实验:针对不同的用户设置不同的共享目录和权限
vim /etc/samba/smb.conf
[global]
workgroup = WANGGROUP
security = user
netbios name = smbsrv7
passdb backend = tdbsam
log file = /var/log/samba/log.%I
log level = 2
config file = /etc/samba/conf.d/%U
[share]
comment=samba share dir
path=/data/tools
read only = yes
[root@centos7 conf.d]#cat /etc/samba/conf.d/smb2
[share]
path=/data/smb2
writeable=yes
[root@centos7 conf.d]#cat /etc/samba/conf.d/smb3
[share]
path=/data/smb3
实验:多用户挂载
client
useradd smb1
useradd smb2
useradd smb3
vim /etc/fstab
//192.168.30.7/share /mnt cifs username=smbshare,password=centos,multiuser 0 0
mount -a
su – smb1
cifscreds add sambaserverip
proxy
isa
GPL
http://www.magedu.com/news
http://www.magedu.com/study/
tcp 80
QQ IP
udp 8000
tcp 443 https://www.baidu.com/
数据www.tencent.com
msn :www
isa server
http://ip/a.vbs
1M
mtu 1500
ethernet(ip(tcp(app(data))))
http tcp80 10
https tcp443 10
web 10
jump
实验:自定义链
使用自定义链
iptables -N WEB
iptables -A WEB -p tcp -m multiport –dports 80,443 -j ACCEPT
iptables -I INPUT -s 192.168.30.0/24 -j WEB
iptables -vnL
修改
iptables -R WEB 1 -p tcp -m multiport –dports 80,443,8080 -j ACCEPT
删除自定义链
iptables -D INPUT 1
iptables -D WEB 1
iptables -X WEB
fileshare:samba,ftp,
web:http https
manage:ssh telnet
lamp
client — > apache+php fpm A –> mysql B
manager C
B:
iptables -F
iptables -A INPUT -s AIP -p tcp –dport 3306 -j ACCEPT
iptables -A INPUT -s CIP -p tcp –dport 22 -j ACCEPT
iptables -A INPUT -j REJECT
A:
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -s CIP -p tcp –dport 22 -j ACCEPT
iptables -A INPUT -j REJECT
ssh any reject
http source 192.168.30.0/24 accept
-m multport –dports 80,443
iptables -A FORWARD -m time –timestart 1:00 –timestop 10:00 –weekdays 1,3,5 -j REJECT
实验:实现内网的安全
ptables -A FORWARD -j REJECT
iptables -I FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -s 192.168.30.0/24 -d 10.0.0.0/8 -m state –state NEW -j ACCEPT
A:10.0.0.0/8
B:172.16.0.0/16 – 172.31.0.0/16 172.16.0.0/12
C:192.168.0.0/24 – 192.168.255.0/24 192.168.0.0/16
实验:实现SNAT
lan:192.168.30.0/24
nat server:
lan interface:192.168.30.17
wan interface: 10.0.0.254
wan: 10.0.0.0/8
wanserver 10.0.0.10
静态IP
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT –to-source 10.0.0.254
动态IP
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j MASQUERADE
实验:实现DNAT
iptables -t nat -A PREROUTING -d 10.0.0.254 -p tcp –dport 80 -j DNAT –to-destination 192.168.30.7:8080
实验:端口转发
iptables -t nat -A PREROUTING -d 192.168.30.7 -p tcp –dport 80 -j REDIRECT –to-ports 8080
本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/102079
