1. 搭建chrony服务完成多个主机的时间同步。
[root@centos8 ~]# yum -y install chrony
[root@centos8 ~]# vim /etc/chrony.conf
[root@centos8 ~]# cat /etc/chrony.conf
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 0.0.0.0/0
local stratum 10
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
[root@centos8 ~]# systemctl restart chronyd
[root@centos8 ~]# ss -ntlu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 100 [::1]:25 [::]:*
[root@centos7 ~]#vim /etc/chrony.conf
server 10.0.0.152 iburst
[root@centos7 ~]#systemctl restart chronyd.service
[root@centos7 ~]#chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
^* 10.0.0.152 3 6 77 29 -229us[-1154us] +/- 17m
2. 自制光盘,PXE, Cobbler完成自动安装系统。
自制光盘方式
1)制作光盘
[root@centos8 ~]# mkdir -pv /data/myiso
mkdir: created directory '/data/myiso'
[root@centos8 ~]# mount /dev/cdrom /mnt
[root@centos8 mnt]# cp -r /mnt/isolinux /data/myiso/
[root@centos8 mnt]# tree /data/myiso
/data/myiso
└── isolinux
├── boot.cat
├── boot.msg
├── grub.conf
├── initrd.img
├── isolinux.bin
├── isolinux.cfg
├── ldlinux.c32
├── libcom32.c32
├── libutil.c32
├── memtest
├── splash.png
├── TRANS.TBL
├── vesamenu.c32
└── vmlinuz
1 directory, 14 files
[root@centos8 mnt]# vim /data/myiso/isolinux/isolinux.cfg
label linux
menu label ^Install CentOS Linux 8
kernel vmlinuz
append initrd=initrd.img text ks=cdrom:/myks.cfg
2)应答文件
[root@centos8 ks]# cat myks.cfg
ignoredisk --only-use=nvme0n1
zerombr
text
reboot
clearpart --all --initlabel
selinux --disabled
firewall --disabled
url --url=http://10.0.0.152/centos/
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
bootloader --append="net.ifnames=0" --location=mbr --boot-drive=sda
network --bootproto=dhcp --device=eth0 --ipv6=auto --activate
network --hostname=centos8.magedu.org
rootpw --iscrypted $6$j9YhzDUnQVnxaAk8$qv7rkMcPAEbV5yvwsP666DXWYadd3jYjkA9fpxAo9qYotjGGBUclCGoP1TRvgHBpqgc5n0RypMsPTQnVDcpO01
firstboot --enable
skipx
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=6oUfb/02CWfLb5l8f$sgEZeR7c7DpqfpmFDH6huSmDbW1XQNR4qKl2EPns.gOXqlnAIgv9pTogtFVaDtEpMOC.SWXKYqxfVtd9MCwxb1 --iscrypted --gecos="wang"
#autopart --type=lvm
#part / --fstype xfs --size 1 --grow --ondisk sda
part / --fstype="xfs" --ondisk=nvme0n1 --size=102400
part /data --fstype="xfs" --ondisk=nvme0n1 --size=51200
part swap --fstype="swap" --ondisk=nvme0n1 --size=2048
part /boot --fstype="ext4" --ondisk=nvme0n1 --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
%post
useradd mage
echo magedu | passwd --stdin mage &> /dev/null
%end
3)启动httpd
[root@centos8 ~]#dnf -y install httpd
[root@centos8 ~]#systemctl enable --now httpd
[root@centos8 ~]#mkdir /var/www/html/centos/8/ -p
[root@centos8 ~]#mount /dev/sr0 /var/www/html/centos/8/
4)开始安装
PXE方式
1)安装相关文件
[root@centos8 ~]#dnf -y install dhcp-server tftp-server httpd syslinux-nonlinux(或者syslinux-tftpboot)
[root@centos8 ~]#systemctl enable --now httpd tftp dhcpd
2)配置DHCP服务
(1)关闭VMware DHCP服务
(2)修改配置文件
[root@centos8 ~]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite '/etc/dhcp/dhcpd.conf'? y
[root@centos8 ~]# vim /etc/dhcp/dhcpd.conf
[root@centos8 ~]# cat /etc/dhcp/dhcpd.conf
option domain-name "example.org";
option domain-name-servers 180.76.76.76, 223.5.5.5;
default-lease-time 86400;
max-lease-time 106400;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.160 10.0.0.180;
option routers 10.0.0.2;
next-server 10.0.0.152;
filename "pxelinux.0";
}
[root@centos8 ~]# systemctl restart dhcpd
[root@centos8 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-07-23 01:45:02 CST; 10s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 1455 (dhcpd)
Status: "Dispatching packets…"
Tasks: 1 (limit: 12254)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─1455 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Source compiled to use binary-leases
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Wrote 0 class decls to leases file.
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Wrote 0 deleted host decls to leases file.
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Wrote 0 new dynamic host decls to leases file.
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Wrote 1 leases to leases file.
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Listening on LPF/ens160/00:0c:29:d6:88:e0/10.0.0.0/24
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Sending on LPF/ens160/00:0c:29:d6:88:e0/10.0.0.0/24
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Sending on Socket/fallback/fallback-net
Jul 23 01:45:02 centos8.linux.org dhcpd[1455]: Server starting service.
Jul 23 01:45:02 centos8.linux.org systemd[1]: Started DHCPv4 Server Daemon.
(3)配置httpd服务
[root@centos8 ~]#mkdir -pv /var/www/html/centos/8/os/x86_64/
[root@centos8 ~]#mount /dev/sr0 /var/www/html/centos/8/os/x86_64/
[root@centos8 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 980372 0 980372 0% /dev
tmpfs 998404 0 998404 0% /dev/shm
tmpfs 998404 8896 989508 1% /run
tmpfs 998404 0 998404 0% /sys/fs/cgroup
/dev/nvme0n1p1 104806400 2496056 102310344 3% /
/dev/nvme0n1p2 52403200 398400 52004800 1% /data
/dev/nvme0n1p5 999320 144280 786228 16% /boot
tmpfs 199680 0 199680 0% /run/user/0
/dev/sr0 10540998 10540998 0 100% /var/www/html/centos/8/os/x86_64
(4)配置应答文件
[root@centos8 ~]# mkdir /var/www/html/centos/ks
[root@centos8 ~]# vim /var/www/html/centos/ks/centos8.cfg
[root@centos8 ~]# cat /var/www/html/centos/ks/centos8.cfg
ignoredisk --only-use=nvme0n1
zerombr
text
reboot
clearpart --all --initlabel
selinux --disabled
firewall --disabled
url --url=http://10.0.0.100/centos/8/os/x86_64/
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --bootproto=dhcp --device=eth0 --ipv6=auto --activate
bootloader --append="net.ifnames=0" --location=mbr --boot-drive=nvme0n1
network --hostname=centos8.magedu.org
rootpw --iscrypted $6$j9YhzDUnQVnxaAk8$qv7rkMcPAEbV5yvwsP666DXWYadd3jYjkA9fpxAo9qYotjGGBUclCGoP1TRvgHBpqgc5n0RypMsPTQnVDcpO01
firstboot --enable
skipx
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=6oUfb/02CWfLb5l8f$sgEZeR7c7DpqfpmFDH6huSmDbW1XQNR4qKl2EPns.gOXqlnAIgv9pTogtFVaDtEpMOC.SWXKYqxfVtd9MCwxb1 --iscrypted --gecos="wang"
#autopart --type=lvm
#part / --fstype xfs --size 1 --grow --ondisk nvme0n1
part / --fstype="xfs" --ondisk=nvme0n1 --size=102400
part /data --fstype="xfs" --ondisk=nvme0n1 --size=51200
part swap --fstype="swap" --ondisk=nvme0n1 --size=2048
part /boot --fstype="ext4" --ondisk=nvme0n1 --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
(5)配置PXE启动相关文件
[root@centos8 ~]# mkdir /var/lib/tftpboot/centos8
[root@centos8 ~]# cp /var/www/html/centos/8/os/x86_64/isolinux/{vmlinuz,initrd.img} /var/lib/tftpboot/centos8
[root@centos8 ~]# cp /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot/
[root@centos8 ~]# cp /var/www/html/centos/8/os/x86_64/isolinux/{ldlinux.c32,libcom32.c32,libutil.c32} /var/lib/tftpboot/
[root@centos8 ~]# mkdir /var/lib/tftpboot/pxelinux.cfg/
[root@centos8 ~]# cp /var/www/html/centos/8/os/x86_64/isolinux/isolinux.cfg /var/lib/tftpboot/pxelinux.cfg/default
[root@centos8 ~]# cp /var/www/html/centos/8/os/x86_64/isolinux/isolinux.cfg /var/lib/tftpboot/pxelinux.cfg/default
[root@centos8 ~]# tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── centos8
│ ├── initrd.img
│ └── vmlinuz
├── ldlinux.c32
├── libcom32.c32
├── libutil.c32
├── menu.c32
├── pxelinux.0
└── pxelinux.cfg
└── default
2 directories, 8 files
(6)准备启动菜单
[root@centos8 centos]# vim /var/lib/tftpboot/pxelinux.cfg/default
[root@centos8 centos]# cat /var/lib/tftpboot/pxelinux.cfg/default
default menu.c32
timeout 600
menu title Install CentOS Linux
label linux8
menu label Auto Install CentOS Linux ^8
kernel centos8/vmlinuz
append initrd=centos8/initrd.img ks=http://10.0.0.152/centos/ks/centos8.cfg
label manual
menu label ^Manual Install CentOS Linux 8.0
kernel centos8/vmlinuz
append initrd=centos8/initrd.img
inst.repo=http://10.0.0.152/centos/8/os/x86_64/
label rescue
menu label ^Rescue a CentOS Linux system 8
kernel centos8/vmlinuz
append initrd=centos8/initrd.img
inst.repo=http://10.0.0.152/centos/8/os/x86_64/ rescue
label local
menu default
menu label Boot from ^local drive
localboot 0xffff
(7)开始安装
注意:安装前内存要调大,不然会出现failed to start switch root;/dev/root does not exist的报错!
Cobbler自动化安装
1)安装相关包,启动服务
[root@centos7 ~]#yum install cobbler dhcp -y
[root@centos7 ~]#systemctl enable --now cobblerd httpd tftp dhcpd
2)修改cobbler配置
[root@centos7 ~]#cobbler check
The following are potential configuration items that you may want to fix:
1 : The 'server' field in /etc/cobbler/settings must be set to something other
than localhost, or kickstarting features will not work. This should be a
resolvable hostname or IP for the boot server as reachable by all machines that
will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings
must be set to something other than 127.0.0.1, and should match the IP of the
boot server on the PXE network.
3 : change 'disable' to 'no' in /etc/xinetd.d/tftp
4 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may
run 'cobbler get-loaders' to download them, or, if you only want to handle
x86/x86_64 netbooting, you may ensure that you have installed a *recent* version
of the syslinux package installed and can ignore this message entirely. Files
in this directory, should you want to support all architectures, should include
pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is
the easiest way to resolve these requirements.
5 : enable and start rsyncd.service with systemctl
6 : debmirror package is not installed, it will be required to manage debian
deployments and repositories
7 : ksvalidator was not found, install pykickstart
8 : The default password used by the sample templates for newly installed
machines (default_password_crypted in /etc/cobbler/settings) is still set to
'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrasehere' 'your-password-here'" to generate new one
9 : fencing tools were not found, and are required to use the (optional) power
management features. install cman or fence-agents to use them
[root@centos7 ~]#openssl passwd -1 'magedu'
$1$1spuisnh$j34LNmyTQWs3l6xKxCZY60
[root@centos7 ~]#vim /etc/cobbler/settings
default_password_crypted: "$1$1spuisnh$j34LNmyTQWs3l6xKxCZY60"
next_server:< tftp服务器的 IP 地址>
server:
manage_dhcp:1
pxe_just_once: 1
[root@centos7 ~]#systemctl restart cobblerd
3)DHCP服务
[root@centos7 ~]#vim /etc/cobbler/dhcp.template
subnet 192.168.100.0 netmask 255.255.255.0 {
option routers 192.168.100.1;
option domain-name-servers 180.76.76.76,223.6.6.6;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.100.1 192.168.100.200;
[root@centos7 ~]#cobbler sync
4)导入文件
[root@centos7 ~]#cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64
[root@centos7 ~]#mount /dev/sr1 /mnt
mount: /dev/sr1 is write-protected, mounting read-only
[root@centos7 ~]#cobbler import --name=centos-7.7-x86_64 --path=/mnt --arch=x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg
[root@centos7 ~]#du -sh /var/www/cobbler/ks_mirror/*
11G /var/www/cobbler/ks_mirror/centos-7.7-x86_64
7.2G /var/www/cobbler/ks_mirror/centos-8.1-x86_64
12K /var/www/cobbler/ks_mirror/config
[root@centos7 ~]#cobbler distro list
centos-7.7-x86_64
[root@centos7 ~]#cobbler profile list
centos-7.7-x86_64
3. 搭建配置主从DNS服务器,实现区域传送,并实现智能DNS。
DNS主服务端:192.168.150.128
DNS从服务端:192.168.150.129
web服务器:192.168.150.139
DNS客户端:192.168.150.130
主服务器:
[root@OS ~]#yum install bind -y
[root@OS ~]#vim /etc/named.conf
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#只允许从服务器进行区域传输,为了数据安全
allow-transfer { 192.168.150.129;};
[root@OS ~]#vim /etc/named.rfc1912.zones
zone "zhang.com" IN {
type master;
file "zhang.com.zone";
};
[root@OS ~]#cp -ap /var/named/named.localhost /var/named/zhang.com.zone
[root@OS ~]#vim /var/named/zhang.com.zone
$TTL 1D
@ IN SOA master admin.zhang.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 192.168.150.128
slave A 192.168.150.129
www A 192.168.150.139
[root@OS ~]#systemctl start named #第一次启动服务
[root@OS ~]#rndc reload #不是第一次启动服务
[root@OS ~]#named-checkconf #语法检查
从服务器:
[root@os7 ~]#
vim /etc/named.conf
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#不允许其它主机进行区域传输,为了数据安全必须操作
allow-transfer { none;};
[root@os7 ~]# vim /etc/named.rfc1912.zones
zone "zhang.com" IN {
type slave;
masters { 192.168.150.128;};
file "slaves/zg.com.slave";
};
[root@os7 ~]# ls /var/named/slaves/zg.com.slave #查看区域数据库文件是否生成
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
web服务器:
[root@os7 ~]#yum -y install httpd
[root@os7 ~]#echo www.zhang.com > /var/www/html/index.html
[root@os7 ~]#systemctl start httpd
客户端:
[root@OS ~]# yum -y install bind bind-utils
[root@OS ~]# systemctl start named
[root@OS ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=192.168.150.130
PREFIX=24
DNS1=192.168.150.128
DNS2=192.168.150.129
ONBOOT=yes
#验证从DNS服务器是否可以查询
[root@OS ~]# curl www.zhang.com
www.zhang.com
[root@OS ~]# dig www.zhang.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> www.zhang.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56249
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c822e0403af8d0438ff2fc5562c84aef88531745f920cb3c (good)
;; QUESTION SECTION:
;www.zhang.com. IN A
;; ANSWER SECTION:
www.zhang.com. 86400 IN A 192.168.150.139
;; AUTHORITY SECTION:
zhang.com. 86400 IN NS master.zhang.com.
zhang.com. 86400 IN NS slave.zhang.com.
;; ADDITIONAL SECTION:
master.zhang.com. 86400 IN A 192.168.150.128
slave.zhang.com. 86400 IN A 192.168.150.129
;; Query time: 0 msec
;; SERVER: 192.168.150.128#53(192.168.150.128)
;; WHEN: Fri Jul 08 23:19:12 CST 2022
;; MSG SIZE rcvd: 156
4. 配置iptables 打开常用端口加固linux。使用iptables DNAT完成暴露内网端口,使用SNAT,让内网可以上网。并抓包分析过程。 可以尝试firewalld实现iptables的结果。
外界机器:192.168.159.130 gateway:192.168.159.2 仅主机模式
防火墙:192.168.159.2 192.168.150.2 仅主机和nat模式(双网卡)
内部服务器:192.168.150.128 192.168.150.129 nat模式
防火墙机器增添:ip_forward功能
[root@centos8 ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward=1
内部服务器:安装http服务,
192.168.150.129: echo 192.168.150.129 > /var/www/html/index.html
192.168.150.128: echo 192.168.150.128 > /var/www/html/index.html
此时就可以互相ping通和访问了:
[root@OS ~]# curl 192.168.150.128
192.168.150.128
[root@OS ~]# curl 192.168.150.129
192.168.150.129
当在防火墙加一条iptables规则时: 禁止192.168.150网段的机器访问
[root@OS ~]# iptables -A FORWARD ! -s 192.168.150.0/24 -m state --state NEW -j REJECT
[root@OS ~]# ping 192.168.150.128
PING 192.168.150.128 (192.168.150.128) 56(84) bytes of data.
From 192.168.159.2 icmp_seq=1 Destination Port Unreachable
From 192.168.159.2 icmp_seq=2 Destination Port Unreachable
From 192.168.159.2 icmp_seq=3 Destination Port Unreachable
From 192.168.159.2 icmp_seq=4 Destination Port Unreachable
From 192.168.159.2 icmp_seq=5 Destination Port Unreachable
[root@OS ~]# curl 192.168.150.128
curl: (7) Failed to connect to 192.168.150.128 port 80: Connection refused
[root@OS ~]# curl 192.168.150.129
curl: (7) Failed to connect to 192.168.150.129 port 80: Connection refused
外界机器:192.168.159.130 gateway:192.168.159.2 仅主机模式
防火墙:192.168.159.2 192.168.150.2 仅主机和nat模式(双网卡)
内部服务器:192.168.150.128 192.168.150.129 nat模式
防火墙机器增添:ip_forward功能
[root@centos8 ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward=1
内部服务器:安装http服务,
192.168.150.129: echo 192.168.150.129 > /var/www/html/index.html
192.168.150.128: echo 192.168.150.128 > /var/www/html/index.html
此时就可以互相ping通和访问了:
[root@OS ~]# curl 192.168.150.128
192.168.150.128
[root@OS ~]# curl 192.168.150.129
192.168.150.129
当在防火墙加一条iptables规则时: 禁止192.168.150网段的机器访问
[root@OS ~]# iptables -A FORWARD ! -s 192.168.150.0/24 -m state --state NEW -j REJECT
[root@OS ~]# ping 192.168.150.128
PING 192.168.150.128 (192.168.150.128) 56(84) bytes of data.
From 192.168.159.2 icmp_seq=1 Destination Port Unreachable
From 192.168.159.2 icmp_seq=2 Destination Port Unreachable
From 192.168.159.2 icmp_seq=3 Destination Port Unreachable
From 192.168.159.2 icmp_seq=4 Destination Port Unreachable
From 192.168.159.2 icmp_seq=5 Destination Port Unreachable
[root@OS ~]# curl 192.168.150.128
curl: (7) Failed to connect to 192.168.150.128 port 80: Connection refused
[root@OS ~]# curl 192.168.150.129
curl: (7) Failed to connect to 192.168.150.129 port 80: Connection refused
[root@OS ~]# iptables -I FORWARD ! -s 192.168.150.0/24 -d 192.168.150.129 -m state NEW -p tcp --dport 80 -j ACCEPT
当在前一条iptables插入允许访问129的80端口时:
[root@centos7_6 ~]# iptables -I FORWARD ! -s 192.168.150.0/24 -d 192.168.150.129 -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@centos7_6 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 1700 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * !192.168.150.0/24 192.168.150.129 state NEW tcp dpt:80
464 38928 REJECT all -- * * !192.168.150.0/24 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 17 packets, 1260 bytes)
pkts bytes target prot opt in out source destination
[root@OS ~]# curl 192.168.150.129
192.168.150.129
NAT的实现分为下面类型:
SNAT:source NAT ,支持POSTROUTING, INPUT,让本地网络中的主机通过某一特定地址访问
外部网络,实现地址伪装,请求报文:修改源IP
DNAT:destination NAT 支持PREROUTING , OUTPUT,把本地网络中的主机上的某服务开放给外
部网络访问(发布服务和端口映射),但隐藏真实IP,请求报文:修改目标IP
PNAT: port nat,端口和IP都进行修改
网络最终实现———— NAT+PAT 不仅仅ip地址进行了转换,port端口也进行了转换。
结合上面实验,实现SNAT DNAT(删除客户端的网关)!!!
SNAT
[root@centos7_6 ~]# iptables -F #清空上面的iptables规则
[root@centos7_6 ~]# iptables -t nat -A POSTROUTING -s 192.168.150.0/24 ! -d 192.168.150.0/24 -j MASQUERADE
#只要是192.168.150.0/24网段的机器访问其它网段,都做地址转换。
[root@OS ~]# ping 192.168.159.130
PING 192.168.159.130 (192.168.159.130) 56(84) bytes of data.
64 bytes from 192.168.159.130: icmp_seq=1 ttl=128 time=0.784 ms
64 bytes from 192.168.159.130: icmp_seq=2 ttl=128 time=0.694 ms
64 bytes from 192.168.159.130: icmp_seq=3 ttl=128 time=1.50 ms
64 bytes from 192.168.159.130: icmp_seq=4 ttl=128 time=1.28 ms
64 bytes from 192.168.159.130: icmp_seq=5 ttl=128 time=0.546 ms
64 bytes from 192.168.159.130: icmp_seq=6 ttl=128 time=0.767 ms
[root@OS ~]# tcpdump -i eth0 -nn icmp #在外部机器上抓包发现ip地址不显示内部访问地址
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:57:24.466670 IP 192.168.159.1 > 192.168.159.130: ICMP echo request, id 5, seq 1, length 64
20:57:24.466703 IP 192.168.159.130 > 192.168.159.1: ICMP echo reply, id 5, seq 1, length 64
20:57:25.476241 IP 192.168.159.1 > 192.168.159.130: ICMP echo request, id 5, seq 2, length 64
20:57:25.476271 IP 192.168.159.130 > 192.168.159.1: ICMP echo reply, id 5, seq 2, length 64
20:57:26.501190 IP 192.168.159.1 > 192.168.159.130: ICMP echo request, id 5, seq 3, length 64
20:57:26.501222 IP 192.168.159.130 > 192.168.159.1: ICMP echo reply, id 5, seq 3, length 64
DNAT #访问192.168.159.2时,转发给192.168.150.129
[root@centos7_6 ~]# iptables -t nat -A PREROUTING -d 192.168.159.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.150.129:80
[root@OS ~]# curl 192.168.159.2
192.168.150.129
5. 脚本实现openvpn的一键安装,日常管理:加用户,吊销用户等。
[root@OS ~]#vim install_openvpn.sh
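#!/bin/bash
# openvpn脚本
# One-shot OpenVPN server setup for CentOS: installs the packages, builds the
# server PKI with easy-rsa 3, writes /etc/openvpn/server.conf, turns on IP
# forwarding and installs an openvpn@.service unit.
# Before running, replace the placeholders 内网地址 (VPN subnet), 公网地址 (LAN
# route pushed to clients) and 内网网段 (NAT source range) with real values.
#需要保证有网络
# openvpn and easy-rsa are EPEL packages, so enable EPEL first. (The original
# had this yum line inside the server.conf heredoc, where it was written into
# the config file instead of being executed.)
yum -y install epel-release
#判断是否安装成功
if yum -y install openssl openssl-devel easy-rsa openvpn; then
  echo "安装成功!"
else
  echo "未能安装成功!请检查网络环境或yum源配置情况"
  # nothing below can work without the packages, so stop instead of continuing
  exit 1
fi
#准备配置文件
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
#初始化PKI生成PKI相关目录和文件
# every ./easyrsa call below is relative to this directory, so bail out if cd fails
cd /etc/openvpn/easy-rsa-server/3/ || exit 1
./easyrsa init-pki
./easyrsa build-ca nopass
# each hint is printed before the command that asks the question, not after it
echo "请输入证书名称"
./easyrsa gen-req server nopass
echo "是否同意颁发证书,同意请输入yes"
./easyrsa sign server server
# server.conf below enables crl-verify on pki/crl.pem; create the (empty) CRL
# now so the file exists when the daemon starts. Re-run "./easyrsa gen-crl"
# after every revocation.
./easyrsa gen-crl
#生成算法
echo "请稍候"
./easyrsa gen-dh
mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
echo "**将****CA****和服务器证书相关文件已复制到服务器相应的目录"
# The config is written from scratch: cat > truncates, so the sample-file copy,
# rm and touch of the original were dead weight. The quoted delimiter keeps the
# shell from expanding anything inside the heredoc.
cat > /etc/openvpn/server.conf <<'eof'
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 内网地址 255.255.255.0
push "route 公网地址 255.255.0.0 "
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
#tls-auth /etc/openvpn/certs/ta.key 0 #ka秘钥生成后
crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem #吊销证书的存放地址
eof
mkdir -p /var/log/openvpn
chown openvpn:openvpn /var/log/openvpn
# append each line only once so re-running the script does not stack duplicates
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
nat_rule='iptables -t nat -A POSTROUTING -s 内网网段/24 -j MASQUERADE'
grep -qxF -- "$nat_rule" /etc/rc.d/rc.local || echo "$nat_rule" >> /etc/rc.d/rc.local
# openvpn@.service is a file, so test with -f and write it directly. The
# original tested -d, created a *directory* of that name and then failed on the
# cat >, and its if was never closed.
if [ ! -f /usr/lib/systemd/system/openvpn@.service ]; then
  cat > /usr/lib/systemd/system/openvpn@.service <<'eof'
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
eof
  echo "openvpn@.service创建成功"
  # let systemd pick up the new unit; the instance for server.conf is openvpn@server
  systemctl daemon-reload
fi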
[root@OS ~]# vim openvpn-create-newuser-crt.sh
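# provides the action helper used at the end of create_cert
. /etc/init.d/functions
# Address clients connect to. The default is the author's placeholder (公网ip)
# and must be replaced, or exported, before the generated client.ovpn can work.
OPENVPN_SERVER=${OPENVPN_SERVER:-公网ip}
# Password for the per-user zip bundle. The default is kept for compatibility,
# but a fixed value in the script protects nothing — export PASS before running.
PASS=${PASS:-123456}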
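#######################################
# Delete every artefact of a previous certificate for $NAME (client bundle,
# request, key and issued cert) so create_cert starts clean.
# Globals:   NAME (read) — must be non-empty: with an empty NAME the rm would
#            wipe /etc/openvpn/client/ and the find pattern would become ".*"
# Returns:   aborts the script via ${NAME:?} when NAME is unset or empty
#######################################
remove_cert () {
  rm -rf -- "/etc/openvpn/client/${NAME:?NAME is not set}"
  find /etc/openvpn/ -name "${NAME}.*" -delete
}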
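#######################################
# Issue a client certificate for $NAME and bundle it, the CA/DH/tls-auth files
# and a client.ovpn into /root/${NAME}.zip.
# Globals:   NAME, OPENVPN_SERVER, PASS (read)
# Outputs:   file listing and status messages to stdout
# Returns:   1 if one of the easy-rsa trees or the output dir cannot be entered
#######################################
create_cert () {
  # the client-side PKI only produces the request; the server CA signs it
  cd /etc/openvpn/easy-rsa-client/3 || return 1
  ./easyrsa gen-req "${NAME}" nopass <<EOF
EOF
  cd /etc/openvpn/easy-rsa-server/3 || return 1
  ./easyrsa import-req "/etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req" "${NAME}"
  # The original ran this sign/mkdir/cp sequence twice (copy/paste): the second
  # mkdir failed with "File exists" and the second sign had nothing to do.
  ./easyrsa sign client "${NAME}" <<EOF
yes
EOF
  local out_dir="/etc/openvpn/client/${NAME}"
  mkdir -p "$out_dir"
  cp "/etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt" "$out_dir"
  cp "/etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key" "$out_dir"
  # NOTE(review): ta.key is not produced by the install script as shown and the
  # server has tls-auth commented out; the client.ovpn below enables tls-auth,
  # so generate ta.key (openvpn --genkey) and enable it server-side first.
  cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} "$out_dir"
  cat > "$out_dir/client.ovpn" <<EOF
client
dev tun
proto tcp
remote $OPENVPN_SERVER 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert $NAME.crt
key $NAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF
  echo "证书存放路径:/etc/openvpn/client/${NAME},证书文件如下:"
  echo -e "\\E\[1;32m\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\\E\[0m"
  ls -l "$out_dir"
  echo -e "\\E\[1;32m\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\\E\[0m"
  # zip from inside the bundle dir so the archive holds bare file names; an
  # unchecked cd would otherwise zip whatever directory we happen to be in
  cd "$out_dir" || return 1
  zip -qP "$PASS" "/root/${NAME}.zip" \*
  action "证书的打包文件已生成: /root/${NAME}.zip"
}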
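# NAME is used to build paths under /etc/openvpn and as a find -name pattern,
# so it must be a plain identifier: non-empty, no '/', '..', whitespace or
# glob characters. -r keeps backslashes in the typed input literal.
read -r -p "请输入用户(如:zhang): " NAME
if [[ ! $NAME =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]]; then
  echo "无效的用户名: ${NAME}" >&2
  exit 1
fi
remove_cert
create_cert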
7. 总结数据库原理。
数据的分类:
结构化的数据:即有固定格式和有限长度的数据。例如填的表格就是结构化的数据,国籍:中华人 民共和国,民族:汉,性别:男,这都叫结构化数据
非结构化的数据:非结构化的数据越来越多,就是不定长、无固定格式的数据,例如: 网页,图片文 件,有时候非常大,有时候很小;例如语音,视频都是非结构化的数据
半结构化数据:比如:XML或者HTML的格式的数据
数据库系统发展阶段
萌芽阶段:文件系统 使用磁盘文件来存储数据
初级阶段:第一代数据库 出现了网状模型、层次模型的数据库
中级阶段:第二代数据库 关系型数据库和结构化查询语言
高级阶段:新一代数据库 "关系-对象"型数据库
DBMS 数据库管理系统
Database:数据库是数据的汇集,它以一定的组织形式存于存储介质上
DBMS:Database Management System, 是管理数据库的系统软件,它实现数据库系统的各种功 能。是数据库系统的核心
DBA:Database Administrator, 负责数据库的规划、设计、协调、维护和管理等工作
Application:应用程序,指以数据库为基础的应用程序
数据库管理系统的优点
程序与数据相互独立
保证数据的安全、可靠
最大限度地保证数据的正确性
数据可以并发使用并能同时保证一致性
相互关联的数据的集合
较少的数据冗余
数据库管理系统的基本功能
数据定义
数据处理
数据安全
数据备份
数据库系统的架构
单机架构
大型主机/终端架构
主从式架构(C/S)
分布式架构