I. The firewall-config tool
firewall-config is not installed by default and must be installed first. Configure a software repository, then install it with yum or dnf.
[root@linuxprobe ~]# mkdir -p /media/cdrom
[root@linuxprobe ~]# mount /dev/cdrom /media/cdrom
mount: /media/cdrom: WARNING: device write-protected, mounted read-only.
[root@linuxprobe ~]# vim /etc/fstab
#
# /etc/fstab
# Created by anaconda on Tue Jul 21 05:03:40 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rhel-root / xfs defaults 0 0
UUID=2db66eb4-d9c1-4522-8fab-ac074cd3ea0b /boot xfs defaults 0 0
/dev/mapper/rhel-swap swap swap defaults 0 0
/dev/cdrom /media/cdrom iso9660 defaults 0 0
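[root@linuxprobe ~]# vim /etc/yum.repos.d/rhel8.repo
[BaseOS]
name=BaseOS
baseurl=file:///media/cdrom/BaseOS
enabled=1
gpgcheck=0
[AppStream]
name=AppStream
baseurl=file:///media/cdrom/AppStream
enabled=1
gpgcheck=0
Note: gpgcheck=0 turns off GPG signature verification for packages from these repositories; the source here is the local installation media.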
[root@linuxprobe ~]# dnf install firewall-config
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
AppStream 3.1 MB/s | 3.2 kB 00:00
BaseOS 2.7 MB/s | 2.7 kB 00:00
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
firewall-config noarch 0.6.3-7.el8 AppStream 157 k
Transaction Summary
================================================================================
Install 1 Package
Total size: 157 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : firewall-config-0.6.3-7.el8.noarch 1/1
Running scriptlet: firewall-config-0.6.3-7.el8.noarch 1/1
Verifying : firewall-config-0.6.3-7.el8.noarch 1/1
Installed products updated.
Installed:
firewall-config-0.6.3-7.el8.noarch
Complete!
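Overview of the firewall-config interface
1: Select Runtime or Permanent configuration mode.
2: List of the available zones (policy sets).
3: List of common system services.
4: Black and white lists of host addresses.
5: The zone currently in use.
6: Manage the services in the currently selected zone.
7: Manage the ports in the currently selected zone.
8: Set the protocols that may be accessed.
9: Set the ports that may be accessed.
10: Enable or disable SNAT (source network address translation).
11: Set the port forwarding policy.
12: Control traffic that requests the ICMP service.
13: Manage the firewall's rich rules.
14: Services of the selected zone; if the check box in front of a service is ticked, traffic related to that service is allowed.
15: Running status of the firewall-config tool.
II. The Cockpit management tool
Cockpit is already installed on the system by default, so no installation is needed. The service is not running, however, so it has to be started and enabled at boot.
[root@linuxprobe ~]# systemctl start cockpit
[root@linuxprobe ~]# systemctl enable cockpit.socket
Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.
After the Cockpit service has started, open the system's built-in browser and enter "local address:9090" in the address bar to access it. Because traffic to Cockpit is encrypted with HTTPS and the certificate is issued locally, you also need to add and trust the local certificate, as shown in the figure. On the Cockpit login page, enter the root administrator account and the system password, then click the Log In button to log in.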
III. SSH
1. Configure the network interface
(1) Edit the configuration file
[root@linuxprobe ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
[root@linuxprobe ~]# nmcli connection reload ens160
[root@linuxprobe ~]# nmcli connection up ens160
(2) Run the network configuration tool with the nmtui command
(3) Configure through the nm-connection-editor graphical interface
2. Create network sessions (the nmcli tool)
nmcli connection show can be abbreviated to nmcli c s.
[root@linuxprobe ~]# nmcli connection show
NAME    UUID                                  TYPE      DEVICE
ens160  97486c86-6d1e-4e99-9aa2-68d3172098b2  ethernet  ens160
virbr0  e5fca1ee-7020-4c21-a65b-259d0f993b44  bridge    virbr0
[root@linuxprobe ~]# nmcli connection show ens160
connection.id:                          ens160
connection.uuid:                        97486c86-6d1e-4e99-9aa2-68d3172098b2
connection.stable-id:                   --
connection.type:                        802-3-ethernet
connection.interface-name:              ens160
connection.autoconnect:                 yes
[root@linuxprobe ~]# nmcli connection add con-name company ifname ens160 autoconnect no type ethernet ip4 192.168.10.10/24 gw4 192.168.10.1
Connection 'company' (6ac8f3ad-0846-42f4-819a-e1ae84f4da86) successfully added.
[root@linuxprobe ~]# nmcli connection add con-name house type ethernet ifname ens160
Connection 'house' (d848242a-4bdf-4446-9079-6e12ab5d1f15) successfully added.
[root@linuxprobe ~]# nmcli connection show
NAME     UUID                                  TYPE      DEVICE
ens160   97486c86-6d1e-4e99-9aa2-68d3172098b2  ethernet  ens160
virbr0   e5fca1ee-7020-4c21-a65b-259d0f993b44  bridge    virbr0
company  6ac8f3ad-0846-42f4-819a-e1ae84f4da86  ethernet  --
house    d848242a-4bdf-4446-9079-6e12ab5d1f15  ethernet  --
[root@linuxprobe ~]# nmcli connection up company
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@linuxprobe ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.88  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::320e:a005:dfa1:431c  prefixlen 64  scopeid 0x20
        ether 00:0c:29:7d:27:bf  txqueuelen 1000  (Ethernet)
        RX packets 66  bytes 5469 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99  bytes 11255 (10.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@linuxprobe ~]# nmcli connection up house
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@linuxprobe ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.107  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f209:dc47:4004:3868  prefixlen 64  scopeid 0x20
        ether 00:0c:29:7d:27:bf  txqueuelen 1000  (Ethernet)
        RX packets 22  bytes 6924 (6.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 82  bytes 10582 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@linuxprobe ~]# nmcli connection delete house
Connection 'house' (d848242a-4bdf-4446-9079-6e12ab5d1f15) successfully deleted.
[root@linuxprobe ~]# nmcli connection delete company
Connection 'company' (6ac8f3ad-0846-42f4-819a-e1ae84f4da86) successfully deleted.
3. Bond two network interfaces
A production environment must provide network service 24×7. NIC bonding not only increases network throughput but, more importantly, ensures that network service continues normally when one of the NICs fails.
(1) Add two NICs
(2) Create a bond interface
[root@linuxprobe ~]# nmcli connection add type bond con-name bond0 ifname bond0 bond.options "mode=balance-rr"
Connection 'bond0' (b37b720d-c5fa-43f8-8578-820d19811f32) successfully added.
Note:
balance-rr is a NIC bonding mode in which rr is short for round-robin. In round-robin mode, packets are transmitted over the devices in turn, which provides load balancing and better use of the bandwidth; and as soon as one NIC fails, traffic switches to the other NIC device, so network transmission is not interrupted. active-backup is another commonly used bonding mode: normally only one NIC carries traffic while the other stands by, and if the working NIC fails, the standby NIC automatically takes over. This bonding mode therefore offers strong redundancy and is also called primary/backup mode.
(3) Add member (slave) NICs to bond0
[root@linuxprobe ~]# nmcli connection add type ethernet slave-type bond con-name bond0-port1 ifname ens160 master bond0
Connection 'bond0-port1' (8a2f77ee-cc92-4c11-9292-d577ccf8753d) successfully added.
[root@linuxprobe ~]# nmcli connection add type ethernet slave-type bond con-name bond0-port2 ifname ens192 master bond0
Connection 'bond0-port2' (b1ca9c47-3051-480a-9623-fbe4bf731a89) successfully added.
(4) Configure the network settings of the bond0 device
[root@linuxprobe ~]# nmcli connection modify bond0 ipv4.addresses 192.168.10.10/24
[root@linuxprobe ~]# nmcli connection modify bond0 ipv4.gateway 192.168.10.1
[root@linuxprobe ~]# nmcli connection modify bond0 ipv4.dns 192.168.10.1
[root@linuxprobe ~]# nmcli connection modify bond0 ipv4.dns-search linuxprobe.com
[root@linuxprobe ~]# nmcli connection modify bond0 ipv4.method manual
(5) Activate
[root@linuxprobe ~]# nmcli connection up bond0
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/22)
[root@linuxprobe ~]# nmcli device status
DEVICE      TYPE      STATE      CONNECTION
bond0       bond      connected  bond0
ens160      ethernet  connected  ens160
virbr0      bridge    connected  virbr0
ens192      ethernet  connected  bond0-port2
lo          loopback  unmanaged  --
virbr0-nic  tun       unmanaged  --
(6) Test
Remove one NIC and check the network communication status.
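One way to check the outcome of this test from the bond's own status file, as an added example that is not part of the original page: the functions parse text in the format of /proc/net/bonding/bond0 and report which member ports still have link. The function names and the sample status text are constructed for illustration.

```bash
# Added example, not from the original page: read bond health from the
# text the kernel exposes as /proc/net/bonding/<bond>. The sample is
# constructed; on a real host pass /proc/net/bonding/bond0 instead.

# bond_mode FILE -> e.g. "load balancing (round-robin)"
bond_mode() {
    awk -F': ' '/^Bonding Mode:/ { print $2; exit }' "$1"
}

# bond_ports FILE -> one "port status" line per member port
bond_ports() {
    awk -F': ' '
        /^Slave Interface:/ { port = $2; next }
        # "MII Status" appears once for the bond itself (no port seen
        # yet) and once inside every "Slave Interface" stanza.
        /^MII Status:/ && port != "" { print port, $2; port = "" }
    ' "$1"
}

# bond_up_count FILE -> number of member ports with link up
bond_up_count() {
    bond_ports "$1" | awk '$2 == "up" { n++ } END { print n + 0 }'
}

# bond_is_redundant FILE -> success only if one more port may fail
bond_is_redundant() {
    [ "$(bond_up_count "$1")" -ge 2 ]
}

SAMPLE=$(mktemp)    # constructed: link lost on ens160
cat > "$SAMPLE" <<'EOF'
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: ens160
MII Status: down
Link Failure Count: 1

Slave Interface: ens192
MII Status: up
Link Failure Count: 0
EOF

echo "mode: $(bond_mode "$SAMPLE")"
bond_ports "$SAMPLE"
bond_is_redundant "$SAMPLE" || echo "WARNING: bond0 has no spare port"
```

A bond that reports a single port up still passes traffic, so a ping test alone does not show that redundancy has been lost.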
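4. Configure the sshd service
Password-based authentication: log in by verifying an account and password;
Key-based authentication: generate a key pair locally, upload the public key of the pair to the server, and have it compared with the public key held on the server; this method is comparatively more secure.
(1) Parameters in the sshd service configuration file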
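An added example, not from the original page or the OpenSSH project: an offline check of an sshd_config-style file for the settings that decide between password and key-based login. The keywords are real sshd_config options; the function names sshd_value and sshd_audit and the sample file are constructed for illustration.

```bash
# Added example, not from the original page: offline audit of an
# sshd_config-style file. sshd keeps the FIRST value it reads for a
# keyword, and keywords are case-insensitive. Match blocks are not
# evaluated here; `sshd -T` prints the effective settings on a live host.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lowercased
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[ \t]*#/ || NF == 0  { next }
        { sub(/[ \t]*=[ \t]*/, " ") }       # accept "Keyword=value" too
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want    { found = 1; print tolower($2); exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE -> one finding per line, returns 1 if there is any.
# Table columns: keyword, upstream OpenSSH default, risky value, message.
sshd_audit() {
    rc=0
    while read -r key def bad msg; do
        [ "$(sshd_value "$1" "$key" "$def")" = "$bad" ] || continue
        echo "$key=$bad: $msg"; rc=1
    done <<'EOF'
PasswordAuthentication yes yes password logins are accepted
PermitRootLogin prohibit-password yes direct root login is allowed
PermitEmptyPasswords no yes empty passwords are accepted
PubkeyAuthentication yes no key-based login is disabled
EOF
    return $rc
}

CONF=$(mktemp)    # constructed sample, not a real host's configuration
cat > "$CONF" <<'EOF'
Port 22
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

sshd_audit "$CONF" || echo "review the findings above"
```

In the sample, the lowercase passwordauthentication no line comes first and therefore wins over the later yes, so only the root login setting is reported.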
5. The scp command
scp (secure copy) is a command for transferring files securely across the network over the SSH protocol. Its format is "scp [options] local-file remote-account@remote-IP-address:remote-directory".
Upload:
[root@Client ~]# echo "Welcome to LinuxProbe.Com" > readme.txt
[root@Client ~]# scp /root/readme.txt 192.168.10.10:/home
readme.txt                                    100%   26    13.6KB/s   00:00
Download:
[root@Client ~]# scp 192.168.10.10:/etc/redhat-release /root
[root@Client ~]# scp 192.168.10.10:/etc/redhat-release /root
redhat-release                                100%   45    23.6KB/s   00:00
[root@Client ~]# cat redhat-release
Red Hat Enterprise Linux release 8.0 (Ootpa)