马哥博客作业第十七周

1、利用SAMBA实现指定目录共享

服务端

[root@localhost ~]# yum -y install samba

[root@localhost ~]# systemctl enable --now smb.service

[root@localhost ~]# firewall-cmd --permanent --add-service=samba

[root@localhost ~]# firewall-cmd --reload

创建samba账号

[root@localhost ~]# useradd -s /sbin/nologin smbuser

#注:smbpasswd 加 -a 为新增 samba 用户并设置密码,不加 -a 则是修改已有 samba 用户的密码

[root@localhost ~]# smbpasswd -a smbuser 

[root@localhost ~]# pdbedit -L

创建共享目录

[root@localhost ~]# mkdir -p /data/smbshares

#创建一个测试文件

[root@localhost ~]# touch /data/smbshares/test.txt

[root@localhost ~]# setfacl -R -m u:smbuser:rwx /data/smbshares/

编辑samba配置文件

[root@localhost ~]# vim /etc/samba/smb.conf

在文件结尾添加以下内容

[smbshare]

    path=/data/smbshares

    guest ok=no

    read only=No

[root@localhost ~]# systemctl restart smb.service

客户端

[root@localhost ~]# yum -y install samba-client cifs-utils

查看有哪些共享目录

[root@localhost ~]# smbclient -L 10.0.0.12 -U smbuser

进入共享目录

[root@localhost ~]# smbclient //10.0.0.12/smbshare -U smbuser

samba目录挂载到本地

[root@localhost ~]# vim /etc/fstab

增加以下内容

//10.0.0.12/smbshare /mnt/ cifs username=smbuser,password=123456 0 0

#注:/etc/fstab 默认所有用户可读,直接写 password= 会泄露 samba 密码;可改用 credentials=/root/.smbcredentials(文件内写 username=/password= 两行,并 chmod 600),后面两个客户端的 fstab 条目同理

[root@localhost ~]# mount -a

进入/mnt目录能正常读写服务端的文件

2、实现不同samba用户访问相同的samba共享,实现不同的配置

服务端

[root@localhost ~]# yum -y install samba

[root@localhost ~]# systemctl enable --now smb.service

[root@localhost ~]# firewall-cmd --permanent --add-service=samba

[root@localhost ~]# firewall-cmd --reload

创建samba账号

[root@localhost ~]# useradd -s /sbin/nologin smbuser1

[root@localhost ~]# smbpasswd -a smbuser1

[root@localhost ~]# useradd -s /sbin/nologin smbuser2

[root@localhost ~]# smbpasswd -a smbuser2

[root@localhost ~]# pdbedit -L

创建共享目录

[root@localhost ~]# mkdir -p /data/smbshare

#创建一个测试文件

[root@localhost ~]# touch /data/smbshare/test.txt 

[root@localhost ~]# setfacl -R -m u:smbuser1:rwx /data/smbshare/

[root@localhost ~]# setfacl -R -m u:smbuser2:rwx /data/smbshare/

编辑samba配置文件

[root@localhost ~]# vim /etc/samba/smb.conf

在文件结尾添加以下内容

[smbshare]

   path=/data/smbshare

   guest ok=no

   write list=smbuser1

[root@localhost ~]# systemctl restart smb.service

客户端1

[root@localhost ~]# yum -y install samba-client cifs-utils

查看有哪些共享目录

[root@localhost ~]# smbclient -L 10.0.0.12 -U smbuser1

samba目录挂载到本地

[root@localhost ~]# vim /etc/fstab

增加以下内容

//10.0.0.12/smbshare /mnt/ cifs username=smbuser1,password=123456 0 0

[root@localhost ~]# mount -a

进入/mnt目录能正常读写服务端的文件

客户端2

[root@localhost ~]# yum -y install samba-client cifs-utils

查看有哪些共享目录

[root@localhost ~]# smbclient -L 10.0.0.12 -U smbuser2

samba目录挂载到本地

[root@localhost ~]# vim /etc/fstab

增加以下内容

//10.0.0.12/smbshare /mnt/ cifs username=smbuser2,password=123456 0 0

[root@localhost ~]# mount -a

进入/mnt目录没有写权限

3、远程主机通过链接openvpn修复内网里 httpd 服务主机,假如现在 httpd 宕机了,我们需要链接进去让 httpd 启动

远程主机提前安装openvpn,安装过程如下:

服务端

安装openvpn相关软件

[root@localhost ~]# yum -y install openvpn easy-rsa

开启路由转发

[root@localhost ~]# vim /etc/sysctl.conf

添加以下内容

net.ipv4.ip_forward = 1

[root@localhost ~]# sysctl -p

准备服务器证书

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/

[root@localhost ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3.0.8/vars

[root@localhost ~]# cd /etc/openvpn/easy-rsa/3.0.8/

[root@localhost ~]# vim vars

#set_var EASYRSA_CERT_EXPIRE 825

去掉行首的 # 并改为 set_var EASYRSA_CERT_EXPIRE 3650(证书有效期由 825 天改为 3650 天)

[root@localhost ~]# ./easyrsa init-pki

[root@localhost ~]# ./easyrsa build-ca nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:输入通用名称或直接回车

[root@localhost ~]# ./easyrsa gen-req server nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [server]:输入通用名称或直接回车

#注:sign server 中的 server 表示签发类型为服务器证书(客户端配置里的 remote-cert-tls server 会校验这个类型),最后的 server 对应 /etc/openvpn/easy-rsa/3.0.8/pki/reqs/server.req
执行下面的命令后出现以下确认信息

[root@localhost ~]# ./easyrsa sign server server 

Confirm request details:输入yes并回车

[root@localhost ~]# ./easyrsa gen-dh

准备客户端证书

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client

[root@localhost ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3.0.8/vars

[root@localhost ~]# cd /etc/openvpn/easy-rsa-client/3.0.8/

[root@localhost ~]# ./easyrsa init-pki

[root@localhost ~]# ./easyrsa gen-req llongxuan nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [llongxuan]:直接回车

签发客户端证书

[root@localhost ~]# cd /etc/openvpn/easy-rsa/3.0.8/

[root@localhost ~]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3.0.8/pki/reqs/llongxuan.req llongxuan

设置客户端证书有效期

[root@localhost ~]# vim vars

set_var EASYRSA_CERT_EXPIRE 3650 #将 3650 改为 180,使客户端证书有效期为 180 天

[root@localhost ~]# ./easyrsa sign client llongxuan

#注sign client表示类型为客户端,llongxuan对应/etc/openvpn/easy-rsa/3.0.8/pki/reqs/llongxuan.req

出现以下确认信息

Confirm request details: 输入yes并回车

服务器相关证书文件集中存放

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/server/

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem /etc/openvpn/server/

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt /etc/openvpn/server/

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/private/server.key /etc/openvpn/server/

[root@localhost ~]# openvpn --genkey --secret /etc/openvpn/server/ta.key

客户端相关证书文件集中存放

[root@localhost ~]# mkdir /etc/openvpn/client/llongxuan

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/client/llongxuan/

[root@localhost ~]# cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/llongxuan.crt /etc/openvpn/client/llongxuan/

[root@localhost ~]# cp /etc/openvpn/easy-rsa-client/3.0.8/pki/private/llongxuan.key /etc/openvpn/client/llongxuan/

[root@localhost ~]# cp /etc/openvpn/server/ta.key /etc/openvpn/client/llongxuan/

[root@localhost ~]# vim /etc/openvpn/client/llongxuan/llongxuan.ovpn

内容如下:

client

dev tun

proto tcp

remote 47.233.86.113 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert llongxuan.crt

key llongxuan.key

remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-CBC

verb 3

compress lz4-v2

auth-nocache

修改openvpn配置文件

[root@localhost ~]# vim /etc/openvpn/server.conf

内容如下:

port 1194

proto tcp

dev tun

ca /etc/openvpn/server/ca.crt

cert /etc/openvpn/server/server.crt

key /etc/openvpn/server/server.key

dh /etc/openvpn/server/dh.pem

tls-auth /etc/openvpn/server/ta.key 0

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 172.17.0.0 255.255.240.0"

push "dhcp-option DNS 183.60.82.98"

;push "dhcp-option WINS 172.17.0.7"

keepalive 10 120

cipher AES-256-CBC

compress lz4-v2

push "compress lz4-v2"

max-clients 1000

user openvpn

group openvpn

status openvpn-status.log

log /var/log/openvpn/openvpn.log

log-append /var/log/openvpn/openvpn.log

verb 3

mute 200

启动openvpn服务

[root@localhost ~]# systemctl enable --now openvpn@server

设置防火墙规则

firewalld:

[root@localhost ~]# firewall-cmd --permanent --add-port=1194/tcp

[root@localhost ~]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=10.8.0.0/24 masquerade"

[root@localhost ~]# firewall-cmd --reload

iptables:

[root@localhost ~]# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

[root@localhost ~]# service iptables save

客户端连接

windows客户端:

安装OpenVPN GUI软件,将服务端/etc/openvpn/client/llongxuan目录下的ca.crt、llongxuan.crt、llongxuan.key、llongxuan.ovpn、ta.key复制到C:\Program Files\OpenVPN\config目录,双击桌面上的OpenVPN GUI,到桌面右下角找到OpenVPN GUI图标按右键,选择连接即可连上服务端。

linux客户端:

[root@localhost ~]# yum -y install openvpn

将服务端/etc/openvpn/client/llongxuan目录下的ca.crt、llongxuan.crt、llongxuan.key、llongxuan.ovpn、ta.key复制到/etc/openvpn/client目录

[root@localhost ~]# openvpn --daemon --cd /etc/openvpn/client --config llongxuan.ovpn --log-append /var/log/openvpn.log

输入kill `pidof openvpn`断开连接

吊销用户证书

#查看当前证书状态,V 表示有效,R 表示已吊销(E 表示已过期)

[root@localhost ~]# cat /etc/openvpn/easy-rsa/3.0.8/pki/index.txt 

[root@localhost ~]# cd /etc/openvpn/easy-rsa/3.0.8/

[root@localhost ~]# ./easyrsa revoke llongxuan

出现以下确认信息

Continue with revocation: 输入yes并回车

[root@localhost ~]# ./easyrsa gen-crl

[root@localhost ~]# vim /etc/openvpn/server.conf

在文件末尾增加以下内容(这是配置项,不是 shell 命令)

crl-verify /etc/openvpn/easy-rsa/3.0.8/pki/crl.pem

#注:服务端以 user openvpn 运行,crl.pem 需对 openvpn 用户可读,可像其他证书文件一样复制到 /etc/openvpn/server/ 后再引用;每次吊销后都要重新执行 gen-crl 并更新该文件

[root@localhost ~]# systemctl restart openvpn@server
