1、利用SAMBA实现指定目录共享

服务端

yum -y install samba

systemctl start smb.service

systemctl enable smb.service

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

创建samba账号

useradd -s /sbin/nologin smbuser

smbpasswd -a smbuser #注:不加-a为修改samba用户密码

pdbedit -L

创建共享目录

mkdir -p /data/smbshare

touch /data/smbshare/test.txt #创建一个测试文件

setfacl -R -m u:smbuser:rwx /data/smbshare/

编辑samba配置文件

vim /etc/samba/smb.conf

在文件结尾添加以下内容

[smbshare]

        path=/data/smbshare

        guest ok=no

        read only=No
        （注:此行也可写为 writable=Yes,两者等价;smb.conf 不支持行尾注释,不要把本注释写入配置文件）

systemctl restart smb.service


客户端

yum -y install samba-client cifs-utils

查看有哪些共享目录

smbclient -L 192.168.1.13 -U smbuser

进入共享目录

smbclient //192.168.1.13/smbshare -U smbuser

samba目录挂载到本地

vim /etc/fstab

增加以下内容

//192.168.1.13/smbshare  /mnt/                  cifs  username=smbuser,password=123456  0 0

mount -a

进入/mnt目录能正常读写服务端的文件

注:为防止其他用户看到用户名和密码,可以把用户信息存放到文件中,将 username=smbuser,password=123456 改为 credentials=/etc/smbpass.txt;/etc/smbpass.txt 需先写好用户名和密码,文件格式如下:

username=smbuser

password=123456

为防止其他用户读取该文件中的密码,需要设置文件权限:chmod 600 /etc/smbpass.txt


2、实现不同samba用户访问相同的samba共享,实现不同的配置

服务端

yum -y install samba

systemctl start smb.service

systemctl enable smb.service

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

创建samba账号

useradd -s /sbin/nologin smbuser

smbpasswd -a smbuser

useradd -s /sbin/nologin smbuser2

smbpasswd -a smbuser2

pdbedit -L

创建共享目录

mkdir -p /data/smbshare

touch /data/smbshare/test.txt #创建一个测试文件

setfacl -R -m u:smbuser:rwx /data/smbshare/

setfacl -R -m u:smbuser2:rwx /data/smbshare/

编辑samba配置文件

vim /etc/samba/smb.conf

在文件结尾添加以下内容

[smbshare]

        path=/data/smbshare

        guest ok=no

        write list=smbuser

systemctl restart smb.service


客户端1

yum -y install samba-client cifs-utils

查看有哪些共享目录

smbclient -L 192.168.1.13 -U smbuser

samba目录挂载到本地

vim /etc/fstab

增加以下内容

//192.168.1.13/smbshare  /mnt/                  cifs  username=smbuser,password=123456  0 0

mount -a

进入/mnt目录能正常读写服务端的文件


客户端2

yum -y install samba-client cifs-utils

查看有哪些共享目录

smbclient -L 192.168.1.13 -U smbuser

samba目录挂载到本地

vim /etc/fstab

增加以下内容

//192.168.1.13/smbshare  /mnt/                  cifs  username=smbuser2,password=123456  0 0

mount -a

进入/mnt目录后只能读取,没有写权限


3、远程主机通过openvpn连接到内网,修复内网中的httpd服务主机:假如现在 httpd 宕机了,我们需要连接进去将httpd启动

远程主机提前安装openvpn,安装过程如下:

服务端

安装openvpn相关软件

yum -y install openvpn easy-rsa

开启路由转发

vim /etc/sysctl.conf

添加以下内容

net.ipv4.ip_forward = 1

sysctl -p

准备服务器证书

cp -r /usr/share/easy-rsa/ /etc/openvpn/

cp /usr/share/doc/easy-rsa-3.0.7/vars.example /etc/openvpn/easy-rsa/3.0.7/vars

cd /etc/openvpn/easy-rsa/3.0.7/

vim vars

将 #set_var EASYRSA_CERT_EXPIRE    825 这一行改为 set_var EASYRSA_CERT_EXPIRE    3650（去掉行首的#）

./easyrsa init-pki

./easyrsa build-ca nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:输入通用名称或直接回车

./easyrsa gen-req server nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [server]:输入通用名称或直接回车

./easyrsa sign server server  #注sign server表示类型为服务器,最后的server对应/etc/openvpn/easy-rsa/3.0.7/pki/reqs/server.req

出现以下确认信息

Confirm request details:输入yes并回车

./easyrsa gen-dh


准备客户端证书

cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client

cp /usr/share/doc/easy-rsa-3.0.7/vars.example /etc/openvpn/easy-rsa-client/3.0.7/vars

cd /etc/openvpn/easy-rsa-client/3.0.7/

./easyrsa init-pki

./easyrsa gen-req liyusheng nopass

出现以下确认信息

Common Name (eg: your user, host, or server name) [liyusheng]:直接回车


签发客户端证书

cd /etc/openvpn/easy-rsa/3.0.7/

./easyrsa import-req /etc/openvpn/easy-rsa-client/3.0.7/pki/reqs/liyusheng.req liyusheng

设置客户端证书有效期

vim vars

将 set_var EASYRSA_CERT_EXPIRE     3650 中的 3650 改为 180

./easyrsa sign client liyusheng  #注sign client表示类型为客户端,liyusheng对应/etc/openvpn/easy-rsa/3.0.7/pki/reqs/liyusheng.req

出现以下确认信息

Confirm request details: 输入yes并回车


服务器相关证书文件集中存放

cp /etc/openvpn/easy-rsa/3.0.7/pki/ca.crt /etc/openvpn/server/

cp /etc/openvpn/easy-rsa/3.0.7/pki/dh.pem /etc/openvpn/server/

cp /etc/openvpn/easy-rsa/3.0.7/pki/issued/server.crt /etc/openvpn/server/

cp /etc/openvpn/easy-rsa/3.0.7/pki/private/server.key /etc/openvpn/server/

openvpn --genkey --secret /etc/openvpn/server/ta.key


客户端相关证书文件集中存放

mkdir /etc/openvpn/client/liyusheng

cp /etc/openvpn/easy-rsa/3.0.7/pki/ca.crt /etc/openvpn/client/liyusheng/

cp /etc/openvpn/easy-rsa/3.0.7/pki/issued/liyusheng.crt /etc/openvpn/client/liyusheng/

cp /etc/openvpn/easy-rsa-client/3.0.7/pki/private/liyusheng.key /etc/openvpn/client/liyusheng/

cp /etc/openvpn/server/ta.key /etc/openvpn/client/liyusheng/

vim /etc/openvpn/client/liyusheng/liyusheng.ovpn

内容如下:

client

dev tun

proto tcp

remote 49.234.85.113 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert liyusheng.crt

key liyusheng.key

remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-CBC

verb 3

compress lz4-v2

auth-nocache


修改openvpn配置文件

vim /etc/openvpn/server.conf

内容如下:

port 1194

proto tcp

dev tun

ca /etc/openvpn/server/ca.crt

cert /etc/openvpn/server/server.crt

key /etc/openvpn/server/server.key

dh /etc/openvpn/server/dh.pem

tls-auth /etc/openvpn/server/ta.key 0

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 172.17.0.0 255.255.240.0"

push "dhcp-option DNS 183.60.82.98"

;push "dhcp-option WINS 172.17.0.7"

keepalive 10 120

cipher AES-256-CBC

compress lz4-v2

push "compress lz4-v2"

max-clients 1000

user openvpn

group openvpn

status openvpn-status.log

log /var/log/openvpn/openvpn.log

log-append /var/log/openvpn/openvpn.log

verb 3

mute 200


启动openvpn服务

systemctl start openvpn@server

systemctl enable openvpn@server


设置防火墙规则

firewalld:

firewall-cmd --permanent --add-port=1194/tcp

firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=10.8.0.0/24 masquerade"

firewall-cmd --reload

iptables:

iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

service iptables save


客户端连接

windows客户端:

安装OpenVPN GUI软件,将服务端/etc/openvpn/client/liyusheng目录下的ca.crt、liyusheng.crt、liyusheng.key、liyusheng.ovpn、ta.key复制到C:\Program Files\OpenVPN\config目录,双击桌面上的OpenVPN GUI,到桌面右下角找到OpenVPN GUI图标按右键,选择连接即可连上服务端。


linux客户端:

yum -y install openvpn

将服务端/etc/openvpn/client/liyusheng目录下的ca.crt、liyusheng.crt、liyusheng.key、liyusheng.ovpn、ta.key复制到/etc/openvpn/client目录

openvpn --daemon --cd /etc/openvpn/client --config liyusheng.ovpn --log-append /var/log/openvpn.log

输入kill `pidof openvpn`断开连接


吊销用户证书

cat /etc/openvpn/easy-rsa/3.0.7/pki/index.txt  #查看当前证书状态,V表示有效,R表示已吊销

cd /etc/openvpn/easy-rsa/3.0.7/

./easyrsa revoke liyusheng

出现以下确认信息

Continue with revocation: 输入yes并回车

./easyrsa gen-crl

vim /etc/openvpn/server.conf

最后一行增加以下内容

crl-verify /etc/openvpn/easy-rsa/3.0.7/pki/crl.pem

systemctl restart openvpn@server

内网安装openvpn全部过程到此完成。