Litao OK Blog

A little blog for my life.

Notes from learning Android development

1. The AndroidManifest.xml file

1) Shortening package names

Class names declared under application can be written in shorthand:

<manifest . . . >
    <application . . . >
        <service android:name="com.example.project.SecretService" . . . >
            . . .
        </service>
        . . .
    </application>
</manifest>

This can be shortened: the package name may be omitted, but the leading dot must stay:

<manifest package="com.example.project" . . . >
    <application . . . >
        <service android:name=".SecretService" . . . >
            . . .
        </service>
        . . .
    </application>
</manifest>

2) Intent

To keep your app secure, always use an explicit Intent when starting a Service, and do not declare intent filters for services. Starting a service with an implicit Intent is a security hazard because you cannot be certain which service will respond to the Intent, and the user cannot see which service gets started. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent.

Updating the Ubuntu sources list

First back up the existing sources list:

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

Then replace it with one of the source lists below.

Within China the NetEase mirror is recommended:

deb http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse

European sources:

deb http://archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
## other 
deb http://archive.canonical.com/ubuntu/ trusty partner
deb http://extras.ubuntu.com/ubuntu/ trusty main

Reference documentation:

http://wiki.ubuntu.org.cn/Qref/Source

Setting up your own proxy server on a VPS

How it works

The idea is simple: rent a VPS abroad and set up an HTTP or SOCKS5 proxy on it, then install stunnel on top as an encrypted channel. On a local machine install stunnel as well, using the same certificate as the server, and write a PAC proxy script that says which sites go through the proxy and which do not. Point your computer or phone at that automatic proxy configuration, and from then on you browse through the encrypted tunnel.

1. Get a VPS abroad

Not much to say here; linode.com, oneasiahost.com, digitalocean.com, aws.amazon.com and so on, compare value for money yourself...

2. Set up the proxy services

1) Set up a SOCKS5 proxy

There are many SOCKS5 proxies; the one described here is the fairly simple Python version of shadowsocks, installed directly with the Python tooling:

pip install shadowsocks

If it says pip is missing, install it first:

yum install python-setuptools && easy_install pip
pip install pip --upgrade

Create a configuration file /etc/shadowsocks.json with the following content:

{
    "server":"127.0.0.1",
    "server_port":1080,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"test",
    "timeout":30,
    "method":"rc4-md5"
}

Note that I set the server IP to 127.0.0.1 because clients never reach the VPS directly; the encrypted tunnel set up below is what connects to it, and port 1080 is reserved for that tunnel.

Then start it:

/usr/local/bin/python /usr/local/bin/ssserver -c /etc/shadowsocks.json -d start

2) Set up an HTTP proxy

Here I use squid-3.1.23, which is simple to install and easy to use:

yum install squid

Edit the configuration file /etc/squid/squid.conf; only the parts to change are listed below:

http_access allow localhost
http_port 3128 # can be changed to any port you need; this is the port the stunnel encrypted tunnel below connects to

Then start the service:

/etc/init.d/squid start

3. Set up the stunnel encrypted tunnel

1) Download and extract:

wget http://www.stunnel.org/downloads/stunnel-5.35.tar.gz
tar -zxf stunnel-5.35.tar.gz

2) Build and install:

yum install openssl-devel
cd stunnel-5.35
./configure
make
make install

3) Generate a self-signed certificate

cd /usr/local/etc/stunnel/
openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem
# If it complains that openssl.cnf cannot be found, drop -config openssl.cnf, i.e.:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

4) Edit the configuration files:

HTTP proxy:

/usr/local/etc/stunnel/stunnel-http.conf

cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = stunnel
setgid = stunnel

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
sslVersion = TLSv1
fips=no

#debug = 7
#syslog = no
#output = /var/log/stunnel.log

[sproxy]
accept = 8686
connect = 127.0.0.1:3128

SOCKS5 proxy:

/usr/local/etc/stunnel/stunnel-sockd.conf

cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = stunnel
setgid = stunnel

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
sslVersion = TLSv1
fips=no

#debug = 7
#syslog = no
#output = /var/log/stunnel.log

[sproxy]
accept = 8787
connect = 127.0.0.1:1080

5) Start the two stunnel instances

/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-http.conf
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-sockd.conf

4. Install the stunnel client on the local machine:

1) stunnel is installed the same way as above, except that the stunnel.pem generated on the server must be copied down to the local machine (it holds the private key as well as the certificate, since the openssl command above wrote both into it, so copy it over a secure channel such as scp)

placed in the same location: /usr/local/etc/stunnel/

2) Edit the local configuration:

HTTP proxy encrypted tunnel: /usr/local/etc/stunnel/stunnel-http.conf

cert = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CAfile = /usr/local/etc/stunnel/stunnel.pem
client=yes
compression = zlib
ciphers = AES256-SHA
delay = no
failover = prio
sslVersion = TLSv1
fips = no

setuid = stunnel
setgid = stunnel

debug = 7
syslog = no
output = /var/log/stunnel.log

[sproxy]
accept  = 0.0.0.0:8118
connect = 你的国外VPS的IP:8686

SOCKS5 proxy encrypted tunnel: /usr/local/etc/stunnel/stunnel-sockd.conf

cert = /usr/local/etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CAfile = /usr/local/etc/stunnel/stunnel.pem
client=yes
compression = zlib
ciphers = AES256-SHA
delay = no
failover = prio
sslVersion = TLSv1
fips = no

setuid = stunnel
setgid = stunnel

debug = 7
syslog = no
output = /var/log/stunnel.log

[sproxy]
accept  = 0.0.0.0:8008
connect = 你的国外VPS的IP:8787

Then start them:

/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-http.conf
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel-sockd.conf

5. Set up the PAC file locally:

1) First set up an HTTP server so that computers and phones can fetch the PAC file you configure; here I use nginx.

My local system runs Debian, where installing nginx is straightforward:

apt-get install nginx

Edit the nginx configuration file /etc/nginx/conf.d/default.conf:

server {
    listen   80;

    root /usr/share/nginx/www;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

Restart nginx:

/etc/init.d/nginx restart

2) Create the PAC file

/usr/share/nginx/www/a.pac

Content:

var proxy = "PROXY your_local_ip:8118;SOCKS your_local_ip:8008";
var direct = "DIRECT";
var blocked_domains = [
    ".4shared.com",
    ".9apps.com",
    ".9lessons.info",
    ".akamaihd.net",
    ".amazon.com",
    ".amazonaws.com",
    ".android.com",
    ".appannie.com",
    ".appspot.com",
    ".apkpure.com",
    ".blogspot.com",
    ".blogger.com",
    ".blogblog.com",
    ".blogspot.sg",
    ".cloudfront.net",
    ".cloudinsights.com",
    ".codespot.com",
    ".dailymotion.com",
    ".danielfett.de",
    ".dmcdn.net",
    ".dotabuff.com",
    ".dropbox.com",
    ".dropboxusercontent.com",
    ".facebook.com",
    ".facebook.net",
    ".fastly.net",
    ".fbcdn.net",
    ".findproxyforurl.com",
    ".gdaily.org",
    ".gist.github.com",
    ".gmail.com",
    ".ggpht.com",
    ".golang.org",
    ".goo.gl",
    ".google.com",
    ".google.com.sg",
    ".google.com.hk",
    ".google.com.tw",
    ".google.com.sg",
    ".google.co.in",
    ".google.co.uk",
    ".google.co.jp",
    ".googlesource.com",
    ".googlecode.com",
    ".googleapis.com",
    ".googleusercontent.com",
    ".googlevideo.com",
    ".gstatic.com"
];
function FindProxyForURL(url, host) {
    for (var i = 0; i < blocked_domains.length; ++i) {
        if (dnsDomainIs(host, blocked_domains[i])) {
            return proxy;
        } else if (blocked_domains[i].substr(1) === host) {
            return proxy;
        }
    }
    return direct;
}

Of these, PROXY your_local_ip:8118 alone handles most situations; SOCKS your_local_ip:8008 is optional.

Then configure automatic proxy in the network settings of your phone or computer:

http://your local ip/a.pac

Finally, try it and see whether some blocked sites can be reached; if some still cannot, add their domains to a.pac yourself, keeping the same format.

Building Go 1.5.x on the Raspberry Pi

Reference: http://dave.cheney.net/2015/09/04/building-go-1-5-on-the-raspberry-pi

The method below was tested successfully on my Pi 1 Model B (ARMv6 512MHz, 512M RAM, BCM2708) and Pi 2 Model B (ARMv7 1GHz, 1G RAM).

Step 1: Download the Go 1.4 compiler

Go 1.5's compiler is written in Go itself, so Go 1.4 is needed to build it; a prebuilt binary package can be downloaded directly: http://dave.cheney.net/paste/go-linux-arm-bootstrap-c788a8e.tbz

% cd $HOME
% curl http://dave.cheney.net/paste/go-linux-arm-bootstrap-c788a8e.tbz | tar xj

Step 2: Download the Go 1.5 source package

% cd $HOME
% curl https://storage.googleapis.com/golang/go1.5.src.tar.gz | tar xz

Step 3: Configure the environment and start the build

Building Go 1.5 needs a couple of settings for the build to go through smoothly.

Lower the default stack size from 8MB to 1MB

The runtime tests create many OS threads; at 8MB each they would exceed the 32-bit user-mode address space.

% ulimit -s 1024  # set the thread stack limit to 1mb
% ulimit -s       # check that it worked
1024

Increase the scaling factor to avoid test timeouts

The default scaling factor suits amd64 machines but is too aggressive for 32-bit machines. It can be adjusted with the GO_TEST_TIMEOUT_SCALE variable.

Step 4: Build

% cd $HOME/go/src
% env GO_TEST_TIMEOUT_SCALE=10 GOROOT_BOOTSTRAP=$HOME/go-linux-arm-bootstrap ./all.bash
# Building C bootstrap tool.
cmd/dist

# Building compilers and Go bootstrap tool for host, linux/arm.
lib9
libbio
liblink
...
##### ../test

##### API check
Go version is "go1.5", ignoring -next /home/pi/go/api/next.txt

ALL TESTS PASSED

---
Installed Go for linux/arm in /home/pi/go
Installed commands in /home/pi/go/bin

On our devices the whole build takes a long time, over an hour.

Finally, add $HOME/go to $PATH; the $HOME/go-linux-arm-bootstrap directory can then be removed to save disk space on the Raspberry Pi.

Killing all Linux processes matching a keyword in bulk

Make sure you have permission to kill the processes in question

Generally the same user can, or root, or a user in the same group

Using cut

ps -ef|grep 关键字|grep -v grep|cut -c 9-15|xargs kill

Where:

  • ‘ps -ef’ lists all processes
  • ‘grep 关键字’ filters, keeping only processes related to the keyword
  • ‘grep -v grep’ drops the process whose command line contains 'grep', which is the 'grep 关键字' itself
  • ‘cut -c 9-15’ takes characters 9-15 of each line, i.e. the PID
  • ‘xargs kill’ runs kill on each PID listed

Using awk

ps x|grep 关键字|grep -v grep|awk '{print $1}'|xargs kill
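As an added example (not from the original post), the script below contrasts the column-based cut -c 9-15 with field-based extraction in awk on a constructed ps -ef sample: a long user name or a six-digit PID shifts the columns, and cut then hands a wrong PID to kill. The function names, the sample output and the /opt/app/worker process are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: pick PIDs out of `ps -ef`
# output by field instead of by character column. `cut -c 9-15` only works
# while the PID happens to sit in columns 9-15; a long user name or a PID
# wider than five digits shifts the columns and cut returns garbage, which
# xargs then passes to kill.

# Constructed `ps -ef` output (not from a real host). The third process has a
# ten-character user name and a six-digit PID to show the column shift.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:03 /sbin/init
nginx     4321     1  0 10:02 ?        00:00:00 nginx: worker process
deployuser 123456  1  0 10:05 ?        00:00:10 /opt/app/worker --tag=nginx-reporter
root      5555  4000  0 10:06 pts/0    00:00:00 grep nginx'

# cut_pids KEYWORD: the post's column-based pipeline minus the final kill,
# kept only to show what it produces on the sample.
cut_pids() {
    grep "$1" | grep -v grep | cut -c 9-15
}

# pids_for_keyword KEYWORD: PIDs ($2) of processes whose command line
# (fields 8..NF) contains KEYWORD; the searching grep itself is skipped.
# Reads ps output from stdin: `ps -ef | pids_for_keyword nginx | xargs kill`.
pids_for_keyword() {
    awk -v kw="$1" '
        NR > 1 && $8 != "grep" {
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            if (index(cmd, kw) > 0) print $2
        }'
}

# pids_for_command NAME: stricter match on the program name only (basename of
# field 8), so "worker" does not also hit a process whose arguments mention it.
pids_for_command() {
    awk -v name="$1" '
        NR > 1 {
            n = split($8, parts, "/")
            if (parts[n] == name) print $2
        }'
}

echo "cut -c 9-15 on the sample (second line is garbage):"
printf '%s\n' "$SAMPLE_PS" | cut_pids nginx
echo "awk field extraction:"
printf '%s\n' "$SAMPLE_PS" | pids_for_keyword nginx
echo "exact program name:"
printf '%s\n' "$SAMPLE_PS" | pids_for_command worker
```

Note that the substring match still catches the reporter process whose argument mentions nginx, exactly as the post's grep does; when the program name is known, pids_for_command avoids that.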

Installing the Lua module for Nginx

1 Download and install LuaJIT 2.0

http://luajit.org/download.html

After downloading, enter the directory and run:

make && make install

Add to the environment:

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0

2 Download ngx_devel_kit

http://github.com/simpl/ngx_devel_kit/tags

Extract to:

/root/src/ngx_devel_kit-0.2.19

3 Download nginx_lua_module

http://github.com/chaoslawful/lua-nginx-module/tags

Extract to:

/root/src/lua-nginx-module-0.9.15

4 Download the nginx source

http://nginx.org

Download the stable release and extract to:

/root/src/nginx-1.6.2

Enter the directory to carry out the build.

5 Modify the source

Go into:

/root/src/nginx-1.6.2/src/http/modules

Edit:

ngx_http_static_module.c

Comment out the following block (the check that rejects POST requests to static files):

/*
if (r->method & NGX_HTTP_POST) {
    return NGX_HTTP_NOT_ALLOWED;
}
*/

6 Build

Parameters as follows:

./configure --prefix=/home/server/nginxlua --add-module=/root/src/ngx_devel_kit-0.2.19 --add-module=/root/src/lua-nginx-module-0.9.15
make -j2
make install

Add a symlink:

ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
ldconfig

7 Test whether it works:

Add to the nginx config:

location /hello {
    default_type 'text/plain';
    content_by_lua 'ngx.say("hello, lua")';
}

Visit 127.0.0.1/hello; if "hello, lua" appears, the installation succeeded.

Creating a startup script for a Go application on CentOS

You can adapt the script below:

#!/bin/bash
# revel-app go/revel daemon
# chkconfig: 345 20 80
# description: revel-app daemon
# processname: revel-app

NAME="revel-app"
PIDFILE=/var/run/$NAME.pid

DAEMON_PATH="/opt/revel-app"
DAEMON="/bin/bash run.sh"
DAEMON_OPTS=""

case "$1" in
start)
    printf "%-50s" "Starting $NAME..."
    if [ -f $PIDFILE ]; then
        echo "Already running? (pid=`cat $PIDFILE`)"
    else
        cd $DAEMON_PATH
        PID=`$DAEMON $DAEMON_OPTS > /dev/null 2>&1 & echo $!`
        echo "$PID" > $PIDFILE
        echo "Ok. (pid=$PID)"
    fi
;;
status)
    printf "%-50s" "Checking $NAME..."
    if [ -f $PIDFILE ]; then
        PID=`cat $PIDFILE`
        # kill -0 only tests that the process exists; grepping ps for the bare
        # PID also matched any other PID that happened to contain those digits
        if ! kill -0 $PID 2>/dev/null; then
            printf "%s\n" "Process dead but pidfile exists."
        else
            echo "Running. (pid=$PID)"
        fi
    else
        printf "%s\n" "Service not running."
    fi
;;
stop)
    printf "%-50s" "Stopping $NAME"
    if [ -f $PIDFILE ]; then
        PID=`cat $PIDFILE`
        pkill -9 -P $PID
        printf "%s\n" "Ok."
        rm -f $PIDFILE
    else
        printf "%s\n" "Already stopped? $PIDFILE not found."
    fi
;;
restart)
    $0 stop
    sleep 5
    $0 start
;;
*)
    echo "Usage: $0 {status|start|stop|restart}"
    exit 1
esac

Common Linux commands

1. Viewing process and memory usage

ps axo pid,comm,rss,vsz,sz,size | grep 进程名称
ps axo pid,comm,rss,vsz | grep 进程名称
  • Notes:
    • rss: the part of the process actually resident in physical memory, i.e. the physical memory the process occupies, including shared memory (for example the memory taken by shared libraries)
    • vsz: the process's virtual address space, the size the program might occupy while running; it is usually larger than the actually occupied size (rss)
    • sz: working it out, 27924/4 is exactly 6918; this value is the number of system pages the virtual address space corresponds to (the process may not actually have that many pages allocated). The default page size is 4096B; if the system page size is changed, this value changes accordingly
    • size: the amount of swap the process might request; this value means little until physical memory is exhausted

2. View listening ports

netstat -pnta

3. Count network connections by state with netstat and awk, two ways

netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key,"\t",state[key]}'

ss -ant | awk 'NR>1 {++s[$1]} END {for(k in s) print k,s[k]}'

4. Strip comments and blank lines from a config file

grep -v ^#  redis.conf | grep -v ^$ > redis.conf.new

5. Common iptables settings (CentOS)

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # or: iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -m tcp -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -m tcp -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P INPUT DROP

# List all configured rules with line numbers
iptables -L --line-numbers -n

# Delete one INPUT rule by its line number
iptables -D INPUT 行号

Save:
/etc/init.d/iptables save

6. Firewall configuration against SYN flooding

iptables -N SYN_Flood
iptables -A INPUT -p tcp --syn -j SYN_Flood
iptables -A SYN_Flood -m limit --limit 1000/s --limit-burst 3000 -j RETURN
iptables -A SYN_Flood -j DROP
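The following is an added example, not from the original post, that runs the state-counting awk from item 3 above over a constructed netstat -n sample and adds a check for the condition the SYN_Flood chain here is meant to throttle: a build-up of half-open (SYN_RECV) connections, with a breakdown by source address. The function names, the threshold and the sample addresses (documentation ranges) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise TCP connection
# states from `netstat -n` / `ss -ant` style output and flag a SYN_RECV
# pile-up, the symptom the SYN_Flood chain is meant to limit. Everything
# below runs on the constructed sample rather than a live host.

# Constructed `netstat -n` output: 3 established sessions, 1 TIME_WAIT and
# 5 half-open connections, all from one source.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:1025        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1026        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1027        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1028        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1029        SYN_RECV
tcp6       0      0 ::1:6379                ::1:55000               ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# tcp_state_counts: the post's awk one-liner reading netstat output on stdin,
# sorted so the "STATE COUNT" lines come out in a stable order.
tcp_state_counts() {
    awk '/^tcp/ {++state[$NF]} END {for (k in state) print k, state[k]}' | sort
}

# count_state STATE: number of TCP connections in one state (0 if none).
count_state() {
    awk -v s="$1" '/^tcp/ && $NF == s {n++} END {print n+0}'
}

# syn_recv_alert THRESHOLD: print the count and return 0 when half-open
# connections reach THRESHOLD, return 1 otherwise (usable from a cron check).
syn_recv_alert() {
    n=$(count_state SYN_RECV)
    if [ "$n" -ge "$1" ]; then
        echo "SYN_RECV=$n (threshold $1)"
        return 0
    fi
    return 1
}

# top_syn_sources: foreign addresses (port stripped) ranked by number of
# half-open connections, to see whether the pressure comes from a few hosts.
top_syn_sources() {
    awk '/^tcp/ && $NF == "SYN_RECV" { sub(/:[^:]*$/, "", $5); ++src[$5] }
         END { for (k in src) print src[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_alert 5 || echo "no SYN_RECV alert"
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources
```

On a real host, replace the printf with netstat -n (or ss -ant, which has no Proto column, so the state is in $1 instead of $NF).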

7. Create a user

adduser

8. Free cached memory

echo 1 > /proc/sys/vm/drop_caches

9. Starting certain servers on Mac OS X

1) mysql-server

mysql.server start

2) memcached

/usr/local/bin/memcached -d -m 100  -l 127.0.0.1 -p 11211 -c 256 -P /tmp/memcached.pid

10. Parameters to change when too many connections block SSH login:

Edit /etc/sysctl.conf

net.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_max = 1048576

12. Give a user additional group memberships

usermod -aG coobrowser nginx   # -a appends; plain -G would replace all of nginx's other supplementary groups

Note: this adds user nginx to the coobrowser group, so nginx belongs to the coobrowser group in addition to its original nginx group, letting the nginx user reach the coobrowser group's resources; the coobrowser group's directories must be set to at least 710 and its files to at least 640.
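As an added example, not part of the original post, the script below audits a shared group directory tree against the minimums just described (directories at least 710, files at least 640) and also flags anything writable by other users, which would defeat the purpose of restricting access to a group; it builds a throwaway tree under mktemp to show the report. The function name and the demo tree are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a shared group directory
# for the minimum modes described above (directories at least 710 so group
# members can traverse them, files at least 640 so they can read them) and
# report anything writable by "other". Only find(1), sed(1) and chmod(1) are
# used, so it runs on any Unix.

# audit_group_tree DIR: print one line per offending entry; return 0 when the
# tree is clean, 1 otherwise.
audit_group_tree() {
    # "-perm -MODE" is true when every bit in MODE is set, so "! -perm -710"
    # lists directories missing owner rwx or group x.
    report=$(
        find "$1" -type d ! -perm -710 | sed 's/^/dir below 710: /'
        find "$1" -type f ! -perm -640 | sed 's/^/file below 640: /'
        find "$1" -perm -002           | sed 's/^/other-writable: /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree under a temporary directory.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/ok" "$demo_tree/private"
echo data > "$demo_tree/ok/readable.conf"
echo data > "$demo_tree/ok/secret.key"
chmod 750 "$demo_tree" "$demo_tree/ok"
chmod 640 "$demo_tree/ok/readable.conf"
chmod 600 "$demo_tree/ok/secret.key"   # group cannot read: reported
chmod 700 "$demo_tree/private"         # group cannot enter: reported
audit_group_tree "$demo_tree" || echo "tree needs fixing"
rm -rf "$demo_tree"
```

The check is deliberately about mode bits only; whether the right group owns the entries is a separate question that find -group can answer.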

Installing a PPTP VPN on CentOS 6.x

1. Install PPTPd

By default yum cannot install pptpd directly, only pptp.

First install the yum repository:

rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm

Then install it manually:

yum -y install pptpd

2. Configuration files

  1. File /etc/pptpd.conf

option /etc/ppp/options.pptpd
logwtmp
localip 10.10.20.1
remoteip 10.10.20.100-150
  2. File /etc/ppp/options.pptpd

name pptpd

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128

ms-dns 8.8.8.8
ms-dns 8.8.4.4

proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
  3. File /etc/ppp/chap-secrets

This is the accounts file; note the format:

test    *    testpassword    *

3. Important network settings

The first two steps are simple; often the VPN connects fine after them but cannot reach the internet, which is usually a network settings problem.

  1. Kernel parameters in /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_max = 1048576

After editing, run sysctl -p to apply the changes.

  2. Software firewall settings

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp --syn -s 10.10.20.0/24 -j TCPMSS --set-mss 1356

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.20.0/24 -j SNAT --to-source 106.187.103.132
iptables -P INPUT DROP

/etc/init.d/iptables save
  3. Test the VPN