Designing a Network Topology: Practical Notes

[TOC]

Foreword: what this article sets out to do could, frankly, be achieved with a well-configured commercial router. I love Windows, but as a programmer, not using Linux is the original sin (
Life lies in tinkering; let's encourage each other.

I. System initialization:

Life is short, I use ubuntu.

By gyakkun

Using Ubuntu 16.04.3 LTS, kernel 4.10.28-13 (?)

1. Install, using LVM

2. Enable root

   sudo passwd root     # set a password for root; this also unlocks the account
   sudo passwd -u root  # unlock root; only meaningful once a password exists, since unlocking a passwordless account is refused

   Note: this is only needed if you actually want to `su root`; `sudo -i` gives a root shell without a root password at all.

3. Remove unneeded applications

   sudo apt remove --purge 'libreoffice*'
   sudo apt remove --purge unity-webapps-common   # the Amazon link
   sudo apt remove --purge thunderbird totem rhythmbox empathy brasero simple-scan gnome-mahjongg aisleriot
   sudo apt remove --purge gnome-mines cheese gnome-orca gnome-sudoku landscape-client-ui-install
   sudo apt remove --purge onboard deja-dup

4. Change the package sources

Ref: https://mirrors.tuna.tsinghua.edu.cn/help/ubuntu/

sudo nano /etc/apt/sources.list
# Source-package mirrors are commented out by default to speed up apt update; uncomment them if you need them
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse

# Pre-release sources, not recommended
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse

5. Upgrade

   sudo apt update
   sudo apt upgrade

6. Install openssh-server and fail2ban

   sudo apt install openssh-server fail2ban

Check that sshd is running. A bare `ps` only lists processes attached to the current terminal, so it would never show the daemon:

   ps aux | grep '[s]shd'
   systemctl status ssh

If it is not running:

   sudo systemctl start ssh

The Debian/Ubuntu fail2ban package enables the sshd jail out of the box (/etc/fail2ban/jail.d/defaults-debian.conf), so repeated failed logins on port 22 are banned without further configuration.

Configure public-key login

   sudo nano /etc/ssh/sshd_config

Change:

   PubkeyAuthentication yes                      # allow public-key authentication
   AuthorizedKeysFile %h/.ssh/authorized_keys    # where the public keys live
   PermitRootLogin no                            # no root login over ssh; su root when you need it
   PasswordAuthentication no                     # no password login
   ChallengeResponseAuthentication no            # already no in the stock 16.04 file; keep it that way, or PAM keyboard-interactive still accepts a password

RSAAuthentication only ever applied to SSH protocol 1, which is disabled by default in the OpenSSH 7.2 that ships with 16.04 and was removed entirely in 7.4, so that line can be left out. Two things to check before restarting: sshd uses the first value it reads for each keyword, so edit the existing lines rather than appending new ones at the bottom of the file, and `sudo sshd -t` validates the syntax. Do not restart with PasswordAuthentication no until key login has been tested from a second session, or you lock yourself out.

Create an ssh key pair for the current account

   ssh-keygen

By default the files land in ~/.ssh/. Keep id_rsa.pub and rename it to authorized_keys; copy id_rsa (the private key) off the machine and delete the local copy so it cannot leak from the server.

   cd ~/.ssh
   chmod 700 ~/.ssh               # sshd (StrictModes) rejects keys if the directory is group/world writable
   mv id_rsa.pub authorized_keys
   chmod 600 authorized_keys      # only the owner can read/write
   scp id_rsa Steve@Steve-PC:/E/ssh-keys
   rm id_rsa
   # restart sshd
   sudo systemctl restart ssh

The conventional direction is the reverse: generate the pair on the client (ssh-keygen -t ed25519) and push only the public key with ssh-copy-id, so the private key never exists on the server and never travels over the network.
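Because sshd keeps the first value it sees for each keyword, a hardening line appended below the stock one changes nothing, and a restart then silently leaves password login enabled. The checker below is an added example written for these notes (not part of the original post or of OpenSSH): it reads an sshd_config text with sshd's semantics (case-insensitive keywords, `#` comments, first occurrence wins, global settings end at the first `Match` block) and reports which of the settings above are not actually in effect. The compiled-in defaults table assumes the OpenSSH 7.2 shipped with 16.04, and the sample config is constructed for the demonstration.

```python
"""Report the values sshd will actually use from an sshd_config text."""
import re

# Hardened values these notes ask for, plus ChallengeResponseAuthentication,
# which must also be off or PAM keyboard-interactive still accepts a password.
WANTED = {
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

# Compiled-in defaults (assumption: OpenSSH 7.2 as on Ubuntu 16.04;
# PermitRootLogin defaults to prohibit-password since 7.0).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# keyword, then either '=' or whitespace, then the value
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*[=\s]\s*(.*?)\s*$")


def effective_settings(config_text):
    """Return {keyword: value} as sshd applies them globally (lowercase keys)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                    # everything after a Match block is conditional
        seen.setdefault(key, value)  # first occurrence wins, later ones are ignored
    result = dict(DEFAULTS)
    result.update({k: v for k, v in seen.items() if k in DEFAULTS})
    return result


def audit(config_text):
    """Return (keyword, effective, wanted) for every hardening setting not in effect."""
    eff = effective_settings(config_text)
    return [(k, eff[k], v) for k, v in WANTED.items() if eff[k].lower() != v]


# Constructed sample: hardening lines were appended to the stock file, but the
# stock file already sets PasswordAuthentication and PermitRootLogin higher up.
SAMPLE = """\
# Package generated configuration file
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# --- hardening added later, too low in the file to take effect ---
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, have, want in audit(SAMPLE):
        print("%s is %r, wanted %r" % (key, have, want))
```

Run it against the real file with `python3 check.py < /etc/ssh/sshd_config` after replacing SAMPLE with `sys.stdin.read()`; an empty report means the four settings are genuinely in force.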

II. Configure as a dual-stack router

7. Confirm the kernel

   uname -r   # 4.13.XX

8. Enable forwarding

   sudo nano /etc/sysctl.conf
   net.ipv4.ip_forward = 1
   net.ipv6.conf.all.forwarding = 1
   sudo sysctl -p

Note: once IPv6 forwarding is on, the kernel ignores Router Advertisements on interfaces whose accept_ra is 1 (only accept_ra=2 keeps accepting RAs on a router), so eth0 no longer learns its default IPv6 route from the upstream router. That is why step 10 sets the gateway statically.

9. Enable BBR (needs kernel 4.9 or newer; the 4.10/4.13 kernel above qualifies)

   sudo nano /etc/sysctl.conf
   net.core.default_qdisc=fq
   net.ipv4.tcp_congestion_control=bbr
   sudo sysctl -p

10. Configure the IPv6 address you want

   sudo sysctl -w net.ipv6.conf.<iface>.autoconf=0   # no SLAAC address on the uplink; the key is autoconf and sysctl takes no spaces around '='
   sudo nano /etc/network/interfaces
       auto eth0
       iface eth0 inet6 static
          address 2001:250:3002:4411::5678
          netmask 64
          # the gateway can be the link-local address; if you don't know it, use the gateway's global address
          #gateway fe80::3a22:d6ff:fee5:abcd
          gateway 2001:250:3002:4411::1

       # eth1 faces the (virtual) switch
       auto eth1
       iface eth1 inet static
          address 192.168.22.2
          network 192.168.22.0
          netmask 255.255.255.0
          broadcast 192.168.22.255
       iface eth1 inet6 static
          # must be the ::1 of the /96 that ndppd proxies and dhcpd serves in step 11
          address 2001:250:3002:4411:a:b::1
          netmask 96

11. Configure the router

Use two virtual machines: one attached to NAT + Host-only, in the server role, named gyakkun-vm; the other attached to Host-only only, in the client role, named steve-vm-1.

Explanation: the Host-only network acts as a virtual switch. Following NDP, the server sends Router Advertisements on it (via radvd) and acts as a neighbor-discovery proxy (ndppd), answering ND packets on the upstream side for the addresses of the downstream subnet. Because that subnet is longer than /64, stateless address autoconfiguration does not work (SLAAC on Ethernet builds a 64-bit modified EUI-64 interface identifier, RFC 4291/4862, so hosts ignore an autonomous prefix of any other length), and DHCPv6 (isc-dhcp-server) has to hand out the downstream hosts' IPv6 addresses.

References:
1) https://wiki.ubuntu.com/IPv6#Configure_your_Ubuntu_box_as_a_IPv6_router
2) http://blog.csdn.net/l0605020112/article/details/41899359
3) https://jochen.kirstaetter.name/dhcpv6-ipv6-in-your-local-network/   (dhcpd -6 start-up parameters)
4) https://wiki.ubuntu.com/DHCPv6
5) https://blog.joshu.moe/2017/08/24/dhcpv6-server-on-linux/
6) http://bbs.swdyz.com/thread270sw1dyz1.shtml   (OpenWrt configuration)

# gyakkun-vm, server
Install radvd, isc-dhcp-server and ndppd.
Explanation:
radvd: Router Advertisement Daemon; sends the RAs on eth1
isc-dhcp-server: DHCP server; hands out the v6 addresses
ndppd: Neighbor Discovery Protocol proxy daemon; answers Neighbor Solicitations (RFC 4861) arriving on eth0 for addresses that actually live behind eth1, so the upstream router resolves them to this box's MAC address and sends their traffic here

   sudo apt install radvd isc-dhcp-server ndppd

Enable ND proxying in the kernel (put the same line in /etc/sysctl.conf so it survives a reboot)

   sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1

Configure /etc/ndppd.conf (comments in this file start with #)

   proxy eth0 {
       router yes
       timeout 500
       ttl 30000
       # proxy a sub-prefix longer than /64 (/80, /96, ...);
       # its first 64 bits must match the prefix on the upstream interface
       rule 2001:250:3002:4411:a:b::/96 {
           static
       }
   }

Configure /etc/radvd.conf to send the Router Advertisements (RA) defined by ND

   interface eth1 {
       AdvSendAdvert on;
       AdvManagedFlag on;       # M flag: clients get addresses from DHCPv6
       AdvOtherConfigFlag on;   # O flag: clients get other configuration (DNS etc.) from DHCPv6
       # Note: no prefix option here. Hosts only autoconfigure from a /64, so the prefix
       # to advertise would be the whole /64, and an advertised on-link /64 makes clients
       # install a direct route for it instead of sending that traffic through this router.
       # The RA still carries this router's lifetime, which is what gives clients their default route.
   };

/etc/dhcp/dhcpd6.conf. Watch the file permissions and create the lease file /var/…/dhcpd.leases in advance; the debug output shows the exact path. The subnet6 declaration has to contain eth1's address, otherwise dhcpd refuses to serve that interface (no subnet6 declaration for eth1), and it has to be the same /96 that ndppd proxies, or clients get addresses nobody answers ND for.

   authoritative;
   default-lease-time 14400;
   max-lease-time 86400;
   log-facility local7;
   option dhcp6.next-hop code 242 = ip6-address;
   subnet6 2001:250:3002:4411:a:b::/96 {
       range6 2001:250:3002:4411:a:b::2 2001:250:3002:4411:a:b:ffff:fffd;
       range6 2001:250:3002:4411:a:b::/96 temporary;
       # the next-hop address must be eth1's static address
       option dhcp6.next-hop 2001:250:3002:4411:a:b::1;
       allow unknown-clients;
   }

Autostart via /etc/rc.local (these lines go before the final exit 0; iptables rules are not persistent, which is why the NAT rule lives here)

   #/etc/init.d/iNodeAuthService start
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   dhcpd -6 -cf /etc/dhcp/dhcpd6.conf eth1
   dhclient eth0 -v

Caveat: with forwarding enabled and the FORWARD chain left at its ACCEPT policy (both iptables and ip6tables), everything that reaches either interface is forwarded. That is fine for a lab behind an upstream firewall; anywhere else, add filter rules for the forwarded traffic as well.
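The addresses in steps 10 and 11 have to agree with each other: ndppd, dhcpd's subnet6 and range6, eth1's address and the next-hop option all describe one /96, and if they drift apart dhcpd either refuses to serve eth1 or leases addresses that ndppd never answers for. The script below is an added example written for these notes, not taken from the post or from radvd, ndppd or ISC dhcpd. It uses the notes' own addresses, assumes the upstream prefix is the /64 containing eth0's address, and also runs the plan with subnet6 and the eth1 address typed as a1:b2 while ndppd still proxies a:b, a mismatch the checks catch.

```python
"""Consistency check for the sub-/64 IPv6 plan used in these notes."""
import ipaddress


def _within(net, container):
    """True if network `net` lies entirely inside network `container`."""
    return (net.prefixlen >= container.prefixlen
            and net.network_address in container)


def check_plan(plan):
    """Return a list of problems with the plan; an empty list means consistent.

    Keys: eth0 (address/prefixlen on the uplink), eth1 (router address on the
    downstream side), ndppd_rule, subnet6, range_lo, range_hi, next_hop.
    """
    problems = []
    upstream = ipaddress.ip_interface(plan["eth0"]).network   # the provider's /64
    rule = ipaddress.ip_network(plan["ndppd_rule"])
    sub = ipaddress.ip_network(plan["subnet6"])
    eth1 = ipaddress.ip_address(plan["eth1"])
    lo = ipaddress.ip_address(plan["range_lo"])
    hi = ipaddress.ip_address(plan["range_hi"])
    nh = ipaddress.ip_address(plan["next_hop"])

    # ndppd must proxy a strictly longer prefix inside the upstream /64; proxying
    # the whole /64 would answer NS for the upstream router's own addresses too.
    if not _within(rule, upstream) or rule.prefixlen <= upstream.prefixlen:
        problems.append("ndppd rule %s is not a proper sub-prefix of %s" % (rule, upstream))
    # dhcpd must lease exactly the addresses ndppd answers for.
    if sub != rule:
        problems.append("dhcpd subnet6 %s differs from the proxied prefix %s" % (sub, rule))
    # dhcpd only serves an interface whose address lies inside a subnet6.
    if eth1 not in sub:
        problems.append("eth1 address %s is outside subnet6 %s" % (eth1, sub))
    if lo not in sub or hi not in sub or lo > hi:
        problems.append("range6 %s-%s is not inside subnet6 %s" % (lo, hi, sub))
    # Clients are told to route via next-hop, so it must be this router's eth1.
    if nh != eth1:
        problems.append("dhcp6.next-hop %s is not eth1's address %s" % (nh, eth1))
    # The pool must not contain the router's own address.
    if lo <= eth1 <= hi:
        problems.append("range6 contains the router address %s" % eth1)
    return problems


def address_mode(plan):
    """'slaac' if hosts could autoconfigure (prefix of 64 bits or shorter), else
    'dhcpv6': modified EUI-64 interface IDs need 64 bits, so a /96 forces DHCPv6."""
    return "slaac" if ipaddress.ip_network(plan["subnet6"]).prefixlen <= 64 else "dhcpv6"


def pool_size(plan):
    """Number of addresses dhcpd can hand out from the non-temporary range6."""
    lo = ipaddress.ip_address(plan["range_lo"])
    hi = ipaddress.ip_address(plan["range_hi"])
    return int(hi) - int(lo) + 1


# Addresses from steps 10 and 11 of these notes.
PLAN = {
    "eth0": "2001:250:3002:4411::5678/64",
    "eth1": "2001:250:3002:4411:a:b::1",
    "ndppd_rule": "2001:250:3002:4411:a:b::/96",
    "subnet6": "2001:250:3002:4411:a:b::/96",
    "range_lo": "2001:250:3002:4411:a:b::2",
    "range_hi": "2001:250:3002:4411:a:b:ffff:fffd",
    "next_hop": "2001:250:3002:4411:a:b::1",
}

# Constructed variant: subnet6 and eth1 typed as a1:b2 while ndppd still proxies a:b.
MISTYPED = dict(PLAN, subnet6="2001:250:3002:4411:a1:b2::/96",
                eth1="2001:250:3002:4411:a1:b2::1")

if __name__ == "__main__":
    for name, plan in (("plan", PLAN), ("mistyped", MISTYPED)):
        print(name, address_mode(plan), pool_size(plan), check_plan(plan) or "OK")
```

The mistyped variant fails three checks at once (subnet6 differs from the proxied prefix, range6 falls outside subnet6, next-hop is not eth1), which is exactly the situation where dhcpd starts but no client ever gets a working address.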

Ref:

  1. Linux IPv6 HOWTO
     http://man.chinaunix.net/linux/how/Linux-IPv6-HOWTO.html
  2. Gateway
     fe80::3a22:d6ff:fee5:abcd
     sudo ip -6 route add ::/0 via fe80::3a22:d6ff:fee5:abcd dev eth0   # a link-local next hop is only meaningful together with its interface
  3. Restart networking
     sudo systemctl restart networking
  4. Disable v6 autoconfiguration; the gateway then has to be set by hand (link-local or global address both work)
     https://superuser.com/questions/33196/how-to-disable-autoconfiguration-on-ipv6-in-linux
  5. Enable v4 NAT
     sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  6. sysuh3c (802.1X client for H3C campus networks; username and password omitted here)
     https://github.com/renbaoke/h3c
     sudo sysuh3c -u -p -i eth0 -c -d

     Route adjustments on the host PC (assumed to be the Windows host, since `IF <n>` is route.exe's interface index from `route print`; VMnet1 is the VMware host-only adapter):
     route change ::/0 fe80::3a22:d6ff:fee5:abcd metric 300
     route change 2001:250:3002:4411::/64 fe80::20c:29ff:fe09:21aa
     route delete 2001:250:3002:4411::/64
     route add ::/0 fe80::20c:29ff:fe09:21aa IF 27   # IF31==VMnet1