week05
1. DNS server principle; build a master/slave pair
(1) How DNS resolution works
- The client sends a recursive query to its local (recursive) DNS server asking for the IP address of a name; the client expects a final answer, not a referral
- The local DNS server resolves the name on the client's behalf with iterative queries to other DNS servers
- It first asks a root server; a root server is not authoritative for the name and returns a referral to the top-level-domain (TLD) servers
- It then asks the TLD server, which returns a referral to the authoritative servers of the second-level domain
- It follows referrals level by level until an authoritative server returns the record for the requested name
- The answer is stored in the local server's cache for the record's TTL
- The answer is returned to the client from the cache
- Other clients asking for the same name within the TTL are answered straight from the cache, with no upstream queries
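An added toy model of the sequence above (not code from the page): a "local DNS server" accepts a recursive query, walks a constructed root -> TLD -> authoritative hierarchy with iterative queries, and caches the answer for its TTL, so the second query for the same name contacts no upstream server. The server names, the hierarchy table and the 10.0.0.17 address are assumptions chosen to match the lab on this page.

```python
import time

# Added example, not from the page: a toy model of recursive-vs-iterative lookup.
# The hierarchy below is constructed; nothing here touches the network.
# Each server knows, for some zone, either a referral ("refer", next_server)
# or an authoritative answer ("answer", ip, ttl_seconds).
HIERARCHY = {
    "root":      {"tech.": ("refer", "tld-tech")},
    "tld-tech":  {"ilogin.tech.": ("refer", "ns-ilogin")},
    "ns-ilogin": {"www.ilogin.tech.": ("answer", "10.0.0.17", 60)},
}


def suffixes(name):
    """Zone cuts of a name, longest first: www.ilogin.tech. -> ilogin.tech. -> tech."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


class LocalResolver:
    """The recursive server the client talks to; it iterates on the client's behalf."""

    def __init__(self, hierarchy, clock=time.monotonic):
        self.hierarchy = hierarchy
        self.clock = clock          # injectable so a test can let cache entries expire
        self.cache = {}             # name -> (ip, expires_at)

    def _ask(self, server, name):
        """One iterative query: the server answers for the longest suffix it knows."""
        table = self.hierarchy[server]
        for zone in suffixes(name):
            if zone in table:
                return table[zone]
        return ("none",)            # this server knows nothing about the name

    def recursive_query(self, name):
        """Client-facing query. Returns (ip_or_None, list_of_servers_contacted)."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], []       # cache hit within TTL: no upstream traffic at all
        server, trace = "root", []
        while server not in trace:  # guard against a referral loop
            trace.append(server)
            kind, *data = self._ask(server, name)
            if kind == "answer":
                ip, ttl = data
                self.cache[name] = (ip, now + ttl)
                return ip, trace
            if kind == "refer":
                server = data[0]
                continue
            return None, trace      # no delegation found: NXDOMAIN in a real resolver
        return None, trace
```

The first call to recursive_query("www.ilogin.tech.") contacts root, tld-tech and ns-ilogin in that order; the second returns the cached address with an empty trace, and only after the 60-second TTL has passed does the resolver walk the hierarchy again.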
(2) Building the master/slave pair
Environment:
Create 3 new virtual machines
DNS master server: 10.0.0.17
DNS slave server: 10.0.0.27
Web server: ilogin.tech
DNS client: 10.0.0.37
(1) Prepare unattended (PXE + Kickstart) installation of the 3 new hosts from a CentOS 7.9 Cobbler server
# Disable firewalld and SELinux on the Cobbler server (lab setting; the installed hosts get the same through the kickstart below)
[root@centos79 ~]#systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos79 ~]#cat /etc/selinux/config
SELINUX=disabled
# Turn off VMware's own DHCP service and give the Cobbler server a static address (it will run its own dhcpd for PXE)
[root@centos79 ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO="static"
IPADDR=10.0.0.7
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
# Install the EPEL repository, then Cobbler and its dependencies, and enable the services
[root@centos79 ~]#yum -y install epel-release
[root@centos79 ~]#yum -y install cobbler dhcp cobbler-web pykickstart
[root@centos7 ~]#systemctl enable --now cobblerd httpd tftp dhcpd
# dhcpd fails to start with the stock (empty) config, so seed it from the example file.
# With manage_dhcp enabled further down, Cobbler rewrites /etc/dhcp/dhcpd.conf from dhcp.template on every cobbler sync; this edit only gets dhcpd running.
[root@centos79 ~]#cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@centos79 ~]#cat /etc/dhcp/dhcpd.conf
option domain-name-servers 180.76.76.76, 223.5.5.5; # DNS servers handed to clients
default-lease-time 86400; # default lease
max-lease-time 106400; # maximum lease
subnet 10.0.0.0 netmask 255.255.255.0 { # must be the subnet this server sits on
range 10.0.0.160 10.0.0.199; # pool handed out to PXE clients
option routers 10.0.0.2; # gateway
[root@centos79 ~]#systemctl enable --now dhcpd
# Enable tftp under xinetd so it starts at boot
[root@centos79 ~]#vim /etc/xinetd.d/tftp
disable = no
# Cobbler settings in /etc/cobbler/settings
[root@centos79 ~]#vim /etc/cobbler/settings
server: 10.0.0.7
next_server: 10.0.0.7
pxe_just_once: 1 # after a successful install, stop offering PXE boot to that system; a host whose boot order tries the network first is otherwise re-imaged on every reboot
# Set the root password for the installed hosts. openssl passwd -1 produces an MD5-crypt hash ($1$...); prefer openssl passwd -6 (SHA-512 crypt), which also matches the auth --passalgo=sha512 line in the kickstart below. The hash shown here is a throwaway lab value.
[root@centos79 ~]#openssl passwd -1 zz
$1$0pA.pr6W$nJ/xXFsvMS0J.8hRCIZmM1
[root@centos79 ~]#vim /etc/cobbler/settings
default_password_crypted: "$1$0pA.pr6W$nJ/xXFsvMS0J.8hRCIZmM1"
# Let Cobbler manage dhcpd: it then generates /etc/dhcp/dhcpd.conf from the template below
[root@centos79 ~]#vim /etc/cobbler/settings
manage_dhcp: 1
[root@centos79 tftpboot]#vim /etc/cobbler/dhcp.template
# (only the edited lines of the subnet block are shown)
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.2;
option domain-name-servers 180.76.76.76, 223.5.5.5;
option subnet-mask 255.255.255.0;
range dynamic-bootp 10.0.0.160 10.0.0.199;
# Regenerate dhcpd.conf and the PXE files from the templates and restart the services
[root@centos7 ~]#cobbler sync
# Enable rsyncd.service
[root@centos79 tftpboot]#systemctl enable --now rsyncd.service
# Fetch the boot loader files into /var/lib/tftpboot
[root@centos79 tftpboot]#tree /var/lib/tftpboot
.
├── boot
├── etc
├── grub
├── images
├── images2
├── ppc
├── pxelinux.cfg
└── s390x
8 directories, 0 files
[root@centos79 ~]#cobbler get-loaders
No such command: get-loaders
# This Cobbler version no longer has get-loaders: it copies pxelinux.0 and menu.c32 from the syslinux package during cobbler sync, so installing syslinux and running cobbler sync again is enough
[root@centos79 ~]# yum -y install syslinux
[root@centos7 ~]#cobbler sync
[root@centos79 tftpboot]#tree /var/lib/tftpboot
.
├── boot
│ └── grub
│ └── menu.lst
├── etc
├── grub
│ ├── efidefault
│ └── images -> ../images
├── images
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxelinux.0
├── pxelinux.cfg
│ └── default
└── s390x
└── profile_list
10 directories, 7 files
[root@centos79 loaders]#cp /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot/
cp: ‘/usr/share/syslinux/pxelinux.0’ and ‘/var/lib/tftpboot/pxelinux.0’ are the same file
cp: ‘/usr/share/syslinux/menu.c32’ and ‘/var/lib/tftpboot/menu.c32’ are the same file
[root@centos79 loaders]#tree /var/lib/tftpboot
/var/lib/tftpboot
├── boot
│ └── grub
│ └── menu.lst
├── etc
├── grub
│ ├── efidefault
│ └── images -> ../images
├── images
│ └── centos-7.9-x86_64
│ ├── initrd.img
│ └── vmlinuz
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxelinux.0
├── pxelinux.cfg
│ └── default
└── s390x
└── profile_list
11 directories, 9 files
[root@centos7 ~]#cobbler sync
# Change the PXE boot menu title
[root@centos79 tftpboot]#vim /etc/cobbler/pxe/pxedefault.template
MENU TITLE Cobbler | http://ilogin.tech/
# Mount the install DVD and import it; Cobbler copies it under /var/www/cobbler/ks_mirror and serves it over HTTP as the install source and yum repository
# Attach the CentOS 7.9 install ISO to the VM's CD drive
[root@centos79 tftpboot]#lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
...
sr0 11:0 1 4.4G 0 rom
[root@centos79 tftpboot]#mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos79 tftpboot]#ls /mnt
CentOS_BuildTag LiveOS
EFI Packages
EULA repodata
GPL RPM-GPG-KEY-CentOS-7
images RPM-GPG-KEY-CentOS-Testing-7
isolinux TRANS.TBL
[root@centos79 tftpboot]#cobbler import --name=centos-7.9-x86_64 --path=/mnt --arch=x86_64
[root@centos79 tftpboot]#du -sh /var/www/cobbler/ks_mirror/*
4.5G /var/www/cobbler/ks_mirror/centos-7.9-x86_64
0 /var/www/cobbler/ks_mirror/centos-8.1-x86_64
4.0K /var/www/cobbler/ks_mirror/config
[root@centos79 tftpboot]#cobbler distro list
centos-7.9-x86_64
# Write the kickstart (answer) file
[root@centos79 ~]#cat ks7.9
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Install OS instead of upgrade
install
# Keyboard layouts
keyboard 'us'
# Root password
rootpw --iscrypted $1$DMZM5wWT$x0YNe8LBdTcDo.02zt9nq/
# System language
lang en_US
# System authorization information
auth --useshadow --passalgo=sha512
# Use text mode install
text
firstboot --disable
# SELinux configuration
selinux --disabled
# Firewall configuration
firewall --disabled
# Network information
network --bootproto=dhcp --device=eth0
# Reboot after installation
reboot
# System timezone
timezone Asia/Shanghai
# Use network installation
url --url="http://10.0.0.7/cobbler/ks_mirror/centos-7.9-x86_64"
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part / --fstype="xfs" --size=51200
part /boot --fstype="xfs" --size=1024
part /data --fstype="xfs" --size=20480
part swap --fstype="swap" --size=2048
%post
# autofs exposes the install DVD at /misc/cd on demand through the stock auto.misc entry
systemctl enable --now autofs
mkdir /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup
# The here-doc delimiter is quoted: %post runs under /bin/sh, and with a bare EOF the shell would expand $releasever and $basearch to empty strings before yum ever reads the file. Continuation URLs under one baseurl must be indented. The DVD carries only the base repository, so it is not listed for extras and epel.
# gpgcheck=0 turns off package signature verification; outside a throwaway lab use gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 (and the EPEL key for epel).
cat > /etc/yum.repos.d/base.repo <<'EOF'
[base]
name=base
baseurl=file:///misc/cd
        https://mirrors.cloud.tencent.com/centos/$releasever/os/$basearch/
        https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/os/$basearch/
        https://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        https://mirrors.163.com/centos/$releasever/os/$basearch/
gpgcheck=0
enabled=1
[extras]
name=extras
baseurl=https://mirrors.cloud.tencent.com/centos/$releasever/extras/$basearch/
        https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/extras/$basearch/
        https://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
        https://mirrors.163.com/centos/$releasever/extras/$basearch/
gpgcheck=0
enabled=1
[epel]
name=epel
baseurl=https://mirrors.cloud.tencent.com/epel/$releasever/$basearch/
        https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/$basearch/
        https://mirrors.aliyun.com/epel/$releasever/$basearch/
        https://mirrors.163.com/epel/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF
# Public key of the Cobbler server: generated there with ssh-keygen, placed in /root/.ssh/authorized_keys by ssh-copy-id 127.0.0.1, and pasted from that file here. Only the public half is embedded, so the kickstart holds no secret.
mkdir /root/.ssh -m 700
cat > /root/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjnJXCgEH46YYibLSk8No5hh60o6nNC/UPCfskQ+exbbioo+LcOCrRE8gA7bYsmFibf0TVTcbAEMxRfq5OCDCcW9xM7JWZ0T7OttWdChomZAqzM9CadRVcZgUGXBeZBZmj5tbVesI/hBhxiIpv2Rl290/0N6nm/XqwI91LbI3bJDW+L0TqVYwaUXw9LTpuufvEOvoYaklbRWd9q0+nHCU/JQISC8eNfDJ8VxU1ebGkupMV5A3VxN5gnwiEFyB5plS3fONVePr8AhDUw6usHJ1y7tMETvESsJyji7k1DRdxK5+BnHUE9LuGJfrSZdXVWdgMFxMyLIbiNFWpbiMlJ3wT root@centos79.localdomain
EOF
chmod 600 /root/.ssh/authorized_keys
echo 'alias cdnet="cd /etc/sysconfig/network-scripts"' >> /root/.bashrc
# Lab-only account with a trivial password
useradd cc
echo cc |passwd --stdin cc
%end
# Validate the kickstart /root/ks7.9 and copy it into Cobbler's kickstart directory
[root@centos79 ~]#ksvalidator ks7.9
[root@centos79 ~]#cp /root/ks7.9 /var/lib/cobbler/kickstarts/centos7.ks
# Tie the kickstart to the imported distro so the PXE menu offers it. cobbler import already created a profile with this name, which is why add is refused and edit is the right command
[root@centos79 ks_mirror]#cobbler profile add --name=centos-7.9-x86_64 --distro=centos-7.9-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.ks
exception on server: "it seems unwise to overwrite this object, try 'edit'"
[root@centos79 ks_mirror]#cobbler profile edit --name=centos-7.9-x86_64 --distro=centos-7.9-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.ks
[root@centos79 ks_mirror]#cobbler profile list
centos-7.9-x86_64
# Create 4 CentOS 7 VMs in VMware with no ISO attached
# Boot them from the network; the 4 machines install unattended from the PXE menu
# Give them static addresses ending in 17, 27, 37 and 47, plus NETMASK and GATEWAY
# Add "nameserver 8.8.8.8" to /etc/resolv.conf
# Restart the network service
# Set up key-based login between the hosts
[root@localhost yum.repos.d]# ssh-keygen
[root@localhost ~]# ssh-copy-id 127.0.0.1
[root@localhost ~]# ll .ssh
total 16
-rw-------. 1 root root 815 May 22 19:22 authorized_keys
-rw------- 1 root root 1679 May 22 19:16 id_rsa
-rw-r--r-- 1 root root 408 May 22 19:16 id_rsa.pub
-rw-r--r-- 1 root root 342 May 22 19:22 known_hosts
# Caveat: syncing the whole .ssh directory also copies the private key id_rsa to every host, so compromising any one of them gives root on all of them. ssh-copy-id against each host distributes only the public key and is the safer choice outside a lab.
[root@localhost ~]# yum install -y rsync
[root@localhost ~]# rsync -av .ssh 10.0.0.27:/root
[root@localhost ~]# rsync -av .ssh 10.0.0.37:/root
[root@localhost ~]# rsync -av .ssh 10.0.0.47:/root
(2) Build the master DNS server
# On 10.0.0.17
[root@localhost yum.repos.d]# yum install bind -y
[root@localhost yum.repos.d]# vim /etc/named.conf
# Comment out the following two lines so named listens on all interfaces and answers any client (fine in this lab; on an internet-facing server restrict allow-query and allow-recursion, or it becomes an open resolver)
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Allow zone transfers only to the slave; without this any host can dump the whole zone with an AXFR
allow-transfer { 10.0.0.27; };
[root@localhost yum.repos.d]# vim /etc/named.rfc1912.zones
Append:
zone "ilogin.tech" {
type master;
file "ilogin.tech.zone";
};
# cp -p keeps the template's root:named ownership and 0640 mode, so named can read the new zone file
[root@localhost yum.repos.d]# cp -p /var/named/named.localhost /var/named/ilogin.tech.zone
[root@localhost yum.repos.d]# vim /var/named/ilogin.tech.zone
[root@localhost yum.repos.d]# cat /var/named/ilogin.tech.zone
$TTL 1D
@ IN SOA master admin.ilogin.tech. (
1 ; serial: increase it on every edit, or the slave sees no change at refresh time
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 10.0.0.17
slave A 10.0.0.27
# Check the configuration with named-checkconf and the zone with named-checkzone, then start named
[root@localhost yum.repos.d]# systemctl start named
(3) Build the slave server
# On 10.0.0.27
[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# The slave passes the zone on to nobody
allow-transfer { none; };
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "ilogin.tech" {
type slave;
masters { 10.0.0.17; };
file "slaves/ilogin.tech.slave";
};
# Start the service (on a fresh install named is not running yet, so start rather than reload). The zone is pulled from the master and written under /var/named/slaves, the one directory named is allowed to write to; the file appearing there confirms the transfer worked
[root@localhost ~]# systemctl start named
[root@localhost ~]# ls /var/named/slaves/
ilogin.tech.slave
(4) Client test
# On host 10.0.0.37: point the resolver at the master first and the slave second, then restart the network service so /etc/resolv.conf is regenerated
[root@localhost html]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
DNS1=10.0.0.17
DNS2=10.0.0.27
[root@localhost network-scripts]# yum install -y bind-utils
[root@localhost ~]# dig www.ilogin.tech
...
;; SERVER: 10.0.0.17#53(10.0.0.17)
...
# Stop named on the master (systemctl stop named) and query again: the resolver times out on DNS1 and falls back to the slave. The zone above defines no www record, so the status is NXDOMAIN either way; the SERVER line is what demonstrates the failover
[root@localhost ~]# dig www.ilogin.tech
...
;; SERVER: 10.0.0.27#53(10.0.0.27)
...
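To check from a client that the allow-transfer restriction above actually holds, here is an added example (not code from the page or from BIND): it sends an AXFR request over TCP and parses the reply, reporting REFUSED when the server restricts transfers or listing the records when the zone leaks. The wire-format helpers are ours, and the sample responses at the bottom are constructed from the ilogin.tech zone above so the parser can be exercised offline; the function check_axfr() is what you would call against 10.0.0.17 and 10.0.0.27.

```python
import socket
import struct

# Added example, not code from the page or from BIND: request an AXFR over TCP
# and report REFUSED (transfer restricted) or the records (the zone leaks).
# The sample responses at the bottom are constructed from the ilogin.tech zone.
QTYPE_AXFR = 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA"}


def encode_name(name):
    """Dotted name -> DNS label sequence ending in the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (flags 0: query, RD clear, as an AXFR should be) + one AXFR question."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1))


def decode_name(msg, off):
    """Read a possibly compressed name at off; return (fqdn, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end     # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Return (rcode_name, [(owner, type, ttl, rdata)]) for every RR in one message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                      # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):
            rdata, _ = decode_name(msg, off)          # NS/CNAME target may be compressed
        off += rdlen
        records.append((owner, TYPES.get(rtype, rtype), ttl, rdata))
    return RCODES.get(flags & 0xF, flags & 0xF), records


def check_axfr(server, zone, timeout=5):
    """Attempt an AXFR (TCP, 2-byte length prefix); read until the closing SOA."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        stream = sock.makefile("rb")                  # read(n) blocks until n bytes or EOF
        while soa_seen < 2:                           # large zones span several messages
            hdr = stream.read(2)
            if len(hdr) < 2:
                raise ConnectionError("server closed the connection mid-transfer")
            rcode, recs = parse_message(stream.read(struct.unpack("!H", hdr)[0]))
            if rcode != "NOERROR" or not recs:
                return rcode, records
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return "NOERROR", records


def build_response(txid, rcode, zone, records):
    """Constructed-response helper for offline tests: owners equal to the zone
    apex are emitted as a pointer to the question name at offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(records), 0, 0)  # QR=1, AA=1
    msg += encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
    for owner, rtype, ttl, rdata in records:
        msg += b"\xC0\x0C" if owner == zone else encode_name(owner)
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed samples mirroring the zone above (serial 1, master at 10.0.0.17)
ZONE = "ilogin.tech."
SOA_RDATA = (encode_name("master." + ZONE) + encode_name("admin." + ZONE)
             + struct.pack("!IIIII", 1, 86400, 3600, 604800, 10800))
LEAKED_ZONE = build_response(0x1234, 0, ZONE, [
    (ZONE, 6, 86400, SOA_RDATA),
    (ZONE, 2, 86400, encode_name("master." + ZONE)),
    ("master." + ZONE, 1, 86400, bytes([10, 0, 0, 17])),
    (ZONE, 6, 86400, SOA_RDATA),                      # an AXFR ends with a second SOA
])
REFUSED = build_response(0x1234, 5, ZONE, [])
```

Called as check_axfr("10.0.0.17", "ilogin.tech") from 10.0.0.37 the expected result is ("REFUSED", []), because only 10.0.0.27 is in allow-transfer; from the slave itself the full zone comes back. Against 10.0.0.27, whose allow-transfer is none, every client should see REFUSED. The loop keeps reading until the second SOA because a large zone arrives in several messages, and it stops early on any non-NOERROR rcode.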
2. Build split-horizon ("intelligent") DNS with BIND views
# Environment:
DNS master server, which is also web server 1: 10.0.0.8/24 and 172.16.0.8/16
Web server 2: 10.0.0.7/24
Web server 3: 172.16.0.7/16
DNS client 1: 10.0.0.6/24
DNS client 2: 172.16.0.6/16
# Network configuration of the DNS server
# Two addresses on two interfaces
#eth0: 10.0.0.8/24
#eth1: 172.16.0.8/16
# Master DNS server: implement views in the configuration file
[root@localhost ~]#yum install bind -y
[root@localhost ~]#vim /etc/named.conf
# Add these ACLs at the very top of the file
acl beijingnet {
10.0.0.0/24;
};
acl shanghainet {
172.16.0.0/16;
};
acl othernet {
any;
};
# Comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Create the views. Once a view exists, BIND requires every zone statement to sit inside a view, so also comment out the stock zone "." hint block and the include "/etc/named.rfc1912.zones"; line in named.conf (each per-view include below carries its own root hint). Views are tried top to bottom and the first match wins, so the catch-all othernet view must stay last
view beijingview {
match-clients { beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients { othernet;};
include "/etc/named.rfc1912.zones.other";
};
include "/etc/named.root.key";
# Per-view zone configuration files (each one carries the root hint so recursion works inside that view)
[root@localhost ~]#vim /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.bj";
};
[root@localhost ~]#vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.sh";
};
[root@localhost ~]#vim /etc/named.rfc1912.zones.other
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.other";
};
[root@localhost ~]#chgrp named /etc/named.rfc1912.zones.bj
[root@localhost ~]#chgrp named /etc/named.rfc1912.zones.sh
[root@localhost ~]#chgrp named /etc/named.rfc1912.zones.other
# Create the zone database files. The three files differ only in the websrv A record: each view hands out the web server on its own network, and the catch-all view points at 127.0.0.1, i.e. the DNS server's own httpd
[root@localhost ~]#vim /var/named/magedu.org.zone.bj
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 10.0.0.7
www CNAME websrv
[root@localhost ~]#vim /var/named/magedu.org.zone.sh
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 172.16.0.7
www CNAME websrv
[root@localhost ~]#vim /var/named/magedu.org.zone.other
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 127.0.0.1
www CNAME websrv
[root@localhost ~]#chgrp named /var/named/magedu.org.zone.bj
[root@localhost ~]#chgrp named /var/named/magedu.org.zone.sh
[root@localhost ~]#chgrp named /var/named/magedu.org.zone.other
# Check the result with named-checkconf, then start named
[root@localhost ~]#systemctl start named
# Three web servers, one on each network
# Install httpd on all three hosts
# On web server 1 (10.0.0.8/24, the DNS server itself)
[root@localhost ~]#yum install httpd
[root@localhost ~]#echo www.magedu.org in Other > /var/www/html/index.html
[root@localhost ~]#systemctl start httpd
# On web server 2 (10.0.0.7/24)
[root@localhost ~]#yum install httpd
[root@localhost ~]#echo www.magedu.org in Beijing > /var/www/html/index.html
[root@localhost ~]#systemctl start httpd
# On web server 3 (172.16.0.7/16)
[root@localhost ~]#yum install httpd
[root@localhost ~]#echo www.magedu.org in Shanghai > /var/www/html/index.html
[root@localhost ~]#systemctl start httpd
# Client tests
# Run curl on each of the three hosts
# DNS client 1 (10.0.0.6/24) with the resolver pointing at 10.0.0.8: the query's source address matches beijingnet
[root@localhost ~]#curl www.magedu.org
www.magedu.org in Beijing
# DNS client 2 (172.16.0.6/16) with the resolver pointing at 172.16.0.8: matches shanghainet
[root@localhost ~]#curl www.magedu.org
www.magedu.org in Shanghai
# DNS client 3 is the DNS server itself (10.0.0.8) with the resolver pointing at 127.0.0.1: the query arrives from 127.0.0.1, which matches neither ACL, so it falls through to otherview
[root@localhost ~]#curl www.magedu.org
www.magedu.org in Other
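As an added simulation of what the three views above do (our own code, not BIND's and not from the page): the ACLs and view order are transcribed from this section, the zone text is the page's layout with only the websrv address varying, and resolve() returns the view a client lands in and the address it is given for www.magedu.org after following the CNAME to websrv. It also shows the failure mode of putting the any view first, which would hand every client the catch-all answer.

```python
import ipaddress

# Added example, not from the page: simulate BIND's view selection (first view
# whose match-clients ACL matches wins) and the per-view answer for www.magedu.org.
# Zone text and ACLs are transcribed from the page; the matching, the minimal
# master-file parser and the CNAME chasing are our own simulation, not BIND code.
ORIGIN = "magedu.org."
TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def zone_text(websrv_ip):
    """Constructed copy of the page's zone file layout with one websrv address."""
    return f"""$TTL 1D
@ IN SOA master admin.magedu.org. (
        2019042214 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
        NS master
master  A     10.0.0.8
websrv  A     {websrv_ip}
www     CNAME websrv
"""


def parse_ttl(tok):
    tok = tok.upper()
    return int(tok[:-1]) * TTL_UNITS[tok[-1]] if tok[-1] in TTL_UNITS else int(tok)


def qualify(name, origin):
    """Apply the origin: '@' is the apex, names without a trailing dot are relative."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")


def parse_zone(text, origin):
    """Minimal master-file parser for the subset used on this page.
    Returns ({fqdn: [(type, rdata)]}, default_ttl_seconds)."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line         # join "( ... )" continuations
        if buf.count("(") > buf.count(")"):
            continue
        joined.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    ttl, records, owner = 0, {}, origin
    for line in joined:
        tokens = line.split()
        if tokens[0] == "$TTL":
            ttl = parse_ttl(tokens[1])
            continue
        if not line[0].isspace():                     # a blank owner repeats the previous one
            owner = qualify(tokens.pop(0), origin)
        if tokens[0].upper() == "IN":                 # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.setdefault(owner, []).append((rtype, rdata))
    return records, ttl


ACLS = {"beijingnet": ["10.0.0.0/24"], "shanghainet": ["172.16.0.0/16"], "othernet": ["any"]}
# Order matters: BIND tries views top to bottom, so the "any" view must come last.
VIEWS = [
    ("beijingview", "beijingnet", zone_text("10.0.0.7")),
    ("shanghaiview", "shanghainet", zone_text("172.16.0.7")),
    ("otherview", "othernet", zone_text("127.0.0.1")),
]


def acl_matches(acl, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(e == "any" or ip in ipaddress.ip_network(e) for e in ACLS[acl])


def select_view(client_ip, views=VIEWS):
    for name, acl, text in views:
        if acl_matches(acl, client_ip):
            return name, text
    raise LookupError("no view matched; BIND would answer REFUSED")


def resolve(name, client_ip, views=VIEWS):
    """Answer an A query as the matched view would; returns (view, ip or None)."""
    view, text = select_view(client_ip, views)
    records, _ = parse_zone(text, ORIGIN)
    target = name if name.endswith(".") else name + "."
    for _ in range(8):                                # bound CNAME chasing
        rrs = records.get(target, [])
        addrs = [rd for rt, rd in rrs if rt == "A"]
        if addrs:
            return view, addrs[0]
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return view, None
        target = cnames[0]
    return view, None
```

resolve("www.magedu.org", "10.0.0.6") gives ("beijingview", "10.0.0.7"), a 172.16.0.6 client gets ("shanghaiview", "172.16.0.7"), and both 127.0.0.1 and any outside address fall through to ("otherview", "127.0.0.1"). Passing views=VIEWS[::-1] puts otherview first and every client is answered 127.0.0.1, which is the mistake the ordering note in named.conf guards against.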
3. Use iptables to allow ssh, telnet, ftp and the web service on port 80, and reject every other port
[root@localhost ~]# systemctl disable --now firewalld.service
# Order matters: the REJECT is appended first, then the ACCEPT is inserted (-I) above it, which is why the listing below shows ACCEPT before REJECT. Between the two commands every packet is rejected, including an existing ssh session, so on a remote host add the ACCEPT rule first or issue both in one line
[root@localhost ~]# iptables -A INPUT -j REJECT
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --dports 20,21,22,23,80 -j ACCEPT
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
31 4594 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 20,21,22,23,80
63 4992 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 31 packets, 5385 bytes)
pkts bytes target prot opt in out source destination
# Caveats with this ruleset: the INPUT policy is still ACCEPT, so a flush (iptables -F) silently opens every port; there is no rule for the loopback interface; and nothing accepts ESTABLISHED,RELATED traffic, so replies to this host's own connections (DNS answers, yum downloads) hit the REJECT. Passive FTP additionally needs the nf_conntrack_ftp module for its data connections to count as RELATED. Nothing here survives a reboot; persistence is covered in section 5
4. NAT summary
- What NAT does
- Translates private addresses to public ones, or lets one public address stand in for many private ones, saving address space
- NAT comes in static, dynamic and port-based forms
- Static translation: a one-to-one mapping between a private and a public address
- Dynamic translation: private addresses mapped onto a pool of public addresses
- Port translation (PAT): one public address serves many private addresses, told apart by port
- Classification in netfilter:
- SNAT: source NAT, valid in the POSTROUTING and INPUT chains of the nat table; lets hosts on the local network reach the outside through one chosen address (address masquerading); the request packet's source IP is rewritten
- DNAT: destination NAT, valid in the PREROUTING and OUTPUT chains; publishes a service on an internal host to the outside (service publishing, port mapping) while hiding its real IP; the request packet's destination IP is rewritten
- PNAT: port NAT, both the port and the IP are rewritten
5. Implement SNAT and DNAT with iptables, and persist the rules
# SNAT: traffic from 10.0.0.0/24 that is not destined for 10.0.0.0/24 leaves with a source address from the 172.18.1.6-172.18.1.9 pool (addresses the firewall must own or at least be routed); the firewall needs net.ipv4.ip_forward=1
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 172.18.1.6-172.18.1.9
# DNAT: connections to 192.168.0.8:80 are forwarded to 10.0.0.7:8080; the backend's default route must lead back through this firewall so replies are un-NATed
[root@firewall ~]#iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7:8080
# Persistence: rules live only in the running kernel. On CentOS 7 install iptables-services, dump the ruleset with iptables-save into /etc/sysconfig/iptables, and enable iptables.service so it is restored at boot
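An added example covering sections 3 and 5 (our own code, not from the page): build_ruleset() produces the complete ruleset in the iptables-restore format that iptables-save writes, with section 3's allow-list corrected (DROP policy, loopback and ESTABLISHED,RELATED rules, catch-all REJECT last) and section 5's SNAT and DNAT rules, and audit_ruleset() checks a saved dump for the gaps in the rules as typed above. Addresses and ports are the page's; PAGE_DUMP is a constructed rendering of section 3's two rules as iptables-save would print them. Nothing here touches the kernel.

```python
import re

# Added example, not from the page: generate an iptables-restore ruleset for
# sections 3 and 5 and audit an iptables-save dump for common omissions.
# Addresses and ports are the page's; the generator and checks are ours.


def build_ruleset(tcp_ports=(20, 21, 22, 23, 80), lan="10.0.0.0/24",
                  snat_pool="172.18.1.6-172.18.1.9", public_ip="192.168.0.8",
                  backend="10.0.0.7:8080"):
    """Return iptables-restore text suitable for /etc/sysconfig/iptables."""
    ports = ",".join(str(p) for p in tcp_ports)
    return "\n".join([
        "*filter",
        ":INPUT DROP [0:0]",            # default-deny: a flush does not open the host
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",     # loopback, e.g. named answering on 127.0.0.1
        # replies to the host's own connections (DNS answers, yum downloads)
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -p tcp -m multiport --dports {ports} -j ACCEPT",
        "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
        "COMMIT",
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -s {lan} ! -d {lan} -j SNAT --to-source {snat_pool}",
        f"-A PREROUTING -d {public_ip} -p tcp --dport 80 -j DNAT --to-destination {backend}",
        "COMMIT",
        "",
    ])


def _input_rules(dump):
    """INPUT policy and the -A INPUT rules of the filter table in an iptables-save dump."""
    if "*filter" not in dump:
        return None, []
    filt = dump.split("*filter", 1)[1].split("COMMIT", 1)[0]
    policy = re.search(r"^:INPUT (\S+)", filt, re.M)
    rules = [ln for ln in filt.splitlines() if ln.startswith("-A INPUT")]
    return (policy.group(1) if policy else None), rules


def audit_ruleset(dump):
    """Findings for an iptables-save dump; an empty list means no check fired."""
    policy, rules = _input_rules(dump)
    findings = []
    drops = [i for i, r in enumerate(rules)
             if re.fullmatch(r"-A INPUT -j (REJECT|DROP)(\s.*)?", r)]
    if policy == "ACCEPT" and drops:
        findings.append("INPUT policy is ACCEPT: 'iptables -F' leaves every port open; set a DROP policy")
    if not any("-i lo " in r and r.endswith("-j ACCEPT") for r in rules):
        findings.append("no loopback accept: services bound to 127.0.0.1 are rejected")
    if not any("ESTABLISHED" in r and r.endswith("-j ACCEPT") for r in rules):
        findings.append("no ESTABLISHED,RELATED accept: replies to the host's own queries (DNS, yum) are rejected")
    if drops and drops[0] != len(rules) - 1:
        findings.append("catch-all reject is not the last INPUT rule: later rules never match")
    return findings


# Constructed dump of section 3's two rules as iptables-save would print them
PAGE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 20,21,22,23,80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def save_for_boot(text, path="/etc/sysconfig/iptables"):
    """Persist on CentOS 7: iptables.service (package iptables-services) loads this file at boot."""
    with open(path, "w") as fh:
        fh.write(text)
```

audit_ruleset(PAGE_DUMP) returns three findings (ACCEPT policy, no loopback rule, no conntrack rule) and audit_ruleset(build_ruleset()) returns none. To apply and persist the generated text on the firewall, write it with save_for_boot() or feed it to iptables-restore, then enable iptables.service; passive FTP still needs the nf_conntrack_ftp module loaded so its data connections match the RELATED rule.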