iSCSI Security: IP-based Access Control

This builds on the PC setup from the previous section. For IP-based access control the iSCSI client (initiator) needs no changes at all; only the configuration files on the iSCSI target are modified.

1. Edit /etc/iet/ietd.conf

[root@Target iet]# vi ietd.conf

Target iqn.2013-09.com.xfzhou.Target:sdb

Lun 0 Path=/dev/sdb,Type=fileio,ScsiId=xyz,ScsiSN=xyz


Target iqn.2013-09.com.xfzhou.Target:sdc

Lun 0 Path=/dev/sdc,Type=fileio,ScsiId=xyz,ScsiSN=xyz


Note that the Target and Lun lines here come in pairs!


2. Edit /etc/iet/initiators.allow

[root@Target iet]# vi initiators.allow

#iqn.2001-04.com.example:storage.disk1.sys1.xyz 192.168.0.0/16, .*:mscs1-[1-4]\.example\.com

#iqn.2001-04.com.example:storage.disk1.sys2.xyz [3ffe:302:11:1:211:43ff:fe31:5ae2], [3ffe:505:2:1::]/64, 192.168.22.0/24

#iqn.2001-04.com.example:storage.disk1.sys3.xyz ALL

#iqn.2001-04.com.example:storage.disk1.sys4.xyz 192.168.22.3, iqn\.1998-01\.com\.vmware:.*\.example\.com

iqn.2013-09.com.xfzhou.Target:sdb 192.168.10.10

iqn.2013-09.com.xfzhou.Target:sdc 192.168.10.201


The commented examples above show that:

a. an access entry can be a single IP address or a whole network (address/prefix);

b. it can also be a domain name, but the dots in the name must be escaped with \;

c. when hosts on several different subnets need access to the same shared disk, the entries are separated with commas ",".
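As an added illustration (not from the original post), here is a small Python model of how the entry forms listed above are evaluated against a connecting initiator: a single address, a network in CIDR notation, a regular expression for a host name, the ALL keyword, and comma-separated lists. The sdb and sdc lines are the post's own; the lab and any targets in the sample file are invented for the example. That a target with no line in the file is denied, and that IET anchors the pattern against the whole client name, are assumptions of this model and should be checked against the IET manual. The unescaped_dot_entries function is a config lint for the mistake point (b) warns about.

```python
import ipaddress
import re

# Constructed sample of /etc/iet/initiators.allow. The sdb/sdc lines are the
# post's own; the "lab" and "any" targets are invented here to exercise the
# network, regex and ALL forms shown in the file's comments.
SAMPLE_ALLOW = r"""
# comments and blank lines are ignored
iqn.2013-09.com.xfzhou.Target:sdb 192.168.10.10
iqn.2013-09.com.xfzhou.Target:sdc 192.168.10.201
iqn.2013-09.com.xfzhou.Target:lab 192.168.0.0/16, .*:mscs1-[1-4]\.example\.com
iqn.2013-09.com.xfzhou.Target:any ALL
"""


def parse_allow(text):
    """Return [(target, [entry, ...]), ...] in file order, comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        target = parts[0]
        entries = [e.strip() for e in parts[1].split(",")] if len(parts) > 1 else []
        rules.append((target, [e for e in entries if e]))
    return rules


def as_network(entry):
    """Parse '192.168.10.10', '192.168.0.0/16' or '[3ffe:505:2:1::]/64'; None if not an address."""
    try:
        return ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return None


def entry_matches(entry, client_ip, client_name):
    """Evaluate one comma-separated entry against a connecting client."""
    if entry == "ALL":
        return True
    net = as_network(entry)
    if net is not None:
        # A bare address parses as a /32 (or /128) network, so 'in' covers both forms.
        return ipaddress.ip_address(client_ip) in net
    # Anything else is treated as a regular expression that must match the
    # whole client name (assumption: IET anchors the pattern this way).
    return re.fullmatch(entry, client_name) is not None


def is_allowed(rules, target, client_ip, client_name):
    """Default deny: a target with no line in the file is closed (assumption)."""
    for rule_target, entries in rules:
        if rule_target in (target, "ALL"):
            return any(entry_matches(e, client_ip, client_name) for e in entries)
    return False


def unescaped_dot_entries(rules):
    """Config lint: name patterns containing a '.' that is neither escaped nor a wildcard.

    An unescaped dot matches any character, so 'mscs1-1.example.com' would also
    match 'mscs1-1xexamplexcom'; point (b) above is exactly this pitfall.
    """
    bad = []
    for target, entries in rules:
        for e in entries:
            if e == "ALL" or as_network(e) is not None:
                continue
            if re.search(r"(?<!\\)\.(?![*+?])", e):
                bad.append((target, e))
    return bad
```

Running parse_allow over the sample and calling is_allowed with the client's address and name reproduces what the target daemon decides on login; the lint is worth running before restarting ietd, since a pattern with an unescaped dot silently widens the allow list.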



3. Test on a Linux client:

With IP-based access control the client needs no configuration of its own; simply restart the iscsi service and the effect is visible immediately:

[root@file /]# service iscsi restart

Logging out of session [sid: 1, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]

Logout of [sid: 1, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]: successful


Message from syslogd@ at Sat Sep  7 12:14:53 2013 ...

file kernel: journal commit I/O errorStopping iSCSI daemon:

iscsid dead but pid file exists

[  OK  ]off network shutdown. Starting iSCSI daemon: [  OK  ]

[  OK  ]

Setting up iSCSI targets: Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]

Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]

iscsiadm: Could not login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]:

iscsiadm: initiator reported error (19 - encountered non-retryable iSCSI login failure)

Login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]: successful

iscsiadm: Could not log into all portals. Err 19.

[  OK  ]

[root@file /]#

Notice that the login to the previously shared sdc failed, while the newly shared sdb logged in successfully: the IP access control is in effect!
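An added check, not part of the original post: parse the iscsiadm messages from the restart above and compare each target's login outcome with what the new initiators.allow should produce, so the test can be repeated after every ACL change instead of read by eye. The sample output is a constructed excerpt of the post's own terminal session, and the expected map is this example's assumption for that setup.

```python
import re

# Constructed excerpt of the `service iscsi restart` output shown in the post
# (target names and portal are the post's own).
SAMPLE_OUTPUT = """\
Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]
Logging in to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]
iscsiadm: Could not login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdc, portal: 192.168.10.50,3260]:
iscsiadm: initiator reported error (19 - encountered non-retryable iSCSI login failure)
Login to [iface: default, target: iqn.2013-09.com.xfzhou.Target:sdb, portal: 192.168.10.50,3260]: successful
iscsiadm: Could not log into all portals. Err 19.
"""

# "Login to [...]: successful" and "iscsiadm: Could not login to [...]" carry the
# per-target verdict; the "Logging in to" attempt lines are deliberately skipped.
LOGIN_RE = re.compile(
    r"^(?P<verb>Login to|iscsiadm: Could not login to) "
    r"\[iface: [^,]+, target: (?P<target>[^,]+), portal: (?P<portal>[^\]]+)\]"
)


def login_results(text):
    """Map each target IQN to 'successful' or 'failed' from iscsiadm messages."""
    results = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        results[m.group("target")] = "successful" if m.group("verb") == "Login to" else "failed"
    return results


def check_against_expectation(text, expected):
    """Return (target, expected, observed) mismatches; an empty list means the ACL behaved."""
    observed = login_results(text)
    mismatches = []
    for target, want in expected.items():
        got = observed.get(target, "no login attempt seen")
        if got != want:
            mismatches.append((target, want, got))
    return mismatches


# Expected outcome for the post's setup (assumption of this example): the client
# is allowed to sdb and blocked from sdc.
EXPECTED = {
    "iqn.2013-09.com.xfzhou.Target:sdb": "successful",
    "iqn.2013-09.com.xfzhou.Target:sdc": "failed",
}
```

In practice the text would come from `service iscsi restart 2>&1` or `iscsiadm -m node -l 2>&1`; a non-empty mismatch list after a rule change is the signal that either the allow file or the client's address is not what was intended.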


Now look at the local disks:

[root@file /]# fdisk -l


Disk /dev/sda: 16.1 GB, 16106127360 bytes

255 heads, 63 sectors/track, 1958 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes


  Device Boot      Start         End      Blocks   Id  System

/dev/sda1   *           1          25      200781   83  Linux

/dev/sda2              26         286     2096482+  82  Linux swap / Solaris

/dev/sda3             287        1958    13430340   83  Linux


Disk /dev/sdb: 4294 MB, 4294967296 bytes

255 heads, 63 sectors/track, 522 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes


  Device Boot      Start         End      Blocks   Id  System

/dev/sdb1               1         522     4192933+  fd  Linux raid autodetect


Disk /dev/sdc: 4294 MB, 4294967296 bytes

255 heads, 63 sectors/track, 522 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes


  Device Boot      Start         End      Blocks   Id  System

/dev/sdc1               1         522     4192933+  fd  Linux raid autodetect


Disk /dev/sdd: 4294 MB, 4294967296 bytes

255 heads, 63 sectors/track, 522 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes


  Device Boot      Start         End      Blocks   Id  System

/dev/sdd1               1         522     4192933+  fd  Linux raid autodetect


Disk /dev/md0: 8586 MB, 8586919936 bytes

255 heads, 63 sectors/track, 1043 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes


   Device Boot      Start         End      Blocks   Id  System

/dev/md0p1               1        1043     8377866    5  Extended

/dev/md0p5               1        1043     8377834+  83  Linux


Disk /dev/sdf: 10.7 GB, 10737418240 bytes

64 heads, 32 sectors/track, 10240 cylinders

Units = cylinders of 2048 * 512 = 1048576 bytes


Disk /dev/sdf doesn't contain a valid partition table

[root@file /]#


On Windows, just refresh the disk list; no other steps are needed.