.vpser.net/security/linux-iptables.html
发帖者 时间: 没有评论:

CentOS下shadowsocks-go一键安装脚本

本脚本适用环境:
系统支持:CentOS 5 & 6 & 7 32或64位
内存要求:≥128M
日期:2015年01月08日
关于本脚本:
一键安装 go 版的 shadowsocks 最新版本 1.1.3。据说 go 版本有 buff ,但是我没看到。与 python 版不同的是,其客户端程序能使用多个服务端配置,但是本脚本安装的是服务端。作者默认推荐 aes-128-cfb 加密,基于一致性的决定,脚本还是使用了 aes-256-cfb 加密方式。
默认配置:
服务器端口:8989
客户端端口:1080
密码:自己设定(如不设定,默认为teddysun.com)
使用方法:
使用root用户登录,运行以下命令:
wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-go.sh
chmod +x shadowsocks-go.sh
./shadowsocks-go.sh 2>&1 | tee shadowsocks-go.log
安装完成后,脚本提示如下:
Congratulations, shadowsocks-go install completed!
Your Server IP:your_server_ip
Your Server Port:8989
Your Password:your_password
Your Local Port:1080
Your Encryption Method:aes-256-cfb

Welcome to visit:http://teddysun.com/392.html
Enjoy it!
卸载方法:
使用 root 用户登录,运行以下命令:
./shadowsocks-go.sh uninstall
其他事项:
客户端配置的参考链接:http://teddysun.com/339.html
安装完成后即已后台启动 shadowsocks-go ,运行:
/etc/init.d/shadowsocks status
可以查看 shadowsocks-go 进程是否存在。
本脚本安装完成后,会将 shadowsocks-go 加入开机自启动。
使用命令:
启动:/etc/init.d/shadowsocks start
停止:/etc/init.d/shadowsocks stop
重启:/etc/init.d/shadowsocks restart
状态:/etc/init.d/shadowsocks status
多用户多端口配置文件 sample(2015年01月08日):
配置文件路径:/etc/shadowsocks/config.json
{
    "port_password":{
         "8989":"password0",
         "9001":"password1",
         "9002":"password2",
         "9003":"password3",
         "9004":"password4"
    },
    "method":"aes-256-cfb",
    "timeout":600
}
官方版本的 sample ,详见这里
特别说明:
1、关于 CentOS 的默认 iptables 防火墙规则 icmp-host-prohibited ,如果安装之后发现已经启动 shadowsocks,本地客户端却不能连接上,请检查 iptables 是不是有如下的一条规则:
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
运行命令:
/etc/init.d/iptables status
可以查看。如果有这条规则,则添加的 8989 端口需手动更改一下,放到这条规则的上一行。编辑 /etc/sysconfig/iptables 文件,将:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8989 -j ACCEPT
放在:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
的前面。最终效果如下:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8989 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
编辑完后,重启 iptables 防火墙。命令:/etc/init.d/iptables restart
更新日志:
更新(2015年01月08日):修改了启动脚本 /etc/init.d/shadowsocks ,按照 CentOS 的 chkconfig 标准语法修改了一下(原来使用的是作者 Github 上自带的)。去掉了以 nobody 用户启动 shadowsocks 的方式,改为直接以当前登录用户直接启动(一般是 root 用户)。开机自启动,以及修改端口号提示无权限的问题已经解决。
更新(2015年01月07日):支持在 CentOS 5,6 及 7 下安装。注意,在 CentOS 7 中默认是没有 iptables 的,如果你开启了 firewalld ,请手动对端口放行。

http://teddysun.com/392.html

发帖者 时间: 没有评论:
订阅: 博文 (Atom)