CentOS 7 + OpenVPN + quagga + dnsmasq configuration notes

I recently bought a cheap VPS to use as a VPN endpoint, and I am recording the setup process here. If the provider disappears one day, I can just find another one and run through these steps again.

I bought an OpenVZ machine, because it is cheap. First enable TUN support in the provider's control panel, then you can log in directly.

Check the CentOS version, then set the hostname and the time zone

cat /etc/redhat-release
hostnamectl --static set-hostname D2O-VPS
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

CentOS 7 does not ship ifconfig, nslookup and similar tools by default, so install them

yum install -y bind-utils net-tools htop mlocate initscripts.x86_64
updatedb

Change the SSH port

vi /etc/ssh/sshd_config
Port xx22

CentOS 7 uses firewalld as its firewall by default. I don't know how to use it, so I stop it and keep using the familiar iptables

systemctl stop firewalld
systemctl mask firewalld
yum install -y iptables-services policycoreutils
systemctl enable iptables

Open the SSH port
vi /etc/sysconfig/iptables

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

change it to

-A INPUT -p tcp -m state --state NEW -m tcp --dport xx22 -j ACCEPT

Open the commonly used service ports and allow access from all internal IPs

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 161 -j ACCEPT
iptables -I INPUT -s 198.18.0.0/16 -d 198.18.0.0/16 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 11990:12010 -j ACCEPT

Enable forwarding

iptables -I FORWARD -j ACCEPT

Enable IP masquerading, port redirection and the MSS fix

iptables -t nat -I POSTROUTING -o venet0 -j MASQUERADE
iptables -t mangle -I POSTROUTING -o venet0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -I PREROUTING -p udp -m udp --dport 5352 -j REDIRECT --to-ports 53

Don't forget ip6tables

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 8622 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 161 -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 11990:12000 -j ACCEPT
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable

Save the iptables rules

service iptables save
service ip6tables save

Enable kernel forwarding and disable rp_filter

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

Add the EPEL repository and install openvpn, quagga and net-snmp

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
yum install -y openvpn quagga net-snmp

Install dnsmasq with yum first, then compile the modified dnsmasq and replace the binary with it. The dnsmasq modified by the autovpn-for-openwrt project can run custom scripts; I won't go into what that is for, since this is a respectable blog.

# Install dnsmasq with yum, plus the compiler and the various build dependencies
yum install -y gcc make automake patch dnsmasq
mkdir src
cd src
# Download the source and the patch, apply the patch, build, and replace the executable
# (the GitHub "blob" page would return HTML, so fetch the file through the raw download path)
wget https://github.com/conupefox/autovpn-for-openwrt/raw/master/packages/dnsmasq-14.07-2.71-src-autovpn.tar.gz
wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.71.tar.gz
tar xvf dnsmasq-14.07-2.71-src-autovpn.tar.gz
tar xvf dnsmasq-2.71.tar.gz
cd dnsmasq-2.71
cp ../dnsmasq/patches/autovpn.patch ./
patch -p1 < autovpn.patch
make
mv /usr/sbin/dnsmasq /usr/sbin/dnsmasq.bak
cp src/dnsmasq /usr/sbin/dnsmasq

Configure SNMP

cd ~
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
vi /etc/snmp/snmpd.conf

com2sec notConfigUser default d2o

group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1

access notConfigGroup "" any noauth exact all none none

view all included .1 80

syslocation HongKong
syscontact D2O

dontLogTCPWrappersConnects yes

extend .1.3.6.1.4.1.2021.54 active_connects /bin/cat /proc/sys/net/netfilter/nf_conntrack_count
extend .1.3.6.1.4.1.2021.55 Route /bin/sh /etc/snmp/route_prefixes.sh

systemctl enable snmpd
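The firewall rules above accept UDP 53 and UDP 161 from any source, and the snmpd.conf uses `default` as the com2sec source, which together make the resolver and the SNMP community reachable from the whole Internet. As an added defender-side check (not code from the original post), the POSIX shell script below reads rules in iptables-save form (as `service iptables save` writes them to /etc/sysconfig/iptables) and an snmpd.conf, and flags exactly those exposures; the sample inputs are constructed from the rules shown in this post.

```shell
# Added audit helper, not from the original post: flags UDP 53/161 accepted
# from any source on INPUT (open resolver, world-readable SNMP) and com2sec
# entries whose source is "default". Samples below are constructed.
SENSITIVE_UDP="53 161"   # ports that should never be reachable from everywhere

# audit_rules: for each INPUT ACCEPT rule on a sensitive UDP port that carries
# no -s source restriction, print one finding line (input on stdin).
audit_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            *"-A INPUT"*"-p udp"*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$rule" in *" -s "*) continue ;; esac   # source-limited: fine
        port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
        for p in $SENSITIVE_UDP; do
            if [ "$port" = "$p" ]; then
                echo "world-open udp/$port: $rule"
            fi
        done
    done
}

# audit_snmp: flag com2sec lines whose source field is "default" (any host),
# i.e. the community string is usable from the whole Internet (input on stdin).
audit_snmp() {
    while IFS= read -r line; do
        set -- $line
        if [ "$1" = "com2sec" ] && [ "$3" = "default" ]; then
            echo "snmp security name '$2' accepts community from any source"
        fi
    done
}
# Constructed sample: the post's INPUT rules plus one correctly scoped 53/udp rule.
SAMPLE_RULES='-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 198.18.0.0/16 -d 198.18.0.0/16 -j ACCEPT
-A INPUT -s 198.18.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 11990:12010 -j ACCEPT'
SAMPLE_SNMP='com2sec notConfigUser default d2o
group notConfigGroup v2c notConfigUser'

# count_findings: total findings over both samples (two world-open ports + one com2sec = 3).
count_findings() {
    r=$(printf '%s\n' "$SAMPLE_RULES" | audit_rules | wc -l)
    s=$(printf '%s\n' "$SAMPLE_SNMP" | audit_snmp | wc -l)
    echo $(( $r + $s ))
}
count_findings
```

On a live host, feed it `iptables-save` output and /etc/snmp/snmpd.conf instead of the samples; the scoped rule in the sample shows the shape a fixed rule takes, with `-s` limited to the VPN subnet.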


References:
http://www.cnblogs.com/hitwtx/archive/2012/02/13/2349742.html
http://www.kevinick.com/archives/?article-445.html
http://www.centoscn.com/CentOS/config/2014/1031/4039.html
http://u.sanwen.net/subject/250517.html
http://itgeeker.net/centos-7-epel-china-mirror-repository/
https://github.com/conupefox/autovpn-for-openwrt
https://argcv.com/articles/3167.c
