修改时间
01-23-2020
09:06 PM
- 上次编辑时间
04-13-2021
11:40 PM
编辑者
asen_asenov
本帖最后由 zylccna2015 于 2020-1-24 13:19 编辑
! Enable AAA; PPP (L2TP dial-in) logins use the "default" list, which checks
! the router's local username database.
! NOTE(review): the only local account shown on this page is the privilege-15
! "root" user, so the same credential appears to serve as both router admin
! and VPN login. Consider a separate low-privilege username for VPN users.
aaa new-model
aaa authentication ppp default local
!
! NOTE(review): "password 7" is reversible obfuscation, not a hash, so the
! string below should be treated as a disclosed password and rotated.
! Prefer "username <name> secret <password>" so only a one-way hash is stored.
username root privilege 15 password 7 097D5FD4C434C47525FD507B
!
! Dynamic-DNS update method named "3322", sent as an HTTP request.
! NOTE(review): the update URL carries the account name and password inline
! and uses plain http://, so the credential crosses the WAN in cleartext.
! Use an https:// update URL if the provider and this IOS release support it,
! and use a credential that is dedicated to DDNS updates.
ip ddns update method 3322
HTTP
add http://kagamigawa:************@<s>/nic/update?system=dyndns&hostname=&myip=<a>
! Both intervals are "0 0 1 0" (presumably days hours minutes seconds, i.e.
! one minute; confirm against the command reference).
interval maximum 0 0 1 0
interval minimum 0 0 1 0
!
! Address pool for L2TP clients: 192.168.1.0/24, with 192.168.1.1 given as
! both default router and DNS server.
ip dhcp pool l2tp-pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
! Accept incoming L2TP sessions and clone them from Virtual-Template1.
vpdn enable
vpdn-group l2tpv2
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
! NOTE(review): L2TP tunnel-level shared-secret authentication is turned off,
! so protection of the tunnel rests entirely on the IPsec policy and on PPP
! user authentication configured elsewhere on this page.
no l2tp tunnel authentication
!
! IKEv1 (ISAKMP) phase-1 policy: AES-256, MD5, pre-shared key, DH group 14.
crypto isakmp policy 1
encr aes 256
! NOTE(review): MD5 is deprecated for IKE integrity; use "hash sha" or a
! SHA-2 option such as "hash sha256", as strong as the VPN clients allow.
hash md5
authentication pre-share
group 14
! NOTE(review): address 0.0.0.0 is a wildcard peer, so this pre-shared key is
! accepted from any source address. That is usual for roaming clients, but it
! makes the key the only phase-1 gate: use a long random value and rotate it.
crypto isakmp key ***** address 0.0.0.0
! NOTE(review): 3DES is deprecated; prefer an AES transform (for example
! "esp-aes 256 esp-sha-hmac") if the clients can negotiate it.
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
! Transport mode: IPsec protects the L2TP packets between client and router.
mode transport
! Dynamic map so that peers with unknown addresses can connect.
crypto dynamic-map l2tp 1
set transform-set l2tp
crypto map l2tp 1 ipsec-isakmp dynamic l2tp
! NOTE(review): the "#" line below is not IOS comment syntax ("!" is);
! leave it out when pasting this configuration.
#
! WAN dialer: NBAR discovery, QoS policies, the L2TP/IPsec crypto map and
! the DDNS hostname binding.
! NOTE(review): no inbound access-list is applied to this interface on this
! page; confirm that only the VPN ports and intended services are reachable
! from the Internet.
interface dialer 1
ip nbar protocol-discovery
crypto map l2tp
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
! NOTE(review): "crypto map l2tp" is already applied above; this repeat is
! redundant.
crypto map l2tp
ip ddns update hostname kagamigawa.f3322.net
ip ddns update 3322 host members.3322.net
!
! Template cloned for each L2TP session; clients get addresses from l2tp-pool
! and are NATed as "inside" hosts.
interface Virtual-Template1
ip address 192.168.1.1 255.255.255.0
ip nat inside
peer default ip address dhcp-pool l2tp-pool
! NOTE(review): this list lets a client negotiate PAP (password sent in clear
! inside the tunnel) and MS-CHAP v1. Restrict it to the strongest method the
! clients support, for example "ppp authentication ms-chap-v2".
ppp authentication chap eap ms-chap ms-chap-v2 pap
! "end" leaves configuration mode; the lines that follow on this page need
! configuration mode to be entered again.
end
! QoS classification. Each traffic class has two class-maps:
!   *-NBAR  matches NBAR protocol attributes (traffic-class plus
!           business-relevance business-relevant)
!   *-DSCP  matches one DSCP value
! WEBUI-SCAVENGER-NBAR is the exception: it matches only
! business-relevance business-irrelevant.
! DSCP values used below: ef voice, cs5 broadcast video, cs4 real-time
! interactive, af41 multimedia conferencing, af31 multimedia streaming,
! cs3 signaling, cs6 network control, cs2 network management,
! af21 transactional data, af11 bulk data, cs1 scavenger.
! The policy-maps WEBUI-MARKING-IN and WEBUI-QUEUING-OUT that are applied to
! the interfaces are not shown on this page.
! NOTE(review): the WEBUI- prefix suggests these were generated by the
! device's web UI; confirm before editing them by hand.
ip nbar http-services
!
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
match dscp af41
class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
match protocol attribute traffic-class broadcast-video
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-NBAR
match protocol attribute traffic-class voip-telephony
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-BULK_DATA-NBAR
match protocol attribute traffic-class bulk-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-NBAR
match protocol attribute traffic-class signaling
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_CONTROL-DSCP
match dscp cs6
class-map match-all WEBUI-SCAVENGER-NBAR
match protocol attribute business-relevance business-irrelevant
class-map match-all WEBUI-SCAVENGER-DSCP
match dscp cs1
class-map match-all WEBUI-NETWORK_CONTROL-NBAR
match protocol attribute traffic-class network-control
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-DSCP
match dscp cs3
class-map match-all WEBUI-BULK_DATA-DSCP
match dscp af11
class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
match dscp cs5
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
match protocol attribute traffic-class multimedia-conferencing
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-DSCP
match dscp ef
class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
match protocol attribute traffic-class ops-admin-mgmt
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
match dscp af31
class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
match protocol attribute traffic-class real-time-interactive
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
match dscp af21
class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
match dscp cs4
class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
match protocol attribute traffic-class transactional-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
match dscp cs2
class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
match protocol attribute traffic-class multimedia-streaming
match protocol attribute business-relevance business-relevant
!
! Router-side DNS: upstream resolvers, local domain name, and the router's
! own DNS server for inside hosts (the guest shell uses 192.168.2.1).
ip name-server 8.8.8.8 8.8.4.4
ip domain name home.lab
! NOTE(review): the usual spelling of this command is "ip domain lookup";
! confirm the hyphenated form is accepted on your release.
ip domain look-up
! NOTE(review): "ip dns server" makes the router answer DNS queries. No
! filter on Dialer1 is shown on this page, so confirm port 53 is not
! reachable from the Internet.
ip dns server
!
! Internal interface that connects the router to the guest shell container.
interface VirtualPortGroup0
ip address 192.168.2.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
no mop enabled
no mop sysid
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
! PAT (overload) on Dialer1 for sources matching ACL 1. The ACL permits all
! of 192.168.0.0/16, which covers every inside subnet used on this page.
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.0.0 0.0.255.255
!
! Guest shell container attached to VirtualPortGroup0, with the router
! (192.168.2.1) as its gateway and DNS server.
app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
! NOTE(review): the guest uses netmask 255.255.0.0 while VirtualPortGroup0
! is 255.255.255.0, so the guest treats all of 192.168.0.0/16 as on-link.
! Confirm the mismatch is intended.
guest-ipaddress 192.168.2.100 netmask 255.255.0.0
app-default-gateway 192.168.2.1 guest-interface 0
name-server0 192.168.2.1
# Enter the guest shell from the router prompt, become root, and install the
# editor, EPEL, systemd SysV compatibility and an updated pip.
Gateway#guestshell
[guestshell@guestshell ~]$ sudo su
[root@guestshell guestshell]#cd /tmp
yum install -y nano
yum install -y epel-release
yum install -y systemd-sysv
pip install --upgrade pip
# NOTE(review): the three downloads below are fetched over plain http:// and
# installed or used as root with no integrity check shown. Before installing,
# compare each file with a known-good SHA-256 from the upstream project
# (sha256sum -c) and check the RPM signature (rpm -K). gfwlist.action becomes
# a privoxy actions file later on this page, so review its contents as well.
pip install http://192.168.0.64/shadowsocks-master.zip -U # get the files from GitHub yourself, or contact me
rpm -i http://192.168.0.64/privoxy-3.0.26-1.el7.x86_64.rpm
wget http://192.168.0.64/gfwlist.action
#==================Configure SS====================
# NOTE(review): the file created below stores the proxy password in
# cleartext; after saving it, restrict access (for example chmod 600, owned
# by the account that runs sslocal).
# NOTE(review): local_address is the guest's routed address, so the SOCKS5
# listener on port 1080 accepts connections from any host that can reach
# 192.168.2.100, and sslocal does not authenticate local clients. Binding to
# 127.0.0.1 is tighter if only privoxy in the same guest uses it (the forward
# target in gfwlist.action, not shown on this page, would have to match).
# NOTE(review): the server address and port are given in full here although
# the curl output further down masks the address; redact consistently when
# publishing a configuration.
mkdir /etc/shadowsocks
nano /etc/shadowsocks/shadowsocks.json
{
"server": "64.64.239.111",
"server_port": 53160,
"local_address": "192.168.2.100",
"local_port": 1080,
"password": "*********",
"method": "**********",
"fast_open": true,
"workers": 1
}
#==============Configure the SS service unit===============
# NOTE(review): the unit below sets no User=, so sslocal runs as root. It
# only needs to read its config file and open port 1080, so run it under an
# unprivileged User= that can read /etc/shadowsocks/shadowsocks.json.
nano /etc/systemd/system/shadowsocks.service
[Unit]
Description=Shadowsocks
[Service]
TimeoutStartSec=0
ExecStart=/usr/bin/sslocal -c /etc/shadowsocks/shadowsocks.json
[Install]
WantedBy=multi-user.target
#
systemctl enable shadowsocks.service
#================Check that the SS service started=============
[root@guestshell tmp]#systemctl start shadowsocks.service
[root@guestshell tmp]#systemctl status -l shadowsocks.service
#
● shadowsocks.service - Shadowsocks
Loaded: loaded (/etc/systemd/system/shadowsocks.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-01-23 19:26:31 UTC; 7h ago
Main PID: 33 (sslocal)
CGroup: /system.slice/libvirtd.service/system.slice/shadowsocks.service
└─33 /usr/bin/python /usr/bin/sslocal -c /etc/shadowsocks/shadowsocks.json
#
# The request below goes through the local SOCKS5 listener; the "origin"
# field in the reply is the address the remote site sees.
[root@guestshell tmp]# curl --socks5 192.168.2.100:1080 http://httpbin.org/ip # test: returns the exit IP
{
"origin": "64.XX.2XX.11X"
}
#===============Configure the privoxy service unit================
# The transcript does not show which file is edited; the status output below
# reports the unit as /etc/systemd/system/privoxy.service.
# "--user privoxy" in ExecStart makes the daemon run as the privoxy account
# rather than root.
[Unit]
Description=Privoxy Web Proxy With Advanced Filtering Capabilities
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
PIDFile=/run/privoxy.pid
ExecStart=/usr/sbin/privoxy --no-daemon --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
[Install]
WantedBy=multi-user.target
#
systemctl enable privoxy.service
#================Check that the privoxy service started=============
[root@guestshell tmp]# systemctl start privoxy
[root@guestshell tmp]# systemctl status privoxy
● privoxy.service - Privoxy Web Proxy With Advanced Filtering Capabilities
Loaded: loaded (/etc/systemd/system/privoxy.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-01-23 19:44:51 UTC; 7h ago
Main PID: 1967 (privoxy)
CGroup: /system.slice/libvirtd.service/system.slice/privoxy.service
└─1967 /usr/sbin/privoxy --no-daemon --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
#================Configure PAC and the HTTP proxy=============
[root@guestshell tmp]# ll
total 76
-rw-r--r-- 1 root root 74726 Jan 23 19:44 gfwlist.action
# Install the downloaded rule file as a privoxy actions file.
cp gfwlist.action /etc/privoxy/
echo 'actionsfile gfwlist.action' >> /etc/privoxy/config
# NOTE(review): listening on 192.168.2.100:8118 exposes an unauthenticated
# HTTP proxy to every host that can reach the guest. Limit who may connect
# (privoxy permit-access lines, or an ACL on VirtualPortGroup0).
echo 'listen-address 192.168.2.100:8118' >> /etc/privoxy/config
#================Configure PROFILE =================
# The two export lines are added to /etc/profile, so login shells in the
# guest send HTTP and HTTPS requests through privoxy.
nano /etc/profile
export http_proxy=http://192.168.2.100:8118
export https_proxy=http://192.168.2.100:8118
#================Restart the service====================
systemctl restart privoxy.service
#================Check that NAT is in effect====================
# Run at the router prompt. Columns are: protocol, inside global, inside
# local, outside local, outside global. Each row is a guest (192.168.2.100)
# connection to the proxy server port, translated to the WAN address.
# NOTE(review): the WAN address and the server address appear unmasked in
# this output; redact them when publishing.
Gateway#sh ip nat translations | inc 192.168.2.100
tcp 49.113.73.239:5696 192.168.2.100:60516 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5674 192.168.2.100:60526 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5689 192.168.2.100:60554 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5688 192.168.2.100:60550 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5665 192.168.2.100:60562 64.64.239.111:53160 64.64.239.111:53160
wuhao0015 发表于 2020-1-24 21:39
你这是啥设备啊 啥IOS。。。
sampsonlor 发表于 2020-8-11 20:20
正打算上旁路由,搜到这篇帖子。问下楼主,我现在用的ISR C1111-4P,跑ios 16.9.5. 2GB的内存,应该也能这 ...
zylccna2015 发表于 2020-8-12 14:34
2个G内存真就不能搞。至少4G CPU还得核心多点 3线程跑转发平面 1个跑控制