Problem statement
This article describes setting up remote access for an organization's employees using open-source products. It can be used both to build a fully autonomous system and to supplement an existing commercial solution when it has run out of licences or its performance is no longer sufficient.
The goal is a complete system for providing remote access to the organization, which is somewhat more than "installing OpenVPN in 10 minutes".
The result is a system in which certificates and (optionally) the organization's Active Directory are used to authenticate users, that is, two-factor authentication: something I have (the certificate) and something I know (the password).
A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority is used offline.
The cost of implementing the solution is a few hours of a technician's time.
We use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, with 100 vCPUs, 4 GiB of RAM and a 4 GB disk allocated.
In the example, the organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment; the DNS servers are 172.16.16.16 and 172.16.17.17; and the subnet 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, a port forward of 1194/udp is used, and an A record gw.abc.ru is created in DNS for our server.
It is strongly not recommended to disable SELinux! OpenVPN works without turning the security policies off.
Contents
Installing the OS and application software
Cryptographic configuration
OpenVPN configuration
AD authentication
Start and diagnostics
Issuing and revoking certificates
Network configuration
What's next
Installing the OS and application software
We use the CentOS 7.8.2003 distribution. The OS is installed in the minimal configuration. This can be done using
After installation and assigning an address to the network interface (172.16.19.123 by the problem statement), update the OS:
$ sudo yum update -y && reboot
We also need to make sure that name resolution works on the host.
To install the application software you need the openvpn, openvpn-auth-ldap, easy-rsa and vim packages (the EPEL repository must be enabled).
$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim
It is also useful to install a guest agent for the virtual machine:
$ sudo yum install open-vm-tools
for VMware ESXi hosts, or for oVirt:
$ sudo yum install ovirt-guest-agent
Cryptographic configuration
Go to the easy-rsa directory:
$ cd /usr/share/easy-rsa/3/
Create the variables file:
$ sudo vim vars
Contents:
# Easy-RSA 3 reads EASYRSA_* variables. The KEY_* names are the Easy-RSA 2 convention
# and are silently ignored by version 3, so the fields below use the version 3 names.
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"   # replace with a real contact address
export EASYRSA_REQ_OU="allUsers"
export EASYRSA_REQ_CN="allUsers"
# The organization fields only appear in certificate subjects when the DN mode is "org" (the default is cn_only)
export EASYRSA_DN="org"
# KEY_NAME / KEY_ALTNAMES (gw.abc.ru, abc-openvpn-server) have no vars equivalent in Easy-RSA 3;
# a subject alternative name is given as the --subject-alt-name option instead (see ./easyrsa help options)
export EASYRSA_CERT_EXPIRE=3652
The organization parameters of ABC LLC are described here; edit them to match your organization or leave the defaults. The most important parameter is the last line, which sets the validity period of the certificate being issued. The example uses 10 years (365*10 plus 2 leap days). This value has to be changed before issuing user certificates.
After that, we create the certificate authority itself.
The sequence is: export the variables, initialize the PKI, generate the CA key and root certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be protected and kept secret! All parameters can be left at their defaults. Two caveats on the commands below. First, build-ca nopass stores the CA private key unencrypted in pki/private/ca.key; omit nopass if you want it protected by a passphrase, which is then asked for at every sign-req. Second, because the pki directory is later symlinked into /etc/openvpn, the CA key ends up on the VPN server itself, which is not the offline CA from the problem statement; for a genuinely offline CA keep the pki directory (or at least ca.key) on a separate machine and copy only ca.crt, crl.pem, ta.key and the server certificate and key to the server. gen-crl is run now, before anything has been revoked, because crl-verify in server.conf needs the file to exist.
cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key
This completes the main part of the cryptographic configuration.
OpenVPN configuration
Go to the OpenVPN directory, create the service directories and add a symlink to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
Contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# the client profile carries the same ta.key with key-direction 1; without this line the handshake fails
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the whole 172.16.0.0/16 office network of the problem statement (a /24 mask here would reach only 172.16.0.x)
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
A few remarks on the parameters:
- if the certificates are stored somewhere else, specify your own paths;
- specify the address range(s) your clients need to reach*; for the 172.16.0.0/16 network of the problem statement the mask is 255.255.0.0, and the second route shows how another network is added;
- the client pool and the DNS servers are pushed to the clients;
- the last two lines are needed for AD authentication**.
* The /23 pool allows up to 127 simultaneous clients, because with OpenVPN's default net30 topology each client is given a /30 (four addresses). With topology subnet each client gets a single address and the same /23 fits roughly 500 clients.
The port and protocol can be changed if necessary, but a non-standard port must also be registered in the SELinux policy (semanage port -a -t openvpn_port_t -p udp <port>, from policycoreutils-python) and opened in the firewall, since firewalld's openvpn service only covers 1194/udp. Using tcp is not recommended: TCP tunnelled inside TCP performs poorly under packet loss, because both layers retransmit. Also check after gen-crl that /etc/openvpn/pki/crl.pem is readable by the nobody user (ls -l), since OpenVPN re-reads it after dropping privileges; if it is not, connections fail with a CRL read error in the log.
** If AD authentication is not required, comment out these two lines and remove the auth-user-pass directive from the client profile. With username-as-common-name the AD login becomes the session's CN (used for ccd lookups and in the status log), and a user connecting from two devices at once displaces their own session unless duplicate-cn is also set.
AD authentication
In addition to the certificate, we use domain authentication in AD.
Pay close attention to the user and group attributes: if they are wrong, authentication simply fails.
Create the configuration file:
/etc/openvpn/ldap.conf
Contents:
<LDAP>
URL "ldap://ldap.abc.ru"
BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru"
Password b1ndP@SS
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "OU=allUsr,DC=abc,DC=ru"
SearchFilter "(sAMAccountName=%u)"
RequireGroup true
<Group>
BaseDN "OU=myGrp,DC=abc,DC=ru"
SearchFilter "(cn=myVPNUsr)"
MemberAttribute "member"
</Group>
</Authorization>
Some explanations:
- URL "ldap://ldap.abc.ru" is the domain controller address. As written (ldap:// with TLSEnable no) the plugin speaks plain LDAP, so the bind password and every user's AD password cross the network in cleartext; in production use ldaps:// (port 636) or TLSEnable yes, with TLSCACertFile pointing at the CA that issued the domain controllers' certificates;
- BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" is the account used to connect to LDAP (the bindUsr account in the abc.ru/Users container); it only needs read access to the directory;
- Password b1ndP@SS is that account's password. It is stored in the clear, so the file must be readable by root only (chmod 600 /etc/openvpn/ldap.conf): OpenVPN loads the plugin and its configuration as root at startup, before dropping to the nobody user;
- BaseDN "OU=allUsr,DC=abc,DC=ru" is the subtree in which users are looked up; an account outside it is rejected even with the right password and group;
- BaseDN "OU=myGrp,DC=abc,DC=ru" is the container of the permitted group (the myVPNUsr group in abc.ru/myGrp);
- SearchFilter "(cn=myVPNUsr)" selects the permitted group; membership is read from its member attribute, so the user must be a direct member, as the plugin does not expand nested groups.
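It pays to check this file before the first start rather than discover problems from AUTH_FAILED in the log. The script below is an added example written for this article, not tooling from the openvpn-auth-ldap plugin: it reads the plugin's configuration format shown above, flags cleartext LDAP (ldap:// without TLSEnable yes), loose file permissions and a missing RequireGroup, and prints the two ldapsearch commands (from openldap-clients) that reproduce the plugin's user and group lookups, so the BindDN, BaseDN and filters can be tried by hand with a real login name. The file path and the login name passed on the command line are assumptions.

```bash
#!/usr/bin/env bash
# Added example for this article (not the openvpn-auth-ldap plugin's own tooling):
# audit /etc/openvpn/ldap.conf and print the ldapsearch commands that reproduce
# the plugin's user and group lookups.  Needs only bash, awk and ls.
# Usage: ldap-conf-check.sh /etc/openvpn/ldap.conf [sAMAccountName]

# Value of KEY inside SECTION, where SECTION is a path such as /LDAP or
# /Authorization/Group (the plugin nests <Group> inside <Authorization>).
ldap_conf_get() {
    local file=$1 section=$2 key=$3
    awk -v want="$section" -v key="$key" '
        /^[ \t]*<[A-Za-z]+>/   { gsub(/[ \t<>]/, ""); path = path "/" $0; next }
        /^[ \t]*<\/[A-Za-z]+>/ { sub(/\/[^\/]*$/, "", path); next }
        path == want && $1 == key {
            v = $0
            sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", v)   # drop the key name
            gsub(/"/, "", v)                       # and the surrounding quotes
            print v; exit
        }' "$file"
}

# Print each finding on stderr and the number of findings on stdout (0 = clean).
ldap_conf_audit() {
    local file=$1 findings=0 url tls perms
    url=$(ldap_conf_get "$file" /LDAP URL)
    tls=$(ldap_conf_get "$file" /LDAP TLSEnable)
    # Every VPN user's AD password is sent over this connection: insist on TLS.
    case "$url" in
        ldaps://*) ;;
        *) if [ "$tls" != yes ]; then
               echo "FINDING: $url with TLSEnable=$tls sends the bind password and user passwords in cleartext" >&2
               findings=$((findings + 1))
           fi ;;
    esac
    # The file holds the bind password; OpenVPN loads the plugin as root before
    # dropping to nobody, so nobody else needs to read it.
    perms=$(ls -l "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FINDING: $file is readable by group/other (bits '$perms'); chmod 600 it" >&2
        findings=$((findings + 1))
    fi
    # Without RequireGroup any AD account with a valid certificate can connect.
    if [ "$(ldap_conf_get "$file" /Authorization RequireGroup)" != true ]; then
        echo "FINDING: RequireGroup is not true; group membership is not enforced" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# The two searches the plugin performs for USER, as ldapsearch commands
# (openldap-clients).  -W prompts for the bind password instead of exposing it in argv.
ldap_conf_probe_cmds() {
    local file=$1 user=$2 url binddn ubase ufilter gbase gfilter
    url=$(ldap_conf_get "$file" /LDAP URL)
    binddn=$(ldap_conf_get "$file" /LDAP BindDN)
    ubase=$(ldap_conf_get "$file" /Authorization BaseDN)
    ufilter=$(ldap_conf_get "$file" /Authorization SearchFilter)
    gbase=$(ldap_conf_get "$file" /Authorization/Group BaseDN)
    gfilter=$(ldap_conf_get "$file" /Authorization/Group SearchFilter)
    ufilter=${ufilter//%u/$user}   # the plugin substitutes %u with the login name
    printf 'ldapsearch -H %s -x -D "%s" -W -b "%s" "%s" dn\n' "$url" "$binddn" "$ubase" "$ufilter"
    printf 'ldapsearch -H %s -x -D "%s" -W -b "%s" "%s" member\n' "$url" "$binddn" "$gbase" "$gfilter"
}

if [ $# -ge 1 ]; then
    n=$(ldap_conf_audit "$1")
    echo "findings: $n"
    if [ $# -ge 2 ]; then
        ldap_conf_probe_cmds "$1" "$2"
    fi
fi
```

Run it as ldap-conf-check.sh /etc/openvpn/ldap.conf jdoe; the first ldapsearch it prints must return exactly one DN under the user BaseDN, and that DN must appear among the member values returned by the second, otherwise the plugin will reject the login no matter what password is given.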
Start and diagnostics
Now we can enable and start the server (the unit is the openvpn@.service template instantiated with the name of the configuration file, server.conf):
$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service
Checking that it started:
systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
If the certificates themselves are not embedded, the keys have to be distributed separately; it is much more convenient to wrap everything into a single profile file. That file is handed to the user and imported into the OpenVPN client on the device. For this we create a profile template and a script that generates profiles.
The template needs the contents of the root certificate (ca.crt) and the TLS key (ta.key).
Before issuing user certificates, don't forget to set the required validity period in the parameter file. It should not be very long; I recommend limiting it to 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
- replace the placeholders with the actual contents of ca.crt and ta.key;
- for remote access, specify the name or address of your gateway;
- the auth-user-pass directive enables the additional external (AD) authentication;
- the finished .ovpn contains the user's private key, so it is written under /usr/share/easy-rsa/3/client as a root-only file and must be handed over through a secure channel.
In the client directory (yes, not in the main one) we create the script that requests the certificate and builds the profile:
vim ~/make.profile.sh
#!/bin/bash
# Issue a client certificate and build a single-file .ovpn profile for it.
# Usage: make.profile.sh vpn-username
if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi
set -e
# The profile will contain the client's private key: make every file we create root-only.
umask 077
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
#Get current year and lowercase client name (AD logins are case-insensitive, so
# normalize once and use the same spelling for the certificate, key and profile)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath"
# Refuse to issue a second certificate under the same name
if [ -e "$profile" ] || [ -e "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"
#Make profile: the template plus the key and certificate inline
cp "$clntpath/template.ovpn" "$profile"
{
    echo "<key>"
    cat "$privpath/$client.key"
    echo "</key>"
    echo
    echo "<cert>"
    # issued/*.crt carries a text dump before the PEM block; re-encode to keep only the PEM
    openssl x509 -in "$certpath/$client.crt"
    echo "</cert>"
    echo
} >> "$profile"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
Now we can issue our first certificate:
~/make.profile.sh my-first-user
Revocation
If a certificate is compromised (lost, stolen, the employee has left), revoke it and regenerate the CRL. Two points to keep in mind: OpenVPN 2.4 re-reads crl.pem when its modification time changes, so the new CRL applies to new connections without a restart, but a session the revoked user already has open is only re-checked at the next TLS renegotiation (reneg-sec, one hour by default) unless you restart the service; and the CRL itself is only valid for EASYRSA_CRL_DAYS (180 by default), after which OpenVPN refuses every client with a "CRL has expired" error, so run gen-crl on a schedule (cron) even when nothing has been revoked. The revocation itself:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Listing issued and revoked certificates
To see the issued certificates, simply print the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanation:
- the first line is the server certificate;
- the first letter of each line is the status:
- V (valid): the certificate is valid;
- R (revoked): the certificate has been revoked.
The remaining tab-separated columns are the expiry date (YYMMDDHHMMSSZ), the revocation date (only for R entries), the serial number, the file name (always unknown here) and the subject DN.
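index.txt is also the quickest way to find certificates that are about to expire, which matters once client certificates are limited to 180 days. The script below is an added example, not part of the article or of Easy-RSA: it reads the tab-separated columns described above, classifies each certificate as VALID, EXPIRING, EXPIRED or REVOKED by date rather than by the status letter (OpenSSL only rewrites V to E when openssl ca -updatedb is run, and OpenVPN rejects an expired certificate either way), and counts them. The 30-day warning horizon and the default index path are assumptions.

```bash
#!/usr/bin/env bash
# Added example for this article (not part of Easy-RSA): a report over pki/index.txt,
# the OpenSSL CA database.  Columns are tab-separated:
#   status (V/R/E)  expiry YYMMDDHHMMSSZ  revocation date (empty unless R)  serial  filename  subject DN
# Certificates are classified by date, not by the status letter, because OpenSSL only
# rewrites V to E when `openssl ca -updatedb` is run.  Needs only bash, awk and date.
# Usage: pki-report.sh [path/to/index.txt]

# One line per certificate: STATE SERIAL EXPIRES CN, for the clock value NOW and
# the warning horizon CUTOFF (both in the same YYMMDDHHMMSSZ format, which sorts
# lexically for the years 2000-2099, so plain string comparison is enough).
pki_index_report() {
    local index=$1 now=$2 cutoff=$3
    awk -F'\t' -v now="$now" -v cutoff="$cutoff" '
        {
            status = $1; expiry = $2; serial = $4
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            if (status == "R")          state = "REVOKED"
            else if (expiry < now)      state = "EXPIRED"
            else if (expiry < cutoff)   state = "EXPIRING"
            else                        state = "VALID"
            printf "%-8s %s %s %s\n", state, serial, expiry, cn
        }' "$index"
}

# Number of certificates in STATE (VALID, EXPIRING, EXPIRED or REVOKED).
pki_index_count() {
    pki_index_report "$1" "$2" "$3" | awk -v s="$4" '$1 == s { n++ } END { print n + 0 }'
}

index=${1:-/usr/share/easy-rsa/3/pki/index.txt}   # article layout; adjust if the PKI lives elsewhere
if [ -r "$index" ]; then
    now=$(date -u +%y%m%d%H%M%SZ)
    cutoff=$(date -u -d "@$(( $(date -u +%s) + 30 * 86400 ))" +%y%m%d%H%M%SZ)   # warn 30 days ahead
    pki_index_report "$index" "$now" "$cutoff"
    for s in VALID EXPIRING EXPIRED REVOKED; do
        echo "$s: $(pki_index_count "$index" "$now" "$cutoff" "$s")"
    done
fi
```

Run as root (the pki directory is not world-readable) and feed the EXPIRING lines to whoever re-issues profiles; the same loop is a natural companion to the periodic gen-crl mentioned above.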
Network configuration
The last step is to configure the transit network: routing and the firewall.
Allow connections to the VPN server in the local firewall:
$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent
Then enable IP forwarding:
$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf
(Writing the file as sudo echo "..." > file does not work: the redirection is performed by the unprivileged shell, not by sudo; tee under sudo does the write as root.)
In the corporate network, the routers must learn that the VPN client pool is reached through our server. On the core router or L3 switch this is a static route for 172.16.20.0/23 via 172.16.19.123, for example in Cisco-style syntax:
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
Save the configuration. On a Linux router the equivalent is ip route add 172.16.20.0/23 via 172.16.19.123.
In addition, on the internet-facing gateway that holds the public address behind gw.abc.ru, forward udp/1194 to our server.
If the organization has strict security requirements, a firewall should also be configured on the VPN server itself. In my opinion the most flexibility comes from the iptables FORWARD chain, although it is somewhat less convenient to maintain. A bit more on that. The most convenient approach is "direct rules", which are stored in /etc/firewalld/direct.xml. The current set of rules can be listed like this:
$ sudo firewall-cmd --direct --get-all-rules
Before changing the file, make a backup copy:
cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak
The content of the file is roughly as follows:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<!--Common Remote Services-->
<!--DNS-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
<!--web-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--Some Other Systems-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--just logging-->
<rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>
Explanations
These are essentially ordinary iptables rules, wrapped in firewalld's XML and loaded by it.
The interface through which the client traffic arrives is tun0 by default, and the outbound interface is whatever your platform named the LAN-side interface, e.g. ens192; use the same name in every rule, as a rule written for a different interface name is loaded without complaint but never matches. Only the client-to-LAN direction needs to be listed: return traffic is accepted by firewalld's own RELATED,ESTABLISHED rule at the top of the FORWARD chain (confirm with iptables -S FORWARD, and check there that nothing else accepts forwarded traffic from tun0). The DNS rule as written allows udp/53 to any host; add -d 172.16.16.16 and -d 172.16.17.17 rules instead if the clients should only reach the corporate resolvers.
The last line logs everything the rules above did not match. To see that logging, change the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
Then reload the firewall so that the rules are re-read (note that the LOG target writes to the kernel log regardless of firewalld's debug level; the debug setting only makes firewalld's own operations more verbose):
$ sudo firewall-cmd --reload
The unmatched traffic can then be seen like this:
grep forward_fw /var/log/messages
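Two mistakes are easy to make when direct.xml is edited by hand: a rule written for a different outbound interface name never matches, and an ACCEPT without a -d restriction opens far more than intended. The linter below is an added example written for this article, not a firewalld tool: it extracts the FORWARD rules from direct.xml and reports mixed outbound interfaces, ACCEPT rules without a destination, and the absence of an explicit terminating DROP or REJECT, in which case what happens to unmatched traffic depends on firewalld's zone handling of tun0 (check iptables -S FORWARD). The file path is an assumption.

```bash
#!/usr/bin/env bash
# Added example for this article (not a firewalld tool): lint the FORWARD rules in
# /etc/firewalld/direct.xml before `firewall-cmd --reload`.  Needs only bash, awk,
# grep, sort, tail, tr and wc.
# Usage: direct-lint.sh /etc/firewalld/direct.xml

# "priority<TAB>iptables args" for every <rule> of CHAIN in TABLE.
direct_rules() {
    local file=$1 chain=${2:-FORWARD} table=${3:-filter}
    awk -v chain="$chain" -v table="$table" '
        /<rule / && index($0, "chain=\"" chain "\"") && index($0, "table=\"" table "\"") {
            prio = $0; sub(/.*priority="/, "", prio); sub(/".*/, "", prio)
            args = $0; sub(/.*<rule[^>]*>/, "", args); sub(/<\/rule>.*/, "", args)
            print prio "\t" args
        }' "$file"
}

# One finding per line on stdout; no output means the file passed all three checks.
direct_lint() {
    local file=$1 rules ifaces
    rules=$(direct_rules "$file")
    # 1. Every rule should leave through the same LAN interface: a rule written for
    #    another name (eth0 vs ens192) is accepted by firewalld but never matches.
    ifaces=$(printf '%s\n' "$rules" | grep -o -- '-o [^ ]*' | sort -u)
    if [ "$(printf '%s\n' "$ifaces" | wc -l)" -gt 1 ]; then
        echo "mixed outbound interfaces: $(printf '%s' "$ifaces" | tr '\n' ' ')"
    fi
    # 2. An ACCEPT without -d lets VPN clients reach that port on any host the
    #    server can route to, not just the systems you meant to publish.
    printf '%s\n' "$rules" | awk -F'\t' '/-j ACCEPT/ && $2 !~ /-d / { print "ACCEPT without -d restriction: " $2 }'
    # 3. The highest-priority (last) rule should deny explicitly; with only a LOG rule,
    #    the fate of unmatched traffic depends on firewalld's zone rules for tun0.
    printf '%s\n' "$rules" | sort -n | tail -n 1 | awk -F'\t' \
        '$2 !~ /-j (DROP|REJECT)/ { print "no explicit terminating DROP/REJECT; last rule is: " $2 " (check iptables -S FORWARD)" }'
}

if [ $# -ge 1 ]; then
    direct_lint "$1"
fi
```

A clean run prints nothing; with the file shown above it reports the DNS rule (no -d) and the missing terminating deny, which you can resolve by restricting DNS to the two resolvers and appending a priority="2" rule with -i tun0 -o ens192 -j DROP after the LOG rule.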
What's next
That completes the setup!
All that remains is to install the client software on the device, import the profile and connect. For Windows, the distribution kit is available at
Finally, protect the new server from external threats and keep installing updates on it regularly.
Good luck!
Source: www.habr.com