In this series we look at building an internet gateway on Linux that provides restricted access to the networks connecting several company offices, traffic prioritization (QoS), and simple load balancing with channel redundancy between two providers.
This part in particular covers:
- the simplest Shorewall setup
- a very complex dnsmasq setup
- a not-so-complicated OpenVPN setup
- and, unusual for many administrators, dynamic routing, using OSPF as the example
The second part will cover:
- a more detailed Shorewall setup
- the scary, never fully understood QoS
- load balancing and redundancy
The third part:
- QoS in Shorewall
- a more detailed Shorewall setup
- spreading traffic across channels by protocol
- (this item is unreadable in the source text)
The fourth part:
- automatic events
- (this item is unreadable in the source text)
Everything described below applies to CentOS 7.1 (in general it also works on the 6.x branch, with minor differences).
We start from the following:
- LAN of the first branch: 172.16.0.0/23
- OpenVPN subnet of the first branch: 172.16.3.0/25
- the second branch: 172.16.8.0/23 and 172.16.11.0/25 respectively
In general, my IP plan reserves a /21 network from the 172.16.0.0/12 range for each branch; each /21 is then cut into subnets for the various needs (details in the next article).
The simplest Shorewall setup
For those who have never heard of it: Shorewall is a front-end for the iptables utility, which configures Netfilter in the Linux kernel. iptables itself is not that complicated, but as a gateway's configuration grows, understanding the pile of iptables commands behind it becomes anything but easy.
This is where various home-grown scripts, or not-so-home-grown systems like Shorewall, come to the rescue.
In Shorewall everything revolves around the concept of zones. Hosts belong to a zone, either through the interface they sit behind or by listing networks and/or individual addresses directly.
Let's look at the zones file:
```
#
# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE      OPTIONS       IN              OUT
#                               OPTIONS         OPTIONS
fw      firewall
red     ipv4
grn     ipv4
tun     ipv4
```
Here, besides the special zone fw, which represents the gateway itself, we define three zones (of type ipv4):
- red: the internet zone
- grn: the LAN zone
- tun: the tunnel zone
Now it is time to place interfaces into these zones (individual hosts are not used for now), but first a few changes to the params file:
params
```
#
# Shorewall -- /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
#       NET_IF=eth0
#       NET_BCAST=130.252.100.255
#       NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
#       net     $NET_IF         $NET_BCAST      $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
#       net     eth0            130.252.100.255 routefilter,norfc1918
#
###############################################################################
IF_RED1=eth0
IF_GRN=eth1
NET_GRN=172.16.0.0/23
IF_TUN=tap+
#LAST LINE -- DO NOT REMOVE
In this file you can define variables that are used later in the other files; they make the configuration more portable between systems. Here we registered the physical interfaces and the branch's local subnet. Note the tap+ mask, which matches the tapX interfaces.
And now the interfaces file:
interfaces
```
#
# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
red     $IF_RED1        dhcp,routeback,optional
grn     $IF_GRN         dhcp,routeback,optional
tun     $IF_TUN         dhcp,routeback,optional
```
Nothing complicated here. The options mean:
- dhcp: DHCP runs on this interface (both client and server)
- routeback: will come in handy later; it lets replies go back out through the same interface the request arrived on
- optional: the interface does not have to be up; Shorewall starts fine even if it cannot find the interface
We also make a few changes to shorewall.conf. The file is very large, so only the changed values are shown:
shorewall.conf
```
###############################################################################
#
#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
#                       S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
BLACKLIST="ALL"
CLAMPMSS=Yes
IP_FORWARDING=Yes
################################################################################
#                       P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=14
PROVIDER_BITS=8
PROVIDER_OFFSET=16
MASK_BITS=16
ZONE_BITS=0
```
All parameters are self-explanatory; the packet mark layout section will be explained in the next part. BLACKLIST sets which types of packets (ALL) will later be blocked for blacklisted addresses.
Now the default policies:
policy
```
#
# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
#                       LEVEL   BURST           MASK
$FW     all     ACCEPT
grn     all     ACCEPT
red     all     DROP
tun     grn     ACCEPT
tun     red     REJECT
tun     $FW     ACCEPT
```
The keywords mean:
- ACCEPT: accept the packet (including forwarding it)
- REJECT: drop the packet, but notify the sender that it was not delivered
- DROP: drop the packet silently, telling nobody anything
Further parameters can be given after the third column; one of them enables logging for the policy (which makes sense for DROP and REJECT, while for ACCEPT it would only flood the log).
The policies configured here are basic and not suitable for a serious deployment (they correspond to the configuration of most home routers), but they are enough for a start.
What remains is masquerading (which would not be needed in the IPv6 era):
masq
```
#
# Shorewall -- /etc/shorewall/masq
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###################################################################################################################################
#INTERFACE:DEST SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL        PROBABILITY
#                                                                               GROUP           DEST
$IF_RED1        $NET_GRN
```
Obviously, everything leaving network $NET_GRN through interface $IF_RED1 must be masqueraded. The third column, ADDRESS, is used for SNAT.
To keep the firewall rules in sync when an interface is brought up or down, a small NetworkManager dispatcher script enables or disables the interface in Shorewall:
/etc/NetworkManager/dispatcher.d/30-shorewall.sh
```bash
#!/bin/bash
IF=$1       # interface name, passed by NetworkManager
STATUS=$2   # action: "up" or "down"

case "$STATUS" in
  up)
    # interface came up: let Shorewall start using it
    shorewall enable "$IF"
    shorewall6 enable "$IF"
    ;;
  down)
    # interface went down: remove its rules
    shorewall disable "$IF"
    shorewall6 disable "$IF"
    ;;
esac
```
After running "systemctl enable shorewall.service && systemctl restart shorewall.service" the firewall configuration is applied. It works (almost): we are still missing a caching DNS and a DHCP server (well, or you configure every client machine by hand).
The simplest dnsmasq setup
This service does its job very well, a /23 network is no problem for it, and thanks to its simple yet flexible configuration it suits our situation perfectly.
The configuration file is large, so it is shown in abbreviated form:
/etc/dnsmasq.conf
```
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth1

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#      as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#      domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=domain.local

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
dhcp-range=172.16.0.50,172.16.0.150,255.255.254.0,12h

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative
```
I don't think anything needs explaining here: we set the interface on which DNS and DHCP requests are served, the range of addresses handed out, the parameters passed to clients via DHCP, and the authoritative mode.
After "systemctl enable dnsmasq.service && systemctl restart dnsmasq.service", internal clients get internet access (as soon as they obtain a DHCP lease).
Configuring OpenVPN
I don't think this part is hard for anyone, but here are the steps:
- install the packages from EPEL: openvpn easy-rsa
- copy the folder from /usr/share/easy-rsa to /etc/openvpn and rename it to easy-rsa
- change to /etc/openvpn/easy-rsa and edit the vars file as needed
- run the following (greetings to the Gentoo folks: installing Gentoo with a single command is possible after all!):
```
. ./vars && ./clean-all && ./build-dh && openvpn --genkey --secret ./keys/ta.key && ./build-ca && ./build-key-server server
```
We need the server configuration file:
/etc/openvpn/inter-lan.conf
```
port 1194
proto udp
topology subnet
dev tap0
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key
dh ./easy-rsa/keys/dh1024.pem
client-config-dir ./ccd/inter-lan/
client-to-client
keepalive 10 120
tls-server
tls-auth ./easy-rsa/keys/ta.key 0
cipher AES-256-OFB
comp-lzo no
auth SHA256
status /var/run/openvpn/inter-lan.status
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
mode server
push "topology subnet"
ifconfig 172.16.3.1 255.255.255.128
ifconfig-pool 172.16.3.2 172.16.3.126 255.255.255.128
ifconfig-pool-persist /var/run/openvpn/inter-lan.db 3600
verb 1
```
A file with the default parameters pushed to OpenVPN clients:
/etc/openvpn/ccd/inter-lan/DEFAULT
```
push "comp-lzo no"
```
The client configuration template:
/etc/openvpn/easy-rsa/templates/inter-lan.conf
```
client
port 1194
dev tap4
proto udp
remote < > 1194
tls-client
ns-cert-type server
cipher AES-256-OFB
auth SHA256
verb 1
comp-lzo no
<ca>
-----CERTIFICATE-CA-----
</ca>
<cert>
-----CERTIFICATE-----
</cert>
<key>
-----KEY-----
</key>
key-direction 1
<tls-auth>
-----TLS-----
</tls-auth>
```
And an auxiliary self-written script that fills the template placeholders with the CA certificate, the client certificate and key, and the tls-auth key:
/etc/openvpn/easy-rsa/build-ovpn.sh
```bash
#!/bin/bash
# $1 - client name; $2 - optional "-r": generate the client key pair first
[ "$2" == "-r" ] && ./build-key "$1"
CWD=$(pwd)
RUN=$(dirname "$0")
cd "$RUN"
mkdir -p "../ovpn/$1"
# one .ovpn per template; each sed replaces a placeholder line with the contents of a key file
for i in $(ls -1 ./templates/); do
  TEMPLATE=$(basename "$i" .conf)
  sed -e '/-----CERTIFICATE-CA-----/{r /etc/openvpn/easy-rsa/keys/ca.crt' -e 'd}' ./templates/${TEMPLATE}.conf | \
  sed -e '/-----CERTIFICATE-----/{r /etc/openvpn/easy-rsa/keys/'"$1.crt"'' -e 'd}' | \
  sed -e '/-----KEY-----/{r /etc/openvpn/easy-rsa/keys/'"$1.key"'' -e 'd}' | \
  sed -e '/-----TLS-----/{r /etc/openvpn/easy-rsa/keys/ta.key' -e 'd}' > "../ovpn/$1/${TEMPLATE}-$1.ovpn"
done
cd "$CWD"
```
We use tap-type interfaces because with tun the routing is handled by OpenVPN itself and every network behind a client has to be declared with an iroute directive. And sadly, as soon as there is a server behind the client that needs a route, that route has to be registered explicitly in the ccd file with iroute in addition to the ordinary route, which is an unnecessary complication (more on this in the OSPF section).
Now generate the client configuration:
```
./build-ovpn.sh <client name> -r
```
Create the ccd file for the client:
/etc/openvpn/ccd/inter-lan/<client name>
```
# (nothing specific yet :), the settings from DEFAULT apply)
```
After that, the file /etc/openvpn/ovpn/<clientname>/<clientname>.ovpn has to be copied to the client machine (the remote gateway) and placed in /etc/openvpn/ with the extension ".conf".
Start openvpn on the client and on the server:
```
systemctl enable openvpn@<conf name>.service && systemctl start openvpn@<conf name>.service
```
And the result: it only works on the server side, the client cannot connect! The catch is, of course, that our policy does not allow any connections from the internet (the red zone)!
Add an allow rule to the rules file:
/etc/shorewall/rules
```
#
# Shorewall -- /etc/shorewall/rules
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       PORT(S) PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# we use the OpenVPN macro from /usr/share/shorewall/macro.OpenVPN
# (a copy placed in /etc/shorewall takes precedence if it needs changes)
OpenVPN(ACCEPT) red             $FW
# the same rule written out explicitly would be:
#ACCEPT         red             $FW             udp     1194
```
Run "shorewall restart" and check that the client connects successfully.
Let's ping the client IP issued by OpenVPN: all OK. Now ping the network behind the client (172.16.8.0/23) through the tunnel: no reply, because there is no route to that network. OSPF will provide those routes.
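To see how the zones, policy and rules files above combine, here is an added example (not code from the article or from Shorewall) that evaluates the article's policies and its single OpenVPN rule for a few constructed connections; it also shows why the OSPF traffic of the next section needs no extra rule, since the tun to $FW ACCEPT policy already covers it. The interface-to-zone mapping, the simplified lookup order (rules before policies for NEW connections) and the sample connections are my own modelling assumptions.

```python
# Minimal model of the zones, policy and rules files used in this article.
# Added illustration, not code from the article or from Shorewall; the lookup
# order below is a simplification of what Shorewall compiles into iptables.

# interfaces file: (INTERFACE pattern, ZONE); a trailing "+" is Shorewall's
# wildcard, so "tap+" covers tap0, tap4 and so on.
INTERFACES = [("eth0", "red"), ("eth1", "grn"), ("tap+", "tun")]

# policy file: (SOURCE, DEST, POLICY), in file order; first match wins.
POLICY = [
    ("fw", "all", "ACCEPT"),
    ("grn", "all", "ACCEPT"),
    ("red", "all", "DROP"),
    ("tun", "grn", "ACCEPT"),
    ("tun", "red", "REJECT"),
    ("tun", "fw", "ACCEPT"),
]

# rules file, NEW section: the OpenVPN macro expands to udp/1194.
RULES = [("ACCEPT", "red", "fw", "udp", 1194)]

def zone_of(iface):
    """Interface name -> zone; None stands for the gateway itself ($FW)."""
    if iface is None:
        return "fw"
    for pattern, zone in INTERFACES:
        if iface == pattern or (pattern.endswith("+") and iface.startswith(pattern[:-1])):
            return zone
    raise ValueError(f"{iface} belongs to no zone")

def verdict(in_iface, out_iface, proto, dport, state="NEW"):
    """(action, reason) for a packet entering on in_iface and leaving on
    out_iface (None when the gateway itself is the destination)."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", f"{state} section"          # default for those sections
    src, dst = zone_of(in_iface), zone_of(out_iface)
    for action, rs, rd, rp, rport in RULES:          # explicit rules first
        if (rs, rd, rp, rport) == (src, dst, proto, dport):
            return action, f"rule {rs}->{rd} {rp}/{rport}"
    for ps, pd, action in POLICY:                    # then the policy file
        if ps == src and pd in ("all", dst):
            return action, f"policy {ps}->{pd}"
    raise ValueError(f"no policy for {src}->{dst}")  # Shorewall refuses such a config

def report():
    """Constructed sample connections -> action."""
    cases = {
        "VPN client from the internet (udp/1194)": ("eth0", None, "udp", 1194),
        "SSH from the internet to the gateway": ("eth0", None, "tcp", 22),
        "internet host reaching into the LAN": ("eth0", "eth1", "tcp", 445),
        "remote office reaching a LAN file server": ("tap0", "eth1", "tcp", 445),
        "remote office using our internet uplink": ("tap0", "eth0", "tcp", 80),
        "remote office sending OSPF hellos to us": ("tap0", None, "ospf", None),
    }
    return {name: verdict(*conn)[0] for name, conn in cases.items()}

for name, action in report().items():
    print(f"{action:7} {name}")
```

Note that the REJECT for the uplink case is what the tun to red policy buys us: remote offices can reach the LAN and the gateway, but cannot use this branch's internet connection.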
Configuring the OSPF dynamic routing protocol with Quagga
Dynamic routing, how it works and so on, deserves its own series of long articles; here I will squeeze all of that out and describe just the configuration itself.
I came to OSPF after the company I work for acquired a dozen branches and representative offices, with tunnels not only to us but directly between the individual branches (so that the most active exchanges went directly rather than through the central node). When the number of routes and their configuration started to swell, I built my own bicycle (a script that rebuilt the static route configuration from a prescribed template); the bicycle was beautiful, with octagonal wheels, and after walking beside it for about ten minutes I rode it myself... into a swamp. So I sat down, as I had been meaning to, to learn OSPF and started implementing it.
The quagga package is required. After installing it, copy the sample configuration and start the service:
```
cp /usr/share/doc/quagga-0.99.22.4/ospfd.conf.sample /etc/quagga/ospfd.conf && chown quagga. /etc/quagga/ospfd.conf
systemctl enable ospfd.service && systemctl start ospfd.service
```
Next, an IP address has to be configured on the loopback interface; it will serve as the router ID (and for other purposes that will become clear in later articles).
Add the following lines to the file /etc/sysconfig/network-scripts/ifcfg-lo:
```
IPADDR2=172.16.248.1
NETMASK2=255.255.255.255
```
Bring the interface up again: ifup lo
Next, connect to the ospfd service and configure it:
```
telnet localhost ospfd                                   # password: zebra (from the sample config)
ospfd> enable                                            # enter privileged mode
ospfd# configure terminal                                # enter configuration mode
ospfd(config)# password <password>                       # set the vty password
ospfd(config)# hostname <hostname>                       # set the hostname
ospfd(config)# log syslog                                # log to syslog
ospfd(config)# interface <interface, e.g. tap0>          # the tunnel interface
ospfd(config-if)# ip ospf network point-to-multipoint    # network type suited to a tap tunnel
ospfd(config-if)# exit
ospfd(config)# router ospf                               # the OSPF process
ospfd(config-router)# router-id 172.16.248.1             # router ID: the loopback address
ospfd(config-router)# passive-interface default          # no OSPF on any interface by default
ospfd(config-router)# no passive-interface <interface>   # except the tunnel interface (tap0)
ospfd(config-router)# network 172.16.0.0/12 area 0.0.0.0 # interfaces within the /12 take part in area 0
ospfd(config-router)# write memory                       # save the configuration
```
The resulting configuration file:
/etc/quagga/ospfd.conf
You will notice that this file mirrors the commands entered at the console, except for "ip ospf cost 3", which sets the cost of the interface (this is for the future, when there will be several routes to the same point).
```
!
! Zebra configuration saved from vty
!   2016/01/05 14:20:08
!
hostname ospfd
password zebra
log stdout
log syslog
!
!
!
interface eth0
!
interface eth1
!
interface lo
!
interface tap0
 ip ospf network point-to-multipoint
 ip ospf cost 3
!
router ospf
 ospf router-id 172.16.248.1
 passive-interface default
 no passive-interface tap0
 network 172.16.0.0/12 area 0.0.0.0
!
line vty
!
```
Copy this file to the other gateway (the one connected via OpenVPN), make the appropriate changes there, and you get a working configuration between the two gateways (the ospfd service has to be started on the second gateway as well).
Now the ip route list command shows the following:
```
default via 192.168.10.1 dev eth0 proto static metric 100
172.16.0.0/23 dev eth1 proto kernel scope link src 172.16.0.1 metric 100
172.16.3.0/25 dev tap0 proto kernel scope link src 172.16.3.1
172.16.3.1 dev tap0 proto zebra
172.16.8.0/23 via 172.16.3.2 dev tap0 proto zebra metric 13
172.16.11.1 via 172.16.3.2 dev tap0 proto zebra metric 3
172.16.12.129 via 172.16.3.2 dev tap0 proto zebra metric 3
172.16.248.2 via 172.16.3.2 dev tap0 proto zebra metric 13
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.37 metric 100
192.168.10.1 dev eth0 scope link src 192.168.10.37
```
The routes marked proto zebra were added via OSPF.
Even with only two branches I recommend using dynamic routing: if you do, adding another node to the network becomes trivial.
And of course the proposed OSPF configuration is very primitive; for more complex options, with examples, see the following articles (or read articles by more competent colleagues: honestly, I have not studied OSPF in depth yet).