Project 6, Project 7

Project 6 Configuring the network and the firewall (including NAT)

Task 6-1 Configuring the network from the system menu

Follow the steps shown in the figures and click the icons to configure the network parameters for Server01.

After entering the values, click Apply in the top-right corner.

Toggle the connection switch off and on again.

The configured IP address and gateway are now in effect (be sure to tick the "Connect automatically" option).

Configure the other machine, Client, in the same way: IP address 192.168.10.20/24, default gateway 192.168.10.254.

Test connectivity to Client1 from Server01; the test succeeds.

Task 6-2 Configuring the network with the nmtui interface

Type nmtui at the command line.

Press Enter on the options in the order shown in the figures to configure the network.

Change the IPv4 configuration method to Manual.

Enter the network settings manually.

Move down until OK appears and select it to save the configuration.

Back on this screen, press Enter on the option shown in the figure to enable the connection.

Activate the ens32 connection.

Check the result with the ifconfig command.

The configuration has been applied.

Task 6-3 Configuring the network with the nmcli command

1. Common commands

nmcli connection show                 # show all connections
nmcli connection show --active        # show all active connections
nmcli connection show "ens160"        # show the configuration of one connection
nmcli device status                   # show device status
nmcli device show ens160              # show the properties of a network interface
nmcli connection add help             # show help
nmcli connection reload               # reload the configuration files
nmcli connection down test2           # deactivate the test2 profile; note that one NIC can have several profiles (the test2 connection must already exist)
nmcli connection up test2             # activate the test2 profile
nmcli device disconnect ens160        # disconnect the ens160 interface
nmcli device connect ens160           # connect the ens160 interface

2. Creating a new connection

First list all connections.

Create a new connection named default whose IP address is obtained automatically via DHCP.

Delete the connection.

Create a new connection test2 with a static IP address and autoconnect disabled.

3. Inspect the /etc/sysconfig/network-scripts/ directory

A new file, /etc/sysconfig/network-scripts/ifcfg-test2, has appeared, confirming that the add took effect.

4. Activate the test2 connection profile

Running the show command again, the profile formerly named ens32 now appears under the name test2; the configuration succeeded.

5. Check that it took effect

The basic IP address configuration is in effect.

6. Modifying connection settings

Set test2 to connect automatically:
[root@localhost ~]# nmcli connection modify test2 connection.autoconnect yes

Set the DNS server to 192.168.10.1:
[root@localhost ~]# nmcli connection modify test2 ipv4.dns 192.168.10.1

Add a second DNS server, 114.114.114.114:
[root@localhost ~]# nmcli connection modify test2 +ipv4.dns 114.114.114.114

7. Check that the configuration succeeded

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-test2
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.10.100
PREFIX=24
GATEWAY=192.168.10.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=test2
UUID=fa900c7b-b491-446a-b461-f61272ecf9cd
DEVICE=ens33
ONBOOT=yes
DNS1=192.168.10.1
DNS2=114.114.114.114
[root@localhost ~]#

All settings have taken effect.
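Step 7 verifies the profile by eye. The script below is an added example, not part of the lab report: it parses the same ifcfg-style KEY=VALUE file and checks the settings that matter for a static profile (BOOTPROTO=none, ONBOOT=yes, a gateway inside the configured subnet, a DNS server). The embedded IFCFG text is a constructed copy of the keys shown above; on a real host read /etc/sysconfig/network-scripts/ifcfg-test2 instead.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab report: sanity-check the ifcfg profile that
# nmcli writes (the lab's ifcfg-test2) before bringing the connection up. It parses
# the KEY=VALUE lines and verifies the settings the lab set by hand in step 6.

# Constructed copy of the relevant keys from the lab's profile; on a real host use
# IFCFG=$(cat /etc/sysconfig/network-scripts/ifcfg-test2)
IFCFG='BOOTPROTO=none
IPADDR=192.168.10.100
PREFIX=24
GATEWAY=192.168.10.1
ONBOOT=yes
DNS1=192.168.10.1
DNS2=114.114.114.114'

# ifcfg_get KEY TEXT -> value of KEY (first match; empty when the key is absent)
ifcfg_get() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# ip_to_int a.b.c.d -> the dotted quad as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP GATEWAY PREFIX -> status 0 when both lie in the same network
same_subnet() {
  local mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# check_ifcfg TEXT -> prints one line per problem; exit status = number of problems
check_ifcfg() {
  local text="$1" n=0 ip gw prefix
  ip=$(ifcfg_get IPADDR "$text"); gw=$(ifcfg_get GATEWAY "$text"); prefix=$(ifcfg_get PREFIX "$text")
  # A static profile must not also ask DHCP for an address
  [ "$(ifcfg_get BOOTPROTO "$text")" = none ] || { echo "BOOTPROTO is not 'none'"; n=$((n+1)); }
  # ONBOOT=no is what nmcli writes while connection.autoconnect is off
  [ "$(ifcfg_get ONBOOT "$text")" = yes ] || { echo "ONBOOT is not 'yes'; profile will not autoconnect"; n=$((n+1)); }
  if [ -z "$ip" ] || [ -z "$prefix" ]; then
    echo "IPADDR or PREFIX missing"; n=$((n+1))
  elif [ -n "$gw" ] && ! same_subnet "$ip" "$gw" "$prefix"; then
    echo "GATEWAY $gw is not inside $ip/$prefix; no usable default route"; n=$((n+1))
  fi
  [ -n "$(ifcfg_get DNS1 "$text")" ] || { echo "no DNS1 set"; n=$((n+1)); }
  return "$n"
}
```

Run `check_ifcfg "$IFCFG"`; a silent run with exit status 0 means the profile passes, and the status otherwise counts the problems printed.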

8. Remove a DNS server

[root@localhost ~]# nmcli connection modify test2 -ipv4.dns 114.114.114.114

9. Change the IP address and default gateway

[root@localhost ~]# nmcli connection modify test2 ipv4.addresses 192.168.10.200/24 gw4 192.168.10.254

10. Add multiple IP addresses

[root@localhost ~]# nmcli connection modify test2 +ipv4.addresses 192.168.10.250/24

Query the details of "test2":

[root@localhost ~]# nmcli connection show "test2"
connection.id: test2
connection.uuid: fa900c7b-b491-446a-b461-f61272ecf9cd
connection.stable-id: --
connection.type: 802-3-ethernet
connection.interface-name: ens33
connection.autoconnect: 是
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1731905902
connection.read-only: 否
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: 未知
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
802-3-ethernet.port: --
802-3-ethernet.speed: 0
802-3-ethernet.duplex: --
802-3-ethernet.auto-negotiate: 否
802-3-ethernet.mac-address: --
802-3-ethernet.cloned-mac-address: --
802-3-ethernet.generate-mac-address-mask: --
802-3-ethernet.mac-address-blacklist: --
802-3-ethernet.mtu: 自动
802-3-ethernet.s390-subchannels: --
802-3-ethernet.s390-nettype: --
802-3-ethernet.s390-options: --
802-3-ethernet.wake-on-lan: default
802-3-ethernet.wake-on-lan-password: --
ipv4.method: manual
ipv4.dns: 192.168.10.1
ipv4.dns-search: --
ipv4.dns-options: ""
ipv4.dns-priority: 0
ipv4.addresses: 192.168.10.200/24, 192.168.10.250/24
ipv4.gateway: 192.168.10.254
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: 否
ipv4.ignore-auto-dns: 否
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: 是
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: 否
ipv4.may-fail: 是
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: ""
ipv6.dns-priority: 0
ipv6.addresses: --

All settings are in effect: the two addresses, the new gateway, and the single remaining DNS server.

Delete "test2" so that it does not interfere with the later experiments.

Task 6-4 Using the firewalld service

1. Check the current status of the firewalld service and the zones in use

2. Query which firewalld zone the ens33 interface is active in

[root@localhost ~]# firewall-cmd --get-active-zones   # show the zones currently active in the firewall
[root@localhost ~]# firewall-cmd --set-default-zone=trusted   # set the default zone
success

3. Change the zone of the ens33 interface in firewalld to external, taking effect after a reboot. Then query the zone name in runtime mode and in permanent mode.

[root@localhost ~]# firewall-cmd --list-all --zone=work   # show the firewall policy
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@localhost ~]# firewall-cmd --permanent --zone=external --change-interface=ens33
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
no zone
[root@localhost ~]# firewall-cmd --permanent --get-zone-of-interface=ens33
external

4. Set the current default zone of firewalld to public

[root@localhost ~]# firewall-cmd --set-default-zone=public
success
[root@localhost ~]# firewall-cmd --get-default-zone
public

5. Turn the firewalld emergency (panic) mode on or off; it blocks all network connections (use with care when administering the server remotely)

[root@localhost ~]# firewall-cmd --panic-on   # turn on
success
[root@localhost ~]# firewall-cmd --panic-off   # turn off
success

6. Query whether the public zone allows the SSH and HTTPS services

[root@localhost ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@localhost ~]# firewall-cmd --zone=public --query-service=https
no

7. Permanently allow HTTPS traffic in firewalld and make it take effect immediately

[root@localhost ~]# firewall-cmd --get-services   # list all services that can be configured

RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

[root@localhost ~]# firewall-cmd --zone=public --add-service=https
success
[root@localhost ~]# firewall-cmd --permanent --zone=public --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all   # show the firewall policy
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'external' (see --get-active-zones)
You most likely need to use --zone=external option.

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

8. Permanently reject HTTPS traffic in firewalld and make it take effect immediately

[root@localhost ~]# firewall-cmd --permanent --zone=public --remove-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all   # show the firewall policy
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'external' (see --get-active-zones)
You most likely need to use --zone=external option.

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

9. Allow traffic to ports 8088 and 8089 in firewalld, in the runtime configuration only

[root@localhost ~]# firewall-cmd --zone=public --add-port=8088-8089/tcp
success
[root@localhost ~]# firewall-cmd --zone=public --list-ports
8088-8089/tcp
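The warning printed in steps 7 and 8 (operating on the default zone 'public' while ens33 is bound to 'external') means the https rule never applied to the traffic arriving on ens33. The helpers below are an added example, not the lab's own commands: they parse `firewall-cmd --get-active-zones` output to tell which zone an interface is bound to before a zone is edited. The ACTIVE_ZONES text is a constructed sample in that output format.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab report. A firewalld rule only affects traffic on
# interfaces bound to the zone you edit; in steps 7 and 8 the lab added https to
# 'public' while ens33 sat in 'external', and firewall-cmd warned about exactly that.
# These helpers answer "does editing zone X reach interface Y?" from --get-active-zones output.

# Constructed sample in `firewall-cmd --get-active-zones` format (not captured from a host);
# on a live system use: ACTIVE_ZONES=$(firewall-cmd --get-active-zones)
ACTIVE_ZONES='external
  interfaces: ens33
public
  interfaces: ens34 ens35
  sources: 192.168.10.0/24'

# zone_of_interface <interface> [active-zones-text]
# Prints the zone whose "interfaces:" line lists <interface>; "none" (status 1) if unbound.
zone_of_interface() {
  local iface="$1" text="${2:-$ACTIVE_ZONES}" zone="" line tok
  while IFS= read -r line; do
    case "$line" in
      '  interfaces:'*)
        for tok in ${line#*: }; do      # tokens after "interfaces: " are the NICs
          if [ "$tok" = "$iface" ]; then
            printf '%s\n' "$zone"
            return 0
          fi
        done ;;
      '  '*) ;;                         # other indented lines (sources:) are skipped
      *) zone="$line" ;;                # an unindented line starts a new zone block
    esac
  done <<EOF
$text
EOF
  printf 'none\n'
  return 1
}

# edit_applies_to <zone> <interface>
# Status 0 when rules added to <zone> affect traffic on <interface>, 1 otherwise.
edit_applies_to() {
  local bound
  bound=$(zone_of_interface "$2") || return 1
  [ "$bound" = "$1" ]
}

# Stand-alone demo: the mismatch the lab hit when it edited 'public' for ens33
if ! edit_applies_to public ens33; then
  echo "editing 'public' does not affect ens33 (bound zone: $(zone_of_interface ens33))"
fi
```

Running `edit_applies_to public ens33` before the `--add-service=https` calls in step 7 would have flagged that the rule belongs in `--zone=external`.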

Project 7 Shell basics

Posted @ 2024-11-18 20:14 by 花柒玖