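A PPPoE connection can be set up successfully with nmcli.
: (In the examples below, I named the PPPoE connection ppp0 and deliberately set it to be dialed manually only when needed;
: the NIC device names are enp1s0f0 for the external side and enp1s0f1 for the internal side.)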
Set the IP of enp1s0f0 to 192.168.0.254
Set the IP of enp1s0f1 to 192.168.1.254
1. Install the packages
- dnf install NetworkManager-ppp -y
- dnf install ppp -y
2. Download the rp-pppoe rpm
Download link
3. Install the rpm
- rpm -ivh rp-pppoe-3.14-7.el8.lux.x86_64.rpm
# nmcli connection edit type pppoe con-name "ppp0"
: ===| nmcli 互動式連線編輯程式 |===
: 新增一項「pppoe」連線
: 輸入「help」或是「?」以取得可用指令。
: 鍵入“print”以顯示所有連接屬性。
: 輸入「describe [<setting>.<prop>]」以取得詳細的內容描述。
: 您可編輯以下設定:connection, pppoe, 802-3-ethernet (ethernet), ppp, 802-1x,
: ethtool, match, ipv4, ipv6, tc, proxy
nmcli> set connection.autoconnect yes
nmcli> set connection.interface-name ppp0
nmcli> set pppoe.parent enp1s0f0
nmcli> set pppoe.username (your account name)
nmcli> set pppoe.password (your connection password)
nmcli> save persistent
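: Although the connection can be dialed successfully, the dial-up still sometimes runs into problems after boot, and another reboot is needed.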
# nmcli connection up ppp0
4. Stop and disable firewalld
- systemctl stop firewalld
- systemctl disable firewalld
5. Mask firewalld
6. Install iptables
- yum install iptables-services
7. Start and enable iptables
- systemctl start iptables
- systemctl enable iptables
8. Check the iptables rules
- iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT icmp -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
- REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
-
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
-
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
9. Flush the rules and set up NAT
- FW_IP="your PPPoE IP"
- EXTERNAL=ppp0
- #EXTERNAL=enp1s0f0
- INTERNAL=enp1s0f1
- iptables -F
- iptables -X
- iptables -Z
- iptables -t nat -F
- iptables -t nat -X
- iptables -t nat -Z
- iptables -t mangle -F
- iptables -t mangle -X
- iptables -t mangle -Z
-
- iptables -P INPUT DROP
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
- iptables -t nat -P PREROUTING ACCEPT
- iptables -t nat -P POSTROUTING ACCEPT
- iptables -t nat -P OUTPUT ACCEPT
-
- echo "1" > /proc/sys/net/ipv4/ip_forward
- modprobe ip_nat_ftp
- modprobe ip_conntrack
- modprobe ip_conntrack_ftp
- modprobe ip_conntrack_irc
-
- iptables -t nat -A POSTROUTING -o $EXTERNAL -s 192.168.1.0/24 -j SNAT --to $FW_IP
-
- iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-
- if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
- echo "1" > /proc/sys/net/ipv4/tcp_syncookies
- fi
10. Finally, add this to the iptables rules
- iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
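Step 9 leaves INPUT at DROP with only ICMP echo-request accepted (no loopback, no established traffic, no SSH) and FORWARD at ACCEPT. The following is an added example, not part of the original post, that generates a tighter ruleset in iptables-restore format for the same interfaces and subnet. It assumes SSH is only needed from the LAN, and it swaps SNAT for MASQUERADE so the changing PPPoE address does not have to be filled in; the function name gen_ruleset is hypothetical.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the PPPoE NAT gateway.
# Assumptions (not from the original post): SSH is allowed from the LAN only,
# and MASQUERADE replaces SNAT so no fixed FW_IP is needed.
gen_ruleset() {
    ext=$1 int=$2 lan=$3
    # Reject empty or unsafe interface names before they reach a rule line.
    for ifc in "$ext" "$int"; do
        case $ifc in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1;;
        esac
    done
    [ "$ext" != "$int" ] || { echo "external and internal must differ" >&2; return 1; }
    # Accept only something shaped like a.b.c.d/len.
    case $lan in
        ''|*[!0-9./]*) echo "bad CIDR: $lan" >&2; return 1;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "bad CIDR: $lan" >&2; return 1;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $int -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -s $lan -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for the interfaces and subnet used in the post.
gen_ruleset ppp0 enp1s0f1 192.168.1.0/24
```

Pipe the output through `iptables-restore --test` to check it before loading it with `iptables-restore`.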
For details, see these articles:
http://www.tshopping.com.tw/thread-264352-1-1.html
http://www.tshopping.com.tw/thread-264354-1-1.html
http://www.tshopping.com.tw/thread-264355-1-1.html