iSCSI Security: IP Access Control
This continues with the setup from the previous section. For IP-based access control the iSCSI initiator (client) side needs no changes at all; only the configuration files on the iSCSI target have to be edited.
1. Edit /etc/iet/ietd.conf
[root@Target iet]# vi ietd.conf
Target iqn.2013-09.com.xfzhou.Target:sdb
Lun 0 Path=/dev/sdb,Type=fileio,ScsiId=xyz,ScsiSN=xyz
Target iqn.2013-09.com.xfzhou.Target:sdc
Lun 0 Path=/dev/sdc,Type=fileio,ScsiId=xyz,ScsiSN=xyz
Note that each Target line is paired with its own Lun line. Both LUNs here also carry the same ScsiId and ScsiSN (xyz); initiators that identify a disk by those values (multipath, Windows) can mistake one LUN for the other, so in practice give every LUN a unique pair.
2. Edit /etc/iet/initiators.allow
[root@Target iet]# vi initiators.allow
#iqn.2001-04.com.example:storage.disk1.sys1.xyz 192.168.0.0/16, .*:mscs1-[1-4]\.example\.com
#iqn.2001-04.com.example:storage.disk1.sys2.xyz [3ffe:302:11:1:211:43ff:fe31:5ae2], [3ffe:505:2:1::]/64, 192.168.22.0/24
#iqn.2001-04.com.example:storage.disk1.sys3.xyz ALL
#iqn.2001-04.com.example:storage.disk1.sys4.xyz 192.168.22.3, iqn\.1998-01\.com\.vmware:.*\.example\.com
iqn.2013-09.com.xfzhou.Target:sdb 192.168.10.10
iqn.2013-09.com.xfzhou.Target:sdc 192.168.10.201
From the commented examples above we can see:
a. the right-hand side can be a single IP address or a whole network in CIDR form (IPv6 addresses are written in square brackets);
b. it can also be a name pattern written as a regular expression (the stock examples match initiator names that look like host names); because it is a regex, the dots have to be escaped with \;
c. when hosts on several different networks need access to the same shared disk, the entries are separated by commas; the keyword ALL matches everything.
Keep in mind what this control actually checks: the source IP address of the TCP connection. It identifies a host, not a user, and anyone who can source traffic from an allowed address (a compromised client, or a machine on the same segment that takes over that address) gets the LUN. Treat it as one layer next to CHAP authentication and a dedicated storage VLAN, not as the only one.
3. Test from the Linux client:
With IP access control there is nothing to configure on the client; restarting the iscsi service is enough to see the effect. Unmount any filesystem that lives on the LUN first: the restart below was done with one still in use, which is what the "journal commit I/O error" kernel message in the output indicates.
[root@file /]# service iscsi restart
Logging out of session [sid: 1, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]
Logout of [sid: 1, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]: successful
Message from syslogd@ at Sat Sep 7 12:14:53 2013 ...
file kernel: journal commit I/O errorStopping iSCSI daemon:
iscsid dead but pid file exists
[ OK ]off network shutdown. Starting iSCSI daemon: [ OK ]
[ OK ]
Setting up iSCSI targets: Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]
Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]
iscsiadm: Could not login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]:
iscsiadm: initiator reported error (19 - encountered non-retryable iSCSI login failure)
Login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]: successful
iscsiadm: Could not log into all portals. Err 19.
[ OK ]
[root@file /]#
The previously shared sdc can no longer log in, while the newly shared sdb (whose entry allows this client's address) logs in fine, so the IP access control is in effect. Note the shape of the rejection: the target accepts the TCP connection and the initiator reports a non-retryable login failure (error 19) instead of a connection error, which is what a deliberate ACL rejection looks like as opposed to an unreachable portal.
Now look at the client's disks:
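The two halves of the procedure, the initiators.allow rules of step 2 and the login check of step 3, can be put together in one small audit tool: evaluate the ACL for a given initiator and compare it with what iscsiadm actually reported. This is an added example, not code from the page or from IET. It assumes the client's initiator name is iqn.1994-05.com.redhat:file and its address is 192.168.10.10 (neither is printed on the page), that IET consults the first line whose target column matches and stops there, that regular-expression tokens are matched against the initiator name, and it makes the fate of a target with no line at all an explicit parameter because IET versions differ here (stock files often end in "ALL ALL"). The sample ACL and iscsiadm output are constructed from the lines shown above.

```python
import ipaddress
import re

# Constructed sample of an IET initiators.allow: the two live entries from the
# page plus two of its stock commented examples, uncommented so the IPv6,
# CIDR and regular-expression forms can be exercised.
INITIATORS_ALLOW = r"""
# target-name  comma-separated: IP, [IPv6], network/prefix, ALL, or a regex on the initiator name
iqn.2013-09.com.xfzhou.Target:sdb 192.168.10.10
iqn.2013-09.com.xfzhou.Target:sdc 192.168.10.201
iqn.2001-04.com.example:storage.disk1.sys2.xyz [3ffe:302:11:1:211:43ff:fe31:5ae2], [3ffe:505:2:1::]/64, 192.168.22.0/24
iqn.2001-04.com.example:storage.disk1.sys4.xyz 192.168.22.3, iqn\.1998-01\.com\.vmware:.*\.example\.com
"""

# Constructed from the iscsiadm lines the page shows for `service iscsi restart`.
ISCSIADM_OUTPUT = """\
iscsiadm: Could not login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]:
iscsiadm: initiator reported error (19 - encountered non-retryable iSCSI login failure)
Login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]: successful
"""

def parse_initiators_allow(text):
    """Return [(target, [token, ...]), ...] in file order; '#' lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a target with no rules is ignored, like any malformed line
        target, rhs = parts
        entries.append((target, [t.strip() for t in rhs.split(",") if t.strip()]))
    return entries

def token_matches(token, initiator_name, initiator_ip):
    """Evaluate one right-hand-side token against the connecting initiator."""
    if token == "ALL":
        return True
    candidate = token
    if token.startswith("[") and "]" in token:
        # [v6addr] or [v6net]/prefix: the brackets wrap only the address part
        close = token.index("]")
        candidate = token[1:close] + token[close + 1:]
    try:
        net = ipaddress.ip_network(candidate, strict=False)
    except ValueError:
        # Not an address or network, so treat it as a regular expression on the
        # initiator name (assumption; this example anchors the whole name).
        return re.fullmatch(token, initiator_name) is not None
    return ipaddress.ip_address(initiator_ip) in net  # False across IPv4/IPv6

def is_allowed(entries, target, initiator_name, initiator_ip, default_allow=False):
    """First line whose target column is the target (or ALL) decides; any matching
    token grants access. A target with no line falls back to default_allow, which
    you should set to whatever the tail of your own initiators.allow implies."""
    for tgt, tokens in entries:
        if tgt in ("ALL", target):
            return any(token_matches(tok, initiator_name, initiator_ip) for tok in tokens)
    return default_allow

LOGIN_RE = re.compile(
    r"^(?P<verdict>Login to|iscsiadm: Could not login to) "
    r"\[iface: [^,]+, target: (?P<target>[^,\s]+), portal:"
)

def parse_login_results(text):
    """Map each target named in iscsiadm login output to True (logged in) or False."""
    results = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            results[m.group("target")] = m.group("verdict") == "Login to"
    return results

def audit(entries, login_results, initiator_name, initiator_ip, default_allow=False):
    """List every target whose real login outcome disagrees with the ACL. A success
    the ACL should deny means the ACL is not enforcing; a failure the ACL should
    allow points at something else (CHAP, portal, target config)."""
    problems = []
    for target, logged_in in sorted(login_results.items()):
        expected = is_allowed(entries, target, initiator_name, initiator_ip, default_allow)
        if logged_in and not expected:
            problems.append(f"{target}: login from {initiator_ip} succeeded but the ACL denies it")
        elif not logged_in and expected:
            problems.append(f"{target}: the ACL allows {initiator_ip} but login failed")
    return problems

if __name__ == "__main__":
    acl = parse_initiators_allow(INITIATORS_ALLOW)
    outcome = parse_login_results(ISCSIADM_OUTPUT)
    # Assumed identity of the client "file"; the page never prints its address.
    findings = audit(acl, outcome, "iqn.1994-05.com.redhat:file", "192.168.10.10")
    for line in findings or ["ACL enforced as configured"]:
        print(line)
```

Run it with the real files instead of the embedded samples (read /etc/iet/initiators.allow on the target and paste the client's iscsiadm output) and the audit tells you, per target, whether the rejection you saw was the ACL doing its job or something else failing. Running the same audit for an address that is not listed is the fail-open check: if a target it should deny still logs in, the tail of your initiators.allow or your IET version is letting everything through.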
[root@file /]# fdisk -l
Disk /dev/sda: 16.1 GB, 16106127360 bytes
255 heads, 63 sectors/track, 1958 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 25 200781 83 Linux
/dev/sda2 26 286 2096482+ 82 Linux swap / Solaris
/dev/sda3 287 1958 13430340 83 Linux
Disk /dev/sdb: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 1 522 4192933+ fd Linux raid autodetect
Disk /dev/sdc: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdc1 1 522 4192933+ fd Linux raid autodetect
Disk /dev/sdd: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdd1 1 522 4192933+ fd Linux raid autodetect
Disk /dev/md0: 8586 MB, 8586919936 bytes
255 heads, 63 sectors/track, 1043 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/md0p1 1 1043 8377866 5 Extended
/dev/md0p5 1 1043 8377834+ 83 Linux
Disk /dev/sdf: 10.7 GB, 10737418240 bytes
64 heads, 32 sectors/track, 10240 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Disk /dev/sdf doesn't contain a valid partition table
[root@file /]#
On Windows, just refresh the target list in the iSCSI Initiator; nothing else is required.