1.配置SELinux
vim /etc/selinux/config
SELINUX=enforcing
setenforce 1
getenforce
2. 配置SSH访问
本题考查firewall-cmd --add-rich-rule配置
可通过man firewalld.richlanguage查看语法规
man firewalld.richlanguage | grep rule.也可以查看example
firewall-cmd --add-rich-rule=' rule family=ipv4 source address=172.25.0.0/16 service name=ssh accept ' --permanent
firewall-cmd --add-rich-rule=' rule family=ipv4 source address=172.24.1.0/24 service name=ssh drop ' --permanent
firewall-cmd --reload
firewall-cmd --list-all
3.自定义用户环境
vim /etc/bashrc
alias psa='/bin/ps -aux'
tail -n1 /etc/bashrc
source /etc/bashrc #source命令的作用:修改了/etc/bashrc(或/etc/profile)这类文件后,可使其立刻生效,而不用重新登录
4.配置防火墙转发
此题考查仍然为firewall-cmd --add-rich-rule配置
参考man firewalld.richlanguage | grep rule.中的example
firewall-cmd --add-rich-rule ' rule family=ipv4 source address=172.25.0.0/16 forward-port port=5423 to-port=80 protocol=tcp ' --permanent
firewall-cmd --reload
firewall-cmd --list-all
5.配置链路聚合
config参数可通过man teamd.conf,接着/EXAMPLE查看
也可以man teamd.conf | grep active
nmcli connection add con-name team0 type team ifname team0 config '{"runner":"activebackup"}'
nmcli connection add con-name port1 type team-slave ifname eth1 master team0
nmcli connection add con-name port2 type team-slave ifname eth2 master team0
nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.0.11/24 connection.autoconnect yes
systemctl restart network #重启网络服务
nmcli device status #查看网卡状态
teamdctl team0 state #查看链路聚合的状态
6.配置IPv6地址
nmcli connection modify 'System eth0' ipv6.method manual ipv6.addresses fddb:fe2a:ab1e::0:64/64 connection.autoconnect yes
systemctl restart network
7.配置本地邮件服务
postconf -e "inet_interfaces=loopback-only"
postconf -e "mynetworks=127.0.0.0/8 [::1]/128"
postconf -e "relayhost=[classroom.example.com]"
postconf -e "myorigin=classroom.example.com"
postconf -e "mydestination="
postconf -e "local_transport=error:disable"
systemctl restart postfix
systemctl enable postfix
mail -s 'ldapuser0test' [email protected]
test
.
EOT
8.在server0上配置SAMBA服务
systemctl enable smb nmb
----------------------------
vim /etc/samba/smb.conf
workgroup=STAFF
[common]
path=/common
hosts allow =172.25.
browseable =yes
valid users =floyd
---------------------
mkdir /common
useradd floyd
setfacl -m u:floyd:rw /common #注意:目录需要x权限才能进入并访问其中的文件,实际通常应为rwx
ll -d /common
getfacl /common
semanage fcontext -a -t samba_share_t '/common(/.*)?'
restorecon -RvF /common
systemctl restart smb nmb
smbpasswd -a floyd
firewall-cmd --add-service=samba --permanent #--permanent规则需执行firewall-cmd --reload后才生效
-------------------------
客户端:
yum -y install samba*
yum -y install cifs-utils
mount -t cifs -o username=floyd,password=flectrag //server0/common /test #临时挂载到/test(题目9中会umount);命令行中的password会出现在ps输出和shell历史里,建议改用credentials=文件或交互式输入密码
smbclient -L //server0 -U floyd
9.配置多用户samba挂载
mkdir /devops
semanage fcontext -a -t samba_share_t '/devops(/.*)?'
restorecon -RvF /devops
useradd kenji
useradd chihiro
passwd kenji
passwd chihiro
---------------------
smbpasswd -a kenji
smbpasswd -a chihiro
-----------------------
vim /etc/samba/smb.conf
[devops]
path=/devops
hosts allow =172.25.
browseable = yes
valid users =kenji,chihiro
write list=chihiro
systemctl restart smb nmb
setfacl -m u:kenji:rx /devops
setfacl -m u:chihiro:rwx /devops
getfacl /devops
systemctl restart smb nmb
------------------------------
客户端:
mkdir /mnt/dev
umount /test #释放题目8中的临时挂载点
vim /etc/fstab
//server0/devops /mnt/dev cifs defaults,multiuser,sec=ntlmssp,cred=/pass.txt 0 0
vim /pass.txt #凭据文件中含明文密码,应仅root可读: chmod 600 /pass.txt
username=kenji
password=redhat
mount -a
mount | grep devops
----------------------------
测试
useradd kenji
useradd chihiro
cifscreds add server0 #需以对应用户(如su - kenji后)执行,凭据保存在该用户的内核密钥环中
ll /mnt/dev
touch /mnt/dev/test 测试写入
10.在server0上配置NFS服务
mkdir /public
mkdir /protected
systemctl enable nfs-server nfs-secure-server
---------------------------------------
vim /etc/exports
/public *.example.com(ro)
/protected *.example.com(rw,sec=krb5p)
-------------------------------------------
wget -O /etc/krb5.keytab http://....... #keytab等同于服务凭据,下载后应确保仅root可读(chmod 600)
systemctl restart nfs-server nfs-secure-server
----------------------------------------------
mkdir /protected/project
chown ldapuser1 /protected/project
ll -d /protected/project
---------------------------------------------
semanage fcontext -a -t public_content_t '/public(/.*)?'
semanage fcontext -a -t public_content_t '/protected(/.*)?'
restorecon -RvF /public
restorecon -RvF /protected
------------------------------------------------
firewall-cmd --add-service=nfs --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --add-service=mountd --permanent
firewall-cmd --reload
firewall-cmd --list-all
----------------------------------------------------
systemctl restart nfs-server nfs-secure-server
11.在desktop0上挂载server0的NFS共享
mkdir /mnt/nfsmount
mkdir /mnt/nfssecure
systemctl enable nfs-secure
-------------------------------------------
wget -O /etc/krb5.keytab http://....... #keytab应仅root可读(chmod 600)
systemctl restart nfs-secure
-------------------------------------------------
vim /etc/fstab
server0:/public /mnt/nfsmount nfs defaults 0 0
server0:/protected /mnt/nfssecure nfs defaults,sec=krb5p 0 0
--------------------------------------------------
mount -a
mount | grep public
mount | grep protected #检查挂载情况
df -h
----------------------------------------------------
#测试:
ssh ldapuser1@desktop0 # passwd=kerberos
touch /mnt/nfssecure/project/test-file-ldapuser1
ll /mnt/nfssecure/project #通过创建文件,检查用户权限
12.在server0上配置一个web站点http://www0.example.com
yum -y install httpd*
systemctl enable httpd
wget -O /var/www/html/index.html http:... #下载密钥并命名为index.html
systemctl restart httpd
---------------------------------------------
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=httpd --permanent #firewalld预定义服务名为http/https,没有httpd,此行会报错且与上一行重复,可省略(用firewall-cmd --get-services查看可用服务)
firewall-cmd --reload
firewall-cmd --list-all
-------------------------------------------------
打开http://server0/manual页面(httpd-manual提供的文档,可从中复制配置示例)
vim /etc/httpd/conf.d/www0.conf #也可以cd /etc/httpd/conf.d vim www0.conf
ServerName www0.example.com
DocumentRoot /var/www/html
---------------------------------------------
vim /etc/httpd/conf/httpd.conf
/Directory
复制:
AllowOverride None
Require all granted
---------------------------------------
vim /etc/httpd/conf.d/www0.conf
ServerName www0.example.com
DocumentRoot /var/www/html
Require ip 172.25 #Require只能写在<Directory /var/www/html>...</Directory>块内(参考httpd.conf中复制的Directory段),直接放在配置顶层httpd会拒绝启动
---------------------------------------------------
ll -Z /var/www/html/index.html