需求:
1.使用m01做跳板机,ssh也要优化
2.web两台机器关闭外网,做共享上网
3.m01开启防火墙,只允许本机连接2222端口
1.环境准备
| 主机 | 外网ip | 内网ip |
| --- | --- | --- |
| m01 | 10.0.0.61 | 172.16.1.61 |
| web01 | (无) | 172.16.1.7 |
| web03 | (无) | 172.16.1.9 |
2.m01做跳板机
#生成密钥对,发送公钥
[root@m01 ~]# ssh-keygen
[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.1.7
[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.1.9
#创建跳板机普通用户(后面sshd关闭密码登录后,zzc需配置自己的公钥才能登录)
[root@m01 ~]# useradd zzc
[root@m01 ~]# echo "123" | passwd --stdin zzc
3.开启firewalld,添加富规则
[root@m01 ~]# systemctl start firewalld
#只允许本机10.0.0.1连接2222端口(先加永久规则再reload,规则才生效)
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1 port port=2222 protocol=tcp accept' --permanent
[root@m01 ~]# firewall-cmd --reload
#优化sshd服务
[root@m01 ~]# vim /etc/ssh/sshd_config
Port 2222 #修改ssh端口
PermitRootLogin no #禁止使用root登录服务器
PasswordAuthentication no #禁止使用密码登录服务器
UseDNS no #禁止sshd对客户端做DNS反向解析,该参数会影响ssh连接速度
GSSAPIAuthentication no #禁止GSS认证,减少连接时产生的延迟
[root@m01 ~]# systemctl restart sshd
4.开启masquerade伪装IP(不加--permanent只在运行时生效,下次reload或重启后会丢失)
[root@m01 ~]# firewall-cmd --add-masquerade
5.连接web01并测试ping通外网
[C:\~]$ ssh -p 2222 zzc@10.0.0.61
[zzc@m01 ~]$ su -
Password:
[root@m01 ~]# ssh 172.16.1.7
#在网卡配置文件中写入网关(指向m01内网地址)和DNS,并重启网卡
[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
DNS1=223.5.5.5
[root@web01 ~]# ifdown eth1 && ifup eth1
#测试是否ping通外网
[root@web01 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=31.0 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=31.3 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=127 time=32.1 ms
--- baidu.com ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11127ms
rtt min/avg/max/mdev = 30.779/31.479/32.135/0.472 ms
6.连接web03并测试ping通外网
[C:\~]$ ssh -p 2222 zzc@10.0.0.61
[zzc@m01 ~]$ su -
Password:
[root@m01 ~]# ssh 172.16.1.9
#在网卡配置文件中写入网关(指向m01内网地址)和DNS,并重启网卡
[root@web03 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
DNS1=223.5.5.5
[root@web03 ~]# ifdown eth1 && ifup eth1
#测试是否ping通外网
[root@web03 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=31.0 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=31.3 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=127 time=32.1 ms
--- baidu.com ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11127ms
rtt min/avg/max/mdev = 30.779/31.479/32.135/0.472 ms