net.ipv4.ip_forward = 1
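#!/bin/bash
# iptables set-up for an OpenVPN gateway (CentOS 7, iptables-services).
#
# One-time preparation when replacing firewalld:
#   yum -y erase firewalld
#   yum -y install iptables iptables-services
#   systemctl enable iptables.service
#
# Tunables (override through the environment, e.g. WAN_IF=ens192 ./fw.sh):
#   WAN_IF    outward-facing interface VPN clients are NATed through
#   VPN_IF    OpenVPN tun device
#   VPN_NET   OpenVPN client subnet; must match "server" in server.conf
#   LAN_NET   trusted internal range allowed to reach any TCP port
#   SSH_PORT  TCP port sshd listens on
#   VPN_PORT  UDP port OpenVPN listens on; must match "port" in server.conf
#
# Every iptables command is printed exactly as executed (previously the
# echoed text and the real command disagreed: ports 22 vs 10022, 1194 vs
# 9411, "-P OUTPUT ACCEPT" vs "-A OUTPUT -j ACCEPT").  Failures are counted
# instead of aborting, so the loopback/SSH rules are still installed after a
# rejected rule, and the ruleset is only saved when every command succeeded.
set -u

WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
LAN_NET=${LAN_NET:-192.168.0.0/16}
SSH_PORT=${SSH_PORT:-10022}
VPN_PORT=${VPN_PORT:-9411}
readonly WAN_IF VPN_IF VPN_NET LAN_NET SSH_PORT VPN_PORT

# Number of iptables commands that returned non-zero (see run()).
failures=0

#######################################
# Print a section heading.
# Arguments: heading text
# Outputs:   heading on stdout
#######################################
section() {
  printf '\n# %s\n' "$*"
}

#######################################
# Print a command exactly as it will run, then run it.
# Globals:   failures (incremented on non-zero status)
# Arguments: the command and its arguments
# Outputs:   the command line on stdout, "FAILED: ..." on stderr
# Returns:   0 always (failures are tallied, not propagated)
#######################################
run() {
  printf '%s\n' "$*"
  if ! "$@"; then
    printf 'FAILED: %s\n' "$*" >&2
    failures=$((failures + 1))
  fi
  return 0
}

#######################################
# Build the filter and nat rulesets, then persist them.
# Globals:   WAN_IF VPN_IF VPN_NET LAN_NET SSH_PORT VPN_PORT failures
# Returns:   0 when everything was applied and saved, 1 otherwise
#######################################
main() {
  if (( EUID != 0 )); then
    printf 'this script must run as root\n' >&2
    return 1
  fi

  section "Flushing all rules"
  run iptables -F INPUT
  run iptables -F OUTPUT
  run iptables -F FORWARD
  # The nat table was not flushed before, so every re-run appended another
  # MASQUERADE rule.
  run iptables -t nat -F POSTROUTING

  section "Setting default filter policy"
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -P FORWARD DROP

  section "Allow all traffic on loopback"
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT

  section "Accept packets belonging to connections already tracked"
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  section "Drop malformed TCP before any ACCEPT rule can match it"
  # These used to be appended after the ACCEPT rules, where they were never
  # reached for traffic the earlier rules had already accepted.
  run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                  # NULL packets
  run iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP   # new flow without SYN
  run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                   # XMAS packets

  section "Allow any TCP port from the internal range ${LAN_NET}"
  # TCP only - UDP and ICMP from the LAN are still dropped by the policy.
  run iptables -A INPUT -p tcp -s "${LAN_NET}" -j ACCEPT

  section "Allow incoming SSH on tcp/${SSH_PORT}"
  run iptables -A INPUT -p tcp --dport "${SSH_PORT}" -m conntrack --ctstate NEW -j ACCEPT

  section "Allow incoming OpenVPN on udp/${VPN_PORT} and tcp/443"
  run iptables -A INPUT -p udp --dport "${VPN_PORT}" -m conntrack --ctstate NEW -j ACCEPT
  # NOTE(review): server.conf on this page only listens on udp/${VPN_PORT};
  # drop the tcp/443 rule unless a second (TCP) OpenVPN instance exists.
  run iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

  section "Allow all outbound traffic"
  run iptables -A OUTPUT -j ACCEPT

  section "OpenVPN: NAT ${VPN_NET} out through ${WAN_IF}, trust the tun device"
  # Requires net.ipv4.ip_forward = 1 (sysctl) for forwarded traffic to flow.
  run iptables -t nat -A POSTROUTING -s "${VPN_NET}" -o "${WAN_IF}" -j MASQUERADE
  # Anything arriving from VPN clients may reach this host.
  run iptables -A INPUT -i "${VPN_IF}" -j ACCEPT
  # Was "-A OUTPUT -i tun0": iptables rejects -i in the OUTPUT chain, so the
  # rule was never installed.  -o is the interface the packet leaves on.
  run iptables -A OUTPUT -o "${VPN_IF}" -j ACCEPT

  section "OpenVPN: forwarding between ${VPN_IF} and ${WAN_IF}"
  run iptables -A FORWARD -i "${VPN_IF}" -o "${WAN_IF}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i "${WAN_IF}" -o "${VPN_IF}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Block client-to-client routing on the VPN; keep "client-to-client"
  # disabled in server.conf as well, or change both together.
  run iptables -A FORWARD -i "${VPN_IF}" -s "${VPN_NET}" -d "${VPN_NET}" -j DROP
  # VPN clients may open new connections to anywhere else.
  run iptables -A FORWARD -i "${VPN_IF}" -s "${VPN_NET}" -m conntrack --ctstate NEW -j ACCEPT

  if (( failures > 0 )); then
    printf '%d iptables command(s) failed; ruleset NOT saved\n' "${failures}" >&2
    iptables -nL -v
    return 1
  fi

  section "Saving the ruleset (iptables-services)"
  run /sbin/service iptables save

  section "Active ruleset"
  iptables -nL -v
}

main "$@"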
# OpenVPN and Easy-RSA come from EPEL; two transactions are needed because
# the openvpn/easy-rsa packages only resolve once epel-release is installed.
yum install epel-release
yum install openvpn easy-rsa
# Seed /etc/openvpn with the sample server.conf shipped in the package docs
# (for 2.4.8 the directory is /usr/share/doc/openvpn-2.4.8/...).
cp -- /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
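# /etc/openvpn/server.conf - read by openvpn@server.service.
# Values here must agree with the iptables script: "port" with the udp rule,
# "server" with the NAT/FORWARD subnet.

# Listening port (the firewall opens udp/9411 for it)
port 9411
# Transport protocol (UDP: User Datagram Protocol)
proto udp
# Virtual device type
dev tun
# PKI material generated with Easy-RSA under /etc/openvpn/easy-rsa/pki
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
# Control-channel HMAC key.  Was "/etc/vpn/easy-rsa/pki/ta.key", a path that
# nothing creates; "openvpn --genkey" below writes the key here.
tls-auth /etc/openvpn/easy-rsa/pki/ta.key
key-direction 0
auth SHA512
# Data-channel cipher; must match the client profile.
cipher AES-256-CBC
topology subnet
# VPN client subnet (the firewall NATs and forwards 10.8.0.0/24)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Send all client traffic through the tunnel and push these DNS servers.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.4.254"
push "dhcp-option DNS 8.8.8.8"
# To let clients reach each other, enable the next line AND change the
# client-to-client DROP rule in the FORWARD chain of the iptables script.
;client-to-client
keepalive 10 120
# NOTE(review): compressing traffic inside an encrypted tunnel exposes the
# plaintext to compression-oracle attacks and comp-lzo is deprecated from
# OpenVPN 2.4; if removed, remove it from the client profile at the same
# time, since both sides must agree.
comp-lzo
# Drop root after start-up (persist-key/persist-tun keep restarts working)
user nobody
group nobody
persist-key
persist-tun
verb 4
# Log files; /var/log/openvpn must exist before the service starts.
# NOTE(review): log and log-append name the same file; log-append alone keeps
# history across restarts - confirm which behaviour is wanted.
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log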
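# Copy the Easy-RSA 3 tree next to the OpenVPN config so the PKI lives under
# /etc/openvpn.  -p lets the step be re-run without mkdir failing.
mkdir -p /etc/openvpn/easy-rsa
cp -r -- /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa
# Set the certificate-request defaults (contents shown below).
vi /etc/openvpn/easy-rsa/vars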
... 파일 내용
... KEY_ 로 시작하는 값을 변경할 것이다.
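# /etc/openvpn/easy-rsa/vars - certificate-request defaults.
# The easyrsa script (version 3, copied from /usr/share/easy-rsa/3 above)
# sources this file and reads "set_var EASYRSA_REQ_*"; the Easy-RSA 2 style
# "export KEY_*" lines that were here are ignored by version 3, so the DN
# silently fell back to the built-in defaults.
set_var EASYRSA_REQ_COUNTRY  "KR"                     # country
set_var EASYRSA_REQ_PROVINCE "Soeul"                  # province / state
set_var EASYRSA_REQ_CITY     "GANGNAMGU"              # city / district
set_var EASYRSA_REQ_ORG      "Encore"                 # organisation
set_var EASYRSA_REQ_EMAIL    "haedongg@haedongg.net"  # contact e-mail
set_var EASYRSA_REQ_OU       "BDC"                    # organisational unit
# Default common name (used by build-ca); the CNs of server and client
# certificates come from the name given to build-*-full.  The old KEY_NAME
# ("TUNNEL2") has no Easy-RSA 3 counterpart - verify against vars.example.
set_var EASYRSA_REQ_CN       "tunnel2.haedongg.net"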
#common name
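# Work inside the Easy-RSA tree; running ./easyrsa elsewhere is pointless.
cd /etc/openvpn/easy-rsa || exit 1
# NOTE(review): clean-all is an Easy-RSA 2 script; with Easy-RSA 3 init-pki
# already removes an existing pki directory - confirm the installed easyrsa
# accepts this command, otherwise drop the line.
./easyrsa clean-all
# Create the empty PKI directory structure (pki/).
./easyrsa init-pki
# NOTE(review): no "./easyrsa build-ca" or "./easyrsa build-server-full server"
# step is shown on this page, yet server.conf references ca.crt,
# issued/server.crt and private/server.key, and the client build below is
# signed with private/ca.key; both must run here, before gen-dh and
# build-client-full.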
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
# Control-channel HMAC key; the path matches tls-auth in server.conf.
openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key
# Diffie-Hellman parameters -> pki/dh.pem (slow).
./easyrsa gen-dh
# Key + certificate for client "skkang", signed by the CA; prompts for the
# new key's passphrase and for the CA key passphrase (output shown below).
./easyrsa build-client-full skkang
Note: using Easy-RSA configuration from: ./vars
...중략...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/skkang.key.n8wcUobszs'
Enter PEM pass phrase: 사용자_KEY_Passphrase
Verifying - Enter PEM pass phrase: 사용자_KEY_Passphrase
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: CA_KEY_Passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'skkang'
Certificate is to be certified until Feb 19 06:35:42 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
# Enable at boot and start immediately; the "server" instance reads
# /etc/openvpn/server.conf.
systemctl enable --now openvpn@server.service
# Client profile (.ovpn) for a Windows client; auth, cipher and comp-lzo must
# match server.conf exactly.
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate issued for server use, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
verb 4
## Edit only from here on.
# Paths to the key files.
# Use absolute paths.
# Directory separators must be written as a doubled backslash.
ca c:\\keys\\ca.crt
cert c:\\keys\\test.crt
key c:\\keys\\test.key
# The trailing "1" and key-direction 1 are the client side of the server's
# key-direction 0.
tls-auth c:\\keys\\ta.key 1
key-direction 1
#auth-user-pass
# Server hostname and the udp port opened in the firewall.
remote tunnel2.haedongg.net 9411
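# Edit the file openvpn@server.service actually reads: the server.conf copied
# to /etc/openvpn above.  An "openvpn.conf" is not picked up by that unit.
vi /etc/openvpn/server.conf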
# --- server side: username/password (PAM) authentication ---
# user nobody
# group nobody
# The privilege drop above is disabled because the PAM plugin needs it;
# NOTE(review): the daemon then keeps root for its whole lifetime.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
# The plugin ships with the openvpn package; on CentOS 7 it is under
# /usr/lib64/openvpn/plugins.
# NOTE(review): this disables client-certificate verification entirely, so
# the PAM "login" password is the only factor and every local account that
# PAM service accepts can connect; keeping client certificates and adding
# auth-user-pass on top gives two factors.  OpenVPN 2.4 documents
# "verify-client-cert none" as the replacement for this deprecated directive.
client-cert-not-required
# --- client side: the lines below belong in the client profile, not here ---
ca c:\\keys\\ca.crt
#cert c:\\keys\\test.crt
# disabled: no client certificate is used
#key c:\\keys\\test.key
# disabled: no client key is used
tls-auth c:\\keys\\ta.key 1
key-direction 1
# Prompt for the PAM username/password.
auth-user-pass