安装NTP

 

# rpm -Uvh ntp-4.2.6p5-18.el7.centos.x86_64.rpm ntpdate-4.2.6p5-18.el7.centos.x86_64.rpm autogen-libopts-5.18-5.el7.x86_64.rpm

warning: ntp-4.2.6p5-18.el7.centos.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY

Preparing...                          #################################[100%]

       package ntpdate-4.2.6p5-18.el7.centos.x86_64 is already installed

 

# mkdir /mnt/cdrom/

# mount /dev/cdrom /mnt/cdrom/

mount: /dev/sr0 is write-protected, mounting read-only

# cd /mnt/cdrom/Packages/

[root@ZZSRV1 Packages]# ls ntp*

ntp-4.2.6p5-18.el7.centos.x86_64.rpm  ntpdate-4.2.6p5-18.el7.centos.x86_64.rpm

 

# rpm -qc ntp

/etc/ntp.conf

/etc/ntp/crypto/pw

/etc/sysconfig/ntpd

 

# cd /etc/

# cp ntp.conf ntp.conf.origin

 

# vi ntp.conf

删除所有内容,仅保留上游服务器(注意:这样也会删掉默认的 restrict 行;建议至少保留 `restrict default nomodify notrap nopeer noquery`、`restrict 127.0.0.1` 和 `restrict ::1`,否则任意来源都可以向 ntpd 发送查询和控制请求)

server 0.centos.pool.ntp.org

server 1.centos.pool.ntp.org

server 2.centos.pool.ntp.org

server 3.centos.pool.ntp.org

 

# service ntpd start

Redirecting to /bin/systemctl start  ntpd.service

 

查看日志

systemd: Starting Network Time Service...

ntpd[2622]: ntpd 4.2.6p5@1.2349-o Wed Jun 18 21:20:36 UTC 2014 (1)

ntpd[2623]: proto: precision = 0.203 usec

ntpd[2623]: 0.0.0.0 c01d 0d kern kerneltime sync enabled

ntpd[2623]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123

ntpd[2623]: Listen and drop on 1 v6wildcard :: UDP 123

ntpd[2623]: Listen normally on 2 lo 127.0.0.1 UDP 123

ntpd[2623]: Listen normally on 3 eno16777728 192.168.188.11 UDP 123

ntpd[2623]: Listen normally on 4 lo ::1 UDP 123

ntpd[2623]: Listen normally on 5 eno16777728 fe80::20c:29ff:fea4:2e39 UDP 123

ntpd[2623]: Listening on routing socket on fd #22 for interface updates

systemd: Started Network Time Service.

ntpd[2623]: 0.0.0.0 c016 06 restart

ntpd[2623]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM

ntpd[2623]: 0.0.0.0 c011 01 freq_not_set

ntpd[2623]: 0.0.0.0 c614 04 freq_mode

 

# systemctl enable ntpd

ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'

 

# netstat -an | grep 123

udp  0 0 192.168.188.11:123     0.0.0.0:*

udp  0 0 127.0.0.1:123          0.0.0.0:*

udp  0 0 0.0.0.0:123            0.0.0.0:*

udp6 0 0 fe80::20c:29ff:fea4:123 :::*

udp6 0 0 ::1:123                 :::*

udp6 0 0 :::123                  :::*

unix 3 [ ]         STREAM     CONNECTED     12323

unix 3 [ ]         STREAM     CONNECTED     16123

unix 3 [ ]         STREAM     CONNECTED     12324   /run/systemd/journal/stdout

 

1.1.  测试

在另外一台Linux上进行校时

# ntpdate 192.168.188.11

11 Aug 20:18:15 ntpdate[12840]: adjust time server 192.168.188.11 offset 0.004473 sec

 

Windows上进行校时,成功

 

设置自动校时

# rpm -qc crontabs

/etc/crontab

/etc/sysconfig/run-parts

 

撰写每天进行校时脚本

# cd /etc/cron.daily/

# ll

total 16

-rwxr-xr-x. 1 root root 332 Jun 27 19:07 0yum-daily.cron

-rwx------. 1 root root 180 Jul 31  2013 logrotate

-rwxr-xr-x. 1 root root 618 Mar 18 00:19 man-db.cron

-rwxr-x---. 1 root root 192 Jan 27  2014 mlocate

 

 

# vi checktime.sh

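#!/bin/bash
# /etc/cron.daily/checktime.sh - daily time sync against the local NTP server
# (192.168.188.11), then copy the corrected system time to the hardware clock.
#
# hwclock only runs when ntpdate succeeded: if the sync fails (server down,
# firewall, bad network) the RTC must not be overwritten with an unverified
# system time. The failure is reported on stderr so cron mails it to root.
if ntpdate 192.168.188.11; then
  hwclock --systohc
else
  printf 'checktime: ntpdate failed, hardware clock not updated\n' >&2
  exit 1
fi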

 

# chmod +x checktime.sh

 

测评一下脚本

# ./checktime.sh

11 Aug 20:25:49 ntpdate[12897]: adjust time server 192.168.188.11 offset 0.003041 sec

 

# ll

total 20

-rwxr-xr-x. 1 root root 332 Jun 27 19:07 0yum-daily.cron

-rwxr-xr-x 1 root root  41 Aug 11 20:25 checktime.sh

-rwx------. 1 root root 180 Jul 31  2013 logrotate

-rwxr-xr-x. 1 root root 618 Mar 18 00:19 man-db.cron

-rwxr-x---. 1 root root 192 Jan 27  2014 mlocate

 

防火墙配置


 

首先,需要对角色进行分析。它是主DNS、网站、DHCP服务器、时钟服务器。

我们决定不做出站限制,仅做入站限制,类似XP

 

查看当前配置

# iptables -L

Chain INPUT (policy ACCEPT)

target    prot opt source              destination

 

Chain FORWARD (policy ACCEPT)

target    prot opt source              destination

 

Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination

 

 

将以下配置写入一个脚本文件,执行

# vi /root/myfw.sh

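#!/bin/bash
# /root/myfw.sh - host firewall for this server (DNS, web, DHCP, NTP, FTP, SSH).
# Only inbound traffic is filtered; outbound stays open (see the role analysis
# above). The rules are not persisted by iptables itself - this script is
# re-run from rc.local at boot.
#
# Scope: this script only programs iptables (IPv4). ip6tables is untouched, so
# IPv6 inbound traffic (ntpd is also listening on :: and fe80:: above) is not
# filtered by it.

# Clear All
# Policies are set to ACCEPT *before* flushing so the current SSH session is
# not cut off while the rules are being rebuilt. This leaves the host fully
# open for the few milliseconds until the DROP policy is set at the end.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

# Loopback must be allowed explicitly once the INPUT policy is DROP; otherwise
# local clients of services on this host (anything not matched by a port rule
# below) are silently blocked.
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections this host initiated, plus RELATED traffic
# (ICMP errors, FTP data connections tracked by the conntrack helper).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 配置开放SSH的端口。
# Accepted from any source; if administration only happens from a known
# network, narrow this with "-s <admin network>".
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# 允许外部主机访问服务器上的web服务
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# 允许外部对本机访问服务器上DNS服务 (UDP and TCP)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# 允许外部对本机访问服务器上NTP服务
iptables -A INPUT -p udp --dport 123 -j ACCEPT

# 允许外部对本机访问服务器上FTP服务 (active and passive)
# Data connections in both modes are classified ESTABLISHED/RELATED and are
# already accepted by the state rule above, so only the control port needs a
# rule here. Passive mode relies on the conntrack FTP helper to mark the data
# connection RELATED, so the module is loaded first.
modprobe nf_conntrack_ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# DHCP服务器
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# 默认规则: drop anything not explicitly accepted above; forwarding is off.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP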

 

 

# chmod +x /root/myfw.sh

# /root/myfw.sh

# iptables -L -n

Chain INPUT (policy DROP)

target prot opt source     destination

ACCEPT all  --  0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED

ACCEPT tcp  --  0.0.0.0/0 0.0.0.0/0  tcp dpt:22

ACCEPT tcp  --  0.0.0.0/0 0.0.0.0/0  tcp dpt:80

ACCEPT udp  --  0.0.0.0/0 0.0.0.0/0  udp dpt:53

ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0 tcp dpt:53

ACCEPT udp  --  0.0.0.0/0 0.0.0.0/0  udp dpt:123

ACCEPT tcp  --  0.0.0.0/0 0.0.0.0/0  tcp dpt:21

ACCEPT tcp  --  0.0.0.0/0 0.0.0.0/0  tcp dpt:20 state ESTABLISHED

ACCEPT tcp  --  0.0.0.0/0 0.0.0.0/0  tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

ACCEPT udp  --  0.0.0.0/0 0.0.0.0/0  udp spts:67:68 dpts:67:68

 

Chain FORWARD (policy DROP)

target    prot opt source     destination

 

Chain OUTPUT (policy ACCEPT)

target    prot opt source     destination

 

扫描TCP端口

C:\>nmap -sS -T 5 192.168.188.11

 

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:20 中国标准时间

Nmap scan report for www.bigcloud.local (192.168.188.11)

Host is up (0.00069s latency).

Not shown: 996 filtered ports

PORT  STATE SERVICE

21/tcp open ftp

22/tcp open ssh

53/tcp open domain

80/tcp open http

MAC Address: 00:0C:29:A4:2E:39 (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

 

扫描UDP端口

C:\>nmap -sU -T 5 192.168.188.11

 

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:21 中国标准时间

Nmap scan report for www.bigcloud.local (192.168.188.11)

Host is up (0.0010s latency).

Not shown: 998 open|filtered ports

PORT   STATE SERVICE

53/udp open  domain

123/udp open  ntp

MAC Address: 00:0C:29:A4:2E:39 (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

 

 

Tip: 做实验的时候,可以使用以下命令来清除所有配置,从头来做

# Reset the filter table for a fresh start: set every built-in chain's policy
# back to ACCEPT, then flush all rules. Only the filter table is touched
# (nat/mangle are left as they are), exactly as the four original commands did.
for chain in INPUT OUTPUT FORWARD; do
  iptables -P "$chain" ACCEPT
done
iptables -F

 

 

 

RHEL 7(CentOS 7) 使用新的 Firewalld 来代替 iptables。在本次实验中,采用在启动时执行脚本的方式来解决

# vi /etc/rc.local

在最后添加如下内容(注意:CentOS 7 中 /etc/rc.local 指向 /etc/rc.d/rc.local,且默认没有执行权限,需先执行 chmod +x /etc/rc.d/rc.local,否则开机时不会运行该脚本):

/root/myfw.sh