[TOC]
Preface: what this article sets out to do could just as well be done with a properly configured commercial router. I love Windows, but as a (struck through: human) programmer, not using Linux is the original sin (
Life is about tinkering. Keep at it.
I. System initialization:
Life is short, I use Ubuntu.
By gyakkun
Using Ubuntu 16.04.3 LTS, kernel 4.10.28-13 (?)
1. Install, using LVM
2. Enable root (only for local use via su; step 6 keeps root off ssh)
sudo passwd -u root  # unlock the root account
sudo passwd root     # set a password for root
3. Remove unneeded applications
sudo apt remove --purge libreoffice*
sudo apt remove --purge unity-webapps-common  # the Amazon link
sudo apt remove --purge thunderbird totem rhythmbox empathy brasero simple-scan gnome-mahjongg aisleriot
sudo apt remove --purge gnome-mines cheese gnome-orca gnome-sudoku landscape-client-ui-install
sudo apt remove --purge onboard deja-dup
4. Change the package mirror
Ref: https://mirrors.tuna.tsinghua.edu.cn/help/ubuntu/
sudo nano /etc/apt/sources.list
# Source-package mirrors are commented out by default to speed up apt update; uncomment them if needed
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# Pre-release (proposed) source, not recommended
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ xenial-proposed main restricted universe multiverse
5. Upgrade
sudo apt update
sudo apt upgrade
6. Install openssh-server and fail2ban
sudo apt install openssh-server fail2ban
Check whether sshd is already running (a bare ps only lists the current terminal's processes, so ask systemd instead)
systemctl status ssh
If it is not
sudo systemctl start ssh
Configure public-key login
sudo nano /etc/ssh/sshd_config
Change:
PubkeyAuthentication yes                    # allow public-key authentication
AuthorizedKeysFile %h/.ssh/authorized_keys  # where the public keys live
PermitRootLogin no                          # no root over ssh; su to root after logging in when needed
PasswordAuthentication no                   # no password login
(RSAAuthentication only ever applied to SSH protocol 1, which is off in 16.04's OpenSSH 7.2 and removed from later releases, so it is left out. sshd uses the first value it finds for a directive, so make sure no earlier line in the file sets a different one.)
Create an ssh key pair for the current account
ssh-keygen
The pair lands in ~/.ssh/. Keep id_rsa.pub, renamed to authorized_keys, and move id_rsa (the private key) off the machine so it cannot leak. Better still, generate the pair on the client and install only the public key with ssh-copy-id, so the private key never crosses the network at all.
cd ~/.ssh
mv id_rsa.pub authorized_keys
chmod 600 authorized_keys  # owner read/write only
scp id_rsa [email protected]:/E/ssh-keys
rm id_rsa
# restart sshd, but only after a key login has been confirmed from a second session: with password login disabled, a broken authorized_keys locks you out
sudo systemctl restart ssh
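The sshd_config edits above are easy to get subtly wrong: a directive left commented out, an earlier duplicate that wins (sshd takes the first value it sees), or an edit that lands inside a Match block. With password login off, any of those locks you out. The script below is an added example, not part of these notes: it applies the step-6 directives idempotently to a config file and reads back the value sshd would actually use, so the result can be checked before the service is restarted. The sample config it runs against is constructed to resemble the stock 16.04 file, and the fail2ban thresholds are assumptions, not the package defaults.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: idempotently apply the step-6
# sshd hardening to a config file and read back the effective values.  The
# sample config below is constructed; the fail2ban thresholds are assumptions.

# Rewrite the first global occurrence of KEY (active or commented out), drop
# later global duplicates, and never touch anything inside a Match block; if
# KEY is absent it is placed before the first Match block, or appended.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[# \t]*" tolower(k) "[ \t]" }
        !inmatch && tolower($0) ~ /^match[ \t]/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        inmatch { print; next }
        tolower($0) ~ re { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd uses the first active global value of a directive; print that value.
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

harden_sshd_config() {
    f=$1
    set_sshd_option "$f" PubkeyAuthentication yes
    set_sshd_option "$f" AuthorizedKeysFile %h/.ssh/authorized_keys
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no
    # keyboard-interactive via PAM is a second password path; close it too
    set_sshd_option "$f" ChallengeResponseAuthentication no
}

# jail.local overrides jail.conf.  The Debian/Ubuntu package already enables
# the sshd jail; this only makes the thresholds explicit (values assumed).
write_fail2ban_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Constructed sample modelled on the stock 16.04 file, including a Match
# block that must be left alone.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
#PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on a scratch copy: bash harden-sshd.sh demo
if [ "${1:-}" = demo ]; then
    cfg=$(mktemp)
    write_sample_sshd_config "$cfg"
    harden_sshd_config "$cfg"
    for k in PubkeyAuthentication PermitRootLogin PasswordAuthentication; do
        printf '%s -> %s\n' "$k" "$(effective_value "$cfg" "$k")"
    done
    rm -f "$cfg"
fi
```

For the real file, call harden_sshd_config /etc/ssh/sshd_config as root, validate the syntax with sshd's -t flag, confirm a key login from a second terminal, and only then restart the service.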
II. Configure as a dual-stack router
7. Confirm the kernel
uname -r  # 4.13.XX
8. Enable forwarding
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
sudo sysctl -p
9. Enable BBR (needs kernel 4.9 or newer, so the 4.13 kernel above is fine; if sysctl -p rejects "bbr", the tcp_bbr module is not loaded)
sudo nano /etc/sysctl.conf
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
sudo sysctl -p
10. Configure the IPv6 address you want
sudo sysctl -w net.ipv6.conf.<iface>.autoconf=0
(The key is autoconf, not autoconfig, and there must be no spaces around "="; put the same line in /etc/sysctl.conf so it survives a reboot. Once forwarding is on (step 8) the kernel ignores router advertisements on this box anyway, which is why the gateway below has to be static.)
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet6 static
    address 2001:250:3002:4411::5678
    netmask 64
    # the gateway may be the upstream router's link-local address; if you don't know it, use its global address
    #gateway fe80::3a22:d6ff:fee5:abcd
    gateway 2001:250:3002:4411::1
# eth1: the side facing the (host-only) switch
auto eth1
iface eth1 inet static
    address 192.168.22.2
    network 192.168.22.0
    netmask 255.255.255.0
    broadcast 192.168.22.255
iface eth1 inet6 static
    # the router's own address inside the /96 that ndppd proxies and dhcpd6 hands out; ifupdown needs the netmask
    address 2001:250:3002:4411:a:b::1
    netmask 96
11. Configure the router
Two VMs are used: one attached to NAT + Host-only, role server, named gyakkun-vm; the other attached to Host-only only, role client, named steve-vm-1.
Explanation: the Host-only network acts as a virtual switch. Following ND, the server sends Router Advertisements on it (via radvd) and acts as a neighbour discovery proxy (ndppd) that answers ND for the subnet on the upstream side. Because the subnet is smaller than a /64, SLAAC cannot be used (it needs a 64-bit interface identifier), so DHCPv6 (isc-dhcp-server) assigns the downstream hosts' IPv6 addresses.
References:
1) https://wiki.ubuntu.com/IPv6#Configure_your_Ubuntu_box_as_a_IPv6_router
2) http://blog.csdn.net/l0605020112/article/details/41899359
3) https://jochen.kirstaetter.name/dhcpv6-ipv6-in-your-local-network/  # dhcpv6 start-up parameters
4) https://wiki.ubuntu.com/DHCPv6
5) https://blog.joshu.moe/2017/08/24/dhcpv6-server-on-linux/
6) http://bbs.swdyz.com/thread270sw1dyz1.shtml  # openwrt configuration
# gyakkun-vm, server
Install radvd, isc-dhcp-server and ndppd
Explanation:
radvd: Router Advertisement daemon
isc-dhcp-server: DHCP server, here used to hand out v6 addresses
ndppd: Neighbor Discovery Protocol proxy; answers neighbour solicitations (RFC 4861) on the upstream interface for the addresses of the downstream /96, since the upstream router believes the whole /64 is on-link
sudo apt install radvd isc-dhcp-server ndppd
Enable NDP proxying in the kernel (add the line to /etc/sysctl.conf as well so it persists)
sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
Configure /etc/ndppd.conf
proxy eth0 {
    router yes
    timeout 500
    ttl 30000
    # proxy for a sub-prefix longer than /64 (e.g. /80, /96); its first 64 bits must match eth0's prefix,
    # and it must be the same /96 as eth1's address and the subnet6 in dhcpd6.conf
    rule 2001:250:3002:4411:a:b::/96 {
        static
    }
}
Configure /etc/radvd.conf, which sends the Router Advertisements (RA) defined by ND on the LAN side
interface eth1 {
    AdvSendAdvert on;
    # M flag: clients get addresses from DHCPv6
    AdvManagedFlag on;
    # O flag: clients get other configuration (DNS etc.) from DHCPv6
    AdvOtherConfigFlag on;
    # Deliberately no prefix stanza: advertising the upstream /64 as on-link would make clients treat the whole /64
    # as directly reachable on the host-only segment and bypass the router for it, and SLAAC is useless for a /96
    # anyway. The RA still gives clients their default route (this router's link-local address) and the M/O flags.
};
/etc/dhcp/dhcpd6.conf. Mind file permissions and create the leases file /var/…/dhcpd.leases in advance; see dhcpd's debug output if it refuses to start
authoritative;
default-lease-time 14400;
max-lease-time 86400;
log-facility local7;
# custom option definition: dhcp6.next-hop (code 242) comes from an expired draft and common clients ignore it;
# the default route really comes from radvd's RA
option dhcp6.next-hop code 242 = ip6-address;
# the same /96 as eth1's address and the ndppd rule; dhcpd rejects a range6 that lies outside subnet6
subnet6 2001:250:3002:4411:a:b::/96 {
    range6 2001:250:3002:4411:a:b::2 2001:250:3002:4411:a:b:ffff:fffd;
    range6 2001:250:3002:4411:a:b::/96 temporary;
    # next-hop: eth1's static address
    option dhcp6.next-hop 2001:250:3002:4411:a:b::1;
    allow unknown-clients;
}
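Every IPv6 address in this section has to sit in one delegated sub-prefix: eth1's address, the ndppd rule, subnet6, both range6 lines and the next-hop. dhcpd refuses a range6 outside its subnet6, and ndppd only answers solicitations for the prefix in its rule, so one stray digit (a1:b2 in one file, a:b in another) quietly breaks the setup. The checker below is an added example, not part of the original notes; it expands IPv6 addresses in plain awk and compares the leading groups. It supports prefix lengths that are multiples of 16, which covers the /64 and /96 used here; the addresses in the demo are this configuration's, plus one deliberately outside the /96.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: verify that every address the
# router configuration uses lies inside the one delegated sub-prefix.
# Addresses are the ones from this setup; the /96 is the notes' choice.

# Expand an IPv6 address to eight lowercase, zero-padded 16-bit groups, e.g.
# 2001:250:3002:4411:a:b::1 -> 2001:0250:3002:4411:000a:000b:0000:0001.
# Handles one "::"; embedded IPv4 and zone ids are not supported.
expand6() {
    printf '%s\n' "$1" | awk -F'::' '{
        nl = 0; nr = 0
        if (NF == 1) nl = split($0, l, ":")                  # no "::" at all
        else { nl = split($1, l, ":"); nr = split($2, r, ":") }
        out = ""
        for (i = 1; i <= nl; i++) out = out substr("0000" tolower(l[i]), length(l[i]) + 1) ":"
        for (i = 1; i <= 8 - nl - nr; i++) out = out "0000:"   # what "::" stood for
        for (i = 1; i <= nr; i++) out = out substr("0000" tolower(r[i]), length(r[i]) + 1) ":"
        sub(/:$/, "", out)
        print out
    }'
}

# in_prefix ADDR PREFIX/LEN: succeed if ADDR is inside the prefix.  LEN must be
# a multiple of 16 (enough for the /64 and /96 used here), so the comparison
# is simply the first LEN/16 expanded groups.
in_prefix() {
    addr=$(expand6 "$1")
    pfx=$(expand6 "${2%/*}")
    len=${2#*/}
    if [ $((len % 16)) -ne 0 ]; then
        echo "in_prefix: only prefix lengths that are multiples of 16 are supported" >&2
        return 2
    fi
    [ "$(printf '%s\n' "$addr" | cut -d: -f"1-$((len / 16))")" = \
      "$(printf '%s\n' "$pfx"  | cut -d: -f"1-$((len / 16))")" ]
}

# check_subnet_members SUBNET ADDR-OR-PREFIX...: print a verdict per item and
# fail if any lies outside SUBNET (dhcpd rejects a range6 outside subnet6,
# and ndppd only answers for the prefix in its rule).
check_subnet_members() {
    subnet=$1; shift
    bad=0
    for item in "$@"; do
        if in_prefix "${item%/*}" "$subnet"; then
            printf 'ok       %-40s in %s\n' "$item" "$subnet"
        else
            printf 'OUTSIDE  %-40s not in %s\n' "$item" "$subnet"
            bad=1
        fi
    done
    return $bad
}

# Demo: everything that must agree across interfaces, ndppd.conf and
# dhcpd6.conf, plus an a1:b2 variant to show how a mismatch is reported.
if [ "${1:-}" = demo ]; then
    check_subnet_members 2001:250:3002:4411:a:b::/96 \
        2001:250:3002:4411:a:b::1 \
        2001:250:3002:4411:a:b::2 \
        2001:250:3002:4411:a:b:ffff:fffd \
        2001:250:3002:4411:a:b::/96 \
        2001:250:3002:4411:a1:b2::1
fi
```

Run it as bash check-prefix.sh demo; the last line of output is flagged OUTSIDE and the script exits non-zero. Independently of this script, dhcpd -6 -t -cf /etc/dhcp/dhcpd6.conf parses the file without starting the server and reports a range6 that does not fit its subnet6.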
# autostart via /etc/rc.local (keep these above the file's closing exit 0)
#/etc/init.d/iNodeAuthService start   # campus 802.1X client, disabled here
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
dhcpd -6 -cf /etc/dhcp/dhcpd6.conf eth1
dhclient eth0 -v
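With forwarding enabled for both families and only a MASQUERADE rule, this box forwards anything: the IPv4 LAN is at least hidden behind NAT, but the IPv6 /96 behind eth1 is globally routed, so every DHCPv6 client is directly reachable from the internet. The script below is an added example, not the notes' own code: it produces iptables-restore / ip6tables-restore rulesets with a default-deny FORWARD chain (the LAN may initiate, the WAN only gets replies), keeps ICMPv6 open because NDP, RAs and path MTU discovery ride on it, and admits the DHCPv6 server port only on the LAN side. Interface names eth0 (WAN) and eth1 (LAN) are assumed, as in the notes.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: a stateful iptables/ip6tables
# ruleset for the two-interface router above.  Interface names are assumed
# (WAN eth0 on the NAT network, LAN eth1 on the host-only network).

# IPv4: MASQUERADE on the WAN side (the rule from rc.local) plus a
# default-deny filter.  Output is iptables-restore format.
v4_ruleset() {
    wan=$1 lan=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# ssh from either side; fail2ban (step 6) deals with brute force
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# replies to dhclient on the WAN side
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# IPv6: no NAT; the /96 behind eth1 is globally routed, so the FORWARD chain
# is the only thing between those hosts and the internet.  ICMPv6 must stay
# open: NDP, RAs and path MTU discovery all depend on it.
v6_ruleset() {
    wan=$1 lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# DHCPv6 server (dhcpd -6) listens on the LAN side only
-A INPUT -i $lan -p udp --dport 547 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Load both rulesets atomically; replaces the single MASQUERADE line in
# rc.local.  Needs root.
apply_rulesets() {
    v4_ruleset "$1" "$2" | iptables-restore
    v6_ruleset "$1" "$2" | ip6tables-restore
}

if [ "${1:-}" = apply ]; then
    apply_rulesets "${2:-eth0}" "${3:-eth1}"
fi
```

Load it with bash router-fw.sh apply eth0 eth1 as root (from rc.local, in place of the MASQUERADE line, or via iptables-persistent). Because INPUT defaults to DROP, anything else the router should answer for (DNS, if you later add a resolver for the LAN) needs its own INPUT rule.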
Ref / misc notes:
- Linux IPv6 HOWTO: http://man.chinaunix.net/linux/how/Linux-IPv6-HOWTO.html
- Gateway (upstream link-local address): fe80::3a22:d6ff:fee5:abcd
  sudo ip -6 route add ::/0 via fe80::3a22:d6ff:fee5:abcd dev <iface>
- Network restart: sudo systemctl restart networking
- Disable IPv6 autoconfiguration; the gateway must then be set by hand (link-local or global address both work): https://superuser.com/questions/33196/how-to-disable-autoconfiguration-on-ipv6-in-linux
- Enable v4 NAT: sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- sysuh3c (H3C 802.1X campus authentication client): https://github.com/renbaoke/h3c
  sudo sysuh3c -u <user> -p <password> -i eth0 -c -d
- Routes on the Windows host side (Windows route syntax; IF is the interface index, IF31 == VMnet1):
  route change ::/0 fe80::3a22:d6ff:fee5:abcd metric 300
  route change 2001:250:3002:4411::/64 fe80::20c:29ff:fe09:21aa
  route delete 2001:250:3002:4411::/64
  route add ::/0 fe80::20c:29ff:fe09:21aa IF 27