Problem statement
This article describes how to set up remote access for employees using open source products. It can be used to build a fully autonomous system, and it is also useful as an extension when an existing commercial system is short of licences or its performance is insufficient.
The goal of this article is to implement a complete system for providing remote access to an organization, which is not much more than "installing OpenVPN in 10 minutes".
As a result we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. In other words, we get a system with two verification factors: what I have (the certificate) and what I know (the password).
The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority is used offline.
The cost of implementing the solution is only a small amount of hardware resources and one hour of a system administrator's working time.
We use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 4 vCPUs and 4 GiB of RAM for 100 connections.
In this example the organization's network is 172.16.0.0/16, the VPN server with address 172.16.19.123 is located in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN clients.
To connect from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for the server.
Disabling SELinux is strongly discouraged! OpenVPN works without disabling the security policy.
Contents
- Installing the OS and application software
- Setting up the cryptography
- Configuring OpenVPN
- AD authentication
- Startup and diagnostics
- Issuing and revoking certificates
- Network configuration
- Next steps
Installing the OS and application software
We use the CentOS 7.8.2003 distribution. The OS must be installed in the minimal configuration. It is convenient to use this.
After installation, assign an address to the network interface (172.16.19.123, according to the task conditions) and update the OS:
$ sudo yum update -y && reboot
You also need to make sure that time synchronization is running on the machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):
$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim
It is convenient to install the guest agent in the virtual machine:
$ sudo yum install open-vm-tools
for a VMware ESXi host, or for oVirt:
$ sudo yum install ovirt-guest-agent
Setting up the cryptography
Go to the easy-rsa directory:
$ cd /usr/share/easy-rsa/3/
Create the variables file:
$ sudo vim vars
with the following content:
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652
Here we describe the parameters of the fictional organization ABC LLC; you can correct them to your real values or use the parameters from the example as they are. The most important parameter is the last line, which sets the validity period of the certificates in days. The example uses a value of 10 years (365*10 + 2 leap days). This value must be adjusted before issuing user certificates.
Next, configure the autonomous certificate authority.
The setup includes exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret. All prompted parameters can be left at their defaults.
cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key
This completes the main part of setting up the cryptographic mechanisms.
Configuring OpenVPN
Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following content:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# ta.key generated above is embedded in the client profile with key-direction 1, so the server must use it too
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Notes on the parameters:
- if a different name was specified when issuing the certificate, indicate it;
- specify the address pool according to your task*;
- there may be more than one route and DNS server;
- the last 2 lines are needed to implement authentication in AD**.
*With the address range chosen in the example, up to 127 clients can connect at the same time: a /23 network is chosen, and OpenVPN creates a /30 subnet for each client.
If there is a particular need, the port and protocol can be changed; keep in mind, however, that changing the port number requires configuring SELinux, and using the tcp protocol increases overhead, since delivery control of TCP packets is already performed at the level of the packets encapsulated in the tunnel.
**If authentication in AD is not needed, comment them out, skip the next section, and remove the auth-user-pass line from the template.
AD authentication
To support the second factor we use account verification in AD.
An account in the domain with ordinary user rights and a group are needed; membership in that group decides whether a user may connect.
Create the configuration file:
/etc/openvpn/ldap.conf
with the following content:
<LDAP>
URL "ldap://ldap.abc.ru"
BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru"
Password b1ndP@SS
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "OU=allUsr,DC=abc,DC=ru"
SearchFilter "(sAMAccountName=%u)"
RequireGroup true
<Group>
BaseDN "OU=myGrp,DC=abc,DC=ru"
SearchFilter "(cn=myVPNUsr)"
MemberAttribute "member"
</Group>
</Authorization>
Main parameters:
- URL "ldap://ldap.abc.ru" - the address of the domain controller;
- BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - the canonical name for binding to LDAP (the bindUsr account in the abc.ru/Users container);
- Password b1ndP@SS - the password of the bind user;
- BaseDN "OU=allUsr,DC=abc,DC=ru" - the path from which the search for users starts;
- BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of the permitting group (the group myVPNUsr in the abc.ru/myGrp container);
- SearchFilter "(cn=myVPNUsr)" - the name of the permitting group.
Startup and diagnostics
Now let's try to enable and start the server:
$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server
Checking the startup:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Because in addition to the certificate itself a key and other settings are needed, it is very convenient to wrap all of this in one profile file. This file is handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a configuration template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) files must be added to the profile.
Before issuing user certificates, do not forget to set the required validity period of the certificates in the parameters file. Do not make it too long; it is recommended to limit it to at most 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
- replace the lines "PUT YOUR ... HERE" with the contents of your certificate and key files;
- in the remote directive, specify the name/address of the gateway;
- the auth-user-pass directive is used for the additional external authentication.
In the home directory (or another convenient place), create a script for requesting a certificate and creating the profile:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi
# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# Get the current date and the lowercased client name; easy-rsa files are named after $client
today=$(date +%F)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing cert for user/device $client ($today)"
cd "$basepath" || exit 1
# Refuse to issue a second certificate for the same name
if ls "client/$client".* >/dev/null 2>&1; then
  echo "*** ERROR! ***"
  echo "Certificate $client already issued!"
  echo "*** ERROR! ***"
  exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
# Make profile: template plus inline <key> and <cert> blocks
cp "$clntpath/template.ovpn" "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo >> "$profile"
# openssl x509 strips the text dump easy-rsa writes before the PEM block
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"
# Remove the temporary file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And now the first certificate can be issued:
~/make.profile.sh my-first-user
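As an added example (not part of the original article), here is a small bash check to run over a generated profile before it is handed to a user: it verifies that the <ca>, <tls-auth>, <key> and <cert> blocks are all present, that key-direction 1 is set so the client's tls-auth matches the server, and that no "PUT YOUR ..." placeholder from the template survived. The function name, the sample profiles and their contents are constructed for a stand-alone run.

```bash
#!/bin/bash
# Added example, not from the article: sanity-check a generated .ovpn profile.

# check_profile FILE
# Return 0 when the profile contains every inline block the template expects,
# has key-direction 1, and no "PUT YOUR ..." placeholder survived;
# otherwise print what is wrong and return 1.
check_profile() {
  local profile="$1" rc=0 tag
  [ -f "$profile" ] || { echo "no such profile: $profile"; return 1; }
  for tag in ca cert key tls-auth; do
    if ! grep -q "^<$tag>" "$profile" || ! grep -q "^</$tag>" "$profile"; then
      echo "missing <$tag> block in $profile"; rc=1
    fi
  done
  if grep -q 'PUT YOUR' "$profile"; then
    echo "template placeholder still present in $profile"; rc=1
  fi
  if ! grep -q '^key-direction 1' "$profile"; then
    echo "key-direction 1 missing (tls-auth will not match the server)"; rc=1
  fi
  return $rc
}

# make_samples DIR: write two constructed profiles, one complete and one broken.
make_samples() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/good.ovpn" <<'EOF'
client
remote gw.abc.ru 1194
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MIIC...constructed...
-----END CERTIFICATE-----
</cert>
EOF
  # Broken profile: the template placeholder was left in and <cert> was never appended.
  cat > "$dir/bad.ovpn" <<'EOF'
client
remote gw.abc.ru 1194
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
<tls-auth>
x
</tls-auth>
<key>
x
</key>
EOF
}
```

Run it as check_profile /usr/share/easy-rsa/3/client/my-first-user.ovpn after make.profile.sh; a non-zero exit means the profile should not be distributed.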
Revocation
If a certificate is compromised (lost, stolen), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Viewing issued and revoked certificates
To view issued and revoked certificates, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanation:
- the first line is the server certificate;
- the first character:
- V (valid) - the certificate is valid;
- R (revoked) - the certificate has been revoked.
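As an added example that is not part of the original article, the following bash functions read an index.txt of this format and report the status of each certificate, count valid and revoked entries, and list valid certificates whose expiry lies beyond a cutoff date, which is a quick way to find user certificates that were issued with the 10-year lifetime from vars instead of the 180 days recommended above. The tab-separated field layout (status, expiry as YYMMDDHHMMSSZ, revocation time, serial, filename, subject DN) is the one easy-rsa/OpenSSL write; the function names and the sample index are constructed.

```bash
#!/bin/bash
# Added example, not from the article: audit easy-rsa's pki/index.txt.

# cert_report INDEX: print "status<TAB>name<TAB>expiry" for every entry.
cert_report() {
  awk -F'\t' '{ n=$6; sub(/^.*\/CN=/, "", n); printf "%s\t%s\t%s\n", $1, n, $2 }' "$1"
}

# count_status INDEX LETTER: number of entries with that status (V, R or E).
count_status() {
  awk -F'\t' -v s="$2" '$1==s {c++} END {print c+0}' "$1"
}

# valid_after INDEX YYMMDD: names of valid certificates expiring after the
# cutoff, i.e. issued with a longer lifetime than policy allows.
valid_after() {
  awk -F'\t' -v cut="$2" '$1=="V" && substr($2,1,6) > cut { n=$6; sub(/^.*\/CN=/, "", n); print n }' "$1"
}

# make_sample_index FILE: constructed index with the server certificate (10 years),
# a 180-day user certificate, a revoked certificate and an over-long user certificate.
make_sample_index() {
  {
    printf 'V\t300101120000Z\t\t01\tunknown\t/CN=myvpngw\n'
    printf 'V\t201201120000Z\t\t02\tunknown\t/CN=my-first-user\n'
    printf 'R\t201201120000Z\t200615100000Z\t03\tunknown\t/CN=lost-laptop\n'
    printf 'V\t300601120000Z\t\t04\tunknown\t/CN=long-lived-user\n'
  } > "$1"
}
```

Against the real CA, run valid_after /usr/share/easy-rsa/3/pki/index.txt with a cutoff of today plus 180 days; anything listed besides the server certificate (myvpngw) deserves a second look.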
Network configuration
The last step is to configure the transport network (routing and firewall).
Allow connections in the local firewall:
$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent
Then enable IP traffic routing:
$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf
In a corporate environment there will likely be subnetting, so the router must be told how to send packets destined for VPN clients. On the command line, run a command like the following (it differs depending on the equipment used):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router interface that provides the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, configuring the iptables FORWARD chain gives the most flexibility, although its configuration is not so convenient. Let's look at these settings in a bit more detail. The most convenient way to do this is to use "direct rules", which are stored in the file /etc/firewalld/direct.xml. The current configuration of the rules can be shown like this:
$ sudo firewall-cmd --direct --get-all-rules
Before changing the file, make a backup copy of it:
cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak
An approximate content of the file is as follows:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<!--Common Remote Services-->
<!--DNS-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
<!--web-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--Some Other Systems-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--just logging-->
<rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>
Explanation
These are essentially ordinary iptables rules, just packaged differently since the arrival of firewalld.
With the default settings the tunnel interface is tun0 (the -i side of the rules), while the outgoing interface may differ depending on the platform, for example ens192 instead of eth0.
The last line is for logging the packets that are dropped. For the log to work, the debug level in the firewalld configuration must be changed:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
The settings are applied with the usual firewalld command that re-reads the configuration:
$ sudo firewall-cmd --reload
Dropped packets can then be viewed like this:
grep forward_fw /var/log/messages
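As an added example that is not part of the original article, these bash functions summarize the forward_fw log lines produced by the LOG rule above by source, destination, protocol and destination port, so repeated attempts from one VPN client towards one internal port stand out instead of being buried among individual lines. The function names are mine; the log lines in make_sample_log are constructed in the kernel LOG format and only carry the fields this parsing uses.

```bash
#!/bin/bash
# Added example, not from the article: summarize forward_fw LOG entries.

# summarize_forward_log FILE
# One line per (SRC, DST, PROTO, DPT) tuple, prefixed by its hit count,
# most frequent first.
summarize_forward_log() {
  grep 'forward_fw' "$1" | awk '{
    src=dst=proto=dpt="-"
    for (i=1; i<=NF; i++) {
      split($i, kv, "=")
      if (kv[1]=="SRC") src=kv[2]
      else if (kv[1]=="DST") dst=kv[2]
      else if (kv[1]=="PROTO") proto=kv[2]
      else if (kv[1]=="DPT") dpt=kv[2]
    }
    c[src " " dst " " proto " " dpt]++
  } END { for (k in c) print c[k], k }' | sort -rn
}

# top_blocked FILE: the single most frequent dropped tuple.
top_blocked() {
  summarize_forward_log "$1" | head -n 1
}

# make_sample_log FILE: constructed /var/log/messages excerpt with three dropped
# SSH attempts from one client, one RDP attempt from another, and an unrelated line.
make_sample_log() {
  cat > "$1" <<'EOF'
Jun 15 10:00:01 gw kernel: forward_fw IN=tun0 OUT=eth0 SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 15 10:00:02 gw sshd[1234]: Accepted publickey for admin from 172.16.19.5 port 50022 ssh2
Jun 15 10:00:03 gw kernel: forward_fw IN=tun0 OUT=eth0 SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 15 10:00:04 gw kernel: forward_fw IN=tun0 OUT=eth0 SRC=172.16.20.10 DST=172.16.19.200 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=3389 SYN
Jun 15 10:00:05 gw kernel: forward_fw IN=tun0 OUT=eth0 SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=22 SYN
EOF
}
```

On the server, summarize_forward_log /var/log/messages gives the same view over the real log; the client's tunnel address can be matched to a user name through ipp.txt or the status log configured in server.conf.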
Next steps
This completes the configuration!
All that remains is to install the client software on the client side, import the profile and connect. For the Windows operating system, the distribution kit is available at the following location:
Finally, do not forget to connect the new server to the monitoring and archiving systems and to install updates regularly.
Stable connections!
Source: habr.com