############################################## 以下是 KBT pptp 的 :~ $ sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j SNAT --to 192.168.3.153 :~ $ sudo service pptpd restart or :~ $ sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j MASQUERADE ############################################### ####sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j SNAT --to 61.63.1.157 ##for pptp sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j MASQUERADE ############################################# ********************************************* .sh ********************* ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ********************************************* .sh ********************* ############################################## 以下是正常運作的,但是有修改 /etc/iptables.rules (x96) # Modified by hwdsl2 VPN script # Generated by iptables-save v1.6.1 on Fri Aug 23 20:24:52 2019 *mangle :PREROUTING ACCEPT [91839:61159286] :INPUT ACCEPT [27955:9498444] :FORWARD ACCEPT [63871:51660326] :OUTPUT ACCEPT [42310:49751915] :POSTROUTING ACCEPT [106181:101412241] -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu COMMIT # Completed on Fri Aug 23 20:24:52 2019 # Generated by iptables-save v1.6.1 on Fri Aug 23 20:24:52 2019 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p udp -m udp --dport 
1701 -m policy --dir in --pol none -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -j DROP -A INPUT -p udp -m udp --dport 1194 -j ACCEPT -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -i ppp0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ppp+ -o ppp0 -j ACCEPT -A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT -A FORWARD -d 192.168.43.0/24 -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.43.0/24 -o ppp0 -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 10.8.0.0/24 -j ACCEPT -A FORWARD -j DROP COMMIT # Completed on Fri Aug 23 20:24:52 2019 # Generated by iptables-save v1.6.1 on Fri Aug 23 20:24:52 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 192.168.42.0/24 -o ppp0 -j MASQUERADE -A POSTROUTING -s 192.168.43.0/24 -o ppp0 -m policy --dir out --pol none -j MASQUERADE #-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 220.133.209.15 #-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.8.0.1 -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE COMMIT # Completed on Fri Aug 23 20:24:52 2019 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 61.63.1.157 的 pptp The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. 
Last login: Sun Aug 25 16:00:33 2019 from 1-164-169-209.dynamic-ip.hinet.net hckao@server157:~ $ cat pptp pptp server設定 http://raspberrypihelp.net/raspberry-pi-pptp-vpn-server/ https://www.linuxbabe.com/linux-server/setup-your-own-pptp-vpn-server-on-debian-ubuntu-centos sudo nano /etc/rc.local #sudo iptables -t nat -A POSTROUTING -s 192.168.0.234/24 -o eth0 -j SNAT --to IPADRESOFYOURRASPBERRYPI sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE 目前是用以下 # pptp用 sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o ppp0 -j MASQUERADE sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT (note: the PPTP control channel is TCP port 1723, the port forwarded later in these notes; 47 is the GRE protocol number, which the next rule already admits with -p gre) sudo iptables -A INPUT -p gre -j ACCEPT # Wireless AP 用 sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE sudo iptables -A FORWARD -i ppp0 -o wlan0 -m state --state RELATED,ESTABLISHED (note: this rule has no -j target, so it only matches and counts packets without accepting them) $ sudo iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT iptables-restore < /etc/iptables.ipv4.nat exit 0 If you have Systemd on your server, then enable the pptpd service on system boot: sudo systemctl enable pptpd 以下是自動啟動 sudo ln -s /etc/init.d/pptpd /etc/rc2.d/S16pptpd sudo systemctl enable pptpd ********************************************************************** sudo systemctl start pptpd or sudo service pptpd start If you have Systemd on your server, then enable the pptpd service on system boot: sudo systemctl enable pptpd *********************************************************************** Raspberry Pi PPTP VPN server. FIRST: sudo apt-get update [ENTER] sudo apt-get upgrade # Then check MPPE support: sudo modprobe ppp-compress-18 [ENTER] # No errors? You are good to go! Next, install the PPTP server package: sudo apt-get install pptpd [ENTER] # Now edit the pptpd.conf file: sudo nano /etc/pptpd.conf [ENTER] At the end of the file, uncomment the following lines localip 192.168.0.1 remoteip 192.168.1.234-238,192.168.1.245 and change the “localip” to your Raspberry Pi's IP address. remoteip = the addresses that will be handed out to clients.
Hit Control + X to close and save the file. # Now, edit the ‘/etc/ppp/pptpd-options’ file. sudo nano /etc/ppp/pptpd-options [ENTER] Add the following text at the bottom: ms-dns 192.168.1.1 noipx mtu 1490 mru 1490 Where the IP used for the ms-dns directive is the DNS server for the local network to which your client will be connecting (quite possibly the IP address of your router). Hit Control + X to close/save the file. Next, edit the ‘/etc/ppp/chap-secrets’ file. This is where you will place your credentials for logging into the VPN server. sudo nano /etc/ppp/chap-secrets [ENTER] Add your authentication credentials in the following form: username[TAB]*[TAB]password[TAB]* (note: the password is stored in plain text in this file) Control + X to close/save the file. Now restart the PPTP VPN server with: sudo service pptpd restart [ENTER] Now, enable forwarding if you wish to have access to your entire home network while away. Edit the ‘sysctl’ file. sudo vi /etc/sysctl.conf [ENTER] Find “net.ipv4.ip_forward=1” and uncomment it (or change =0 to =1), then Control + X to close/save the file to enable forwarding. Now, execute the following command to apply the change: sudo sysctl -p [ENTER] Last step: adding iptables rules. sudo nano /etc/rc.local [ENTER] Add this line just above “exit 0”: sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j SNAT --to 192.168.3.153 Hit Control + X and save the file. (192.168.0.234 is the first IP address handed out by the VPN server.) Now forward port 1723 in your router/modem. You are ready to go!
:~ $ sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j SNAT --to 192.168.3.153 :~ $ sudo service pptpd restart or sudo iptables -t nat -A POSTROUTING -s 172.18.100.0/24 -o eth0 -j MASQUERADE $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ hckao@server157:/etc $ sudo cat pptpd.conf [sudo] password for hckao: ############################################################################### # $Id$ # # Sample Poptop configuration file /etc/pptpd.conf # # Changes are effective when pptpd is restarted. ############################################################################### # TAG: ppp # Path to the pppd program, default '/usr/sbin/pppd' on Linux # #ppp /usr/sbin/pppd # TAG: option # Specifies the location of the PPP options file. # By default PPP looks in '/etc/ppp/options' # option /etc/ppp/pptpd-options # TAG: debug # Turns on (more) debugging to syslog # #debug # TAG: stimeout # Specifies timeout (in seconds) on starting ctrl connection # # stimeout 10 # TAG: noipparam # Suppress the passing of the client's IP address to PPP, which is # done by default otherwise. # #noipparam # TAG: logwtmp # Use wtmp(5) to record client connections and disconnections. # logwtmp # TAG: bcrelay # Turns on broadcast relay to clients from interface # #bcrelay eth1 # TAG: delegate # Delegates the allocation of client IP addresses to pppd. # # Without this option, which is the default, pptpd manages the list of # IP addresses for clients and passes the next free address to pppd. # With this option, pptpd does not pass an address, and so pppd may use # radius or chap-secrets to allocate an address. # #delegate # TAG: connections # Limits the number of client connections that may be accepted. # # If pptpd is allocating IP addresses (e.g. delegate is not # used) then the number of connections is also limited by the # remoteip option. The default is 100. 
#connections 100 # TAG: localip # TAG: remoteip # Specifies the local and remote IP address ranges. # # These options are ignored if delegate option is set. # # Any addresses work as long as the local machine takes care of the # routing. But if you want to use MS-Windows networking, you should # use IP addresses out of the LAN address space and use the proxyarp # option in the pppd options file, or run bcrelay. # # You can specify single IP addresses seperated by commas or you can # specify ranges, or both. For example: # # 192.168.0.234,192.168.0.245-249,192.168.0.254 # # IMPORTANT RESTRICTIONS: # # 1. No spaces are permitted between commas or within addresses. # # 2. If you give more IP addresses than the value of connections, # it will start at the beginning of the list and go until it # gets connections IPs. Others will be ignored. # # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238, # you must type 234-238 if you mean this. # # 4. If you give a single localIP, that's ok - all local IPs will # be set to the given one. You MUST still give at least one remote # IP for each simultaneous client. # # (Recommended) #localip 192.168.0.1 #remoteip 192.168.0.234-238,192.168.0.245 # or #localip 192.168.0.234-238,192.168.0.245 #remoteip 192.168.1.234-238,192.168.1.245 # # # localip 172.18.100.1 remoteip 172.18.100.100-200 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$