vol1_4) Linux part 4: software packages
wkdth04 2020. 6. 7. 19:58
Chapter 10
Software packages
RPM package management tool
- Dependency problems occur
YUM/DNF
- Solves RPM's dependency problem
- When installing a package it resolves the dependencies and installs the dependent packages together.
- Usage is similar to apt or apt-get on Ubuntu.
yum repository
- A single server (web server) where packages are stored
- You can download packages from it, and also download information about the packages.
- A YUM repository consists of a web server and a repo file
(curl is a command that fetches the contents of a page on the web and prints it to the terminal.)
Examples
- Install the mc package
sudo yum install mc
sudo yum install -y mc (-y answers yes to the prompts in advance)
- yum info installed -> shows information about the installed packages
- sudo yum -y remove mc -> removes the package
- sudo yum search bash -> searches for packages whose name contains "bash"
[root@jsy ~]# echo '[base]
> name=CentOS-$releasever - Base
> baseurl=http://ftp.daumkakao.com/centos/$releasever/os/$basearch/
> gpgcheck=0
> [updates]
> name=CentOS-$releasever - Updates
> baseurl=http://ftp.daumkakao.com/centos/$releasever/updates/$basearch/
> gpgcheck=0
> [extras]
> name=CentOS-$releasever - Extras
> baseurl=http://ftp.daumkakao.com/centos/$releasever/extras/$basearch/
> gpgcheck=0' > /etc/yum.repos.d/Daum.repo
[root@jsy ~]#
[root@jsy ~]# cd /etc/yum.repos.d/
[root@jsy yum.repos.d]# ls
Daum.repo
[root@jsy yum.repos.d]# yum repolist
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10,070
extras/7/x86_64 CentOS-7 - Extras 397
updates/7/x86_64 CentOS-7 - Updates 671
repolist: 11,138
[root@jsy yum.repos.d]# cat Daum.repo
[base]
name=CentOS-$releasever - Base
baseurl=http://ftp.daumkakao.com/centos/$releasever/os/$basearch/
gpgcheck=0
[updates]
name=CentOS-$releasever - Updates
baseurl=http://ftp.daumkakao.com/centos/$releasever/updates/$basearch/
gpgcheck=0
[extras]
name=CentOS-$releasever - Extras
baseurl=http://ftp.daumkakao.com/centos/$releasever/extras/$basearch/
gpgcheck=0
[root@jsy yum.repos.d]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
No packages marked for update
[root@jsy yum.repos.d]# yum repolist
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10,070
extras/7/x86_64 CentOS-7 - Extras 397
updates/7/x86_64 CentOS-7 - Updates 671
repolist: 11,138
-----------------------------------(entered in vim)-------------------------------------------------------------
[base]
name=Centos7-Kaist
baseurl=http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
gpgcheck=0
Adding a repo
echo '[base]
name=CentOS-$releasever - Base
baseurl=http://ftp.daumkakao.com/centos/$releasever/os/$basearch/
gpgcheck=0
[updates]
name=CentOS-$releasever - Updates
baseurl=http://ftp.daumkakao.com/centos/$releasever/updates/$basearch/
gpgcheck=0
[extras]
name=CentOS-$releasever - Extras
baseurl=http://ftp.daumkakao.com/centos/$releasever/extras/$basearch/
gpgcheck=0' > /etc/yum.repos.d/Daum.repo
cd /etc/yum.repos.d/
ls
yum repolist
cat Daum.repo
yum update
http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
vim /etc/yum.repos.d/kaist.repo
[ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_]
name=added from: http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
baseurl=http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
enabled=1
gpgcheck=0
rm -rf *.repo (deletes every .repo file, i.e. all repositories)
yum clean all
yum update
yum repolist all
yum-config-manager --add-repo="http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/"
yum-config-manager
yum-config-manager --add-repo="<address>" -> creates the repo file automatically
yum clean all
yum update
rm -rf *.repo (deletes every .repo file)
ls
yum clean all
yum update now does nothing
yum repolist all shows that nothing is left.
Adding a repository from a compressed archive is on the exam ******
https://wnw1005.tistory.com/289
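Every repo file in these notes sets gpgcheck=0, which means yum installs whatever the mirror serves without checking the package signature. The following script is an added example, not part of the class notes: write_repo creates a .repo file like the ones above but with gpgcheck=1 and a gpgkey line, and audit_repos walks a repos.d directory and reports every section that disables or omits gpgcheck. The repo id, name and key path passed in are assumptions; /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 is the stock CentOS 7 key location.

```shell
#!/bin/sh
# Added example (not from the original notes): create a yum repo definition
# with signature checking on, and audit a directory of .repo files.

# write_repo DIR ID NAME BASEURL GPGKEY -> writes DIR/ID.repo
write_repo() {
    dir=$1; id=$2; name=$3; baseurl=$4; gpgkey=$5
    cat > "$dir/$id.repo" <<EOF
[$id]
name=$name
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=$gpgkey
EOF
}

# audit_repos DIR -> prints "SECTION: reason" for every [section] whose
# gpgcheck is not 1 (either gpgcheck=0 or no gpgcheck line at all).
audit_repos() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # awk walks the ini sections and remembers each section's gpgcheck value
        awk '
            /^\[/ { flush(); sec=$0; gsub(/[][]/, "", sec); seen=0 }
            /^gpgcheck[ \t]*=/ {
                seen=1; split($0, kv, "="); val=kv[2]; gsub(/[ \t]/, "", val); gc=val
            }
            END { flush() }
            function flush() {
                if (sec == "") return
                if (!seen) print sec ": gpgcheck missing"
                else if (gc != "1") print sec ": gpgcheck=" gc
                sec=""; seen=0; gc=""
            }
        ' "$f"
    done
}
```

Run audit_repos against /etc/yum.repos.d after the exercises above and every section created in this chapter shows up, because gpgcheck=0 was written into all of them.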
[root@jsy ~]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.navercorp.com
* extras: mirror.kakao.com
* updates: mirror.kakao.com
repo id repo name status
!base/7/x86_64 CentOS-7 - Base 10,070
!extras/7/x86_64 CentOS-7 - Extras 397
!updates/7/x86_64 . CentOS-7 - Updates 671
repolist: 11,138
[root@jsy ~]# pwd
/root
[root@jsy ~]# cd /etc/yum.repos.d
[root@jsy yum.repos.d]# ls
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo CentOS-x86_64-kernel.repo
CentOS-Debuginfo.repo CentOS-Sources.repo
[root@jsy yum.repos.d]# tar -cvf repo.back ./*
./CentOS-Base.repo
./CentOS-CR.repo
./CentOS-Debuginfo.repo
./CentOS-fasttrack.repo
./CentOS-Media.repo
./CentOS-Sources.repo
./CentOS-Vault.repo
./CentOS-x86_64-kernel.repo
[root@jsy yum.repos.d]# ls
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo CentOS-x86_64-kernel.repo
CentOS-Debuginfo.repo CentOS-Sources.repo repo.back
[root@jsy yum.repos.d]#
[root@jsy yum.repos.d]#
[root@jsy yum.repos.d]# rm -rf *.repo
[root@jsy yum.repos.d]# ls
repo.back
[root@jsy yum.repos.d]#
[root@jsy yum.repos.d]# yum-config-manager --add-repo="http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/"
Loaded plugins: fastestmirror, langpacks
adding repo from: http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
[ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_]
name=added from: http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
baseurl=http://ftp.kaist.ac.kr/CentOS/7.8.2003/os/x86_64/
enabled=1
[root@jsy yum.repos.d]# ls
ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_.repo
[root@jsy yum.repos.d]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_ | 3.6 kB 00:00
No packages marked for update
[root@jsy yum.repos.d]# yum clean all
Loaded plugins: fastestmirror, langpacks
Cleaning repos: ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_
Cleaning up list of fastest mirrors
Other repos take up 45 M of disk space (use --verbose for details)
[root@jsy yum.repos.d]# yum update
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_ | 3.6 kB 00:00
(1/2): ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_/group_gz | 153 kB 00:00
(2/2): ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_/primary_ | 6.1 MB 00:00
No packages marked for update
[root@jsy yum.repos.d]# yum repolist all
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
repo id repo name status
ftp.kaist.ac.kr_CentOS_7.8.2003_os_x86_64_ added from: http://ft enabled: 10,070
repolist: 10,070
[root@jsy yum.repos.d]#
----------------------------------------------------------------------------------------------
https://zetawiki.com/wiki/Yum_Daum_%EC%A0%80%EC%9E%A5%EC%86%8C_%EC%84%A4%EC%A0%95
https://sugerent.tistory.com/325
Chapter 12 SSH
Telnet -> SSH
Encryption algorithms
Symmetric-key based
The same key is used to encrypt and decrypt the data.
Key (encryption algorithm): a -> 1
apple -> key1: encrypt (a -> 1) -> 1pple -> key1: decrypt (a -> 1) -> apple
Asymmetric-key based
key1 and key2 are generated at the same time.
They are called the private key and the public key.
Public key: a key exposed to the outside; anyone may hold the public key.
Private key: a key held only by the person who generated it.
Data is encrypted with the public key and sent -> decrypted with the private key.
Person 1: apple -> key1 (public key): encrypt (a -> 1) -> 1pple -> key2 (private key): decrypt (a -> 1) -> apple : Person 2
SSH setup 1
client -> server: connection request
server -> sends its public key -> client
client -> encrypts the client's public key with the server's public key -> decrypted with the server's private key -> client's public key -> server
SSH setup
client -> server: connection request
server -> sends its public key -> client
client -> generates a symmetric key (secret key) -> encrypts it with the server's public key -> decrypted with the server's private key -> the secret key the client made -> server
client <- secret key -> server
------------------------------------------------------
sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils
sudo adduser $USER kvm
sudo apt-get install -y virt-manager
sudo virt-manager
New virtual machine
Network configuration *********
client: ip 192.168.122.100/24, gateway 192.168.122.1, dns 8.8.8.8, hostname client.cccr.co.kr
server: ip 192.168.122.200/24, gateway 192.168.122.1, hostname server.cccr.co.kr
yum install -y bash-completion net-tools
nmcli connection add con-name eth0-client type ethernet ifname eth0
nmcli connection modify eth0-client ipv4.addresses 192.168.122.100/24
nmcli connection modify eth0-client ipv4.gateway 192.168.122.1
nmcli connection modify eth0-client ipv4.dns 8.8.8.8
nmcli connection modify eth0-client ipv4.method manual
nmcli connection modify eth0-client autoconnect yes
hostnamectl set-hostname client.cccr.co.kr
nmcli connection up eth0-client
yum install -y bash-completion net-tools
nmcli connection add con-name eth0-server type ethernet ifname eth0
nmcli connection modify eth0-server ipv4.addresses 192.168.122.200/24
nmcli connection modify eth0-server ipv4.gateway 192.168.122.1
nmcli connection modify eth0-server ipv4.dns 8.8.8.8
nmcli connection modify eth0-server ipv4.method manual
nmcli connection modify eth0-server autoconnect yes
hostnamectl set-hostname server.cccr.co.kr
nmcli connection up eth0-server
client : AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdtLqgM7RfNOiT8ZqC72qrDf7vTopXPuog/QcwMt1FzoAQZ38VRJ1PbWEFZmxozfeOPGD4hwn+EviacKU863PQ=
server : AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdtLqgM7RfNOiT8ZqC72qrDf7vTopXPuog/QcwMt1FzoAQZ38VRJ1PbWEFZmxozfeOPGD4hwn+EviacKU863PQ=
--------------------------------------------
Installing OpenSSH (server install)
yum install openssh-server
Server & client install
yum install ssh
The server's keys are stored at
/etc/ssh/~~~.pub
The client's keys are stored at
/home/user/.ssh/known_hosts
--------------------------------------------
X11 forwarding
ssh -X student@192.168.0.175
gedit aaaa.txt
firefox www.google.com
Authentication
- Allow only specific users to log in
vi /etc/ssh/sshd_config
AllowUsers userssh
- Prevent root login
vi /etc/ssh/sshd_config
PermitRootLogin no
- Key-based authentication
vi /etc/ssh/sshd_config
PasswordAuthentication no
ssh-keygen -t ecdsa
ssh-copy-id user@192.168.122.200
ssh user@192.168.122.200
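The three sshd_config settings above are easy to get wrong because sshd uses the first occurrence of a keyword, so a "PermitRootLogin no" appended at the bottom of the file is ignored when an earlier line already says "yes". The script below is an added example, not part of the notes: sshd_get reproduces that first-match rule and audit_sshd reports which of AllowUsers, PermitRootLogin and PasswordAuthentication are not in the hardened state. It assumes the "keyword value" spelling (not "keyword=value") and only inspects the global section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config for the
# settings changed in class. Run it as: audit_sshd /etc/ssh/sshd_config

# sshd_get FILE KEYWORD -> prints the first effective value, or nothing.
# Comments and blank lines are skipped; a Match block ends the global section.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd FILE -> one finding per line; prints nothing when all three
# settings match the class configuration.
audit_sshd() {
    f=$1
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset, sshd default applies}', expected no"
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset, sshd default applies}', expected no"
    v=$(sshd_get "$f" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers not set: every account may log in"
}
```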
---------------------------------------------------------------------------------------
Chapter 14 Firewall management
- UDP
- TCP
TCP/UDP communication
UDP: demultiplexing is done by port number.
Demultiplexing (finding the right socket)
TCP: demultiplexing is done by src IP / src port, dest IP / dest port.
What does a firewall block?
- Blocking is the default
- Traffic is allowed through policies.
IP : 256*256*256*256*~
Port : 65546, roughly that many
Rules
- Inbound rules
The firewall's default setting: block everything
Data coming inside (dest IP is yourself)
What comes into the server (a client -> connecting to the server)
- Outbound rules
The firewall's default setting: all connections allowed
Data going outside (src IP is yourself). If the packet's dest IP is me the inbound rules apply; if the src IP is me the outbound rules apply.
What goes out of the server (server -> client)
- CentOS firewall
uses firewalld
- Ubuntu uses the UFW firewall
The difference between iptables and firewalld is that firewalld allows runtime configuration.
iptables -> kernel
How to use firewalld
systemctl status firewalld.service
firewall-cmd --list-all
firewall-cmd --add-service=http
firewall-cmd --list-all
firewall-cmd --add-port=400
firewall-cmd --add-port=400/tcp
firewall-cmd --add-port=400/udp
firewall-cmd --list-
firewall-cmd --list-all
firewall-cmd --add-source=192.168.100.0/24
firewall-cmd --list-all
firewall-cmd --get-default-zone
firewall-cmd --get-zones
[root@server user]# cd /
[root@server /]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-05-28 15:34:59 KST; 2h 34min ago
Docs: man:firewalld(1)
Main PID: 666 (firewalld)
CGroup: /system.slice/firewalld.service
└─666 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
May 28 15:34:58 server.cccr.co.kr systemd[1]: Starting firewalld - dynamic f....
May 28 15:34:59 server.cccr.co.kr systemd[1]: Started firewalld - dynamic fi....
Hint: Some lines were ellipsized, use -l to show in full.
[root@server /]# 서비스 잘돌아가는지 확인 한거
bash: 서비스: command not found
[root@server /]#
[root@server /]#
[root@server /]# firewall-cmd --get-
--get-active-zones --get-icmptypes --get-short
--get-default-zone --get-ipset-types --get-zone-of-interface=
--get-description --get-log-denied --get-zones
--get-helpers --get-services
[root@server /]# firewall-cmd --
--add-forward-port= --list-services
--add-icmp-block= --list-source-ports
--add-icmp-block-inversion --list-sources
--add-interface= --lockdown-off
--add-lockdown-whitelist-command= --lockdown-on
--add-lockdown-whitelist-context= --panic-off
--add-lockdown-whitelist-uid= --panic-on
--add-lockdown-whitelist-user= --permanent
--add-masquerade --query-forward-port=
--add-port= --query-icmp-block=
--add-protocol= --query-icmp-block-inversion
--add-rich-rule= --query-interface=
--add-service= --query-lockdown
--add-source= --query-lockdown-whitelist-command=
--add-source-port= --query-lockdown-whitelist-context=
--change-interface= --query-lockdown-whitelist-uid=
--change-source= --query-lockdown-whitelist-user=
--change-zone= --query-masquerade
--complete-reload --query-panic
--direct --query-port=
--get-active-zones --query-protocol=
--get-default-zone --query-rich-rule=
--get-description --query-service=
--get-helpers --query-source=
--get-icmptypes --query-source-port=
--get-ipset-types --reload
--get-log-denied --remove-forward-port=
--get-services --remove-icmp-block=
--get-short --remove-icmp-block-inversion
--get-zone-of-interface= --remove-interface=
--get-zones --remove-lockdown-whitelist-command=
--help --remove-lockdown-whitelist-context=
--info-helper= --remove-lockdown-whitelist-uid=
--info-icmptype= --remove-lockdown-whitelist-user=
--info-ipset= --remove-masquerade
--info-service= --remove-port=
--info-zone= --remove-protocol=
--list-all --remove-rich-rule=
--list-all-zones --remove-service=
--list-forward-ports --remove-source=
--list-icmp-blocks --remove-source-port=
--list-interfaces --set-default-zone=
--list-lockdown-whitelist-commands --set-description=
[root@server /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server /]# firewall-cmd --add-service=http
success
[root@server /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server /]# firewall-cmd --add-port=400
Error: INVALID_PORT: bad port (most likely missing protocol), correct syntax is portid[-portid]/protocol
[root@server /]# firewall-cmd --add-port=400/tcp
success
[root@server /]# firewall-cmd --add-port=400/udp
success
[root@server /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports: 400/tcp 400/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server /]# firewall-cmd --add-source=192.168.100.0/24
success
[root@server /]# firewall-cmd --get-default-zone
public
[root@server /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 192.168.100.0/24
services: dhcpv6-client http ssh
ports: 400/tcp 400/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@server /]# firewall-cmd --get-default-zones
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --get-default-zones
[root@server /]#
Firewall exercise
Server
1. Check that firewalld is enabled and running on the server.
systemctl status firewalld.service
2. Install the httpd package.
yum install httpd
3. Enable and start httpd.service
[root@server user]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:httpd(8)
man:apachectl(8)
4. Put "hello world!" into /var/www/html/index.html
with the vi editor
[root@server html]# vi /inex.html
5. Create a zone named webservice and activate it.
1. ssh must be reachable from outside.
2. Clients must be able to reach the web server.
[root@server user]# firewall-cmd --permanent --zone=fwtest --add-service=ssh
[root@server user]# firewall-cmd --reload
[root@server user]# firewall-cmd --set-default-zone=fwtest
[root@server user]# firewall-cmd --list-all-zones
client
> curl 192.168.122.200
should print "hello world!".
[root@server user]# sudo firewall-cmd --permanent --new-zone=fwtest
5/29 Firewall, NTP server
https://www.lesstif.com/system-admin/rhel-centos-7-firewalld-22053128.html
Configuring the firewall (firewalld) on RHEL/CentOS 7
Port additions/changes and IP additions/changes only take effect after running --reload.
rich rules: week 4 exam
http://hwangji.kr/sub/dev_leader/link/os/default.aspx?NHBBSID=NHBoardWebTip&NHBBSIDX=77
Port forwarding
- NAT network: inside -> outside, outside -> inside
private ip:100 -> public ip:random1 -> arrives at the server
private ip:port -> public ip:random2
private ip:port -> public ip:random3
private ip:port -> public ip:random4
process running at private ip:port - public ip:port <- client
vm1 - ubuntu1
192.168.130.100:22 <- 192.168.0.157:2000
<- ubuntu2 - vm2
192.168.0.50 192.168.122.100
- Makes it possible to connect from outside to inside.
firewall-cmd
ssh -p 1999 user@192.168.0.157
firewall-cmd --add-forward-port=port=2000:proto=tcp:toport=22:toaddr=192.168.130.100
rich rules
- Make it possible to add more detailed rules.
- In the fwtest zone, allow http service requests from systems whose source address (src IP) is 192.168.0.0/24.
- The rule syntax can be checked in man firewalld.richlanguage.
firewall-cmd --add-rich-rule='rule <RULE>' --zone=<zone name>
firewall-cmd --remove-rich-rule='rule <RULE>' --zone=<zone name>
Example 1) Reject all traffic coming from IP address 192.168.0.11 in the firetest zone
Example 2) For the subnet 192.168.1.0/24, accept all TCP packets to ports 7900 through 7910 in the public zone.
1)
[root@client ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=192.168.0.11/32 reject'
2)
[root@client ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="7900-7910" protocol="tcp" accept'
success