Category: Tech

  • OpenVPN Server on FreeBSD

    It differs a little from CentOS.

    1. Install openvpn with pkg: pkg install openvpn
    2. Generate the certificates with easy-rsa and generate the openvpn server configuration file; the defaults are fine. We use the udp protocol and change the server port to 443, which is more generally reachable.
    3. Edit rc.conf: enable pf for NAT, enable the gateway, and add the openvpn settings.
      pf_enable="YES"
      pf_rules="/etc/pf.conf"
      pflog_enable="YES"
      pflog_logfile="/var/log/pflog"
      gateway_enable="YES"
      openvpn_enable="yes"
      openvpn_configfile="/usr/local/etc/openvpn/2.0/conf/server.conf"
      openvpn_if="tun"
    4. Add the pf.conf configuration file. Here our FreeBSD runs on ESXi, so the NIC is vmx0, the openvpn clients' network is 10.9.0.0/24, and the server's IP address is 192.168.0.99:
      #/etc/pf.conf
      if="vmx0"
      vpn_if="tun0"
      vpn_net = "10.9.0.0/24"
      icmp_types = "echoreq"
      open_tcp = "{22}"
      open_udp = "{443}"
      # wan ip
      ip = 192.168.0.99
      set block-policy drop
      set skip on lo0
      set limit { states 10000, frags 5000 }
      set loginterface vmx0
      set optimization normal
      set require-order yes
      set fingerprints "/etc/pf.os"
      set ruleset-optimization basic

      scrub in all fragment reassemble random-id

      nat on $if from $vpn_net to any -> $ip

      block log all
      block return

      antispoof quick for $if
      pass in quick proto udp from any to port 443 keep state label "openvpn"

      # Pass stuff on the VPN interface
      pass quick on $vpn_if keep state

      pass in on $if proto tcp from any to any port 22 keep state

      pass in on $if proto tcp from any to any port $open_tcp keep state
      pass in on $if proto udp from any to any port $open_udp keep state

      pass out quick all keep state

      pass in on $if inet proto icmp all icmp-type $icmp_types keep state

    5. Add the IP forwarding setting to sysctl.conf: net.inet.ip.forwarding=1
    6. Now it can be started: service openvpn start
    7. It is really much the same as on CentOS. Recently, though, I have found that zfs and jail are both very good things. The designs of the masters are often ahead of their time, yet it is the crude, bug-ridden designs that become popular in the world.

  • Create a bootable CentOS USB drive with a Mac (OS X) for a PC

    1. Visit CentOS' web page, https://www.centos.org/download/, and download the iso image you'd like to boot from.
    2. When the download has completed, open up Terminal and use 'hdiutil' to convert the *.iso to an *.img file (specifically, a UDIF read/write image).

    $hdiutil convert -format UDRW -o target.img CentOS-7.0-1406-x86_64-Everything.iso
    Reading Master Boot Record (MBR : 0)…
    Reading CentOS 7 x86_64 (Apple_ISO : 1)…
    Reading (Type EF : 2)…
    Reading CentOS 7 x86_64 (Apple_ISO : 3)…
    …………………………………………………………………….
    Elapsed Time: 33.590s
    Speed: 200.5Mbytes/sec
    Savings: 0.0%
    created: /tmp/target.img.dmg

    3. Use the 'dd' utility to copy the converted image to your USB drive:

    $ diskutil list
    /dev/disk0
    #: TYPE NAME SIZE IDENTIFIER
    0: GUID_partition_scheme *121.3 GB disk0
    1: EFI EFI 209.7 MB disk0s1
    2: Apple_HFS Macintosh HD 120.5 GB disk0s2
    3: Apple_Boot Recovery HD 650.0 MB disk0s3
    /dev/disk1
    #: TYPE NAME SIZE IDENTIFIER
    0: FDisk_partition_scheme *31.9 GB disk1
    1: DOS_FAT_32 NO NAME 31.9 GB disk1s1
    /dev/disk2
    #: TYPE NAME SIZE IDENTIFIER
    0: CentOS_7.0_Final *4.5 GB disk2
    $ diskutil unmountDisk /dev/disk1
    Unmount of all volumes on disk1 was successful
    $ diskutil unmountDisk /dev/disk2
    Unmount of all volumes on disk2 was successful
    $ time sudo dd if=target.img.dmg of=/dev/disk1 bs=1m
    Password:
    4261+0 records in
    4261+0 records out
    4467982336 bytes transferred in 1215.483272 secs (3675890 bytes/sec)

  • Linux IPTables: Incoming and Outgoing Rule Examples

    Default Chain Policy

    As you can see below, it says "(policy ACCEPT)" next to all three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default chain policy is ACCEPT.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    So, you have two options here.
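    Added example (not from the original post): a small Python audit that parses `iptables -L` output like the listing above and reports which chains still fall through to the default ACCEPT policy. A trailing "DROP all" rule, as in the INPUT chain shown, counts as an explicit catch-all; the sample text is the listing above, embedded as constructed input.

```python
import re

# Constructed sample: the `iptables -L` listing from the post above
# (iptables prints the opt column as "--").
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""

# Built-in chains carry a policy; user-defined chains print "(N references)" instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_chains(text):
    """Return {chain_name: (policy, [rule tokens, ...])} for chains with a policy."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            m = CHAIN_RE.match(line)
            current = m.group(1) if m else None  # skip user-defined chains
            if m:
                chains[current] = (m.group(2), [])
            continue
        # Skip blank lines and the column header; keep rule lines as token lists.
        if current and line.strip() and not line.startswith("target"):
            chains[current][1].append(line.split())
    return chains


def audit(chains):
    """Return the chains where an unmatched packet is accepted by default.

    A chain is reported when its policy is ACCEPT and its last rule is not a
    catch-all DROP/REJECT for protocol "all" (the pattern used in INPUT above).
    """
    findings = []
    for name, (policy, rules) in chains.items():
        last = rules[-1] if rules else None
        catch_all = last is not None and last[0] in ("DROP", "REJECT") and last[1] == "all"
        if policy == "ACCEPT" and not catch_all:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    print("chains falling through to ACCEPT:", audit(parse_chains(SAMPLE)))
```

    Run it over saved `iptables -L` output from several hosts to spot which ones still rely on the ACCEPT default rather than an explicit final DROP.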