一、环境
系统: CentOS 6.4x64最小化安装
eth0: 192.168.3.254 gw-***
eth1: 172.16.1.254 gw-***
eth0: 172.16.1.1 ***-client
IP: 192.168.3.2 ***-client-win7
二、安装yum源,同步时间
[root@gw-*** ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm Retrieving http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm warning: /var/tmp/rpm-tmp.oks108: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY Preparing... ########################################### [100%] 1:epel-release ########################################### [100%] [root@gw-*** ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo [root@gw-*** ~]# sed -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo [root@gw-*** ~]# yum install ntpdate -y [root@gw-*** ~]# echo "*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null" >/var/spool/cron/root [root@gw-*** ~]# crontab -l */10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null
三、安装mysql和pam和sasl组件
1.安装相关软件包
[root@gw-*** ~]# yum install -y mysql mysql-devel mysql-server [root@gw-*** ~]# yum install -y pam_krb5 pam_mysql pam pam-devel [root@gw-*** ~]# yum install -y cyrus-sasl cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi
2.创建Open×××使用的数据库与表
[root@gw-*** ~]# service mysqld start [root@gw-*** ~]# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> create database ***; Query OK, 1 row affected (0.00 sec) mysql> grant all privileges on ***.* to '***'@'localhost' identified by '***123'; mysql> flush privileges; mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | test | | *** | +--------------------+ 4 rows in set (0.00 sec) mysql> use ***; Database changed mysql> CREATE TABLE ***user ( name char(20) NOT NULL, password char(128) default NULL, active int(10) NOT NULL DEFAULT 1, PRIMARY KEY (name) ); Query OK, 0 rows affected (0.01 sec) mysql> show tables; +---------------+ | Tables_in_*** | +---------------+ | ***user | +---------------+ 1 row in set (0.00 sec)
3.创建测试用户
mysql> insert into ***user (name,password) values('user1',password('123456'));
Query OK, 1 row affected (0.00 sec)
mysql> insert into ***user (name,password) values('user2',password('123456'));
Query OK, 1 row affected (0.00 sec)
mysql> insert into ***user (name,password) values('user3',password('123456'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from ***user;
+-------+-------------------------------------------+--------+
| name | password | active |
+-------+-------------------------------------------+--------+
| user1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 1 |
| user2 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 1 |
| user3 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 1 |
+-------+-------------------------------------------+--------+
3 rows in set (0.00 sec)
4.配置PAM mysql认证模块
[root@gw-*** ~]# cat /etc/pam.d/open*** auth required pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \ table=***user usercolumn=name passwdcolumn=password \ where=active=1 sqllog=0 crypt=2 account required pam_mysql.so user=*** passwd=***123 host=127.0.0.1 db=*** \ table=***user usercolumn=name passwdcolumn=password \ where=active=1 sqllog=0 crypt=2
5.启动saslauthd,并测试pam.d和mysql连接是否正常
[root@gw-*** ~]# /etc/init.d/saslauthd start Starting saslauthd: [ OK ] [root@gw-*** ~]# chkconfig saslauthd on [root@gw-*** 2.0]# testsaslauthd -u user1 -p 123456 -s open*** 0: OK "Success." #这里如果有报错请查看系统日志: /var/log/messages与安全日志: /var/log/secure并解决
6.配置Open×××服务器及客户端配置文件
[root@gw-*** 2.0]# ll /etc/open***/ |grep auth-pam #这里的open***路径是安装完open***后的目录,可以暂时先不管这,把后面配置完,再来回配置这个 -rwxr-xr-x 1 root root 12040 May 29 11:40 open***-auth-pam.so #该文件请使用find / -name open***-auth-pam.so查找路径
四、安装***
[root@gw-*** ~]# yum install openssl openssl-devel lzo -y [root@gw-*** ~]# yum install open*** easy-rsa -y #修改vars文件信息 [root@gw-*** 2.0]# pwd /usr/share/easy-rsa/2.0 [root@gw-*** 2.0]# vim vars #修改下面几项 export KEY_COUNTRY="CN" export KEY_PROVINCE="GUANGDONG" export KEY_CITY="GUANGZHOU" export KEY_ORG="MY COMPANY" export KEY_EMAIL="lyao@weyee.com" #重新加载环境变量 [root@gw-*** 2.0]# source vars #清除所有证书和相关文件 [root@gw-*** 2.0]# ./clean-all #生成新的根证书和根秘钥 [root@gw-*** 2.0]# ./build-ca #整个过程回车即可 Generating a 2048 bit RSA private key .....................................................+++ .........................................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: #这里的信息是我们在上面事先设置的 State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [MY COMPANY CA]: Name [EasyRSA]: Email Address [lyao@weyee.com]:
给服务器端生成证书和秘钥
[root@gw-*** 2.0]# ./build-key-server server Generating a 2048 bit RSA private key .+++ ...........+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [lyao@weyee.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GUANGDONG' localityName :PRINTABLE:'GUANGZHOU' organizationName :PRINTABLE:'MY COMPANY' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'lyao@weyee.com' Certificate is to be certified until May 24 07:01:16 2025 GMT (3650 days) Sign the certificate? [y/n]:y #输入y 1 out of 1 certificate requests certified, commit? [y/n]y #输入y Write out database with 1 new entries Data Base Updated
给***客户端创建证书和秘钥,这里我们给win7-3创建
[root@gw-*** 2.0]# ./build-key win7-3 Generating a 2048 bit RSA private key ..............................+++ .........................................................................................+++ writing new private key to 'win7-3.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [win7-3]: Name [EasyRSA]: Email Address [lyao@weyee.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GUANGDONG' localityName :PRINTABLE:'GUANGZHOU' organizationName :PRINTABLE:'MY COMPANY' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'win7-3' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'lyao@weyee.com' Certificate is to be certified until May 26 02:59:31 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
生成Diffie Hellman文件
#生成过程可能有点慢,等待一会就好 [root@gw-*** 2.0]# ./build-dh #生成ta.key文件(防DDos***、UDP淹没等恶意***) [root@gw-*** 2.0]# open*** --genkey --secret keys/ta.key
操作完成后查看keys路径下的文件
[root@gw-*** 2.0]# pwd /usr/share/easy-rsa/2.0 [root@gw-*** 2.0]# ll keys/ total 88 -rw-r--r-- 1 root root 5604 May 29 10:58 01.pem -rw-r--r-- 1 root root 5483 May 29 10:59 02.pem -rw-r--r-- 1 root root 1801 May 29 10:57 ca.crt -rw------- 1 root root 1708 May 29 10:57 ca.key -rw-r--r-- 1 root root 424 May 29 11:01 dh2048.pem -rw-r--r-- 1 root root 294 May 29 10:59 index.txt -rw-r--r-- 1 root root 21 May 29 10:59 index.txt.attr -rw-r--r-- 1 root root 21 May 29 10:58 index.txt.attr.old -rw-r--r-- 1 root root 147 May 29 10:58 index.txt.old -rw-r--r-- 1 root root 3 May 29 10:59 serial -rw-r--r-- 1 root root 3 May 29 10:58 serial.old -rw-r--r-- 1 root root 5604 May 29 10:58 server.crt -rw-r--r-- 1 root root 1098 May 29 10:58 server.csr -rw------- 1 root root 1704 May 29 10:58 server.key -rw------- 1 root root 636 May 29 11:02 ta.key -rw-r--r-- 1 root root 5483 May 29 10:59 win7-3.crt -rw-r--r-- 1 root root 1098 May 29 10:59 win7-3.csr -rw------- 1 root root 1708 May 29 10:59 win7-3.key
五、创建服务器端配置文件
# 在open***的配置目录下新建一个keys目录
[root@gw-*** 2.0]# mkdir -p /etc/open***/keys
#将open***服务端需要用到的证书和秘钥复制到/etc/open***/keys目录下
[root@gw-*** 2.0]# cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/open***/keys/
[root@gw-*** 2.0]# ll /etc/open***/keys/
total 24
-rw-r--r-- 1 root root 1801 May 29 11:03 ca.crt
-rw-r--r-- 1 root root 424 May 29 11:03 dh2048.pem
-rw-r--r-- 1 root root 5604 May 29 11:03 server.crt
-rw------- 1 root root 1704 May 29 11:03 server.key
-rw------- 1 root root 636 May 29 11:03 ta.key
#复制服务端配置文件到/etc/open***
[root@gw-*** 2.0]# cp /usr/share/doc/open***-2.3.6/sample/sample-config-files/server.conf /etc/open***/
#编辑server.conf文件参数
[root@gw-*** ~]# egrep -v "^#|^$|^;" /etc/open***/server.conf
#open***监听的端口
port 1194
#这里请使用tcp协议,不要使用udp
proto tcp
dev tun
#证书和秘钥的路径,我们放在/etc/open***/keys目录下
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
#这里是默认的虚拟局域网网段,不要和实际网段相同
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#这里因为我的内网是172.16.1.0/24网段的,所以我修改成172.16.1.0网段
push "route 172.16.1.0 255.255.255.0"
#client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
#这是open***的日志文件,默认在/etc/open***/open***.log
status open***-status.log
#启动日志追加
log-append open***.log
plugin ./open***-auth-pam.so open*** #申明open***使用的插件, open***为插件参数,和pam_mysql的service name是一样的
client-cert-not-required #不请求客户的CA证书, 使用用户名/密码验证 (本配置中没指定, 使用双重认证, 证书和密码验证)
#调试级别
verb 4
启动open***服务
#将open***添加到开机自启动 [root@gw-*** 2.0]# chkconfig open*** on [root@gw-*** 2.0]# service open*** start Starting open***: [ OK ] [root@gw-*** 2.0]# netstat -anpt |grep *** tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 2080/open*** [root@gw-*** 2.0]# iptables -I INPUT -p tcp --dport 1194 -j ACCEPT [root@gw-*** 2.0]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
六、客户端测试连接
Open××× 2.3.3 Windows 32位 安装文件:
http://swupdate.open***.org/community/releases/open***-install-2.3.3-I002-i686.exe
Open××× 2.3.3 Windows 64位 安装文件:
http://swupdate.open***.org/community/releases/open***-install-2.3.3-I002-x86_64.exe
将open***服务器上的ca.crt,win7.crt,win7.csr,win7.key,下载到C:\Program Files\Open×××\config目录下
新建客户端配置文件open***3.o***
open***3.o*** 文件内容:
client dev tun # 改为tcp proto tcp remote 192.168.3.254 1194 # Open×××服务器的外网IP和端口 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert win7-3.crt # win7的证书 key win7-3.key # win7的密钥 ns-cert-type server # 去掉前面的注释 #tls-auth ta.key 1 comp-lzo verb 3 auth-user-pass #在客户端配置文件中加入中加入这一行,重新启动客户端连接到*** server时就需要输入用户名和密码了。
最后的验证出现一点问题,通过google查找发现是open***版本不兼容的问题,具体安装可以查看一下链接
http://renzhenxing.blog.51cto.com/728846/1341147
七、配置一台Linux系统做客户端进行测试
这里我们在/etc/open***/server.conf中取出有关pam认证的选项,配置成普通的***服务
[root@gw-*** ~]# vim /etc/open***/server.conf #去除以下2行 plugin ./open***-auth-pam.so open*** client-cert-not-required [root@gw-*** ~]# service open*** restart Shutting down open***: [ OK ] Starting open***: [ OK ]
linux IP:192.168.3.86
这里我们给linux客户端创建证书
[root@gw-*** ~]# cd /usr/share/easy-rsa/2.0/ [root@gw-*** 2.0]# ./build-key linux Generating a 2048 bit RSA private key ..+++ .........................................+++ writing new private key to 'linux.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [linux]: Name [EasyRSA]: Email Address [lyao@weyee.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GUANGDONG' localityName :PRINTABLE:'GUANGZHOU' organizationName :PRINTABLE:'MY COMPANY' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'linux' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'lyao@weyee.com' Certificate is to be certified until May 26 06:21:08 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@gw-*** 2.0]# ll keys/ |grep linux -rw-r--r-- 1 root root 5482 May 29 14:21 linux.crt -rw-r--r-- 1 root root 1094 May 29 14:21 linux.csr -rw------- 1 root root 1704 May 29 14:21 linux.key
客户端安装open***
[root@***-client-linux ~]# yum install openssl openssl-devel lzo -y [root@***-client-linux ~]# yum install open*** easy-rsa -y
将客户端的证书和秘钥复制到客户端去
[root@gw-*** 2.0]# scp keys/linux.* 192.168.3.86:/root [root@gw-*** 2.0]# scp keys/ca.crt 192.168.3.86:/root #配置客户端的client.conf文件 [root@gw-*** 2.0]# cp /usr/share/doc/open***-2.3.6/sample/sample-config-files/client.conf ~ [root@gw-*** ~]# egrep -v "^#|^$|^;" client.conf client dev tun proto tcp remote 192.168.3.254 1194 #填写*** server的IP地址 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert linux.crt #key的名称 key linux.key remote-cert-tls server comp-lzo verb 3 #将client.conf复制到客户端去 [root@gw-*** ~]# scp client.conf 192.168.3.86:/root
在客户端上将复制过来的证书和配置文件放到/etc/open***目录下
[root@***-client-linux ~]# cp linux.* /etc/open***/ [root@***-client-linux ~]# cp ca.crt /etc/open***/ [root@***-client-linux ~]# cp client.conf /etc/open***/ #启动***服务 [root@***-client-linux open***]# service open*** start Starting open***: [ OK ] [root@***-client-linux open***]# netstat -anpt |grep *** tcp 0 0 192.168.3.86:48187 192.168.3.254:1194 ESTABLISHED 1661/open*** [root@***-client-linux open***]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:c2:2d:e1 brd ff:ff:ff:ff:ff:ff inet 192.168.3.86/24 brd 192.168.3.255 scope global eth0 inet6 fe80::20c:29ff:fec2:2de1/64 scope link valid_lft forever preferred_lft forever 3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/[65534] inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0 #测试连通性 [root@***-client-linux open***]# ping 172.16.1.254 PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data. 64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=2.74 ms 64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=1.36 ms ^C --- 172.16.1.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1148ms rtt min/avg/max/mdev = 1.360/2.054/2.748/0.694 ms [root@***-client-linux open***]# ping 172.16.1.1 PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data. From 10.8.0.1 icmp_seq=1 Destination Host Prohibited From 10.8.0.1 icmp_seq=2 Destination Host Prohibited From 10.8.0.1 icmp_seq=3 Destination Host Prohibited ^C --- 172.16.1.1 ping statistics --- 3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2069ms #从结果我们能看出,linux客户端已经连接到***-server上,但是应为***-server没有配置NAT规则,还不能ping通内网服务器
在***-server配置一条NAT规则
#配置SNAT [root@gw-*** ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 172.16.1.254 #在filter中默认有一条拒绝路由转发请求的规则,需要清除掉 [root@gw-*** ~]# iptables -t filter -F FORWARD [root@gw-*** ~]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@gw-*** ~]# iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:172.16.1.254 Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@gw-*** ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] #查看路由转发是否开始,编辑文件/etc/sysconfig/ [root@gw-*** ~]# sysctl -p net.ipv4.ip_forward = 1 #确保此项是1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296
再次测试linux客户端和内网的连通性
[root@***-client-linux open***]# ping 172.16.1.1 PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data. 64 bytes from 172.16.1.1: icmp_seq=1 ttl=63 time=3.86 ms 64 bytes from 172.16.1.1: icmp_seq=2 ttl=63 time=1.49 ms ^C --- 172.16.1.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1929ms rtt min/avg/max/mdev = 1.496/2.678/3.861/1.183 ms
到此linux--linux的***配置完成
转载于:https://blog.51cto.com/ly36843/1656276
864
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
