linux exercise 24

              -----------------nfs----------------
1.启用服务
systemctl start firewalld
yum install nfs-utils
systemctl enable nfs-server
systemctl start nfs-server
[root@localhost ~]# firewall-cmd --permanent --add-service=nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@localhost ~]# firewall-cmd --permanent --add-service=mountd
[root@localhost ~]# firewall-cmd --reload
[root@localhost ~]# firewall-cmd --list-all
(也可直接关闭防火墙,但安全性降低) 
 
测试:
[root@foundation42 ~]# showmount -e 172.25.254.142
Export list for 172.25.254.142:


2.共享目录
服务端为server 242
vim /etc/exports        ##man 5 exports
要共享的系统目录    共享方式
/public      *(sync)    ###public共享给所有人并且数据同步
/public      172.25.42.0/24(sync)   ###public共享给172.25.42.0/24网段
/public      *.example.com(sync)    ###public共享给example.com域
/public      172.25.42.142(ro,sync)   172.25.42.254(rw,sync) ##public共享给142时只读,254是读写
/public      *(sync,no_root_squash)    ###public共享给所有人,当客户端使用root挂载不转换用户身份(客户端root等同于服务端root,慎用)
/public      *(sync,anonuid=1001,anongid=1000)   ###public共享给所有人以1001为uid,1000为gid


exportfs -rv


3.利用kerberos保护nfs输出
//两台主机的ip设置
都是172.25.42网段,gateway 172.25.42.254   dns 172.25.254.254


在server上
开启kerberos认证,得到ldap用户


wget http://172.25.42.254/pub/keytabs/server0.keytab -O /etc/krb5.keytab    ##keytab是密钥文件,下载后确认权限仅root可读(0600)



#########################packages needed###################################
need packages:
system-config-kickstart ##自动应答脚本制作工具
syslinux ##获得pxelinux.0文件安装包
dhcp ##分配ip给客户机的服务
tftp-server ##提供tftp协议的服务
httpd ##安装源共享服务
#########################config file rules#####################################
No.1 FIRST CONFIG DHCP ##配置dhcp配置文件
config /etc/dhcpd/dhcpd.conf like this:
===============================================================
option domain-name "example.com"; ##域名
option domain-name-servers 192.168.0.79; ##dns
default-lease-time 600; ##默认租约期
max-lease-time 7200; ##最长租约期
log-facility local7; ##日志级别
subnet 192.168.0.0 netmask 255.255.255.0 { ##网段,子网掩码
  range 192.168.0.102 192.168.0.111; ##地址范围
  option routers 192.168.0.254; ##网关
  filename "pxelinux.0"; ##pxe启动程序
  next-server 192.168.0.79; ##tftp主机地址
}
systemctl restart dhcpd
systemctl stop firewalld ##关闭防火墙会降低安全性,也可改为放行相关服务(见上文firewall-cmd用法)


No.2 SECOND CONFIG TFTP
config /etc/xinetd.d/tftp like this:
service tftp
{
        socket_type        = dgram
        protocol              = udp
        wait                     = yes
        user                    = root
        server                 = /usr/sbin/in.tftpd
        server_args        = -s /var/lib/tftpboot
        disable                = no    ##默认为yes,需改为no
        per_source         = 11
        cps                     = 100 2
        flags                   = IPv4
}
systemctl restart xinetd


No.3 THIRD MAKE SOME FILES AND THE PXE WORK DIRECTORY
1)
cd /var/lib/tftpboot/
mkdir pxelinux.cfg
2)
mount the rhel7 iso
cp isolinux/* /var/lib/tftpboot
3)
cp /var/lib/tftpboot/isolinux.cfg   /var/lib/tftpboot/pxelinux.cfg/default
cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/
4)
make a usable install source and kickstart; mine are in the ftp's pub directory:
ftp://192.168.0.252/pub/rhel6
ftp://192.168.0.252/pub/ks.cfg
5)
config the file of /var/lib/tftpboot/pxelinux.cfg/default like this:
========================================================================================
default vesamenu.c32
timeout 600 ##等待时间


display boot.msg


# Clear the screen when exiting the menu, instead of leaving the menu displayed.
# For vesamenu, this means the graphical background is still displayed without
# the menu itself for as long as the screen remains in graphics mode.
menu clear
menu background splash.png
menu title Red Hat Enterprise Linux 7.0 ##大标题
menu vshift 8
menu rows 18
menu margin 8
#menu hidden
menu helpmsgrow 15
menu tabmsgrow 13


# Border Area
menu color border * #00000000 #00000000 none


# Selected item
menu color sel 0 #ffffffff #00000000 none


# Title bar
menu color title 0 #ff7ba3d0 #00000000 none


# Press [Tab] message
menu color tabmsg 0 #ff3a6496 #00000000 none


# Unselected menu item
menu color unsel 0 #84b8ffff #00000000 none


# Selected hotkey
menu color hotsel 0 #84b8ffff #00000000 none


# Unselected hotkey
menu color hotkey 0 #ffffffff #00000000 none


# Help text
menu color help 0 #ffffffff #00000000 none


# A scrollbar of some type? Not sure.
menu color scrollbar 0 #ffffffff #ff355594 none


# Timeout msg
menu color timeout 0 #ffffffff #00000000 none
menu color timeout_msg 0 #ffffffff #00000000 none


# Command prompt text
menu color cmdmark 0 #84b8ffff #00000000 none
menu color cmdline 0 #ffffffff #00000000 none


# Do not display the actual menu unless the user presses a key. All that is displayed is a timeout message.


menu tabmsg Press Tab for full configuration options on menu items.


menu separator # insert an empty line
menu separator # insert an empty line


label linux
  menu label ^Install Red Hat Enterprise Linux 7.0 ##小标题
   menu default ##默认标题设定
  kernel vmlinuz
  append initrd=initrd.img repo=http://172.25.254.100/soucre ks=http://172.25.254.100/ks.cfg ##安装源和ks


label check
  menu label Test this ^media & install Red Hat Enterprise Linux 7.0
  #menu default
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 rd.live.check quiet


menu separator # insert an empty line


# utilities submenu
menu begin ^Troubleshooting
  menu title Troubleshooting


label vesa
  menu indent count 5
  menu label Install Red Hat Enterprise Linux 7.0 in ^basic graphics mode
  text help
Try this option out if you're having trouble installing
Red Hat Enterprise Linux 7.0.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 xdriver=vesa nomodeset quiet


label rescue
  menu indent count 5
  menu label ^Rescue a Red Hat Enterprise Linux system
  text help
If the system will not boot, this lets you access files
and edit config files to try to get it booting again.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 rescue quiet


label memtest
  menu label Run a ^memory test
  text help
If your system is having issues, a problem with your
system's memory may be the cause. Use this utility to
see if the memory is working correctly.
  endtext
  kernel memtest


menu separator # insert an empty line


label local
  menu label Boot from ^local drive
  localboot 0xffff


menu separator # insert an empty line
menu separator # insert an empty line


label returntomain
  menu label Return to ^main menu
  menu exit


menu end




#########################packages needed###################################
need packages:
system-config-kickstart ##自动应答脚本制作工具
syslinux ##获得pxelinux.0文件安装包
dhcp ##分配ip给客户机的服务
tftp-server ##提供tftp协议的服务
httpd ##安装源共享服务
#########################config file rules#####################################
No.1 FIRST CONFIG DHCP ##配置dhcp配置文件
config /etc/dhcpd/dhcpd.conf like this:
===============================================================
option domain-name "example.com"; ##域名
option domain-name-servers 192.168.0.79; ##dns
default-lease-time 600; ##默认租约期
max-lease-time 7200; ##最长租约期
log-facility local7; ##日志级别
subnet 192.168.0.0 netmask 255.255.255.0 { ##网段,子网掩码
  range 192.168.0.102 192.168.0.111; ##地址范围
  option routers 192.168.0.254; ##网关
  filename "pxelinux.0"; ##pxe启动程序
  next-server 192.168.0.79; ##tftp主机地址
}
systemctl restart dhcpd
systemctl stop firewalld ##关闭防火墙会降低安全性,也可改为放行相关服务(见上文firewall-cmd用法)


No.2 SECOND CONFIG TFTP
config /etc/xinetd.d/tftp like this:
service tftp
{
        socket_type        = dgram
        protocol              = udp
        wait                     = yes
        user                    = root
        server                 = /usr/sbin/in.tftpd
        server_args        = -s /var/lib/tftpboot
        disable                = no    ##默认为yes,需改为no
        per_source         = 11
        cps                     = 100 2
        flags                   = IPv4
}
systemctl restart xinetd


No.3 THIRD MAKE SOME FILES AND THE PXE WORK DIRECTORY
1)
cd /var/lib/tftpboot/
mkdir pxelinux.cfg
2)
mount the rhel7 iso
cp isolinux/* /var/lib/tftpboot
3)
cp /var/lib/tftpboot/isolinux.cfg   /var/lib/tftpboot/pxelinux.cfg/default
cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/
4)
make a usable install source and kickstart; mine are in the ftp's pub directory:
ftp://192.168.0.252/pub/rhel6
ftp://192.168.0.252/pub/ks.cfg
5)
config the file of /var/lib/tftpboot/pxelinux.cfg/default like this:
========================================================================================
default vesamenu.c32
timeout 600 ##等待时间


display boot.msg


# Clear the screen when exiting the menu, instead of leaving the menu displayed.
# For vesamenu, this means the graphical background is still displayed without
# the menu itself for as long as the screen remains in graphics mode.
menu clear
menu background splash.png
menu title Red Hat Enterprise Linux 7.0 ##大标题
menu vshift 8
menu rows 18
menu margin 8
#menu hidden
menu helpmsgrow 15
menu tabmsgrow 13


# Border Area
menu color border * #00000000 #00000000 none


# Selected item
menu color sel 0 #ffffffff #00000000 none


# Title bar
menu color title 0 #ff7ba3d0 #00000000 none


# Press [Tab] message
menu color tabmsg 0 #ff3a6496 #00000000 none


# Unselected menu item
menu color unsel 0 #84b8ffff #00000000 none


# Selected hotkey
menu color hotsel 0 #84b8ffff #00000000 none


# Unselected hotkey
menu color hotkey 0 #ffffffff #00000000 none


# Help text
menu color help 0 #ffffffff #00000000 none


# A scrollbar of some type? Not sure.
menu color scrollbar 0 #ffffffff #ff355594 none


# Timeout msg
menu color timeout 0 #ffffffff #00000000 none
menu color timeout_msg 0 #ffffffff #00000000 none


# Command prompt text
menu color cmdmark 0 #84b8ffff #00000000 none
menu color cmdline 0 #ffffffff #00000000 none


# Do not display the actual menu unless the user presses a key. All that is displayed is a timeout message.


menu tabmsg Press Tab for full configuration options on menu items.


menu separator # insert an empty line
menu separator # insert an empty line


label linux
  menu label ^Install Red Hat Enterprise Linux 7.0 ##小标题
   menu default ##默认标题设定
  kernel vmlinuz
  append initrd=initrd.img repo=http://172.25.254.100/soucre ks=http://172.25.254.100/ks.cfg ##安装源和ks


label check
  menu label Test this ^media & install Red Hat Enterprise Linux 7.0
  #menu default
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 rd.live.check quiet


menu separator # insert an empty line


# utilities submenu
menu begin ^Troubleshooting
  menu title Troubleshooting


label vesa
  menu indent count 5
  menu label Install Red Hat Enterprise Linux 7.0 in ^basic graphics mode
  text help
Try this option out if you're having trouble installing
Red Hat Enterprise Linux 7.0.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 xdriver=vesa nomodeset quiet


label rescue
  menu indent count 5
  menu label ^Rescue a Red Hat Enterprise Linux system
  text help
If the system will not boot, this lets you access files
and edit config files to try to get it booting again.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 rescue quiet


label memtest
  menu label Run a ^memory test
  text help
If your system is having issues, a problem with your
system's memory may be the cause. Use this utility to
see if the memory is working correctly.
  endtext
  kernel memtest


menu separator # insert an empty line


label local
  menu label Boot from ^local drive
  localboot 0xffff


menu separator # insert an empty line
menu separator # insert an empty line


label returntomain
  menu label Return to ^main menu
  menu exit


menu end




####################################
########## iptables ################
####################################
iptables 
-t ##指定表名称 
-n ##不作解析
-L ##列出指定表中的策略
-A ##增加策略
-p ##网络协议
--dport ##端口
-s ##数据来源
-j ##动作
ACCEPT ##允许
REJECT  ##拒绝
DROP ##丢弃
-N ##增加链
-E ##修改链名称
-X ##删除链
-D ##删除指定策略
-I ##插入
-R ##修改策略
-P ##修改默认策略
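# iptables reference examples. Each line stands on its own and illustrates one
# option from the glossary above; they are not meant to be replayed top to bottom.
# Fixed: three lines invoked a non-existent `iptable` command.
iptables -t filter -nL  # list the rules in the filter table, no name resolution
iptables -F  # flush every rule in the filter table; filter is the default when -t is omitted
service iptables save  # persist the current rules
iptables -A INPUT -i lo -j ACCEPT  # allow loopback
iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # allow access to port 22
iptables -A INPUT -s 172.25.254.250 -j ACCEPT  # allow host 250 to reach every local port
iptables -A INPUT -j REJECT  # reject traffic from all other sources
iptables -N redhat  # add chain redhat
iptables -E redhat westos  # rename the chain
iptables -X westos  # delete chain westos
iptables -D INPUT 2  # delete the second rule in INPUT
iptables -I INPUT -p tcp --dport 80 -j REJECT  # insert as the first rule in INPUT
iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT  # replace rule 1
# Only change the default policy after the ACCEPT rules for your own management
# path (e.g. port 22 above) are in place; with a flushed table this cuts off a remote session.
iptables -P INPUT DROP  # set INPUT's default policy to DROP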


# Stateful INPUT ruleset: keep packets belonging to existing connections, accept
# new connections on loopback and on the listed TCP service ports, reject everything else.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
for port in 22 80 443 53; do
  iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
# Catch-all; any rule appended to INPUT after this one is never reached.
iptables -A INPUT -j REJECT




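# Turn this host into a router: enable IPv4 forwarding and set up NAT on eth1.
sysctl -a | grep forward  # show the current forwarding sysctls
# Persist the setting, adding the line only when the key is not already present;
# an unconditional `>>` appends a duplicate every time these notes are replayed.
# If the key already exists with a different value, edit that line instead.
grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p  # reload /etc/sysctl.conf so forwarding takes effect now
# Every packet arriving on eth1 is redirected to 172.25.0.11: there is no -p/--dport
# match here, so narrow the rule (e.g. -p tcp --dport 80) if only one service should be reachable.
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.11
# Traffic leaving through eth1 is rewritten to appear from 172.25.254.100.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.100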
