操作系统:CentOS 6.2(注意:CentOS 6 已于 2020 年 11 月停止维护,不再发布安全更新;下文步骤以该版本为准,生产环境请使用仍在维护的发行版)

外网IP:192.168.101.168(示例值;192.168.0.0/16 是私有地址段,实际部署时请换成服务器外网接口上真正绑定的地址,下文 SNAT 规则里的 --to-source 必须与之一致)


部署操作:

1、检查系统内核是否支持MPPE补丁

# modprobe ppp-compress-18 && echo ok


# 显示ok则系统内核已包含MPPE模块(ppp_mppe,ppp-compress-18 是它的模块别名),CentOS 6 的官方内核一般自带;如确实不支持,需先安装kernel-devel 以获得编译内核模块所需的头文件,再自行编译安装 ppp_mppe——仅安装 kernel-devel 本身并不会让上面的检查通过

# yum install kernel-devel


2、检查系统是否开启TUN/TAP支持

# cat /dev/net/tun


# 如果显示以下信息,则表明通过

cat: /dev/net/tun: File descriptor in bad state


3、检查系统是否开启ppp支持

# cat /dev/ppp


# 如果显示以下信息,则表明通过

cat: /dev/ppp: No such device or address


# 注意:上面三条必须同时满足,否则不能安装pptp VPN。


4、安装pptp依赖包ppp

# yum install ppp


5、安装pptpd

# 也可以直接使用EPEL源:推荐先 `yum install epel-release` 再 `yum install pptpd`,这样 yum 会用已导入的 EPEL GPG 公钥校验包签名;如像下面这样直接用 HTTP URL 安装单个 rpm,请确认对本地/URL 包的 gpgcheck 已生效(或先 `rpm --import` EPEL 公钥并用 `rpm -K` 校验),否则传输途中被替换的包无法被发现

# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/pptpd-1.4.0-3.el6.x86_64.rpm


6、配置pptp

# 安全提示:下面 refuse-pap/refuse-chap/refuse-mschap + require-mschap-v2 + require-mppe-128 已经是 PPTP 能提供的最强组合,但 MS-CHAPv2 握手可以被离线破解(工作量相当于一次 DES 密钥穷举),MPPE 会话密钥又由同一个口令哈希派生,因此被抓包的会话是可以被解密的。PPTP 只适合作为非敏感流量的隧道,需要保密性时请改用 IPsec/IKEv2 或 OpenVPN。

# vim /etc/ppp/options.pptpd

# /etc/ppp/options.pptpd -- pppd options applied to every PPTP session
# (referenced by the `option` line in /etc/pptpd.conf).
# NOTE(review): refuse-pap/chap/mschap + require-mschap-v2 + require-mppe-128 is
# the strongest combination PPTP offers, but the MS-CHAPv2 exchange can be
# recovered offline (the work is bounded by a single DES key search) and the
# MPPE session keys derive from the same NT password hash, so a captured
# session can be decrypted. Do not rely on this tunnel for confidentiality.

# Server name; must match the "server" column of /etc/ppp/chap-secrets.
name pptpd

# Per pppd(8), refuse-* means pppd will not authenticate *itself* to the peer
# with that method; what constrains the client is require-mschap-v2 below.
refuse-pap

refuse-chap

refuse-mschap

# Require the peer (the dial-in client) to authenticate with MS-CHAPv2 ...
require-mschap-v2

# ... and require the link to negotiate 128-bit MPPE (needs the MPPE kernel
# module probed in step 1).
require-mppe-128

# DNS servers pushed to clients during IPCP negotiation.
ms-dns 202.96.128.166

ms-dns 114.114.114.114

# Create a UUCP-style lock file for the device in use.
lock

# Disable BSD-Compress and Van Jacobson TCP/IP header compression.
nobsdcomp

novj

novjccomp

# Do not write log messages to a file descriptor; logging goes to syslog only.
nologfd


# vim /etc/pptpd.conf

# /etc/pptpd.conf -- pptpd daemon configuration.

# pppd options file used for every session.
option /etc/ppp/options.pptpd

# Record each session in wtmp (visible with `last`).
logwtmp

# Server-side addresses of the ppp links (with a range, a distinct address per session).
localip 10.0.0.1-100                        # VPN server-side address for each dial-in session

# Address pool handed out to dial-in clients ("*" in chap-secrets picks from it).
# Must be covered by the -s 10.0.0.0/24 used in the SNAT and TCPMSS rules below.
remoteip 10.0.0.101-200                # VPN client address pool (dynamically assigned)


# vim /etc/ppp/chap-secrets

# /etc/ppp/chap-secrets -- PPTP user database read by pppd for MS-CHAPv2.
# Secrets are stored in PLAINTEXT: keep this file root-owned with mode 0600
# and out of backups or repositories that others can read.
# The "server" column must match `name pptpd` in options.pptpd.
# "123456" below is a placeholder -- use long, random, per-user secrets.
# Note that MS-CHAPv2 itself is known-weak regardless of password strength.
# client-username            server        secret            "*" = assign an IP from the remoteip pool

# client                      server         secret            IP addresses

test1@redhat.com        pptpd        123456            *

test2@redhat.com        pptpd        123456            *


7、开启服务器系统路由模式,支持包转发

# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

# /sbin/sysctl -p


# 注意:遇到以下错误

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key

error: "net.bridge.bridge-nf-call-iptables" is an unknown key

error: "net.bridge.bridge-nf-call-arptables" is an unknown key

# 解决方法

# modprobe bridge

# lsmod | grep bridge


8、启动pptpd

# service pptpd start

# chkconfig pptpd on


9、开启1723防火墙端口并设置防火墙相应规则(GRE 没有端口,下面 `-p gre` 的 ESTABLISHED 匹配依赖 PPTP 连接跟踪辅助模块把 GRE 关联到 1723 端口的 TCP 控制连接;若客户端能连上 1723 但随后拨号超时,请用 `modprobe nf_conntrack_pptp` 确认 nf_conntrack_pptp/nf_conntrack_proto_gre 已加载,并确认后面那条 `-m state --state ESTABLISHED,RELATED` 的 INPUT 规则已生效)

# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 1723 -j ACCEPT

# iptables -A INPUT -p gre -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 1723 -j ACCEPT

# iptables -A OUTPUT -p gre -m state --state NEW,ESTABLISHED -j ACCEPT


# 开启转发(SNAT)规则和 MSS 钳制规则:`-s 10.0.0.0/24` 必须覆盖上面 remoteip 分配的地址池;`--to-source` 填服务器实际外网地址,若外网地址是动态获取的,请改用 `-j MASQUERADE`;MSS 固定为 1356 只是一个经验值,也可以改用 `--clamp-mss-to-pmtu` 让内核按路径 MTU 自动计算

# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.101.168

# iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356


# 开启ssh、icmp、loopback(下面 22 端口对所有来源开放;若管理来源固定,建议在该条规则上加 `-s 管理网段` 限制)

# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT

# iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT


# 开启服务器自身访问 web 和 DNS 的出站规则(yum 和上面的 rpm 下载都依赖这里放行的 80/443 和 53)。注意下面 `-I OUTPUT 5` 是按固定位置插入,只有上面各条规则严格按本文顺序执行时才落在预期位置;由于 OUTPUT 链里全是 ACCEPT 规则、只有默认策略是 DROP,规则先后顺序并不影响结果,直接用 `-A OUTPUT` 追加更稳妥

# iptables -I OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 80,443 -j ACCEPT

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -I OUTPUT 5 -p udp --dport 53 -j ACCEPT


# 修改INPUT和OUTPUT链默认策略为DROP(务必在上面的放行规则——尤其是 22 端口那条——全部添加成功之后再执行,否则当前远程 SSH 会话会被切断)。FORWARD 链保持 ACCEPT 意味着 ip_forward 打开后服务器会不加限制地在所有接口之间转发,VPN 客户端也能访问服务器直连的 192.168.101.0/24 网段;若不希望如此,请把 FORWARD 默认策略同样设为 DROP,只放行 `-i ppp+` 出去的流量和 `-o ppp+` 且 `-m state --state ESTABLISHED,RELATED` 的回包

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD ACCEPT


# 保存iptables规则(`service iptables save` 把当前规则写入 /etc/sysconfig/iptables,开机由 iptables 服务加载,请同时确认 `chkconfig iptables on`;这一步并不重启 iptables,如需重新加载规则用 `service iptables restart`)

# service iptables save


10、设置开机自动建立ppp设备节点(系统重新启动后有可能会丢失此文件,导致pptp客户端拨号出现错误619)

vim /etc/rc.d/rc.local

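# Create the ppp device node only when it is missing: on boots where udev has
# already created it, an unconditional mknod fails with "File exists".
# 'c' = character device, major 108 / minor 0 = the ppp_generic device.
[ -c /dev/ppp ] || mknod /dev/ppp c 108 0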