Setting up an OpenVPN server
OpenVPN is not hard to set up, but the details are scattered across many sources and are easy to forget or to get wrong. This article collects the whole procedure in one place.
Its goal is to let you get a working server quickly; it could just as well have been called "Installing OpenVPN in 10 minutes".
We will issue our own certificates for the client machines, and they will take part in authenticating users. Authentication is therefore split into two factors: something you have (the certificate) and something you know (the password).
The users who are allowed to connect are the members of the AD group myVPNUsr. A certificate on its own does not give access.
Putting all of this in place takes no more than 1 hour of a system administrator's time.
We will use OpenVPN and Easy-RSA version 3,
deployed on CentOS 7
with 100 vCPUs and 4 GiB RAM.
In the example, the internal network is 172.16.0.0/16 and the VPN server has the internal address 172.16.19.123
in the 172.16.19.0/24 subnet; the DNS servers are 172.16.16.16 and 172.16.17.17, and the network 172.16.20.0/23 is allocated for VPN clients.
To allow access from outside, port 1194/udp is used and the A record gw.abc.ru is created in the external DNS.
Do not disable SELinux under any circumstances! OpenVPN works perfectly well with it enabled.
Contents
Installing the OS and utilities, setting up the keys, installing OpenVPN, connecting to AD, starting and diagnostics, issuing and revoking certificates, configuring the firewall, the client side.
Installing the OS and utilities
We use CentOS 7.8.2003. The operating system is installed in a minimal configuration.
ααΆαααααααααα·α
αα½α
αααα»αα ααΆααΆααααα½αααααΎαααααααΎ
αααααΆααααΈααα‘αΎααα½α αααααα’αΆααααααΆααα α ααα»α αααααΆαααααααΆα (αααααΆααααααααααααα·α αα ααΆα 172.16.19.123) ααΎαααααΎαα αα α»ααααααααΆαααααααααααααα·ααααα·ααΆαα
$ sudo yum update -y && sudo reboot
ααΎαααααααΌαααααΆααααΆααΆαααααΎααααΆααααααααααααΆααααΌαααΆαα’αα»αααααα
Installing the utilities
To install the utilities, you need the following:
openvpn, openvpn-auth-ldap, easy-rsa and vim as the main packages (you will need the EPEL repository).
$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim
It also makes sense to install the guest agent for the virtualization platform the server runs on:
$ sudo yum install open-vm-tools
for VMware ESXi machines, or for oVirt:
$ sudo yum install ovirt-guest-agent
Setting up the keys
Go to the easy-rsa directory:
$ cd /usr/share/easy-rsa/3/
Create the variables file:
$ sudo vim vars
with roughly the following contents:
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652
The parameters describing the organization ABC LLC are fictitious; substitute the real company name, department, or whatever else you like. In the example the certificate validity is 10 years (365 * 10 + 2 days for leap years); this value will be changed later for user certificates.
The keys are created without a passphrase (nopass); the remaining parameters can be left at their defaults.
Setting up the keys consists of: initializing the PKI, creating the CA, the Diffie-Hellman parameters, the TLS key, the server key and certificate signed by the CA, and the CRL. The CA key must be kept in a safe place and never shared!
cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key
Success.
The keys have been created.
Installing OpenVPN
Go to the OpenVPN directory, create the directories we need and a link to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the OpenVPN server configuration file:
$ sudo vim server.conf
with the following contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
A few notes on the parameters:
- if you gave the server certificate a different name, adjust the cert and key paths accordingly;
- choose the server network (the address pool for clients) to fit your own network*;
- there can be one or more routes and DNS servers;
- the last 2 lines are needed to authenticate users in AD**.
* The address range in the example allows up to 127 clients to be connected at the same time, because a /23 is used and OpenVPN gives each client a /30 subnet. If necessary, the port number and protocol can be changed, but keep in mind that changing the port number will require SELinux configuration, and using the tcp protocol will increase overhead, because TCP delivery control is already performed at the level of the packets encapsulated in the tunnel.
** If there is no need to check users in AD, the last two lines are not required; in that case the auth-user-pass directive must also be removed from the client profile.
Connecting to AD
To verify users, we will use account checks in AD.
We need a user in the domain with ordinary rights (the plugin binds with it) and a group whose members will be allowed to connect through the VPN.
Create the configuration file
/etc/openvpn/ldap.conf
with the following contents:
<LDAP>
URL "ldap://ldap.abc.ru"
BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru"
Password b1ndP@SS
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "OU=allUsr,DC=abc,DC=ru"
SearchFilter "(sAMAccountName=%u)"
RequireGroup true
<Group>
BaseDN "OU=myGrp,DC=abc,DC=ru"
SearchFilter "(cn=myVPNUsr)"
MemberAttribute "member"
</Group>
</Authorization>
Explanation of the parameters:
- URL "ldap://ldap.abc.ru" - the address of the domain controller;
- BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - the canonical name of the user used to bind to LDAP (the account bindUsr in the abc.ru/Users container);
- Password b1ndP@SS - the password of that bind user;
- BaseDN "OU=allUsr,DC=abc,DC=ru" - the starting point for searching for users;
- BaseDN "OU=myGrp,DC=abc,DC=ru" - where the permitted group is searched for (the group myVPNUsr in the abc.ru/myGrp container);
- SearchFilter "(cn=myVPNUsr)" - the name of the permitted group.
Starting and diagnostics
Now we can try to enable and start our server:
$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server
Checking the startup:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Besides the CA certificate and the TLS key, each client needs its own certificate and key; together with the connection settings they go into one profile file, which is imported into the OpenVPN client. To make this easier, we will create a template and a script that generates the profiles.
Take the contents of the root certificate (ca.crt) and the TLS key file (ta.key) and put them into the template:
Before issuing user certificates, do not forget to set their validity period in the parameters file. You should not go overboard here; in this example the validity is limited to 180 days at most:
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Note:
- the parameters at the beginning of the file, up to auth-user-pass, must match the server configuration (port, protocol, cipher, and the CA certificate);
- in the remote line, specify the name/address of your server;
- the auth-user-pass directive makes the client ask for the username and password that are checked against AD.
In the home directory (or any other convenient place) we create a script that issues a certificate and builds the profile:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
echo "Missing mandatory client name. Usage: $0 vpn-username"
exit 1
fi
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
#Get current year and lowercase client name (easy-rsa files are named after $client)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
if [ -f "$profile" ] || [ -f "$certpath/$client.crt" ]; then
echo "*** ERROR! ***"
echo "Certificate $client already issued!"
echo "*** ERROR! ***"
exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"
#Make profile: template + inline private key + inline certificate
cp "$clntpath/template.ovpn" "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"
#Re-encode the issued cert to keep only the PEM block (easyrsa prepends a text dump)
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"
#remove tmp file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And now we can issue our first certificate:
~/make.profile.sh my-first-user
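As an added example (not part of the original article), a POSIX shell check for a generated profile: it verifies that each inline block the template above relies on appears exactly once and is closed, that the security-relevant directives are present, and that no template placeholder was left in. The profile text and its PLACEHOLDER values are constructed for the example.

```shell
#!/bin/sh
# Constructed sample profile in the shape the article's template produces
# (the PEM bodies are placeholders, not real key material).
SAMPLE_PROFILE='client
dev tun
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
cipher AES-256-CBC
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT
-----END CERTIFICATE-----
</cert>'

# Number of lines in the profile text ($2) that are exactly "$1".
count_tag() {
  printf '%s\n' "$2" | grep -c -x -- "$1"
}

# Print one problem per line; print nothing when the profile passes every check.
check_profile() {  # $1 = profile text
  for tag in ca cert key tls-auth; do
    [ "$(count_tag "<$tag>" "$1")" -eq 1 ]  || echo "missing or duplicated <$tag>"
    [ "$(count_tag "</$tag>" "$1")" -eq 1 ] || echo "missing or duplicated </$tag>"
  done
  # remote-cert-tls server stops a client cert from being accepted as the server's
  for d in "client" "remote-cert-tls server" "auth-user-pass" "key-direction 1"; do
    [ "$(count_tag "$d" "$1")" -ge 1 ] || echo "missing directive: $d"
  done
  printf '%s\n' "$1" | grep -q '^remote [^ ][^ ]* [0-9][0-9]*$' || echo "missing or malformed remote line"
  printf '%s\n' "$1" | grep -q 'PUT YOUR' && echo "template placeholder left in profile"
  return 0
}
```

Run it on a real file with: check_profile "$(cat /usr/share/easy-rsa/3/client/my-first-user.ovpn)"; an empty output means the profile is complete.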
Revocation
If a certificate is compromised (loss, theft), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Viewing issued and revoked certificates
To see which certificates have been issued and which have been revoked, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanation:
- the first line is the server certificate;
- the first character is the status:
- V (valid);
- R (revoked);
- next comes the certificate's expiry date.
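As an added example (not from the original article), a POSIX shell reader for pki/index.txt that turns the fields just described into a readable report. It assumes the OpenSSL CA database layout: tab-separated status, expiry (YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial, file name and subject DN. The three index lines are constructed sample data, not from a real PKI.

```shell
#!/bin/sh
# Constructed sample index.txt content (tabs are produced by printf's \t).
SAMPLE_INDEX=$(printf 'V\t300601120000Z\t\t01\tunknown\t/CN=myvpngw\nV\t201215120000Z\t\t02\tunknown\t/CN=my-first-user\nR\t201216120000Z\t200620101500Z\t03\tunknown\t/CN=old-laptop')

# Turn one index.txt line into "CN status expires=... [revoked=...]".
describe_entry() {  # $1 = one line of index.txt
  printf '%s\n' "$1" | awk -F '\t' '{
    cn = $6; sub(/^.*\/CN=/, "", cn)
    st = ($1 == "V") ? "valid" : ($1 == "R") ? "revoked" : ($1 == "E") ? "expired" : $1
    if ($3 != "") printf "%s %s expires=%s revoked=%s\n", cn, st, $2, $3
    else          printf "%s %s expires=%s\n", cn, st, $2
  }'
}

# Number of entries whose status letter is $1 (V, R or E) in the index text $2.
count_status() {
  printf '%s\n' "$2" | awk -F '\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# CNs of revoked certificates: after "easyrsa gen-crl" every one of these must be in crl.pem.
revoked_names() {  # $1 = index text
  printf '%s\n' "$1" | awk -F '\t' '$1 == "R" { cn = $6; sub(/^.*\/CN=/, "", cn); print cn }'
}

# One line per certificate plus a summary line; pass "$(cat pki/index.txt)" for a real PKI.
index_report() {  # $1 = index text
  printf '%s\n' "$1" | while IFS= read -r line; do describe_entry "$line"; done
  echo "valid=$(count_status V "$1") revoked=$(count_status R "$1")"
}
```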
The last step is to add the firewall configuration: forwarding and the firewall itself.
Allow connections to the VPN server in the firewall:
$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent
Then enable IP forwarding:
$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf
In a corporate network like the one described, the other systems must also know how to reach the VPN client network, so a route to it has to be added on the gateway (for example on a network device; the command below is written in router syntax):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
Access from outside
For access from outside, the public address gw.abc.ru was created in DNS and traffic to port udp/1194 must be allowed through to the server.
In the case described, where the firewall on the internal network is strict, the next step is to set up forwarding on the VPN server from the tunnel into the internal network. The obvious way would be to add rules to the iptables FORWARD chain, but on CentOS 7 the firewall is managed by firewalld, so we use its "direct rules", which are stored in /etc/firewalld/direct.xml. The current list of rules can be viewed with the command:
$ sudo firewall-cmd --direct --get-all-rule
Before changing the file, make a backup copy just in case:
cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak
The contents of the file will look roughly like this:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<!--Common Remote Services-->
<!--DNS-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
<!--web-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--Some Other Systems-->
<rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
<!--just logging-->
<rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>
Explanation:
These are ordinary iptables rules written in the form that firewalld's direct rules expect.
Here, as in the example, the tunnel interface is tun0, while the interface facing the internal network may be named differently on your system, for example ens192 (note that the sample above uses ens192 in the DNS rule and eth0 in the others; use your real interface name in every rule).
The last line is a rule that only logs; for it to work, you need to enable debug output in the firewalld configuration file:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
To apply the settings, reload firewalld so that it picks up the changes:
$ sudo firewall-cmd --reload
You can then see the logged packets like this:
grep forward_fw /var/log/messages
Client side
Successfully installed!
All that remains is to install the client application on the users' devices: smartphones, tablets and Windows computers.
In the end, a user can set up a new machine on their own: install the client, import the profile file and connect.
Good luck with your setup!
Source: www.habr.com