authorlijia <[email protected]>2021-08-13 10:53:20 +0800
committerlijia <[email protected]>2021-08-13 10:53:20 +0800
commitdc7daf192953cb88ff7863560c6e94c09d0a3232 (patch)
tree733492f8f793bddec9ca089cf6bfeeef2beb7a81
parent0860100f1f94dfc20b72d9f9e44f6eb32c7fb7e1 (diff)
更新natgw.service iptablesdevelop
-rw-r--r--deploy_env/group_vars/all.yml11
-rw-r--r--roles/natgw/templates/monit_natgw.j229
-rw-r--r--roles/natgw/templates/natgw.conf.j28
-rw-r--r--roles/natgw/templates/natgw.service.j26
4 files changed, 13 insertions, 41 deletions
diff --git a/deploy_env/group_vars/all.yml b/deploy_env/group_vars/all.yml
index e04a4a9..597921c 100644
--- a/deploy_env/group_vars/all.yml
+++ b/deploy_env/group_vars/all.yml
@@ -18,15 +18,14 @@ wannat_global:
NAT_GW_tunnel_remote_port: 3544
natgw:
- run_type: 0
- config_type: 1
wannat_ip: "192.168.40.161"
wannat_port: 3545
natgw_bind_port: 3544
- device: "eth0"
- vpn_client_ip_cidr: "10.10.120.0/24"
- country_location: "private"
- province_location: "private"
+ layer2_gateway_device: "eth0"
+ location_compare_type: 0
+ country_location: "Set_your_geographic_location"
+ province_location: "Set_your_geographic_location"
+ ctrl_device_ip_addr: "192.168.40.134"
toroad:
http_server_listen_port: 8888
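Review bot: The `device` key this hunk removes from `natgw` (replaced by `layer2_gateway_device`) is still referenced by roles/natgw/templates/natgw.service.j2, whose unchanged context line `ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"` is visible in that file's second hunk; with Ansible's default undefined-variable handling the template task will fail on the next deploy, and if undefined values are allowed the ethtool call renders with an empty interface name. Either keep `device` as an alias of `layer2_gateway_device` in this mapping or update the remaining references in natgw.service.j2 to `{{wannat_global.natgw.layer2_gateway_device}}`. The new `country_location`/`province_location` placeholders `"Set_your_geographic_location"` are copied verbatim into natgw.conf by natgw.conf.j2, so a gateway deployed with an unedited inventory runs with a nonsense location; an `assert` task that rejects the placeholder before templating would turn that into a deploy-time error. The hunk header counts 15/14 lines but only 13/12 are shown, so blank lines were probably dropped by the rendering.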
diff --git a/roles/natgw/templates/monit_natgw.j2 b/roles/natgw/templates/monit_natgw.j2
deleted file mode 100644
index e15619d..0000000
--- a/roles/natgw/templates/monit_natgw.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-
-while [ 1 ]; do
- count=`ls -l core.* |wc -l`
- if [ $count -lt 3 ]
- then
-# echo "set unlimited"
- ulimit -c unlimited
- else
- ulimit -c 0
- fi
- PROCESS_NUM=`ps -ef | grep "wannat_natgw" | grep -v "grep" | wc -l`
-# echo $PROCESS_NUM
- if [ $PROCESS_NUM -lt 1 ]
- then
- ./wannat_natgw &
- sleep 1
- ifconfig tun_natgw 192.168.1.254/24 up
- ifconfig tun_natgw mtu 2000
- ethtool -K tun_natgw gro off
- ethtool -K tun_natgw gso off
- ethtool -K tun_natgw tso off
-
- ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001
- ip route add default via 192.168.1.253 table 1001
- echo program crashed, restart at `date +"%w %Y/%m/%d, %H:%M:%S"` >> RESTART.log
- fi
- sleep 30
-done
diff --git a/roles/natgw/templates/natgw.conf.j2 b/roles/natgw/templates/natgw.conf.j2
index 75fdb14..a851d09 100644
--- a/roles/natgw/templates/natgw.conf.j2
+++ b/roles/natgw/templates/natgw.conf.j2
@@ -2,11 +2,11 @@
logger_conf=./conf/natgw_log.conf
logger_path=./log/natgw_log
#0:vxlan;1:socket_test
-run_type={{wannat_global.natgw.run_type}}
+run_type=0
#0:nerver;1:LRU
cache_overflow_elimination_mode=1
#0:only conpare country;1:compare country and province
-location_compare_type=1
+location_compare_type={{wannat_global.natgw.location_compare_type}}
country_location={{wannat_global.natgw.country_location}}
province_location={{wannat_global.natgw.province_location}}
hash_max_elem_num=100000
@@ -18,7 +18,7 @@ compile_tableinfo_path=./conf/compile_tableinfo.conf
max_thread_num=10
json_cfg_file=./conf/natgw_test.json
#0:maat_json;1:maat_redis
-config_type={{wannat_global.natgw.config_type}}
+config_type=1
[NATGW_CONVERT]
snat_mask_ip=192.168.50.147
@@ -26,7 +26,7 @@ wannat_ip={{wannat_global.natgw.wannat_ip}}
wannat_port={{wannat_global.natgw.wannat_port}}
dnat_mask_ip=10.10.10.10
natgw_bind_port={{wannat_global.natgw.natgw_bind_port}}
-device={{wannat_global.natgw.device}}
+device={{wannat_global.natgw.layer2_gateway_device}}
[NATGW_SNAT]
diff --git a/roles/natgw/templates/natgw.service.j2 b/roles/natgw/templates/natgw.service.j2
index 6baa924..0217bd8 100644
--- a/roles/natgw/templates/natgw.service.j2
+++ b/roles/natgw/templates/natgw.service.j2
@@ -7,7 +7,6 @@ Type=notify
WorkingDirectory=/opt/tsg/wannat/natgw
ExecStart=/opt/tsg/wannat/natgw/wannat_natgw
-#ExecStartPost=/bin/sh -c "sysctl -w net.ipv4.ip_forward=0"
#pptp vpn mode must set ipv4.ip_forward=1
ExecStartPost=/bin/sh -c "sysctl -w net.ipv4.ip_forward=1"
ExecStartPost=/bin/sh -c "ifconfig tun_natgw 100.64.1.254/24 up"
@@ -21,7 +20,10 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"
ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001"
ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001"
-#ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP"
+
+ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
+ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
+ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
TimeoutSec=300s
RestartSec=10s
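Review bot: The three new `iptables -I` ExecStartPost lines are not idempotent: each start inserts fresh rules at the head of OUTPUT and FORWARD and nothing removes them on stop, so with `RestartSec=10s` every crash/restart cycle (and every manual `systemctl restart`) leaves another set of duplicate DROP rules accumulating in the running ruleset. Guard each insert with a `-C` check and delete the rule in a matching `ExecStopPost=` (the leading `-` lets stop succeed when the rule is already gone), as sketched below. The `FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP` rule drops every forwarded packet not addressed to the control device, which, read together with `ip_forward=1` and the `table 1001` route for `vpn_client_ip_cidr` in the same unit, looks like it would also discard forwarded VPN-client traffic — confirm that is intended; if the aim is only to stop the host emitting ICMP redirects, `sysctl -w net.ipv4.conf.all.send_redirects=0` expresses that more directly than a per-address OUTPUT filter. The unit's `[Service]` section begins before the first hunk.
```ini
# … unchanged: ip rule / ip route ExecStartPost lines …
ExecStartPost=/bin/sh -c "iptables -C OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP || iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
ExecStartPost=/bin/sh -c "iptables -C OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP || iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
ExecStartPost=/bin/sh -c "iptables -C FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP || iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
# remove the rules again on stop; the leading '-' keeps an already-missing rule from failing the stop
ExecStopPost=-/bin/sh -c "iptables -D OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
ExecStopPost=-/bin/sh -c "iptables -D OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
ExecStopPost=-/bin/sh -c "iptables -D FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
TimeoutSec=300s
```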