RTXなルータでさくらのVPSから IPv4 over IPv6 のトンネルで固定IPv4なおうちサーバを準備する手順 ref: https://qiita.com/wtnbgo/items/12145621e1a16cb81065
# for tun0
# Kernel settings on the VPS so it can route between eth0 (public side) and the
# tun0 tunnel towards the home LAN.
net.ipv4.conf.all.forwarding=1
# Reverse-path filtering (the kernel's source-address anti-spoofing check) is
# switched off on both interfaces.
# NOTE(review): rp_filter=0 on the public interface removes that spoofing
# protection; confirm it is really required here (strict mode may already work
# given the 192.168.YYY.0/24 route via tun0), or use loose mode (rp_filter=2)
# if some check is wanted.
net.ipv4.conf.eth0.rp_filter=0
# NOTE(review): a per-interface key is only applied if tun0 already exists when
# "sysctl -p" runs; at boot tun0 may be created later — verify the value after
# a reboot.
net.ipv4.conf.tun0.rp_filter=0
# Larger conntrack table: every NAT'ed/forwarded flow through the VPS uses an entry.
net.nf_conntrack_max=65535
# sysconfig ifcfg-style definition of the tunnel on the VPS (presumably ifcfg-tun0);
# persistent form of the manual "ip -6 tunnel add ..." commands further down.
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
# IPv4-over-IPv6 tunnel. Plain encapsulation: nothing here authenticates or
# encrypts the tunnel traffic.
TYPE=IPIP6
MODE=ip4ip6
# Outer (IPv6) endpoints: XXXX... is the RTX router at home, AAAA... is this VPS
# (the router side configures the same pair the other way round).
PEER_OUTER_IPADDR=XXXX:XXXX:XXXX:XXXX::1
MY_OUTER_IPADDR=AAAA:AAAA:AAAA:AAAA::1
# Inner (IPv4) address of the VPS end; the router end uses 192.168.BBB.2/24.
MY_INNER_IPADDR=192.168.BBB.1/24
# firewalld zone: "trusted" accepts every packet that arrives through the tunnel
# without filtering, so access control relies on who can reach the tunnel endpoint.
ZONE=trusted
# RTX router (home side): policy-based default route.
# NOTE(review): on RTX the "filter" parameter belongs to the gateway before it,
# so as read here packets passing filter 1 (source 192.168.YYY.20) go out via
# pp 1 (PPPoE) and all other traffic defaults to tunnel 1 (the VPS) — confirm.
ip route default gateway pp 1 filter 1 gateway tunnel 1
pp select 1
pp name MyPPPoE
# (the PPPoE connection settings themselves are omitted on the next line)
接続設定は省略
ip pp nat descriptor 1000
pp enable 1
nat descriptor type 1000 masquerade
# Static port forwarding on the PPPoE side: TCP 80,443,22 to 192.168.YYY.20,
# the same host that filter 1 keeps on the PPPoE path.
nat descriptor masquerade static 1000 1 192.168.YYY.20 tcp 80,443,22
# Filter 1: any packet whose source address is 192.168.YYY.20 (used by the route above).
ip filter 1 pass 192.168.YYY.20 * * * *
192.168.YYY.0/24 dev tun0
# Load the sysctl entries above from /etc/sysctl.conf, then restart networking so
# the ifcfg definition of tun0 (ONBOOT=yes) is presumably brought up.
# NOTE(review): the tun0-specific rp_filter key cannot be applied while tun0 does
# not exist yet; re-run "sudo sysctl -p" (or check the value) after the restart.
sudo sysctl -p
sudo systemctl restart network
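#!/usr/bin/env bash
# Bring up the IPv4-over-IPv6 tunnel on the VPS by hand (non-persistent; the
# sysctl.conf and ifcfg entries above are the persistent form of the same settings).
# Must run as root. Addresses are the page's placeholders:
#   XXXX... = the RTX router at home (remote outer address)
#   AAAA... = this VPS               (local outer address)
set -euo pipefail

remote_v6=XXXX:XXXX:XXXX:XXXX::1   # router's global IPv6 (tunnel remote)
local_v6=AAAA:AAAA:AAAA:AAAA::1    # VPS's global IPv6 (tunnel local)
tun_dev=tun0
tun_addr=192.168.BBB.1/24          # inner IPv4 address of this end
home_net=192.168.YYY.0/24          # home LAN reachable through the tunnel
wan_dev=eth0                       # public interface of the VPS

modprobe ip6_tunnel
ip -6 tunnel add "$tun_dev" mode ip4ip6 remote "$remote_v6" local "$local_v6"
ip link set "$tun_dev" up
ip addr add "$tun_addr" dev "$tun_dev"
# iproute2 instead of the legacy net-tools "route add -net" (same route).
ip route add "$home_net" dev "$tun_dev"

# Forward between the public interface and the tunnel.
sysctl -w net.ipv4.conf.all.forwarding=1
# Reverse-path (anti-spoofing) filtering off on both interfaces.
# NOTE(review): this relaxes spoofing protection on the public interface; confirm
# it is needed, or try loose mode (rp_filter=2) which still drops unroutable sources.
sysctl -w "net.ipv4.conf.${wan_dev}.rp_filter=0"
sysctl -w "net.ipv4.conf.${tun_dev}.rp_filter=0"
# Every NAT'ed/forwarded flow occupies a conntrack entry; enlarge the table.
sysctl -w net.nf_conntrack_max=65535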
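#!/usr/bin/env bash
# firewalld setup on the VPS:
#   - eth0 (public) goes to the "external" zone (masquerading),
#   - tun0 goes to "trusted" (everything arriving through the tunnel is accepted
#     without filtering),
#   - selected TCP ports are forwarded from the public side to a host on the home LAN.
# NOTE(review): the page restricts the tunnel source only on the router side
# (ipv6 filter for protocol 4); consider an equivalent restriction for inbound
# IPv4-in-IPv6 on the VPS, since the tunnel itself carries no authentication.
set -euo pipefail

home_host=192.168.YYY.10   # home-side host that receives the forwarded ports
# "public port:target port" pairs. TCP 22 is used by the VPS's own sshd, so the
# home host's port 22 is exposed on 8022 instead.
forwards=(
  80:80
  443:443
  8022:22
)

# move eth0 into the external zone
sudo firewall-cmd --zone=external --change-interface=eth0 --permanent
# put tun0 into the trusted zone
sudo firewall-cmd --zone=trusted --add-interface=tun0 --permanent

# one forward-port rule per pair, same rules as before but without repeating
# the command three times
for spec in "${forwards[@]}"; do
  from_port=${spec%%:*}
  to_port=${spec##*:}
  sudo firewall-cmd --zone=external --permanent \
    --add-forward-port="port=${from_port}:proto=tcp:toport=${to_port}:toaddr=${home_host}"
done

# activate the permanent configuration
sudo firewall-cmd --reload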
# RTX router (home side): tunnel to the VPS.
# Allow IPv4-in-IPv6 (protocol 4) only from the VPS address. This source-address
# check is the only access control on the tunnel, since ipip has no authentication.
ipv6 filter 100000 pass AAAA:AAAA:AAAA:AAAA::1 * 4 * *
# (the remaining filter numbers of the lan2 inbound list are elided in the original)
ipv6 lan2 secure filter in 100000 ...
tunnel select 1
# plain IP-in-IP: the tunnel contents are neither encrypted nor authenticated
tunnel encapsulation ipip
# outer addresses, apparently local (router, XXXX...) then remote (VPS, AAAA...),
# which matches the VPS side (remote=XXXX..., local=AAAA...)
tunnel endpoint address XXXX:XXXX:XXXX:XXXX::1 AAAA:AAAA:AAAA:AAAA::1
# clamp TCP MSS so packets fit after the encapsulation overhead
ip tunnel tcp mss limit auto
# inner IPv4 address of the router end (the VPS end is 192.168.BBB.1/24)
ip tunnel address 192.168.BBB.2/24
tunnel enable 1
# Default route — the next two lines appear to be alternatives, use one of them:
#   everything via the tunnel
ip route default gateway tunnel 1
#   policy-based: sources passing filter 1 via PPPoE (pp 1), the rest via the
#   tunnel (as read here; the "filter" parameter belongs to the preceding gateway)
ip route default gateway pp 1 filter 1 gateway tunnel 1
# filter 1 variant matching a range of source addresses instead of a single host
ip filter 1 pass 192.168.YYY.1-192.168.YYY.128 * * * *