Reaching an intranet machine through an SSH tunnel

Scenario: you cannot ssh to the intranet machine directly, but the intranet machine can reach the public internet, so a host on the public internet can be used to open an ssh tunnel back to it.

Assume the IP addresses are:

  1. Intranet machine: 172.16.0.1
  2. Public host: 1.2.3.4

First confirm that the sshd configuration on the public host permits reverse tunnels:

cat /etc/ssh/sshd_config | grep GatewayPorts
GatewayPorts yes

On the intranet machine, open the tunnel to the public host; the ssh authentication here uses the public host's username and password:

# -N: do not run a remote command, only forward ports
# -R: set up a reverse tunnel; in this example port 2222 on the public host is forwarded to port 22 on the intranet machine
ssh -N -R 2222:0.0.0.0:22 root@1.2.3.4

Then, from your local machine, ssh to port 2222 on the public host; this ssh authentication uses the intranet machine's username and password:

ssh root@1.2.3.4 -p 2222
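The grep above also matches a commented-out `#GatewayPorts` line, and sshd honours only the first uncommented occurrence. The following added example (not part of the original notes, not OpenSSH code) reads the setting the way sshd does and works out which address the forwarded port 2222 will actually be bound to on the public host; the sshd_config snippets in it are constructed.

```python
"""Where will an `ssh -R` reverse tunnel listen on the public host?

sshd derives the bind address of a remote forward from its own GatewayPorts
setting and from the optional bind_address in the client's -R spec.  This
re-implements that rule (added example, not from the notes or from OpenSSH)
and reads GatewayPorts as sshd does: first uncommented occurrence wins.
"""
import re

# Constructed sshd_config fragments.
CONFIG_COMMENTED = "Port 22\n#GatewayPorts yes\n"          # grep matches, sshd does not
CONFIG_ON = "Port 22\nGatewayPorts yes\n# GatewayPorts no\n"
CONFIG_FIRST_WINS = "GatewayPorts no\nGatewayPorts yes\n"  # second line is ignored


def effective_gateway_ports(sshd_config):
    """Return the effective global GatewayPorts value: 'no' (the default),
    'yes' or 'clientspecified'.  Comments and blank lines are skipped, the
    first occurrence is taken, and scanning stops at the first Match block
    because keywords inside it are conditional."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.lower().startswith('match'):
            break
        m = re.match(r'(?i)gatewayports\s*=?\s*(\S+)', line)
        if m:
            return m.group(1).lower()
    return 'no'


def parse_remote_forward(spec):
    """Split '[bind_address:]port:host:hostport' as given to ssh -R."""
    parts = spec.split(':')
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f'unrecognised -R spec: {spec!r}')
    return bind, int(port), host, int(hostport)


def listen_address_on_server(spec, gateway_ports):
    """Address sshd binds the forwarded port to on the public host.
    GatewayPorts no              -> loopback only, whatever the client asked for
    GatewayPorts yes             -> wildcard (every interface), whatever the client asked for
    GatewayPorts clientspecified -> the client's bind_address; loopback if none given"""
    bind, _port, _host, _hostport = parse_remote_forward(spec)
    if gateway_ports == 'yes':
        return '0.0.0.0'
    if gateway_ports == 'clientspecified' and bind is not None:
        if bind in ('', '*'):
            return '0.0.0.0'
        return '127.0.0.1' if bind == 'localhost' else bind
    return '127.0.0.1'


def tunnel_exposure(spec, sshd_config):
    """One-line verdict for a -R spec against a given sshd_config text."""
    gp = effective_gateway_ports(sshd_config)
    _bind, port, host, hostport = parse_remote_forward(spec)
    addr = listen_address_on_server(spec, gp)
    reach = ('every interface of the public host' if addr == '0.0.0.0'
             else 'the public host itself only')
    return f'GatewayPorts={gp}: {addr}:{port} -> {host}:{hostport}, reachable from {reach}'


if __name__ == '__main__':
    for cfg in (CONFIG_COMMENTED, CONFIG_ON, CONFIG_FIRST_WINS):
        print(tunnel_exposure('2222:0.0.0.0:22', cfg))
```

With `GatewayPorts yes` the listener on 2222 is reachable from the whole internet, so the intranet machine's sshd is then exposed through the public host; with the default `no` it is reachable only from the public host itself, which is enough for the two-step login in the notes.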

Linux file systems

A file system is a scheme for organizing and managing the data on a computer's storage devices. It divides the physical space of a storage device into logical structures and provides mechanisms for accessing and managing the data.

The basic functions of a file system include:

  1. Organizing data into files and directories
  2. Providing read and write access to files
  3. Managing storage space
  4. Providing file security and protection

Common file systems:

  1. ext4: one of the most widely used Linux file systems, supporting large volumes, high performance and good scalability
  2. xfs: another high-performance file system, supporting large files and heavy I/O loads
  3. fat32: a file system compatible with Windows and other operating systems, suited to cross-platform file sharing
  4. ntfs: the default Windows file system, supporting large volumes and advanced features such as file permissions and encryption

Differences between ext4 and xfs

  1. xfs performs better than ext4, for example under I/O-intensive workloads
  2. The maximum file system size is 1 EB for ext4 and 8 EB for xfs
  3. The maximum file size is 16 TB for ext4 and 16 EB for xfs
  4. ext4 has broader compatibility than xfs and is supported by most Linux distributions

Basic Linux network services

I. DHCP service

1.1 Introduction to DHCP

DHCP, the Dynamic Host Configuration Protocol, is used on local area networks; its main job is to assign IP addresses.

DHCP uses UDP: port 67 is used for sending and port 68 for receiving.

1.2 Deploying the DHCP service

  1. Install DHCP

yum -y install dhcp
  2. The DHCP configuration file explained

cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cat /etc/dhcp/dhcpd.conf
# The DHCP configuration file is divided into global settings and scope settings, and they are easy to tell apart: anything inside a subnet block is a scope setting, anything outside is global.
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Global DNS options: specify the DNS servers, either as IP addresses or as domain names.
# option definitions common to all supported networks...
# The DNS domain name
option domain-name "example.org";
# The actual DNS servers
option domain-name-servers ns1.example.org, ns2.example.org;
# Lease settings: the default lease is 600 s
default-lease-time 600;
# Lease settings: the maximum lease is 7200 s, used when the client does not request an explicit lease time
max-lease-time 7200;
# Dynamic DNS update style (none: no updates; interim: interim update mode; ad-hoc: ad-hoc update mode)
# Use this to enable / disable dynamic dns updates globally.
# ddns-update-style none;
# If this DHCP server is the official DHCP server for the local network, turn this option on to avoid interference from other DHCP servers.
# When a client tries to keep an IP address that this server did not assign, the server sends a refusal instead of waiting for the request to time out.
# Once refused, the client sends a fresh request to this DHCP server and obtains a new address.
# This guarantees that the addresses in use were handed out by this server.
#
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# Enabling this marks the server as the authoritative DHCP server
# authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
# Syslog facility used for dhcpd log messages
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# Scope-related directives
# subnet                      defines a scope
# netmask                     the scope's network mask
# range                       the range of IP addresses that may be handed out
# option routers              the gateway address
# option domain-name-servers  the DNS server addresses
# option broadcast-address    the broadcast address
#
#
# Example: define a scope for network 10.152.187.0 with mask 255.255.255.0
# This scope provides no service
subnet 10.152.187.0 netmask 255.255.255.0 {
}
# This is a very basic subnet declaration.
# Example: define a basic scope
# network 10.254.239.0, mask 255.255.255.224
# addresses handed out: 10.254.239.10-20
# gateways: rtr-239-0-1.example.org, rtr-239-0-2.example.org
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
# Example: allow clients using the BOOTP protocol to obtain addresses dynamically
# BOOTP is the predecessor of DHCP.
# BOOTP was used on LANs of diskless workstations so that they could obtain an IP address from a central server. With BOOTP, the diskless workstations
# on the LAN can be given addresses dynamically, so the administrator does not have to configure a static IP address for every machine.
subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}
# Example: a simple scope
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#
# Reservations: hand a specific IP address to a specific machine, matched on the MAC address of its network card
# host:          declares a reservation
# hardware:      the client's MAC address
# filename:      the boot file name
# server-name:   the boot server the client should contact
# fixed-address: the reserved IP address
#
#
# Example: here the client is not given IP address information; instead it is told to contact the server toccata.fugue.com and download the file vmunix.passacaglia
host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
# Example: a reservation that hands a fixed IP address (the address of fantasia.fugue.com) to a specific client network card (MAC 08:00:07:26:c0:a5)
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.fugue.com;
}
# Superscopes (shared networks)
# A superscope is an administrative feature of the DHCP service that combines several scopes into a single administrative entity.
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
# On a LAN, policies can assign IP addresses and other network parameters according to each machine's characteristics. A client offers the DHCP service two pieces of identifying information:
# the first is the network card's dhcp-client-identifier (MAC address),
# the second is the device's vendor-class-identifier.
# The administrator can group machines by either of these.
# Example:
# Group DHCP clients by client type rather than by the network of the physical interface
# SUNW clients are given addresses from 10.17.224.0/24
# hosts that are not SUNW are given addresses from 10.0.29.0/24
# Define a DHCP class: foo
# If the first four bytes of the vendor-class-identifier field in the client's request are "SUNW", the client is a member of the class.
class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
# Define a superscope (shared network): 224-29
shared-network 224-29 {
  # First scope
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
  # Second scope
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
  # Associated pool: clients that match class foo get addresses from this pool
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  # Associated pool: clients that match class foo are refused addresses from this range
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}

1.3 Configuring a scope

  1. Configure the scope

subnet 192.168.88.0 netmask 255.255.255.0 {
  range 192.168.88.150 192.168.88.160;                  # range of addresses to hand out
  option routers 192.168.88.2;                          # gateway: a host address in the subnet, not the network address 192.168.88.0
  option broadcast-address 192.168.88.255;              # broadcast address
  option domain-name-servers 8.8.8.8, 114.114.114.114;  # DNS servers
  default-lease-time 7200;                              # default lease: 2 hours
  max-lease-time 10800;                                 # maximum lease: 3 hours
}

  2. Set another host's network card to DHCP mode

[Figure: DHCP 1]

# restart the network service
systemctl restart network

  3. Test with the dhclient command

# release the current IP address
dhclient -r ens33
# obtain an IP address (-d keeps dhclient in the foreground so its output is visible)
dhclient -d ens33

[Figure: DHCP 2]

  4. Check that an address in the 150-160 range was obtained

[Figure: DHCP 3]

1.4 Reservations

When a lease expires the client has to give its IP address back, and the next time it asks it may not get the same one. A company usually has machines that need a fixed address, such as printers and file servers, so DHCP lets you configure reserved addresses for them.

DHCP matches on the MAC address of the host's network card and hands the reserved IP address to the host whose network card has that MAC address.

  1. Get the network card's MAC address

[Figure: DHCP 4]

  2. Add the reservation

vim /etc/dhcp/dhcpd.conf
host fantasia {
  hardware ethernet 00:0c:29:6c:6f:0d;
  fixed-address 192.168.88.155;
}

  3. Check that the reserved address is obtained

dhclient -r ens37
dhclient -d ens37

[Figure: DHCP 5]

1.5 Superscopes

Put simply, a superscope merges two or more scopes for different networks into one scope.

  1. Add the superscope

# Before adding the superscope, the DHCP server must have a network card on each of the two networks
shared-network supernet {

  subnet 192.168.88.0 netmask 255.255.255.0 {
    range 192.168.88.150 192.168.88.160;
    option routers 192.168.88.2;
    option broadcast-address 192.168.88.255;
    option domain-name-servers 8.8.8.8, 114.114.114.114;
    default-lease-time 7200;
    max-lease-time 10800;
  }

  subnet 192.168.99.0 netmask 255.255.255.0 {
    range 192.168.99.150 192.168.99.160;
    option routers 192.168.99.2;   # gateway: a host address in the subnet (192.168.99.2 assumed here), not the network address 192.168.99.0
    option broadcast-address 192.168.99.255;
    option domain-name-servers 8.8.8.8, 114.114.114.114;
    default-lease-time 7200;
    max-lease-time 10800;
  }

}
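dhcpd accepts a scope whose gateway is the network address, and (as the sample configuration file in 1.2 warns) it does not exclude a reserved fixed-address from a dynamic range by itself. The following added example (not part of the original notes, not ISC code) parses the dhcpd.conf subset used in 1.3 to 1.5 and reports those mistakes; SAMPLE_CONF is constructed from the page's scope, reservation and superscope, with the gateway written as the network address.

```python
"""Sanity-check ISC dhcpd.conf scopes and reservations (added example).

Handles the subset of syntax used in sections 1.3-1.5: subnet, range,
option routers, option broadcast-address, host, hardware ethernet and
fixed-address, optionally nested in shared-network or pool blocks.
"""
import ipaddress
import re

# Constructed sample: the page's scope, reservation and superscope.
SAMPLE_CONF = """\
shared-network supernet {
  subnet 192.168.88.0 netmask 255.255.255.0 {
    range 192.168.88.150 192.168.88.160;
    option routers 192.168.88.0;              # network address, not a gateway
    option broadcast-address 192.168.88.255;
    option domain-name-servers 8.8.8.8, 114.114.114.114;
    default-lease-time 7200;
    max-lease-time 10800;
  }
  subnet 192.168.99.0 netmask 255.255.255.0 {
    range 192.168.99.150 192.168.99.160;
    option routers 192.168.99.2;
    option broadcast-address 192.168.99.255;
  }
}
host fantasia {
  hardware ethernet 00:0c:29:6c:6f:0d;
  fixed-address 192.168.88.155;               # lies inside the 150-160 pool above
}
"""


def _ip(text):
    """ip_address() for an IP literal, None for a hostname such as rtr-224.example.org."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_dhcpd_conf(text):
    """Return (subnets, hosts).  Open blocks are tracked on a stack; a pool's
    range is credited to the enclosing subnet when there is one."""
    subnets, hosts, stack = [], [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r'subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{', line)
        if m:
            net = ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}', strict=False)
            sub = {'net': net, 'ranges': [], 'routers': [], 'broadcast': None}
            subnets.append(sub)
            stack.append(sub)
            continue
        m = re.match(r'host\s+(\S+)\s*\{', line)
        if m:
            host = {'name': m.group(1), 'mac': None, 'fixed': None}
            hosts.append(host)
            stack.append(host)
            continue
        if line.endswith('{'):                        # shared-network, class, pool, ...
            stack.append(stack[-1] if line.startswith('pool') and stack else None)
            continue
        if line == '}':
            stack.pop()
            continue
        cur = stack[-1] if stack else None
        if cur is None:
            continue                                  # global statement, not checked here
        stmt = line.rstrip(';')
        m = re.match(r'range\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)', stmt)
        if m and 'ranges' in cur:
            cur['ranges'].append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        m = re.match(r'option\s+routers\s+(.+)', stmt)
        if m and 'routers' in cur:
            cur['routers'] += [ip for ip in map(_ip, m.group(1).split(',')) if ip] if False else \
                              [ip for ip in (_ip(r.strip()) for r in m.group(1).split(',')) if ip]
        m = re.match(r'option\s+broadcast-address\s+(\S+)', stmt)
        if m and 'broadcast' in cur:
            cur['broadcast'] = ipaddress.ip_address(m.group(1))
        m = re.match(r'hardware\s+ethernet\s+(\S+)', stmt)
        if m and 'mac' in cur:
            cur['mac'] = m.group(1).lower()
        m = re.match(r'fixed-address\s+(\S+)', stmt)
        if m and 'fixed' in cur:
            cur['fixed'] = _ip(m.group(1))            # None when given as a hostname
    return subnets, hosts


def check_conf(text):
    """Return a list of human-readable problems; empty means the scopes look sane."""
    subnets, hosts = parse_dhcpd_conf(text)
    problems = []
    for s in subnets:
        net = s['net']
        for r in s['routers']:
            if r not in net:
                problems.append(f'{net}: router {r} is outside the subnet')
            elif r in (net.network_address, net.broadcast_address):
                problems.append(f'{net}: router {r} is the network/broadcast address, not a host')
        if s['broadcast'] is not None and s['broadcast'] != net.broadcast_address:
            problems.append(f"{net}: broadcast-address {s['broadcast']} should be {net.broadcast_address}")
        for lo, hi in s['ranges']:
            if lo > hi or lo not in net or hi not in net:
                problems.append(f'{net}: range {lo}-{hi} is not inside the subnet')
    for h in hosts:
        for s in subnets:
            for lo, hi in s['ranges']:
                if h['fixed'] is not None and lo <= h['fixed'] <= hi:
                    problems.append(f"host {h['name']}: fixed-address {h['fixed']} lies inside dynamic range {lo}-{hi}")
    return problems


if __name__ == '__main__':
    for p in check_conf(SAMPLE_CONF):
        print(p)
```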

II. DNS service

2.1 Introduction to DNS

DNS, the Domain Name System, is a distributed database on the internet that maps domain names to IP addresses and back.

DNS uses UDP, transmitting on UDP port 53.

DNS record types:

  • A: IPv4 record, maps a domain name to an IPv4 address
  • AAAA: IPv6 record, maps a domain name to an IPv6 address
  • CNAME: alias record, maps a domain name to another domain name
  • MX: mail exchanger record, maps a domain name to the address of its mail server
  • TXT: text record, an arbitrary human-readable text DNS record
  • SRV: service resource record, declares that a given server provides a given service; originally created for directory management on Microsoft systems
  • NS: name server record, delegates a subdomain to another DNS provider for resolution
  • CAA: CAA resource record, restricts which CAs may issue certificates for the domain

2.2 Deploying the DNS service

  1. Install DNS

yum -y install bind bind-chroot
# bind-chroot is a BIND feature that runs bind inside a chroot: the / (root) directory that bind sees while running is not the system's real root directory but a subdirectory of it. The purpose is security: in chroot mode bind can only reach files inside that subdirectory and cannot escalate into other directories of the system. bind starts in chroot mode by default.

  2. Copy the configuration file and zone database files into the chroot directory

cp -p /etc/named.conf /var/named/chroot/etc/
cp -pr /var/named/name* /var/named/chroot/var/named/
chown -R named:named /var/named/chroot/*
# configuration file: /var/named/chroot/etc/named.conf
# zone database files: /var/named/chroot/var/named/
  3. The configuration file explained

/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.
See the BIND Administrator's Reference Manual (ARM) for details about the
configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/
options
{
  // Put files that named is allowed to write in the data/ directory:
  # Directory that holds the zone database files
  directory "/var/named"; // "Working" directory
  # Cache dump path: the file the server dumps its cache to on `rndc dump`. Default named_dump.db
  dump-file "data/cache_dump.db";
  # Statistics file path: the file the server appends statistics to on `rndc stats`. Default named.stats
  statistics-file "data/named_stats.txt";
  # Memory statistics file path: the file memory statistics are written to when the server exits. Default named.memstats
  memstatistics-file "data/named_mem_stats.txt";
  # File the server dumps its current recursive queries to on `rndc recursing`. Default named.recursing
  recursing-file "data/named.recursing";
  # File the server dumps its security roots to on `rndc secroots`. Default named.secroots
  secroots-file "data/named.secroots";
  /*
  Specify listening interfaces. You can use list of addresses (';' is
  delimiter) or keywords "any"/"none"
  */
  # IPv4, port 53, accept connections from anyone
  //listen-on port 53 { any; };
  # IPv4, port 53, this host only
  listen-on port 53 { 127.0.0.1; };
  # IPv6, port 53, accept connections from anyone
  //listen-on-v6 port 53 { any; };
  # IPv6, port 53, this host only
  listen-on-v6 port 53 { ::1; };
  /*
  Access restrictions
  There are two important options:
  allow-query { argument; };
  - allow queries for authoritative data
  allow-query-cache { argument; };
  - allow queries for non-authoritative data (mostly cached data)
  You can use address, network address or keywords "any"/"localhost"/"none" as argument
  (any = everyone, localhost = this host, none = nobody)
  Examples:
  allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
  allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
  */
  # Hosts allowed to make ordinary DNS queries: the keywords any/localhost/none, or IPv4/IPv6 addresses
  allow-query { localhost; };
  # Hosts allowed to query the cache
  allow-query-cache { localhost; };
  /* Enable/disable recursion - recursion yes/no;
  - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
  - If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
  - If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
  */
  # Enable recursion
  recursion yes;
  # Domain Name System Security Extensions
  /* DNSSEC related options. See information about keys ("Trusted keys", below) */
  /* Enable serving of DNSSEC related data - enable on both authoritative
  and recursive servers DNSSEC aware servers */
  # Serve DNSSEC data, on both authoritative and recursive servers
  dnssec-enable yes;
  /* Enable DNSSEC validation on recursive servers */
  # Validate DNSSEC signatures on the recursive server
  dnssec-validation yes;
  /* In RHEL-7 we use /run/named instead of default /var/run/named
  so we have to configure paths properly. */
  # PID file path
  pid-file "/run/named/named.pid";
  # session-keyfile path
  session-keyfile "/run/named/session.key";
  # Directory that holds the files tracking managed DNSSEC keys. Defaults to the working directory.
  managed-keys-directory "/var/named/dynamic";
};
logging
{
  # DNS logging
  /* If you want to enable debugging, eg. using the 'rndc trace' command,
  * named will try to write the 'named.run' file in the $directory (/var/named).
  * By default, SELinux policy does not allow named to modify the /var/named directory,
  * so put the default debug log file in data/ :
  */
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
  /*
  ## Two kinds of log: warnings and query (access) logs
  logging {
    channel warning {
      file "data/dns_warning" versions 10 size 10m;
      severity warning;
      print-category yes;
      print-severity yes;
      print-time yes;
    };
    channel general_dns {
      file "data/dns_log" versions 10 size 100m;
      severity info;
      print-category yes;
      print-severity yes;
      print-time yes;
    };
    # Default log: warning
    category default {
      warning;
    };
    # Query (access) log at level info, to general_dns
    category queries {
      general_dns;
    };
  };
  */
};
/*
Views: split-horizon DNS
Views let a name server answer a DNS query differently depending on who is asking.
By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.
Views are processed sequentially. The first match is used so the last view should
match "any" - it's fallback and the most restricted view.
If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
# A view named localhost_resolver
view "localhost_resolver"
{
  /* This view sets up named to be a localhost resolver ( caching only nameserver ).
  * If all you want is a caching-only nameserver, then you need only define this view:
  */
  # Clients allowed to resolve through this view: localhost (this host), any (every host), or a network
  match-clients { localhost; };
  # Allow recursion
  recursion yes;
  # all views must contain the root hints zone:
  # The root zone
  zone "." IN {
    # Zone type hint; other types are master, slave, forward and so on
    type hint;
    # Path of the zone database file
    file "/var/named/named.ca";
  };
  /* these are zones that contain definitions for all the localhost
  * names and addresses, as recommended in RFC1912 - these names should
  * not leak to the other nameservers:
  */
  # Include a sub-configuration file
  include "/etc/named.rfc1912.zones";
};
# The internal view
view "internal"
{
  /* This view will contain zones you want to serve only to "internal" clients
  that connect via your directly attached LAN interfaces - "localnets" .
  */
  match-clients { localnets; };
  recursion yes;
  zone "." IN {
    type hint;
    file "/var/named/named.ca";
  };
  /* these are zones that contain definitions for all the localhost
  * names and addresses, as recommended in RFC1912 - these names should
  * not leak to the other nameservers:
  */
  include "/etc/named.rfc1912.zones";
  // These are your "authoritative" internal zones, and would probably
  // also be included in the "localhost_resolver" view above :
  /*
  NOTE for dynamic DNS zones and secondary zones:
  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
  If you are using views and DDNS/secondary zones it is strongly
  recommended to read FAQ on ISC site (www.isc.org), section
  "Configuration and Setup Questions", questions
  "How do I share a dynamic zone between multiple views?" and
  "How can I make a server a slave for both an internal and an external
  view at the same time?"
  */
  zone "my.internal.zone" {
    type master;
    file "my.internal.zone.db";
  };
  zone "my.slave.internal.zone" {
    type slave;
    file "slaves/my.slave.internal.zone.db";
    masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
    // put slave zones in the slaves/ directory so named can update them
  };
  zone "my.ddns.internal.zone" {
    type master;
    allow-update { key ddns_key; };
    file "dynamic/my.ddns.internal.zone.db";
    // put dynamically updateable zones in the slaves/ directory so named can update them
  };
};
# The DDNS key
# A TSIG key used to authenticate dynamic updates and master/slave transfers
key ddns_key
{
  # Algorithm: hmac-md5
  algorithm hmac-md5;
  secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
view "external"
{
  /* This view will contain zones you want to serve only to "external" clients
  * that have addresses that are not match any above view:
  */
  match-clients { any; };
  zone "." IN {
    type hint;
    file "/var/named/named.ca";
  };
  recursion no;
  // you'd probably want to deny recursion to external clients, so you don't
  // end up providing free DNS service to all takers
  // These are your "authoritative" external zones, and would probably
  // contain entries for just your web and mail servers:
  zone "my.external.zone" {
    type master;
    file "my.external.zone.db";
  };
};
/* Trusted keys
# Defines the trusted DNSSEC keys.
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.
Note that no key written below is valid. Especially root key because root zone
is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIPRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";
// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/
  4. Configure the main configuration file

vim /var/named/chroot/etc/named.conf

options {
  listen-on port 53 { 192.168.88.132; };
  #listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  recursing-file "/var/named/data/named.recursing";
  secroots-file "/var/named/data/named.secroots";
  allow-query { any; };

  recursion yes;

  dnssec-enable yes;
  dnssec-validation yes;

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

systemctl start named-chroot
  5. Zone database files explained

; Forward zone: named.localhost
; cache time (default TTL)
$TTL 1D
; @ stands for the zone's own domain name (the origin)
; domain name  class  type  primary name server  administrator mailbox
@       IN SOA  @ rname.invalid. (
        0       ; serial: the serial number; it must increase every time this file is changed
        1D      ; refresh: how often a slave server queries the master to make sure its copy of the zone is current
        1H      ; retry: how long a slave waits before trying again when a refresh attempt fails
        1W      ; expire: how long after the last successful refresh a slave discards the zone data
        3H )    ; minimum: how long a caching server keeps the corresponding records once it can no longer contact the master (the negative-caching TTL)
        NS      @
; NS: name server record, declares this host as the zone's name server
        A       127.0.0.1
; hostname  A record  IP address
        AAAA    ::1
; AAAA: resolves to an IPv6 address

; Reverse zone: named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      @
        PTR     localhost.
; IP address  PTR (reverse pointer)  domain name
; PTR: reverse pointer, used for reverse resolution

2.3 Forward resolution

  1. Edit the main configuration file

zone "cqm.com" IN {
  type master;
  file "cqm.com.zone";
};

  2. Create the zone database file

cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/cqm.com.zone
chgrp named /var/named/chroot/var/named/cqm.com.zone
vim /var/named/chroot/var/named/cqm.com.zone

$TTL 1D
cqm.com.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
; A:     maps a name to an IPv4 address
; PTR:   maps an IP address back to a name
; MX:    mail exchanger
; CNAME: alias for another name
          NS      dns.cqm.com.
; dns resolves to 192.168.88.132
dns       A       192.168.88.132
; www resolves to 192.168.88.132
www       A       192.168.88.132
; news is an alias for www and resolves to the same address
news      CNAME   www

# check the file for errors (run inside /var/named/chroot/var/named/)
named-checkzone cqm.com cqm.com.zone

  3. Configure DNS on the client

vim /etc/resolv.conf
nameserver 192.168.88.132

  4. Test with the host command

yum -y install bind-utils
host www.cqm.com
www.cqm.com has address 192.168.88.132

host news.cqm.com
news.cqm.com is an alias for www.cqm.com.
www.cqm.com has address 192.168.88.132

2.4 Reverse resolution

  1. Edit the main configuration file

zone "88.168.192.in-addr.arpa" IN {
  type master;
  file "192.168.88.arpa";
};

  2. Create the zone database file

cp /var/named/chroot/var/named/named.loopback /var/named/chroot/var/named/192.168.88.arpa
vim /var/named/chroot/var/named/192.168.88.arpa

$TTL 1D
88.168.192.in-addr.arpa.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
          NS      dns.cqm.com.
132       PTR     www.cqm.com.

named-checkzone 88.168.192.in-addr.arpa 192.168.88.arpa

  3. Test

host 192.168.88.132
132.88.168.192.in-addr.arpa domain name pointer www.cqm.com.
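named-checkzone validates each zone file on its own; it does not tell you that a forward A record has no PTR, that a PTR points at a name whose A record says something else, or that a CNAME points nowhere. The following added example (not part of the original notes, not BIND code) parses the zone-file subset used in 2.2 to 2.4 and cross-checks the cqm.com forward zone against its in-addr.arpa zone; the zone texts are constructed from the page's files plus two deliberate mistakes.

```python
"""Cross-check a forward zone against its reverse zone (added example).

Parses the subset of zone-file syntax used on this page ($TTL, multi-line
SOA, owner inheritance, NS/A/AAAA/CNAME/PTR/MX) and reports what
named-checkzone does not: A records with no PTR, PTRs with no matching A,
dangling CNAMEs and an NS whose name has no A record.
"""
import ipaddress
import re

RR_TYPES = {'SOA', 'NS', 'A', 'AAAA', 'CNAME', 'PTR', 'MX'}

# Constructed from the page's cqm.com.zone, plus ftp (no PTR) and mail (dangling CNAME).
FORWARD_ZONE = """\
$TTL 1D
cqm.com.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
          NS      dns.cqm.com.
dns       A       192.168.88.132
www       A       192.168.88.132
news      CNAME   www
ftp       A       192.168.88.140   ; constructed: no PTR for this address
mail      CNAME   smtp             ; constructed: alias of a name that does not exist
"""
REVERSE_ZONE = """\
$TTL 1D
88.168.192.in-addr.arpa.  IN SOA  dns.cqm.com. rname.invalid. (
          0 ; serial
          1D ; refresh
          1H ; retry
          1W ; expire
          3H ) ; minimum
          NS      dns.cqm.com.
132       PTR     www.cqm.com.
"""


def fqdn(name, origin):
    """Make a relative owner or target absolute; '@' is the origin itself."""
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) with absolute owner names."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():                     # strip ';' comments, join ( ... ) records
        line = raw.split(';', 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count('(') - line.count(')')
        if depth == 0:
            logical.append(' '.join([buf[0]] + [b.strip() for b in buf[1:]]))
            buf = []
    records, owner = [], origin
    for line in logical:
        if line.startswith('$'):                      # $TTL and other directives
            continue
        tokens = line.split()
        if not line[0].isspace():                     # explicit owner, else inherit the previous one
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == 'IN' or re.fullmatch(r'\d+[smhdw]?', tokens[0], re.I)):
            tokens.pop(0)                             # optional class and TTL fields
        rtype = tokens.pop(0).upper()
        if rtype not in RR_TYPES:
            raise ValueError(f'unsupported record type {rtype!r} at {owner}')
        records.append((owner, rtype, [t for t in tokens if t not in ('(', ')')]))
    return records


def reverse_zone_name(network):
    """'192.168.88.0/24' -> '88.168.192.in-addr.arpa.' (whole-octet prefixes only)."""
    net = ipaddress.ip_network(network, strict=False)
    octets = str(net.network_address).split('.')[: net.prefixlen // 8]
    return '.'.join(reversed(octets)) + '.in-addr.arpa.'


def ptr_owner(ip):
    """'192.168.88.132' -> '132.88.168.192.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + '.'


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return a list of problems found between a forward zone and its reverse zone."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    a_by_name = {}
    for owner, rtype, rdata in fwd:
        if rtype == 'A':
            a_by_name.setdefault(owner, set()).add(rdata[0])
    names = {owner for owner, _, _ in fwd}
    ptr = {owner: fqdn(rdata[0], reverse_origin) for owner, rtype, rdata in rev if rtype == 'PTR'}
    problems = []
    for owner, rtype, rdata in fwd:
        if rtype == 'A' and ptr_owner(rdata[0]) not in ptr:
            problems.append(f'{owner} A {rdata[0]}: no PTR in {reverse_origin}')
        if rtype == 'CNAME' and fqdn(rdata[0], forward_origin) not in names:
            problems.append(f'{owner} CNAME {rdata[0]}: target does not exist')
        if rtype == 'NS' and fqdn(rdata[0], forward_origin) not in a_by_name:
            problems.append(f'{owner} NS {rdata[0]}: name server has no A record')
    for owner, target in ptr.items():
        ip = '.'.join(reversed(owner[: -len('.in-addr.arpa.')].split('.')))
        if ip not in a_by_name.get(target, set()):
            problems.append(f'{owner} PTR {target}: no matching A record')
    return problems


if __name__ == '__main__':
    for p in check_zones(FORWARD_ZONE, 'cqm.com.', REVERSE_ZONE, reverse_zone_name('192.168.88.0/24')):
        print(p)
```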

2.5 Master/slave synchronization

This means running two DNS servers. The master DNS server has already been configured above, so only a secondary (slave) DNS server needs to be set up.

Master DNS server IP: 192.168.88.132

Slave DNS server IP: 192.168.88.135

  1. Install DNS

yum -y install bind bind-chroot

  2. Configure the main configuration file

scp root@192.168.88.132:/var/named/chroot/etc/named.conf /var/named/chroot/etc/named.conf
chgrp named /var/named/chroot/etc/named.conf
vim /var/named/chroot/etc/named.conf

options {
  listen-on port 53 { 192.168.88.135; };
  #listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  recursing-file "/var/named/data/named.recursing";
  secroots-file "/var/named/data/named.secroots";
  allow-query { any; };
  # store zones transferred from the master as plain text rather than the default raw binary format, so they can be read with a text editor
  masterfile-format text;

  recursion yes;

  dnssec-enable yes;
  dnssec-validation yes;

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

zone "." IN {
  type hint;
  file "named.ca";
};

zone "cqm.com" IN {
  type slave;
  file "cqm.com.zone";
  masters { 192.168.88.132; };
};

zone "88.168.192.in-addr.arpa" IN {
  type slave;
  file "192.168.88.arpa";
  masters { 192.168.88.132; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

  3. Configure the same zone database files as on the master DNS server

vim cqm.com.zone
...
vim 192.168.88.arpa
...

  4. Point the client's DNS at the slave server and test

vim /etc/resolv.conf
nameserver 192.168.88.135
host www.cqm.com
...

2.6 Smart (geo-based) resolution

A database of the world's IP address ranges and the region each belongs to is built into the DNS server. When a request arrives, the region the client belongs to decides which zone database file is used to answer it, so users in different regions get different answers.

Example:

Deploy one smart-resolution DNS server for cqm.com:

Shenzhen users resolve it to 1.1.1.1

Guangzhou users resolve it to 2.2.2.2

Foshan users resolve it to 3.3.3.3

  1. Edit the main configuration file

options {
  listen-on port 53 { 192.168.88.132; };
  #listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  recursing-file "/var/named/data/named.recursing";
  secroots-file "/var/named/data/named.secroots";
  allow-query { any; };

  recursion yes;

  dnssec-enable yes;
  dnssec-validation yes;

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

acl sz {
  # assume this network is the Shenzhen address range
  192.168.77.0/24;
};

acl gz {
  192.168.88.0/24;
};

acl fs {
  192.168.99.0/24;
};

view shenzhen {
  match-clients { sz; };
  zone "." IN {
    type hint;
    file "named.ca";
  };

  zone "cqm.com" IN {
    type master;
    file "cqm.com.zone.SZ";
  };
};

view guangzhou {
  match-clients { gz; };
  zone "." IN {
    type hint;
    file "named.ca";
  };

  zone "cqm.com" IN {
    type master;
    file "cqm.com.zone.GZ";
  };
};

view foshan {
  match-clients { fs; };
  zone "." IN {
    type hint;
    file "named.ca";
  };

  zone "cqm.com" IN {
    type master;
    file "cqm.com.zone.FS";
  };
};

  2. Add the zone database files

cp cqm.com.zone cqm.com.zone.SZ
cp cqm.com.zone cqm.com.zone.GZ
cp cqm.com.zone cqm.com.zone.FS
chgrp named cqm.com.zone.*

; --- Shenzhen: cqm.com.zone.SZ ---
$TTL 1D
cqm.com.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
          NS      dns.cqm.com.
dns       A       192.168.88.132
www       A       1.1.1.1
news      CNAME   www

; --- Guangzhou: cqm.com.zone.GZ ---
$TTL 1D
cqm.com.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
          NS      dns.cqm.com.
dns       A       192.168.88.132
www       A       2.2.2.2
news      CNAME   www

; --- Foshan: cqm.com.zone.FS ---
$TTL 1D
cqm.com.  IN SOA  dns.cqm.com. rname.invalid. (
          0       ; serial
          1D      ; refresh
          1H      ; retry
          1W      ; expire
          3H )    ; minimum
          NS      dns.cqm.com.
dns       A       192.168.88.132
www       A       3.3.3.3
news      CNAME   www

  3. Test

# the test host is on the 192.168.88.0/24 network, so it belongs to the Guangzhou region and the name resolves to 2.2.2.2
host www.cqm.com
www.cqm.com has address 2.2.2.2

三、FTP文件传输服务

3.1 FTP服务介绍

FTP即文件传输协议,是TCP/IP协议组的协议之一。

FTP默认采用TCP20和21端口,20用于传输数据,21用于控制传输信息。

FTP分别有主动传输方式和被动传输方式两种,当FTP为主动传输方式时运用20和21端口,而当FTP为被动传输方式时则会随即打开一个大于1024的端口来进行数据的传输。

3.2 FTP服务部署

  1. 安装vsftpd
1
yum -y install vsftpd
  1. 主配文件详解
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#匿名用户访问,YES是允许,NO是拒绝
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# 本地用户登录,YES是允许,NO是拒绝.默认访问的是本地用户家目录,如果你开启了selinux
# 请设置开启布尔值ftp_home_dir为ON
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
#允许本地用户上传
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# 上传的权限是022,使用的是umask权限。对应的目录是755,文件是644
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
# 开启匿名用户上传功能,默认是拒绝的
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# 开启匿名用户创建文件或文件夹权限
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 开启目录欢迎消息,一般对命令行登陆有效
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 开启上传和下载日志记录功能
xferlog_enable=YES
#
#使用标准模式
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# 声明匿名用户上传文件的所有者
# 允许更改匿名用户上传文件的所有者
#chown_uploads=YES
#所有者为whoever
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# 日志文件路径
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件采用标准格斯
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# 会话超时时间
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# 数据传输超时时间
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# FTP子进程管理用户
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# 是否允许客户端发起“async ABOR”请求,该操作是不安全的默认禁止。
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# 该选项用于指定是否允许上传时以ASCII模式传输数据
#ascii_upload_enable=YES
#该选项用于指定是否允许下载时以ASCII模式传输数据
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# FTP文本界面登陆欢迎词
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# 是否开启拒绝的Email功能
#deny_email_enable=YES
# (default follows)
# 指定保存被拒接的Email地址的文件
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# 是否开启对本地用户chroot的限制,YES为默认所有用户都不能切出家目录,NO代表默认用户都可以切出家目录
# 设置方法类似于:YES拒绝所有允许个别;NO允许所有拒绝个别
#chroot_local_user=YES
# 开启特例列表
#chroot_list_enable=YES
# (default follows)
# 如果chroot_local_user的值是YES则该文件中的用户是可以切出家目录,如果是NO,该文件中的用户则不能切出家目录
# 一行一个用户。
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# 是否开启ls 递归查询功能 ls -R
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# Run in standalone mode listening on IPv4
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# Run in standalone mode listening on IPv6 (the :: socket also accepts IPv4 clients)
listen_ipv6=YES
# PAM service used for authentication (/etc/pam.d/vsftpd)
pam_service_name=vsftpd
# user_list handling: with userlist_deny=NO only the users in the list may log in;
# with userlist_deny=YES (the default) everyone may log in except the listed users.
# The stock /etc/vsftpd/user_list contains root, bin, daemon and other system
# accounts, so with userlist_deny=NO it has to be rewritten as an allow list.
userlist_deny=NO
# Whether the user_list is applied at all
userlist_enable=YES
# Whether to honour TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny), a
# transport-layer access control that checks the client address of a
# connection before the service is handed the session
tcp_wrappers=YES
  1. Anonymous and local users

    • Note that anonymous users land in /var/ftp, while local users land in their own home directory.

    • The permissions set in the main config are a umask (a "reverse mask"): the actual mode is 666 for files and 777 for directories with the umask bits cleared.

    • With a umask of 022, a file gets 666 - 022 = 644 and a directory gets 777 - 022 = 755.

    • When connecting from a Linux client, the ftp command prompts for a user name and password whether or not the server allows anonymous access. The anonymous user name is ftp; vsftpd accepts any password for it (by convention an e-mail address, which is what deny_email_enable/banned_email_file check against).
  2. Enabling chroot

# Whether local users are confined (chroot) to their home directory: YES confines every user by default, NO confines none by default
# Think of it as: YES = deny all, allow a few; NO = allow all, deny a few
chroot_local_user=YES
chroot_list_enable=YES
# Exception list
chroot_list_file=/etc/vsftpd/chroot_list

# If the user's home directory is writable by the user, vsftpd refuses the login
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()").
# To log in anyway with a writable home directory, add:
allow_writeable_chroot=YES
# Safer alternative: keep the chroot root non-writable (chmod a-w on the home
# directory) and give the user a writable subdirectory for uploads, so the
# user cannot plant files at the root of their own jail.

3.3 FTP commands

After logging in to the FTP server, the basic commands are:

help                      # print the command menu
!<linux command>          # run a command in the local (client) shell
lcd <path>                # change the local working directory
put / mput                # upload one file / several files
get / mget                # download one file / several files
ls / dir                  # list directory contents
mkdir cd delete rmdir     # create directory / change directory / delete file / remove directory
pwd                       # show the current directory on the server
open / close / bye        # open a connection / close it / quit the client

3.4 Virtual users

Because FTP logs in with local system accounts, those accounts and their passwords are exposed to the network; without further hardening, the FTP service becomes a way to attack the system accounts themselves.

Virtual users solve this: FTP logins are checked against a separate user database and mapped onto one unprivileged local account.

Enable virtual users in the main config:

guest_enable=YES
# the local account every virtual user is mapped onto
guest_username=cqm
# virtual users do not get the privileges of the local account (they are treated like anonymous users)
virtual_use_local_privs=NO
# directory holding one per-user config file, named after the virtual user
user_config_dir=/etc/vsftpd/vconf.d

3.5 A hardened FTP setup based on virtual users

Case requirements:

  • Company-wide public files can be downloaded anonymously
  • Departments A, B and C each have their own directory, isolated from one another
  • Within a department only the manager may upload; ordinary staff may only download
  • Users must not be able to see data outside their home directory
  • FTP accounts must be kept secure
  1. Create the local account the virtual users are mapped onto (no shell, so it cannot be used for an interactive login)
useradd -s /sbin/nologin -d /var/tmp/vuser_ftp cqm
  2. Create the directory tree; every operation is confined to it
# the chroot root itself is not writable, so allow_writeable_chroot is not needed
chmod 500 /var/tmp/vuser_ftp
mkdir /var/tmp/vuser_ftp/{A,B,C}
chmod 700 /var/tmp/vuser_ftp/*
chown -R cqm:cqm /var/tmp/vuser_ftp
  3. Create the virtual-user name/password file and build the db file from it
# one line with the user name followed by one line with the password
# (the passwords here are demo values; use real ones and keep the file private)
vim /etc/vsftpd/vuser
A_01
123
B_01
123
C_01
123
A_02
123
B_02
123
C_02
123
db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db
# both the db and the cleartext source hold credentials: root-only, or delete the source after loading
chmod 600 /etc/vsftpd/vuser /etc/vsftpd/vuser.db
  4. Point PAM at the virtual-user database (pam_userdb appends .db to the path itself). This replaces the stock file, so local system accounts can no longer log in over FTP, which is the point of virtual users
vim /etc/pam.d/vsftpd
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
  5. Users must not be able to leave their home directory. The main config below sets chroot_local_user=YES, and with that setting chroot_list is an exemption list: anyone named in it is NOT confined (as the chroot_list_file comment in the config walkthrough above says). So do not list the virtual users here; either set chroot_list_enable=NO, or keep chroot_list_enable=YES and create the file empty so vsftpd does not refuse logins over a missing list. Every user then stays confined to the local_root of their per-user config
touch /etc/vsftpd/chroot_list
chmod 600 /etc/vsftpd/chroot_list
  6. Create the per-user config files
mkdir /etc/vsftpd/vconf.d
# department A manager
vim /etc/vsftpd/vconf.d/A_01
# home directory (chroot root) for this user
local_root=/var/tmp/vuser_ftp/A
# umask for uploaded files and directories
anon_umask=077
# allow downloading files that are not world-readable (uploads are 600 because of the umask above)
anon_world_readable_only=NO
# allow uploads
anon_upload_enable=YES
# allow creating directories
anon_mkdir_write_enable=YES
# allow deleting and renaming
anon_other_write_enable=YES

# department A staff: download only, none of the anon_*_write settings
vim /etc/vsftpd/vconf.d/A_02
local_root=/var/tmp/vuser_ftp/A
anon_world_readable_only=NO
# create B_01/B_02 and C_01/C_02 the same way, with local_root set to /var/tmp/vuser_ftp/B and /var/tmp/vuser_ftp/C
  7. Configure the main config
vim /etc/vsftpd/vsftpd.conf
# anonymous downloads of the public files under /var/ftp
anonymous_enable=YES
local_enable=YES
# global write switch; whether a virtual user may actually write comes from the anon_* settings in its per-user file
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
# confine everyone; with chroot_local_user=YES any user named in chroot_list is exempt, so that file should stay empty
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# virtual users
guest_enable=YES
guest_username=cqm
virtual_use_local_privs=NO
user_config_dir=/etc/vsftpd/vconf.d
  8. Test the manager and staff accounts
ftp 192.168.88.132
# user name, then password
A_01
123
230 Login successful
# then try put: it should succeed as A_01 and be refused as A_02
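The checks a practitioner would run over the finished configuration, as an added example: this script is not part of vsftpd or of this page's original setup. It reads a vsftpd.conf and the chroot_list it names and prints one FINDING line for each risky setting discussed in this section: anonymous write options, anonymous access to non-world-readable files, local users left unconfined, the exemption meaning of chroot_list when chroot_local_user=YES, allow_writeable_chroot, and logins without TLS. It only looks at the main file, not at the per-user files under user_config_dir, and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of vsftpd or of this page's original setup:
# read a vsftpd.conf and print one FINDING line per risky setting.
# Usage: sh vsftpd_audit.sh /etc/vsftpd/vsftpd.conf

# Effective value of KEY in CONF, or DEFAULT when it is not set.
# vsftpd forbids spaces around '=' and uses the last definition, so a sed
# over uncommented "key=value" lines is enough.
cfg_get() {
    conf=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$key=\(.*\)$/\1/p" "$conf" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# vsftpd.conf(5) booleans are YES/NO; compare case-insensitively to be lenient.
is_yes() {
    [ "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" = "YES" ]
}

# Entries of a list file such as chroot_list or user_list: one user per line,
# blank lines and '#' comments ignored; nothing when the file is missing.
list_entries() {
    if [ -f "$1" ]; then awk '!/^[ \t]*(#|$)/' "$1"; fi
}

report() { printf 'FINDING: %s\n' "$1"; }

vsftpd_audit() {
    conf=$1

    # 1. Anonymous users: can they write, or read files that are not world-readable?
    if is_yes "$(cfg_get "$conf" anonymous_enable YES)"; then
        if is_yes "$(cfg_get "$conf" write_enable NO)"; then
            for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
                if is_yes "$(cfg_get "$conf" "$k" NO)"; then
                    report "anonymous users can write ($k=YES together with write_enable=YES)"
                fi
            done
        fi
        if ! is_yes "$(cfg_get "$conf" anon_world_readable_only YES)"; then
            report "anon_world_readable_only=NO: anonymous users can download files that are not world-readable"
        fi
    fi

    # 2. Local and virtual users: are they confined, and does chroot_list exempt anyone?
    if is_yes "$(cfg_get "$conf" local_enable NO)"; then
        if is_yes "$(cfg_get "$conf" chroot_local_user NO)"; then
            if is_yes "$(cfg_get "$conf" chroot_list_enable NO)"; then
                list=$(cfg_get "$conf" chroot_list_file /etc/vsftpd/chroot_list)
                exempt=$(list_entries "$list" | awk 'END { print NR }')
                if [ "$exempt" -gt 0 ]; then
                    report "chroot_local_user=YES makes $list an exemption list: $exempt user(s) in it are NOT chrooted"
                fi
            fi
        else
            report "local users are not chrooted (chroot_local_user is not YES)"
        fi
        if is_yes "$(cfg_get "$conf" allow_writeable_chroot NO)"; then
            report "allow_writeable_chroot=YES: users may write to the root of their own jail"
        fi
    fi

    # 3. Transport: without TLS every password crosses the network in cleartext.
    if ! is_yes "$(cfg_get "$conf" ssl_enable NO)"; then
        report "ssl_enable is not YES: logins and data are sent in cleartext"
    fi
    return 0
}

# Number of findings, for use in scripts (0 means nothing was flagged).
vsftpd_findings() {
    vsftpd_audit "$1" | awk '/^FINDING:/ { n++ } END { print n + 0 }'
}

if [ $# -gt 0 ]; then
    vsftpd_audit "$1"
    echo "$(vsftpd_findings "$1") finding(s)"
fi
```

Run it against /etc/vsftpd/vsftpd.conf after editing. Against the main config above it reports the chroot_list exemptions if any users were put in that file, and that ssl_enable is not set; a clean run prints "0 finding(s)".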

4. Samba service

4.1 Introduction

Samba is a service that lets different operating systems share files: it is the free implementation of the SMB protocol for Linux and UNIX.

SMB (Server Message Block) is a LAN protocol for sharing files and printers between computers.

Ports used by Samba:

  • UDP 137: NetBIOS name service
  • UDP 138: NetBIOS datagram service
  • TCP 139: SMB over the NetBIOS session service
  • TCP 389: LDAP (only when Samba runs as an Active Directory domain controller)
  • TCP 445: SMB directly over TCP, used by Windows 2000 and later (also called CIFS, Common Internet File System, the name given to the SMB dialect extended for use across the Internet)
  • TCP 901: SWAT, the web administration interface (removed in Samba 4.1)

4.2 Deploying Samba

  1. Install samba
yum -y install samba samba-client
systemctl start smb nmb
  2. Main config file walkthrough
cat /etc/samba/smb.conf.example
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
#
# Samba SELinux settings: if SELinux is enabled, note the following
#
#
#Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# If Samba is used in a domain environment, set the boolean below
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
#
# To share user home directories through Samba, set the boolean below
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# To share a directory through Samba, make sure it is labelled samba_share_t
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# How to set the label
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# Booleans for sharing system directories, read-only or read-write
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
# Global settings, applied to the whole service
[global]
# Network settings
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# Workgroup of this machine; to share with Windows hosts use their workgroup name (WORKGROUP by default) so the Linux machine shows up in Network Neighborhood
workgroup = MYGROUP
# Description of the Samba server
server string = Samba Server Version %v
# NetBIOS name of the server
; netbios name = MYSERVER
# Which local interfaces Samba listens on
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
# Which networks may reach the shares
; hosts allow = 127. 192.168.12. 192.168.13.
#
# Logging options
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# Samba log file path
# log files split per-machine:
log file = /var/log/samba/log.%m
# Maximum log size in KB; 0 means unlimited, which is not recommended
# maximum size of 50KB per log file, then rotate:
max log size = 50
# Standalone server options
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# Samba security level
# share: no user name or password required, public share (deprecated, and removed in Samba 4; use security = user with "map to guest" instead)
# user: a Samba account and password are required to reach shares (the default)
# server: authentication is delegated to another Windows NT/2000 or Samba server, a form of proxy authentication. All Windows users and passwords can be kept on one NT system and used for Samba authentication; if that fails, Samba falls back to user-level security. (deprecated)
# domain: domain security level, authentication is done by the primary domain controller (PDC).
#
# In practice user is the normal choice unless the company has a full domain environment
security = user
# tdbsam keeps the user database in a file, passdb.tdb, under /var/lib/samba/private by default. Samba users are created with smbpasswd -a; the user must already exist as a system user. pdbedit can also create and manage Samba accounts.
passdb backend = tdbsam
# Domain member options
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
# Domain member setup
; security = domain
; passdb backend = tdbsam
# Realm (AD domain) name
; realm = MY_REALM
# Domain authentication server
; password server =
# Domain controller options
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# These options control how the Samba server behaves in browse-list elections on an SMB network. By default it does not take part; set local master = yes to let it compete. It then competes with the weight given by os level; the default os level of 0 never wins. Uncommenting os level = 33 wins against every Windows machine including Windows NT, whose weight is 32. Higher values only matter when choosing between several Samba servers.
#
# preferred master = yes makes this server a preferred candidate for master browser
#
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes
#
#
# WINS: if the network has a WINS server, configure it here
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
# Make the nmbd process act as a WINS server
; wins support = yes
# Address of the WINS server to use as a client
; wins server = w.x.y.z
# Answer name queries on behalf of non-WINS clients
; wins proxy = yes
# Whether to fall back to DNS to resolve a NetBIOS name when WINS cannot
; dns proxy = yes
# Printer-related settings
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
# Whether to share printers
load printers = yes
cups options = raw
# Printer configuration file
; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
# Printing system; supported: bsd, sysv, plp, lprng, aix, hpux, qnx, cups
; printing = cups
# How the server keeps the Windows file attributes of files copied or moved from Windows clients into a share
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
# Keep the Windows archive attribute on files copied or moved into the share. Default no.
; map archive = no
# Keep the Windows hidden attribute. Default no.
; map hidden = no
# Keep the Windows read-only attribute. Default no.
; map read only = no
# Keep the Windows system attribute. Default no.
; map system = no
# Keep all DOS attributes (read-only, system, hidden, archive) in extended attributes. Default yes.
; store dos attributes = yes
# Share settings
#============================ Share Definitions ==============================
# Home directory share
# share name
[homes]
# description
comment = Home Directories
# whether the share appears in browse lists
browseable = no
# whether writes are allowed
writable = yes
# Samba users (or @group) allowed to use the share
; valid users = %S
; valid users = MYDOMAIN\%S
# Printer share
[printers]
# description
comment = All Printers
# path
path = /var/spool/samba
# whether browseable; no makes it a hidden share
browseable = no
# whether guest access is allowed (same as public)
guest ok = no
# whether writable
writable = no
# whether printing is allowed
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
# Samba users allowed to write to the share
; write list = +staff

4.3 Samba share

Case: access the Samba server from Windows; the shared directory is /common, only the users cqm1 and cqm2 may access it, and only cqm2 may write.

  1. Create the Samba users
# smbpasswd user management
# -a add user          smbpasswd -a cqm
# -x delete user       smbpasswd -x cqm
# -d disable account   smbpasswd -d cqm
# -e enable account    smbpasswd -e cqm
# -n clear password    smbpasswd -n cqm
# Samba accounts must exist as system users; give them no shell so the
# Samba password cannot be used for an SSH or console login
useradd -s /sbin/nologin cqm1
useradd -s /sbin/nologin cqm2
smbpasswd -a cqm1
smbpasswd -a cqm2
  2. Create the shared directory
mkdir /common
# smbd accesses the share as the connecting user, so the filesystem must let
# cqm2 write; owning the directory by cqm2 does that without making it
# world-writable (chmod 757 also works, but lets every local account write)
chown cqm2:cqm2 /common
chmod 755 /common
  3. Edit the main config
[global]
workgroup = WORKGROUP
...
[common]
comment = samba share directory
path = /common
browseable = YES
# only these networks may connect to the share
hosts allow = 10.0.0.0/8,192.168.88.0/24
# only these Samba accounts may connect
valid users = cqm1,cqm2
# read-only for everyone ...
writable = No
# ... except the users in write list
write list = cqm2
  4. On Windows, open \\192.168.88.132

First as user cqm1

(screenshot: Samba 1)

cqm1 has no write permission

(screenshot: Samba 2)

Then as user cqm2

(screenshot: Samba 3)

cqm2 can create folders

(screenshot: Samba 4)
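A configuration check to run after editing smb.conf (and after testparm has accepted it), as an added example that is not part of Samba or of this page's original setup. It parses the [section] / key = value layout, normalises parameter names the way smbd does (case and internal whitespace are ignored), and flags the settings from the walkthrough above that weaken authentication or widen access: security = share, map to guest = Bad User/Bad Password, a server min protocol that still admits SMB1 (unset on Samba before 4.11, or an explicit NT1/LANMAN value), shares with guest access and whether they are writable, and shares with no hosts allow at either global or share level. The file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of Samba or of this page's original setup:
# read an smb.conf and print one FINDING line per setting that weakens
# authentication or widens access. Run testparm first to catch syntax errors.
# Usage: sh smb_audit.sh /etc/samba/smb.conf

smb_conf_audit() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # smb.conf parameter names ignore case and internal whitespace
    function norm(k) { k = tolower(k); gsub(/[ \t]/, "", k); return k }
    function get(sec, key) { return ((sec, key) in cfg) ? cfg[sec, key] : "" }
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    /^[ \t]*([#;]|$)/ { next }
    /^[ \t]*\[/ {
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
        if (sec != "global" && !(sec in seen)) { seen[sec] = 1; shares[++n] = sec }
        next
    }
    {
        p = index($0, "=")
        if (p == 0) next
        cfg[sec, norm(substr($0, 1, p - 1))] = trim(substr($0, p + 1))
    }
    END {
        if (tolower(get("global", "security")) == "share")
            print "FINDING [global]: security = share, access is not tied to authenticated users"
        m = tolower(get("global", "maptoguest"))
        if (m == "bad user" || m == "bad password")
            print "FINDING [global]: map to guest = " m ", failed logins silently become guest sessions"
        mp = tolower(get("global", "serverminprotocol"))
        if (mp == "")
            print "FINDING [global]: server min protocol unset, Samba before 4.11 then still accepts SMB1 (NT1)"
        else if (mp ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
            print "FINDING [global]: server min protocol = " mp " allows SMB1"
        ghosts = get("global", "hostsallow")
        for (i = 1; i <= n; i++) {
            s = shares[i]
            guest = yes(get(s, "guestok")) || yes(get(s, "public"))
            ro = get(s, "readonly")
            # "writable = yes" and "read only = no" mean the same thing
            writable = yes(get(s, "writable")) || yes(get(s, "writeable")) || (ro != "" && !yes(ro))
            if (guest) {
                msg = "FINDING [" s "]: guest access enabled"
                if (writable) msg = msg " with write permission"
                print msg
            }
            if (ghosts == "" && get(s, "hostsallow") == "")
                print "FINDING [" s "]: no hosts allow, reachable from any source address"
        }
    }' "$1"
}

# Number of findings, for use in scripts (0 means nothing was flagged).
smb_conf_findings() {
    smb_conf_audit "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

if [ $# -gt 0 ]; then
    smb_conf_audit "$1"
fi
```

Against the [common] share configured above it reports only the unset server min protocol; adding server min protocol = SMB2_02 to [global] makes the run clean.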

4.4 Mounting from Linux

  1. Install samba-client on the client
yum -y install samba-client
  2. Access with smbclient
# the password after % is visible in ps output and the shell history;
# use "-U cqm2" alone to be prompted for it instead
smbclient //192.168.88.132/common -U cqm2%toortoor
  3. Mount with mount
mkdir /common
# same caveat for password= here: outside a lab, put username= and password=
# lines in a root-only file and use -o credentials=/root/.smbcred
# (adding vers=3.0 refuses any fallback to SMB1)
mount -o username=cqm2,password=toortoor -t cifs //192.168.88.132/common /common
mount
//192.168.88.132/common on /common type cifs (rw,relatime,vers=default,cache=strict,username=cqm2,domain=LOCALHOST,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.88.132,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

5. NFS file service

5.1 Introduction

NFS (Network File System) lets computers on a TCP/IP network share files. An NFS client reads and writes files that live on a remote NFS server transparently, as if they were local files.

Typical NFS uses:

  • Shared storage servers: image servers, video servers
  • Roaming home directories: home directory server for domain users
  • File servers: general file storage

5.2 Sharing with NFS

  1. Install NFS
yum -y install nfs-utils
systemctl start rpcbind
systemctl start nfs
  2. The /etc/exports file
# Format
# <absolute path of the shared directory> <client IP or network>(option1,option2)
/test 192.168.88.132(rw,sync)
# No space between the client and the parentheses: "client (opts)" is two
# entries, and the bare "(opts)" one applies to every host
# Options
ro                read-only access
rw                read-write access
sync              reply to a write request only after the data has been committed to stable storage
async             reply before the data is committed (faster, but data is lost if the server crashes)
secure            require requests to come from a client source port below 1024 (default)
insecure          accept requests from any source port, so any unprivileged user on the client can forge requests
wdelay            delay a write slightly to batch it with other pending writes (default)
no_wdelay         write immediately; has no effect together with async
hide              a filesystem mounted below an exported directory is not visible to clients unless exported separately (default)
nohide            make such a nested filesystem visible through the parent export
subtree_check     when exporting a subdirectory of a filesystem, verify that each accessed file really lies inside the exported subtree
no_subtree_check  skip that check (the default since nfs-utils 1.1.0)
all_squash        map every UID and GID to the anonymous user; suitable for public directories
no_all_squash     keep the client's UIDs and GIDs (default)
root_squash       map requests from the client's root to the anonymous user (default)
no_root_squash    client root keeps full root access on the export
anonuid=xxx       UID used for the anonymous user (from the server's /etc/passwd)
anongid=xxx       GID used for the anonymous user
  3. The exportfs management command
exportfs:
-a              export or unexport all directories
-o options,...  specify a list of export options, as in exports(5)
-i              ignore /etc/exports and use only the defaults and the options given on the command line
-r              re-export all directories, synchronising /var/lib/nfs/etab (xtab in older nfs-utils) with /etc/exports: entries deleted from /etc/exports are removed from etab and from the kernel export table
-u              unexport one or more directories
-f              in "new" mode, flush everything out of the kernel export table;
                active clients get their entries re-added by mountd on their next request
-v              be verbose: show what is being (un)exported, and include the options when listing current exports
  4. Set up the share
# create the directory to share
mkdir /test
# add the export
vim /etc/exports
/test 192.168.88.0/24(rw,sync)
# export it
exportfs -r
# check the export
exportfs -v
showmount -e 192.168.88.132
  5. Mount on the client

With the default root_squash, requests from the client's root are mapped to nfsnobody on the server; every other client user keeps its numeric UID/GID, which therefore has to mean the same account on both machines. If root on the client must write to a directory that root created on the server, either chown the directory to nfsnobody, or make it world-writable with chmod 757 as this page does, which also lets every other NFS and local user write to it and is acceptable only in a lab.

mount -t nfs 192.168.88.132:/test /test
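An /etc/exports check, as an added example that is not part of nfs-utils or of this page's original setup. It parses each export line the way exports(5) describes it (a path followed by client(options) tokens) and flags the entries discussed above that hand out more than intended: exports that reach every host (no client at all, a bare *, or the empty-host token that a space before the parentheses produces), no_root_squash, insecure, and rw exports that rely on AUTH_SYS rather than sec=krb5*, where the server trusts whatever UID and GID the client presents. The file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of nfs-utils or of this page's original setup:
# read an /etc/exports file and print one FINDING line per entry that hands
# out more than it should. Usage: sh exports_audit.sh /etc/exports

nfs_exports_audit() {
    awk '
    # skip comments and blank lines
    /^[ \t]*(#|$)/ { next }
    {
        path = $1
        # a path with no client spec at all is exported to every host
        if (NF == 1) { print "FINDING " path ": no client given, exported to every host"; next }
        for (i = 2; i <= NF; i++) {
            tok = $i; host = tok; opts = ""
            p = index(tok, "(")
            if (p > 0) {
                host = substr(tok, 1, p - 1)
                opts = substr(tok, p + 1); sub(/\)$/, "", opts)
            }
            # "host (opts)" with a space, or a bare "(opts)", is a client spec with an
            # empty host, which exports(5) treats as every host; so is "*"
            if (host == "" || host == "*") print "FINDING " path ": client \"" tok "\" matches every host"
            rw = 0; krb = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") print "FINDING " path " " host ": no_root_squash, root on the client is root on this export"
                if (o[j] == "insecure") print "FINDING " path " " host ": insecure, requests from unprivileged source ports are accepted"
                if (o[j] == "rw") rw = 1
                if (o[j] ~ /^sec=krb5/) krb = 1
            }
            if (rw && !krb) print "FINDING " path " " host ": rw with AUTH_SYS (no sec=krb5*), the server trusts the UID/GID the client asserts"
        }
    }' "$1"
}

# Number of findings, for use in scripts (0 means nothing was flagged).
nfs_exports_findings() {
    nfs_exports_audit "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

if [ $# -gt 0 ]; then
    nfs_exports_audit "$1"
fi
```

The export used above, /test 192.168.88.0/24(rw,sync), produces exactly one line, the AUTH_SYS note; it is a reminder rather than a misconfiguration, since UID trust is inherent to NFS without Kerberos.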

6. iSCSI service

6.1 Introduction

iSCSI (Internet Small Computer System Interface), also called IP SAN, shares block devices over an IP network.

Storage technologies:

  • DAS (Direct Attached Storage): IDE, SATA, SAS, SCSI (local disks)
  • NAS (Network Attached Storage): Samba, NFS (shared folders)
  • SAN (Storage Area Network): iSCSI (shared block devices)

6.2 Deploying an iSCSI target

  1. Prepare the disk to be shared, here sdb1

(screenshot: iSCSI 1)

  2. Install the target software
yum -y install targetcli
systemctl start target
  3. Add the device with targetcli
# enter the shell
targetcli
ls
...
# backstores is the back-end storage: the target emulates SCSI devices on top of a file, a logical volume or any kind of disk
# block    the back end is a block device
# fileio   the back end is a file
# pscsi    a physical SCSI device passed through
# ramdisk  the back end is a memory region of the given size
# "help" prints the commands available in the current node

# add the device to share to the backstores
cd backstores/
block/ create block /dev/sdb1

# set the IQN of the target
# format: iqn.<year>-<month>.<reversed domain>:<share name>
cd ..
iscsi/ create iqn.2021-04.com.cqm:storage

# in the TPG (target portal group) answer three questions: who (acls), from where (portals), which device (luns)
# targetcli creates a default portal on 0.0.0.0:3260 together with the TPG
cd iscsi/iqn.2021-04.com.cqm:storage/tpg1/
acls/ create iqn.2021-04.com.cqm:client
luns/ create /backstores/block/block
# an ACL only checks the initiator's self-declared IQN, which anyone on the
# network can copy; to require a secret as well, enable CHAP on the ACL:
#   acls/iqn.2021-04.com.cqm:client/ set auth userid=<user> password=<secret>
#   set attribute authentication=1
exit

6.3 Mounting on the iSCSI initiator (client)

  1. Install the initiator tools
yum -y install iscsi-initiator-utils
  2. Set the initiator name (it must match the ACL created on the target)
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2021-04.com.cqm:client
systemctl start iscsi
  3. Discover the shared devices
iscsiadm --mode discoverydb --type sendtargets --portal 192.168.88.132:3260 --discover
  4. Log in to the remote device
iscsiadm --mode node --targetname iqn.2021-04.com.cqm:storage --portal 192.168.88.132:3260 --login
lsblk
...
sdb
  5. Partition and format
fdisk /dev/sdb
...
mkfs.ext4 /dev/sdb1
...
  6. Mount the shared disk
mkdir /root/sdb1
vim /etc/fstab
# _netdev: wait for the network before mounting; sdX names can change between
# boots, so a UUID= or /dev/disk/by-path/ name is safer than /dev/sdb1 here
/dev/sdb1 /root/sdb1 ext4 _netdev 0 0
mount -a

6.4 Removing the iSCSI device

  1. On the client
iscsiadm --mode node --targetname iqn.2021-04.com.cqm:storage --portal 192.168.88.132:3260 --logout
# forget the node and discovery records (iscsiadm --mode node ... --op delete removes the node record the supported way)
rm -rf /var/lib/iscsi/nodes/iqn.2021-04.com.cqm\:storage/
rm -rf /var/lib/iscsi/send_targets/192.168.88.132,3260/
  2. On the server
# delete in reverse order of creation
targetcli
iscsi/iqn.2021-04.com.cqm:storage/tpg1/portals/ delete 0.0.0.0 3260
iscsi/iqn.2021-04.com.cqm:storage/tpg1/luns/ delete lun=0
iscsi/iqn.2021-04.com.cqm:storage/tpg1/acls/ delete iqn.2021-04.com.cqm:client
iscsi/ delete iqn.2021-04.com.cqm:storage
backstores/block/ delete block

7. IP SAN multipath deployment

In the setup above the shared device is reached over a single path; if that link fails the device becomes unreachable, so production deployments use several paths.

If the iSCSI target and the initiator each have two NICs on different subnets, multipathing can be configured.

7.1 Deploying multipath

  1. On the target, share the device through both IP addresses (one portal per address)

(screenshot: iSCSI 5)

  2. Discover the device on the client through both portals
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2021-04.com.cqm:client

systemctl start iscsi

iscsiadm --mode discoverydb --type sendtargets --portal 192.168.88.132:3260 --discover
192.168.88.132:3260,1 iqn.2021-04.com.cqm:storage
192.168.99.130:3260,1 iqn.2021-04.com.cqm:storage

iscsiadm --mode node --targetname iqn.2021-04.com.cqm:storage --portal 192.168.88.132:3260 --login
iscsiadm --mode node --targetname iqn.2021-04.com.cqm:storage --portal 192.168.99.130:3260 --login

lsblk now shows two new block devices, but they are the same device reached under two names

(screenshot: iSCSI 3)

  3. Install the multipath software
yum -y install device-mapper-multipath
# copy the sample config (the path carries the package version); "mpathconf --enable" does the same on RHEL/CentOS
cp /usr/share/doc/device-mapper-multipath-0.4.9/multipath.conf /etc/
systemctl start multipathd

Running lsblk again shows

(screenshot: iSCSI 4)

  4. Configure the multipath mode
multipath -ll
# wwid: 36001405ac25fe1abdfd4eecb1d0624b2
mpatha (36001405ac25fe1abdfd4eecb1d0624b2) dm-2 LIO-ORG ,block
...

vim /etc/multipath.conf
multipaths {
    multipath {
        wwid 36001405ac25fe1abdfd4eecb1d0624b2  # wwid of the device
        alias cqm                                # friendly name, becomes /dev/mapper/cqm
        path_grouping_policy multibus            # put all paths in one group
        path_selector "round-robin 0"            # load balancing across the paths
        failback manual                          # do not switch back automatically when a path group recovers
        rr_weight priorities                     # weight paths by priority in the round robin
        no_path_retry 5                          # retry for 5 polling intervals before failing I/O (a count, not seconds)
    }
    multipath {                                  # leftover from the sample config, unrelated to this device
        wwid 1DEC_____321816758474
        alias red
    }
}
systemctl restart multipathd
systemctl restart iscsi

multipath -ll
cqm (36001405ac25fe1abdfd4eecb1d0624b2) dm-2 LIO-ORG ,block
size=1023M features='1 queue_if_no_path' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
  |- 5:0:0:0 sdb 8:16 active ready running
  `- 6:0:0:0 sdc 8:32 active ready running
  5. Mount
mkdir /root/test
# cqm1 is the first partition on the multipath device cqm
mount /dev/mapper/cqm1 /root/test

7.2 Test

Take one NIC down and check whether the iSCSI device is still usable

  1. Take down ens33
ifdown ens33

(screenshot: iSCSI 6)

  2. Data can still be written to the iSCSI device

(screenshot: iSCSI 7)
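To see the lost path without reading multipath -ll by eye, and to alert on it from monitoring, an added example that is not part of multipath-tools or of this page's original setup: a parser for the multipath -ll layout shown above (a map header line, then one line per path with its H:C:T:L address, device name and dm state) that prints a summary per map and a FINDING for every map whose active path count is below its total. The sample output in the usage note is constructed to match the layout above, with one path marked failed.

```shell
#!/bin/sh
# Added example, not part of multipath-tools or of this page's original setup:
# parse "multipath -ll" output and report every map that has lost a path,
# which is what the failover test above should make visible.
# Usage: sh multipath_check.sh <saved output>
#    or: multipath -ll | sh multipath_check.sh /dev/stdin

multipath_paths() {
    awk '
    # a map header starts in column 1 and carries the dm-N name:
    # "cqm (36001405ac25fe1abdfd4eecb1d0624b2) dm-2 LIO-ORG ,block"
    /^[^ \t|`].* dm-[0-9]+ / { map = $1; total[map] += 0; order[++n] = map; next }
    {
        # path lines look like "|- 5:0:0:0 sdb 8:16 active ready running";
        # find the H:C:T:L field, the device is next, the dm state two after it
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/) {
                total[map]++
                if ($(i + 3) == "active") active[map]++
                else failed[map] = failed[map] " " $(i + 1)
                break
            }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            m = order[k]
            printf "MAP %s paths=%d active=%d\n", m, total[m], active[m] + 0
            if (active[m] + 0 < total[m])
                printf "FINDING %s: only %d of %d paths active, failed:%s\n", m, active[m] + 0, total[m], failed[m]
        }
    }' ${1:+"$1"}
}

# Names of the degraded maps only, one per line (empty when every path is up).
multipath_degraded() {
    multipath_paths ${1:+"$1"} | awk '/^FINDING/ { sub(/:$/, "", $2); print $2 }'
}

if [ $# -gt 0 ]; then
    multipath_paths "$1"
fi
```

With the healthy output above it prints "MAP cqm paths=2 active=2" and nothing else; after ifdown ens33 the path on that NIC shows up as failed and the map is reported as degraded, which is the line to alert on.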