阶段一项目实战
场景
初创公司是一家新成立的创业公司,公司根据业务需求准备部署一个小型网络,包含四台服务器和若干客户机。工程师规划的网络拓扑如图 1 所示。考虑到后期需要在全国多个城市开分公司,公司希望通过 Shell 的方式,可以在不同的分支机构进行快速复制现有网络。
在管理员PC上编写shell脚本,实现一键部署,实现以下项目需求:
准备环境
配置SSH免交互式访问(在管理员PC上用 ssh-keygen 生成密钥对,并用 ssh-copy-id 把公钥分发到四台服务器;使用密钥认证,不要把密码写进脚本,该私钥相当于全网的 root 凭据,需设置口令并妥善保管)
编写脚本
1)编写yum源配置脚本yum.sh,并完成调试(此环境使用的是本地yum源)
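#!/bin/bash
# yum.sh -- point every server at the local install DVD as its only yum repo.
#
# Sourced by main.sh; expects FW_IP, DHCP_Server_IP, DNS_Server_IP and
# FTP_Server_IP to be set and passwordless (key-based) root SSH to work.
# No `set -e` here on purpose: this file is source'd, so the option would
# leak into main.sh and abort the whole deployment on the first failure.

ServerIP="$FW_IP $DHCP_Server_IP $DNS_Server_IP $FTP_Server_IP"

for i in $ServerIP; do
  # BatchMode makes ssh fail fast instead of hanging on a password prompt
  # when the key-based access from the "prepare environment" step is missing.
  cmd="ssh -o BatchMode=yes $i"

  # Re-mount the DVD fresh so /mnt is known to be the install media.
  if $cmd 'df | grep -q /dev/sr0'; then
    $cmd 'umount /dev/sr0' &> /dev/null
    $cmd 'umount /mnt' &> /dev/null
  fi
  if ! $cmd 'mount /dev/cdrom /mnt' &> /dev/null; then
    echo "cannot mount /dev/cdrom on /mnt ($i)" >&2
    continue
  fi

  # Move the existing repo files aside instead of `rm -rf`-ing them, so the
  # original (online) repos can be restored once the site has connectivity.
  $cmd 'mkdir -p /etc/yum.repos.d/bak && mv -f /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/ 2>/dev/null'

  # Write the repo file in one go; the quoted delimiter keeps the text literal.
  # SECURITY: gpgcheck=0 disables package-signature verification, so a
  # tampered or swapped ISO is installed without complaint. Tolerable only
  # because the media is a local DVD; prefer gpgcheck=1 with
  # gpgkey=file:///mnt/<distribution GPG key> once that path is confirmed.
  $cmd 'cat > /etc/yum.repos.d/yum.repo' <<'EOF'
[yum]
name=yum
baseurl=file:///mnt
gpgcheck=0
enabled=1
EOF

  $cmd 'yum clean all' &> /dev/null
  if $cmd 'yum makecache' &> /dev/null; then
    echo "yum is ok($i)"
  else
    # The original printed the garbled "yum is aa"; say what actually failed.
    echo "yum makecache failed($i)" >&2
  fi
done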
2) 编写Firewalld配置脚本firewall.sh,并完成调试
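#!/bin/bash
# firewall.sh -- configure the gateway firewall (firewalld) from the admin PC.
#
# Sourced by main.sh; expects FW_IP and Admin_IP. Interface names default to
# the lab topology but can be overridden before sourcing:
#   INT_IF  internal LAN  (default ens33, zone internal)
#   DMZ_IF  server DMZ    (default ens37, zone dmz)
#   EXT_IF  uplink        (default ens38, zone external)
# No `set -e`: this file is source'd and the option would leak into main.sh.

FW_cmd="ssh -o BatchMode=yes $FW_IP"
INT_IF=${INT_IF:-ens33}
DMZ_IF=${DMZ_IF:-ens37}
EXT_IF=${EXT_IF:-ens38}

# Bug fix: the original assigned the *text* "ssh ... cat /proc/..." to the
# variable instead of running the command, so the comparison never matched
# and the else branch always ran.
route=$($FW_cmd cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
if [ "$route" == 1 ]; then
  echo "firewall route is yes"
else
  # Enable now and persist it; a bare `echo 1 > /proc/sys/...` is lost at
  # the next reboot.
  $FW_cmd "sysctl -w net.ipv4.ip_forward=1 > /dev/null && echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip_forward.conf"
  echo "route on firewall is open"
fi
$FW_cmd firewall-cmd --permanent --add-masquerade &> /dev/null

# bind_zone ZONE IFACE -- put IFACE into ZONE (if it is not already there)
# and enable masquerading for the zone. Permanent only; the --reload at the
# end applies everything at once.
bind_zone() {
  local zone=$1 iface=$2
  if ! $FW_cmd firewall-cmd --zone="$zone" --query-interface="$iface" &> /dev/null; then
    $FW_cmd firewall-cmd --permanent --zone="$zone" --add-interface="$iface" &> /dev/null
  fi
  $FW_cmd firewall-cmd --permanent --zone="$zone" --add-masquerade &> /dev/null
}
bind_zone internal "$INT_IF"
bind_zone dmz "$DMZ_IF"
# The original used $fw_cmd (lower case, unset) for the external query, so
# that firewall-cmd silently ran on the admin PC instead of the gateway.
bind_zone external "$EXT_IF"

# ensure_forward_rule ARGS... -- add a permanent direct rule in FORWARD_direct
# (priority 0) unless an identical one already exists.
ensure_forward_rule() {
  if ! $FW_cmd firewall-cmd --permanent --direct --query-rule ipv4 filter FORWARD_direct 0 "$@" &> /dev/null; then
    $FW_cmd firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 "$@" &> /dev/null
  fi
}

# Service rules for traffic forwarded between the LAN and the DMZ.
# SECURITY: FORWARD_direct rules are not zone-scoped, so without the
# `! -i $EXT_IF` match every host behind the gateway would have FTP, DNS
# and SSH reachable from the uplink. External SSH to the admin PC is
# handled separately by the forward-port below.
#FTP (control port + passive data range; must match pasv_min/max_port in ftp.sh)
ensure_forward_rule ! -i "$EXT_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
ensure_forward_rule ! -i "$EXT_IF" -p tcp --dport 20000:20100 -m conntrack --ctstate NEW -j ACCEPT
#ssh (the original rule lacked the conntrack NEW match the others use)
ensure_forward_rule ! -i "$EXT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#dns
ensure_forward_rule ! -i "$EXT_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

#端口转发 -- SSH arriving on the uplink is DNAT'ed to the admin PC.
# SECURITY: this publishes the admin PC's SSH to whatever sits on $EXT_IF.
# Keep key-only root login there, and add a source restriction (rich rule)
# or move the public port off 22 before the uplink faces a real WAN.
fwd="port=22:proto=tcp:toport=22:toaddr=$Admin_IP"
if ! $FW_cmd firewall-cmd --permanent --zone=external --query-forward-port="$fwd" &> /dev/null; then
  $FW_cmd firewall-cmd --permanent --zone=external --add-forward-port="$fwd" &> /dev/null
fi

if $FW_cmd firewall-cmd --reload &> /dev/null; then
  echo "firewalld rules are ok"
else
  echo "firewalld reload failed" >&2
fi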
3)编写DHCP配置脚本dhcp.sh,并完成调试
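#!/bin/bash
# dhcp.sh -- install and configure ISC dhcpd on the DHCP server.
#
# Sourced by main.sh; expects DHCP_Server_IP and DNS_Server_IP. The server
# sits in the DMZ (192.168.10.0/24) and also serves the LAN (192.168.0.0/24)
# through the relay that dhcrelay.sh puts on the gateway.
# No `set -e`: this file is source'd and the option would leak into main.sh.

DHCP_Server_cmd="ssh -o BatchMode=yes $DHCP_Server_IP"

# Reinstall so the config written below starts from a pristine package.
if $DHCP_Server_cmd "rpm -qa | grep -q '^dhcp-4'" &> /dev/null; then
  $DHCP_Server_cmd "yum -y remove dhcp" &> /dev/null
fi

if ! $DHCP_Server_cmd yum -y install dhcp &> /dev/null; then
  echo dhcp install error!!!
else
  # Whole config in one write. The delimiter is unquoted on purpose so
  # $DNS_Server_IP expands locally; nothing else in the text needs escaping.
  $DHCP_Server_cmd 'cat > /etc/dhcp/dhcpd.conf' <<EOF
ddns-update-style none;
default-lease-time 21600;
max-lease-time 43200;
option domain-name "bdqn.com";
option domain-name-servers $DNS_Server_IP;
subnet 192.168.10.0 netmask 255.255.255.0 {
 range 192.168.10.100 192.168.10.150;
 option routers 192.168.10.254;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
 range 192.168.0.100 192.168.0.150;
 option routers 192.168.0.254;
}
EOF

  # Validate before touching the service so a typo is reported by name
  # instead of surfacing only as a failed restart.
  if ! $DHCP_Server_cmd dhcpd -t -cf /etc/dhcp/dhcpd.conf &> /dev/null; then
    echo "dhcpd.conf syntax check failed" >&2
  fi

  $DHCP_Server_cmd systemctl enable firewalld &> /dev/null
  $DHCP_Server_cmd systemctl restart firewalld &> /dev/null
  # Query and add the same (public) zone; the original queried public but
  # added to the default zone, which only happens to be the same thing.
  if ! $DHCP_Server_cmd firewall-cmd --permanent --zone=public --query-service=dhcp &> /dev/null; then
    $DHCP_Server_cmd firewall-cmd --permanent --zone=public --add-service=dhcp &> /dev/null
    $DHCP_Server_cmd firewall-cmd --reload &> /dev/null
  fi

  $DHCP_Server_cmd systemctl enable dhcpd &> /dev/null
  if $DHCP_Server_cmd systemctl restart dhcpd &> /dev/null; then
    echo DHCP Server is OK
  else
    echo dhcpd boot error
  fi
fi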
4)编写DHCP中继配置脚本dhcrelay.sh,并完成调试
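#!/bin/bash
# dhcrelay.sh -- run the ISC DHCP relay on the gateway so LAN clients reach
# the DHCP server in the DMZ.
#
# Sourced by main.sh; expects DHCP_relay_IP and DHCP_Server_IP.
# No `set -e`: this file is source'd and the option would leak into main.sh.

DHCP_relay_cmd="ssh -o BatchMode=yes $DHCP_relay_IP"

if $DHCP_relay_cmd "rpm -qa | grep -q dhcp-4" &> /dev/null; then
  $DHCP_relay_cmd yum -y remove dhcp &> /dev/null
fi
if ! $DHCP_relay_cmd yum -y install dhcp &> /dev/null; then
  echo "dhcrelay install error" >&2
fi

# Copy the vendor unit into /etc/systemd/system and edit the copy. The
# original sed edited /usr/lib/systemd/system in place, which a package
# update silently overwrites, and appended the address again on every run;
# taking a fresh copy each time keeps the edit idempotent. The relay target
# is the DHCP server variable rather than a hard-coded 192.168.10.10.
$DHCP_relay_cmd "cp -f /usr/lib/systemd/system/dhcrelay.service /etc/systemd/system/dhcrelay.service && sed -i 's/--no-pid/& $DHCP_Server_IP/' /etc/systemd/system/dhcrelay.service && systemctl daemon-reload"

$DHCP_relay_cmd systemctl enable dhcrelay &> /dev/null
# restart rather than start so an already-running relay picks up the new unit.
if $DHCP_relay_cmd systemctl restart dhcrelay &> /dev/null; then
  echo "dhcrelay is ok"
else
  echo "dhcrelay boot error"
fi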
5)编写DNS配置脚本dns.sh,并完成调试
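#!/bin/bash
# dns.sh -- install BIND on the DNS server and make it authoritative for
# bdqn.com.
#
# Sourced by main.sh; expects DNS_Server_IP, DHCP_Server_IP and
# FTP_Server_IP. DNS_ALLOWED_NETS (BIND address-list syntax) may be set
# before sourcing to change which networks may use this server for
# recursion; it defaults to the lab LAN and DMZ.
# No `set -e`: this file is source'd and the option would leak into main.sh.

DNS_Server_cmd="ssh -o BatchMode=yes $DNS_Server_IP"
DNS_ALLOWED_NETS=${DNS_ALLOWED_NETS:-"192.168.0.0/24; 192.168.10.0/24;"}

if $DNS_Server_cmd "rpm -qa | grep -q '^bind-9'" &> /dev/null; then
  $DNS_Server_cmd yum -y remove bind &> /dev/null
fi
if ! $DNS_Server_cmd yum -y install bind &> /dev/null; then
  echo "bind install error" >&2
fi

# Turn the stock named.conf into an authoritative config: listen on every
# address, answer anyone, and reuse the root-hints zone stanza as the
# bdqn.com master zone. (The sed patterns assume the stock file layout,
# including an allow-query line; the target file is not shown here.)
$DNS_Server_cmd sed -i 's/127.0.0.1/any/g' /etc/named.conf
$DNS_Server_cmd sed -i 's/localhost/any/g' /etc/named.conf
$DNS_Server_cmd sed -i 's/\"\.\"/\"bdqn.com\"/g' /etc/named.conf
$DNS_Server_cmd sed -i 's/hint/master/g' /etc/named.conf
$DNS_Server_cmd sed -i 's/named.ca/bdqn.zone/g' /etc/named.conf
# SECURITY: `allow-query { any; }` plus recursion left enabled (the stock
# default) would make this an open resolver -- reachable through the
# gateway's forwarded UDP/53 -- usable for DNS amplification. Limit
# recursion to the lab networks; authoritative answers for bdqn.com stay
# available to anyone. Must run after the localhost->any rewrite above,
# and is grep-guarded so a re-run does not add a second line.
$DNS_Server_cmd "grep -q allow-recursion /etc/named.conf || sed -i '/allow-query/a\\        allow-recursion { localhost; $DNS_ALLOWED_NETS };' /etc/named.conf"

# Zone data. The delimiter is unquoted so the server addresses expand
# locally; \$TTL is escaped to stay literal. The apex A record is new: the
# NS target bdqn.com. otherwise only resolved to the original AAAA ::1.
$DNS_Server_cmd 'cat > /var/named/bdqn.zone' <<EOF
\$TTL 1D
@ IN SOA bdqn.com. admin.bdqn.com. (200 1H 15M 1W 1D)
@ IN NS bdqn.com.
@ IN A $DNS_Server_IP
@ IN AAAA ::1
dhcp IN A $DHCP_Server_IP
dns IN A $DNS_Server_IP
ftp IN A $FTP_Server_IP
EOF
# named reads the zone as user named: root-owned, group-readable is enough.
$DNS_Server_cmd chown root:named /var/named/bdqn.zone
$DNS_Server_cmd chmod 640 /var/named/bdqn.zone

# Catch config and zone mistakes before the restart so the failure is named.
$DNS_Server_cmd named-checkconf /etc/named.conf || echo "named.conf check failed" >&2
$DNS_Server_cmd named-checkzone bdqn.com /var/named/bdqn.zone > /dev/null || echo "bdqn.zone check failed" >&2

$DNS_Server_cmd systemctl enable firewalld &> /dev/null
$DNS_Server_cmd systemctl restart firewalld &> /dev/null
if ! $DNS_Server_cmd firewall-cmd --permanent --zone=public --query-service=dns &> /dev/null; then
  $DNS_Server_cmd firewall-cmd --permanent --zone=public --add-service=dns &> /dev/null
  $DNS_Server_cmd firewall-cmd --reload &> /dev/null
fi

$DNS_Server_cmd systemctl enable named &> /dev/null
if $DNS_Server_cmd systemctl restart named &> /dev/null; then
  echo named is ok
else
  echo named boot error
fi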
6)编写FTP配置脚本ftp.sh,并完成调试
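#!/bin/bash
# ftp.sh -- install vsftpd on the FTP server with an anonymous upload area.
#
# Sourced by main.sh; expects FTP_Server_IP. Passive-mode data ports are
# pinned to 20000-20100, the range the gateway (firewall.sh) forwards.
# No `set -e`: this file is source'd and the option would leak into main.sh.

FTP_Server_cmd="ssh -o BatchMode=yes $FTP_Server_IP"
ftp_cfg=/etc/vsftpd/vsftpd.conf

if $FTP_Server_cmd 'rpm -qa | grep -q vsftpd' &> /dev/null; then
  $FTP_Server_cmd yum -y remove vsftpd &> /dev/null
fi
if ! $FTP_Server_cmd yum -y install vsftpd &> /dev/null; then
  echo "vsftpd install error" >&2
fi

# Anonymous users may upload files and create directories under pub/.
# SECURITY: the original additionally set anon_other_write_enable=YES,
# which lets any anonymous client delete, rename or overwrite everything
# in the area, including other people's uploads. A write-only drop box
# does not need it; add it back only if anonymous deletion is a real
# requirement.
$FTP_Server_cmd sed -i 's/#anon_upload_enable=YES/anon_upload_enable=YES/g' "$ftp_cfg"
$FTP_Server_cmd sed -i 's/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g' "$ftp_cfg"
# IPv4 only: enable the IPv4 listener and drop the IPv6 one (vsftpd refuses
# to start with both listeners enabled in one instance).
$FTP_Server_cmd sed -i 's/listen=NO/listen=YES/g' "$ftp_cfg"
$FTP_Server_cmd sed -i '/listen_ipv6=YES/d' "$ftp_cfg"
# Fixed passive range; grep first so a re-run does not append duplicates.
$FTP_Server_cmd "grep -q '^pasv_max_port=' $ftp_cfg || echo pasv_max_port=20100 >> $ftp_cfg"
$FTP_Server_cmd "grep -q '^pasv_min_port=' $ftp_cfg || echo pasv_min_port=20000 >> $ftp_cfg"

# Anonymous uploads are written as the ftp user, so owning the directory is
# enough; the original chmod 777 also made it writable by every local
# account on the server.
$FTP_Server_cmd "chown ftp:ftp /var/ftp/pub && chmod 755 /var/ftp/pub"

$FTP_Server_cmd systemctl enable firewalld &> /dev/null
$FTP_Server_cmd systemctl restart firewalld &> /dev/null
if ! $FTP_Server_cmd firewall-cmd --permanent --zone=public --query-service=ftp &> /dev/null; then
  $FTP_Server_cmd firewall-cmd --permanent --zone=public --add-service=ftp &> /dev/null
  $FTP_Server_cmd firewall-cmd --reload &> /dev/null
fi

$FTP_Server_cmd systemctl enable vsftpd &> /dev/null
if $FTP_Server_cmd systemctl restart vsftpd &> /dev/null; then
  echo ftp is ok
else
  echo ftp boot error
fi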
7)编写最终执行脚本main.sh,并完成调试
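#!/bin/bash
# main.sh -- one-shot deployment entry point, run on the admin PC.
#
# Sets the address of every node, then sources the per-service scripts in
# dependency order: the gateway first (routing and masquerade so the admin
# PC can reach the DMZ), yum next (the later scripts install packages),
# then the services. Edit the six addresses below to match the site.
#
# Every script runs as root over SSH with the admin PC's key, so that key
# is effectively a root credential for the whole site: keep it
# passphrase-protected (use ssh-agent) and never copy it onto the servers.

Admin_IP=192.168.0.10
FW_IP=192.168.0.254
DHCP_Server_IP=192.168.10.10
DHCP_relay_IP=192.168.0.254   # the relay runs on the gateway
DNS_Server_IP=192.168.10.20
FTP_Server_IP=192.168.10.30

# Resolve the script directory so main.sh works from any working directory;
# the original `source ./x.sh` only worked when started inside this folder.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)

for part in firewall yum dhcp dhcrelay dns ftp; do
  if [ -r "$script_dir/$part.sh" ]; then
    source "$script_dir/$part.sh"
  else
    echo "missing $script_dir/$part.sh" >&2
    exit 1
  fi
done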
8)在管理员PC上执行main.sh,实现一键部署
完成验证
1.一台机器使用内网同一网卡,调成动态DHCP方式获取IP地址
2.一台机器使用DMZ同一网卡,调试动态DHCP方式获取IP地址
3.使用动态获取IP地址的机器,使用nslookup命令查看DNS服务器的IP地址
4.验证DNS和FTP服务器
注意
1)注意搭建环境的时候,服务器开启路由转发
2)防火墙需要同时开启路由转发(ip_forward)和地址伪装,管理员PC(192.168.0.0/24)才能经由防火墙SSH到DMZ网段(192.168.10.0/24)的服务器;因此main.sh必须先执行firewall.sh
3)IP地址根据自身的情况来配置
4)注意语法:if/then/fi、for/do/done 必须配对,`[ ]` 内两侧要有空格,变量引用(如 "$FW_IP")尽量加引号;可用 shellcheck 检查
5)注意符号:脚本中的引号、分号、括号等必须使用英文半角字符,中文全角符号会导致语法错误;ssh 后面的远程命令用单引号还是双引号决定了变量在本地还是远端展开