安装 2 台虚拟机（minimal 模式，英文语言），主机名自行定义；下文第一台简称 node1，第二台简称 node2。
bash[root@node1 ~]# cd /etc/yum.repos.d/
[root@node1 yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo
[root@node1 yum.repos.d]# mkdir bak
[root@node1 yum.repos.d]# mv C* bak
[root@node1 yum.repos.d]# ls
bak
bash[root@node1 yum.repos.d]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
├─sda1 8:1 0 800M 0 part /boot
└─sda2 8:2 0 9.2G 0 part
├─centos-root 253:0 0 7.2G 0 lvm /
└─centos-swap 253:1 0 2G 0 lvm [SWAP]
sr0 11:0 1 9.5G 0 rom
[root@node1 yum.repos.d]# mount /dev/sr0 /media/
mount: /dev/sr0 is write-protected, mounting read-only
[root@node1 yum.repos.d]# vi /etc/fstab
#
# /etc/fstab
# Created by anaconda on Mon May 20 21:20:45 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=9729a71f-8bde-4713-b9bb-b7112d70cff9 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
# ro：光盘本身只读；nofail：光驱里没有 ISO 时不阻塞启动（否则开机时 mount 失败会进入 emergency 模式）
/dev/sr0 /media iso9660 defaults,ro,nofail 0 0
[root@node1 yum.repos.d]# mount -a
[root@node1 yum.repos.d]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 7.3G 1003M 6.3G 14% /
devtmpfs 475M 0 475M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.7M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/sda1 797M 133M 665M 17% /boot
tmpfs 98M 0 98M 0% /run/user/0
/dev/sr0 9.5G 9.5G 0 100% /media
[root@node1 yum.repos.d]# ls
bak
[root@node1 yum.repos.d]# vi local.repo
# This is Local yum repo
[c7-media]
name=Local repo
baseurl=file:///media
# 这里关闭了包签名校验，等于完全信任这张 ISO 的来源；若 ISO 根目录带有 RPM-GPG-KEY-CentOS-7，
# 更稳妥的写法是 gpgcheck=1 并加上 gpgkey=file:///media/RPM-GPG-KEY-CentOS-7
gpgcheck=0
enabled=1
bash[root@node1 yum.repos.d]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: c7-media
[root@node1 yum.repos.d]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
c7-media | 3.6 kB 00:00:00
(1/4): c7-media/group_gz | 153 kB 00:00:00
(2/4): c7-media/primary_db | 6.1 MB 00:00:00
(3/4): c7-media/filelists_db | 7.2 MB 00:00:00
(4/4): c7-media/other_db | 2.6 MB 00:00:00
Metadata Cache Created
[root@node1 yum.repos.d]# yum install wget
# repo 文件本身通过 HTTPS 拉取，但后面 yum makecache 输出可见镜像地址是明文 http://，
# 包的完整性只能靠 RPM 签名保证，下载后用 grep -n gpgcheck CentOS-Base.repo 确认各仓库都是 gpgcheck=1
[root@node1 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
--2024-05-20 22:25:56-- https://mirrors.aliyun.com/repo/Centos-7.repo
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 198.18.0.101
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|198.18.0.101|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2523 (2.5K) [application/octet-stream]
Saving to: ‘/etc/yum.repos.d/CentOS-Base.repo’
100%[==============================================================================================>] 2,523 --.-K/s in 0s
2024-05-20 22:25:56 (1.25 GB/s) - ‘/etc/yum.repos.d/CentOS-Base.repo’ saved [2523/2523]
[root@node1 yum.repos.d]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base c7-media extras updates
Cleaning up list of fastest mirrors
[root@node1 yum.repos.d]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.cloud.aliyuncs.com
* extras: mirrors.cloud.aliyuncs.com
* updates: mirrors.cloud.aliyuncs.com
http://mirrors.cloud.aliyuncs.com/centos/7/os/x86_64/repodata/repomd.xml: [Errno 14] curl#52 - "Empty reply from server"
Trying other mirror.
http://mirrors.aliyuncs.com/centos/7/os/x86_64/repodata/repomd.xml: [Errno 12] Timeout on http://mirrors.aliyuncs.com/centos/7/os/x86_64/repodata/repomd.xml: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
Trying other mirror.
base | 3.6 kB 00:00:00
c7-media | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/14): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/14): base/7/x86_64/primary_db | 6.1 MB 00:00:11
(3/14): c7-media/group_gz | 153 kB 00:00:00
(4/14): c7-media/primary_db | 6.1 MB 00:00:00
(5/14): c7-media/other_db | 2.6 MB 00:00:00
(6/14): c7-media/filelists_db | 7.2 MB 00:00:00
(7/14): extras/7/x86_64/primary_db | 253 kB 00:00:00
(8/14): extras/7/x86_64/filelists_db | 305 kB 00:00:00
(9/14): extras/7/x86_64/other_db | 154 kB 00:00:00
(10/14): base/7/x86_64/filelists_db | 7.2 MB 00:00:12
(11/14): base/7/x86_64/other_db | 2.6 MB 00:00:03
(12/14): updates/7/x86_64/filelists_db | 14 MB 00:00:10
(13/14): updates/7/x86_64/other_db | 1.6 MB 00:00:00
(14/14): updates/7/x86_64/primary_db | 27 MB 00:00:10
Metadata Cache Created
bash[root@node1 yum.repos.d]# useradd nebula
[root@node1 yum.repos.d]# useradd tom
[root@node1 yum.repos.d]# useradd jerry
bash[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:ac brd ff:ff:ff:ff:ff:ff
inet 172.16.247.133/24 brd 172.16.247.255 scope global noprefixroute dynamic ens33
valid_lft 1769sec preferred_lft 1769sec
inet6 fe80::4d07:3673:c8a8:53e8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.8/24 brd 192.168.1.255 scope global noprefixroute dynamic ens34
valid_lft 84735sec preferred_lft 84735sec
inet6 fe80::7190:49c2:91d4:1125/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@node2 yum.repos.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ff:a4:76 brd ff:ff:ff:ff:ff:ff
inet 172.16.247.132/24 brd 172.16.247.255 scope global noprefixroute dynamic ens33
valid_lft 1705sec preferred_lft 1705sec
inet6 fe80::8c11:7a11:38da:d65f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ff:a4:80 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.7/24 brd 192.168.1.255 scope global noprefixroute dynamic ens34
valid_lft 84718sec preferred_lft 84718sec
inet6 fe80::15c0:1b39:d242:b00/64 scope link noprefixroute
valid_lft forever preferred_lft forever
bash[root@node1 ~]# cd /etc/sysconfig/network-scripts/
[root@node1 network-scripts]# vi ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="c0a2c975-5f62-4e32-b7cd-55edf0d41b5b"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="172.16.247.133"
NETMASK="255.255.255.0"
GATEWAY="172.16.247.2"
DNS1="114.114.114.114"
bash[root@node1 network-scripts]# vi ifcfg-ens34
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens34
UUID=1003a284-f34c-4491-abd5-ba9ce2646d98
DEVICE=ens34
ONBOOT=yes
IPADDR=192.168.1.8
NETMASK=255.255.255.0
# 注意：ens33 和 ens34 都写了 GATEWAY 且 DEFROUTE=yes，会产生两条默认路由，实际出口取决于 metric；
# 通常只在出外网的那块网卡上保留 GATEWAY/DEFROUTE，另一块设 DEFROUTE=no
GATEWAY=192.168.1.1
DNS1=114.114.114.114
bash[root@node1 network-scripts]# systemctl restart network
[root@node1 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:ac brd ff:ff:ff:ff:ff:ff
inet 172.16.247.133/24 brd 172.16.247.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::4d07:3673:c8a8:53e8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.8/24 brd 192.168.1.255 scope global noprefixroute ens34
valid_lft forever preferred_lft forever
inet6 fe80::7190:49c2:91d4:1125/64 scope link noprefixroute
valid_lft forever preferred_lft forever
bash[root@node1 network-scripts]# cd /etc/yum.repos.d/
[root@node1 yum.repos.d]# ls
bak CentOS-Base.repo local.repo
[root@node1 yum.repos.d]# vi nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# baseurl 是明文 http，安全性靠 gpgcheck=1 加上通过 https 取回的签名公钥；
# 首次 yum install 提示导入 key 时先核对指纹再确认，不要直接按 y
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
bash[root@node1 yum.repos.d]# yum install nginx
[root@node1 yum.repos.d]# systemctl start nginx
[root@node1 yum.repos.d]#
[root@node1 yum.repos.d]# systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2024-05-20 22:56:48 CST; 5s ago
Docs: http://nginx.org/en/docs/
Process: 20096 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 20097 (nginx)
CGroup: /system.slice/nginx.service
├─20097 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─20098 nginx: worker process
May 20 22:56:48 node1 systemd[1]: Starting nginx - high performance web server...
May 20 22:56:48 node1 systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
May 20 22:56:48 node1 systemd[1]: Started nginx - high performance web server.
bash[root@node1 yum.repos.d]# cd /usr/share/nginx/html/
[root@node1 html]# s
-bash: s: command not found
[root@node1 html]# ls
50x.html index.html
[root@node1 html]# mv index.html index.html.bak
[root@node1 html]# ls
50x.html index.html.bak
[root@node1 html]# cp index.html.bak index.html
[root@node1 html]# vi index.html
<h1>node1</h1>
<hr>
<h1>GYC</h1>
bash[root@node1 ~]# systemctl stop firewalld
[root@node1 ~]# systemctl disenable firewalld
Unknown operation 'disenable'.
[root@node1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@node1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
May 21 22:09:42 node1 systemd[1]: Starting firewalld - dynamic firewall daemon...
May 21 22:09:43 node1 systemd[1]: Started firewalld - dynamic firewall daemon.
May 21 22:11:45 node1 systemd[1]: Stopping firewalld - dynamic firewall daemon...
May 21 22:11:45 node1 systemd[1]: Stopped firewalld - dynamic firewall daemon.
bash[root@node1 ~]# yum install iptables-services
[root@node1 ~]# systemctl start iptables
[root@node1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@node1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2024-05-21 22:14:27 CST; 18s ago
Main PID: 9060 (code=exited, status=0/SUCCESS)
May 21 22:14:27 node1 systemd[1]: Starting IPv4 firewall with iptables...
May 21 22:14:27 node1 iptables.init[9060]: iptables: Applying firewall rules: [ OK ]
May 21 22:14:27 node1 systemd[1]: Started IPv4 firewall with iptables.
bash# 允许 ens33 网卡网段访问 nginx 服务
[root@node1 ~]# iptables -I INPUT -i ens33 -p tcp --dport 80 -s 172.16.247.0/24 -j ACCEPT
# 查看查看默认策略
[root@node1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1270 60192 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
9 1235 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- ens33 any 172.16.247.0/24 anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 1153 packets, 116K bytes)
pkts bytes target prot opt in out source destination
# 拒绝其他所有访问 nginx 服务的请求（插在第 2 条，排在 RELATED,ESTABLISHED 之前，其他来源已建立的连接也会被拦）
[root@node1 ~]# iptables -I INPUT 2 -p tcp --dport 80 -j DROP
# 注意：iptables -I 只改运行时规则；iptables-services 开机/重启时从 /etc/sysconfig/iptables 重新加载，
# 规则调好后要执行 service iptables save 持久化，否则重启后只剩默认规则
# 查看当前规则
[root@node1 ~]# iptables -nL --line-num
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 172.16.247.0/24 0.0.0.0/0 tcp dpt:80
2 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
# 想把 ssh 限制到 192.168.0.207：只插入这条 ACCEPT 不起作用，因为下面第 7 条 "ACCEPT tcp state NEW dpt:22"
# 仍对所有来源放行；要真正限制必须再删掉那条通用规则：
#   iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# 删之前确认自己是从 192.168.0.207 或控制台登录的（当前会话靠 RELATED,ESTABLISHED 规则不会断，但重连会被拒）。
# 另外 192.168.0.207 不在本机任一网段（172.16.247.0/24、192.168.1.0/24）内，只有经路由到达时才会匹配。
[root@node1 ~]# iptables -I INPUT -p tcp --dport 22 -s 192.168.0.207 -j ACCEPT
[root@node1 ~]# iptables -nL --line-num
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.0.207 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 172.16.247.0/24 0.0.0.0/0 tcp dpt:80
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
8 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
# trusted 区 target=ACCEPT：从 ens33（172.16.247.0/24）进来的所有端口全部放行，相当于这块网卡上没有防火墙。
# 如果只是要让该网段访问 nginx，应像下面 ens34 一样留在 public 区，单独放行 80/tcp。
[root@node2 ~]# firewall-cmd --zone=trusted --add-interface=ens33 --permanent
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all --zone=trusted
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: ens33
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
bash[root@node2 ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="80" accept' --permanent
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens34
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept
[root@node2 ~]# which passwd
/usr/bin/passwd
[root@node2 ~]# visudo
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## nebula 只能给普通用户改口令：
##  - 原来的 "nebula ALL=(ALL) /usr/bin/passwd" 允许 "sudo passwd root"；而且 "sudo passwd" 不带参数时
##    passwd 改的是调用者（此时 real uid 为 0，即 root）的口令，两种方式都等于直接交出 root。
##  - [A-Za-z]* 要求必须带一个以字母开头的用户名参数，再用 ! 排除 root（与 sudoers(5) 手册示例一致）。
nebula ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
[root@node2 ~]# passwd nebula
Changing password for user nebula.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
# root 设口令时 pam_pwquality 只给警告不会拒绝，所以上面 "shorter than 8 characters" 照样通过；
# nebula 是能 sudo 的账号，实际使用时应设置足够强度的口令。
bash[root@node2 ~]# su - nebula
[nebula@node2 ~]$ pa
packer pam_tally2 parted partx paste
pam_console_apply pam_timestamp_check partprobe passwd pathchk
[nebula@node2 ~]$ passwd jerry
passwd: Only root can specify a user name.
[nebula@node2 ~]$ sudo passwd jerry
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for nebula:
Changing password for user jerry.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@node2 ~]# which yum
/bin/yum
[root@node2 ~]# visudo
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nebula ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
## 注意：以 root 运行 yum 实际上等价于给 tom root 权限——yum 可以用 -c/--setopt 加载任意配置和 python 插件，
## 也能 localinstall 带 %post 脚本的本地 RPM。实验环境可以接受；生产上应收窄到固定参数
## （例如只允许 "yum install <包名>"）或统一走配置管理，不要开放整个 yum。
tom ALL=(root) /bin/yum
[root@node2 ~]# passwd tom
Changing password for user tom.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
bash[root@node2 ~]# su - tom
[tom@node2 ~]$ sudo yum install zsh
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for tom:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cloud.aliyuncs.com
* extras: mirrors.cloud.aliyuncs.com
* updates: mirrors.cloud.aliyuncs.com
base | 3.6 kB 00:00:00
c7-media | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
nginx-stable | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:5.0.2-34.el7_8.2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================
Installing:
zsh x86_64 5.0.2-34.el7_8.2 base 2.4 M
Transaction Summary
========================================================================================================================================
Install 1 Package
Total download size: 2.4 M
Installed size: 5.6 M
Is this ok [y/d/N]: y
Downloading packages:
zsh-5.0.2-34.el7_8.2.x86_64.rpm | 2.4 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : zsh-5.0.2-34.el7_8.2.x86_64 1/1
Verifying : zsh-5.0.2-34.el7_8.2.x86_64 1/1
Installed:
zsh.x86_64 0:5.0.2-34.el7_8.2
Complete!
bash[root@node2 ~]# firewall-cmd --zone=public --add-masquerade --permanent
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens34
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept
# DNAT 把到 node2:80 的请求转给 node1；配合上面的 masquerade，node1 看到的源地址是 node2 的 192.168.1.7，
# 真实客户端 IP 不会出现在 node1 的 nginx 访问日志和防火墙计数里，node1 侧的放行规则也要按 192.168.1.7 来写。
[root@node2 ~]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.8:toport=80 --permanent
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --add-port=80/tcp --permanent
success
[root@node2 ~]# firewall-cmd --reload
success
[root@node2 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens34
sources:
services: ssh dhcpv6-client
ports: 80/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.1.8
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept
# -s 192.168.1.7/24 会被规范化成 192.168.1.0/24（见下面 -nL 的输出），放行的是整个网段而不只是 node2。
# node2 做了 masquerade，转发过来的请求源地址都是 192.168.1.7，所以只需要 -s 192.168.1.7（/32）。
# 同样别忘了 service iptables save，否则重启后这几条规则全部丢失。
[root@node1 ~]# iptables -I INPUT -p tcp --dport 80 -s 192.168.1.7/24 -j ACCEPT
[root@node1 ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:80
2 ACCEPT tcp -- 192.168.0.207 0.0.0.0/0 tcp dpt:22
3 ACCEPT tcp -- 172.16.247.0/24 0.0.0.0/0 tcp dpt:80
4 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
bash[root@node1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:ac brd ff:ff:ff:ff:ff:ff
inet 172.16.247.133/24 brd 172.16.247.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::4d07:3673:c8a8:53e8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3a:5f:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.8/24 brd 192.168.1.255 scope global noprefixroute ens34
valid_lft forever preferred_lft forever
inet6 fe80::7190:49c2:91d4:1125/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@node1 ~]# systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2024-05-21 22:11:12 CST; 1h 18min ago
Docs: http://nginx.org/en/docs/
Main PID: 7791 (nginx)
CGroup: /system.slice/nginx.service
├─7791 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─7792 nginx: worker process
May 21 22:11:12 node1 systemd[1]: Starting nginx - high performance web server...
May 21 22:11:12 node1 systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
May 21 22:11:12 node1 systemd[1]: Started nginx - high performance web server.
[root@node2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ff:a4:76 brd ff:ff:ff:ff:ff:ff
inet 172.16.247.132/24 brd 172.16.247.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::8c11:7a11:38da:d65f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ff:a4:80 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.7/24 brd 192.168.1.255 scope global noprefixroute ens34
valid_lft forever preferred_lft forever
inet6 fe80::15c0:1b39:d242:b00/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@node2 ~]# systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2024-05-21 23:07:05 CST; 23min ago
Docs: http://nginx.org/en/docs/
Process: 19419 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 19420 (nginx)
CGroup: /system.slice/nginx.service
├─19420 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─19421 nginx: worker process
May 21 23:07:05 node2 systemd[1]: Starting nginx - high performance web server...
May 21 23:07:05 node2 systemd[1]: PID file /var/run/nginx.pid not readable (yet?) after start.
May 21 23:07:05 node2 systemd[1]: Started nginx - high performance web server.
# 从宿主机访问 node2 的 192.168.1.7，返回的是 node1 的页面，说明端口转发生效
PS C:\Users\30372> curl http://192.168.1.7

StatusCode        : 200
StatusDescription : OK
Content           : <h1>node1</h1>
                    <hr>
                    <h1>GYC</h1>
RawContent        : HTTP/1.1 200 OK
                    Connection: keep-alive
                    Accept-Ranges: bytes
                    Content-Length: 34
                    Content-Type: text/html
                    Date: Tue, 21 May 2024 15:42:47 GMT
                    ETag: "664b65d6-22"
                    Last-Modified: Mon, 20 May 2024 15...
Forms             : {}
Headers           : {[Connection, keep-alive], [Accept-Ranges, bytes], [Content-Length, 34], [Content-Type, text/html]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 34
本文作者:GYC