Restricting Telnet, tftp, cvs and others by IP with systemd on CentOS 7

Microcontroller work still needs telnet and tftp. The server at home also exposes an interface to the public internet, and these two services should not be reachable from it. Previously telnet ran under xinetd, bound to a specific NIC with IP access restricted. CentOS now starts telnet through systemd, and the rules are different from before, so here are my notes.

How it works:

          Service units acquired two new options IPAddressAllow= and
          IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
          for configuring a simple IP access control list for all sockets of
          the unit. These options are available also on .slice and .socket
          units, permitting flexible access list configuration for individual
          services as well as groups of services (as defined by a slice unit),
          including system-wide. Note that IP ACLs configured this way are
          enforced on every single IPv4 and IPv6 socket created by any process
          of the service unit, and apply to ingress as well as egress traffic.

Service units gained two new options, IPAddressAllow / IPAddressDeny, and the socket unit gets a BindToDevice directive.

telnet changes: restrict by IP / NIC

[root@sh ~]# cat /usr/lib/systemd/system/telnet@.service
[Unit]
Description=Telnet Server
After=local-fs.target

[Service]
#Modified,Modified,Modified
IPAddressAllow=192.168.0.0/24

ExecStart=-/usr/sbin/in.telnetd
StandardInput=socket

[root@sh ~]# cat /usr/lib/systemd/system/telnet.socket 
[Unit]
Description=Telnet Server Activation Socket
Documentation=man:telnetd(8)

[Socket]
#Modified,Modified,Modified
BindToDevice=enp3s0

ListenStream=23
Accept=true

[Install]
WantedBy=sockets.target
[root@sh ~]# 

tftp changes: restrict by IP / NIC

[root@sh ~]# cat /usr/lib/systemd/system/tftp.socket 
[Unit]
Description=Tftp Server Activation Socket

[Socket]
#Modified,Modified,Modified
BindToDevice=enp3s0
ListenDatagram=69

[Install]
WantedBy=sockets.target

[root@sh ~]# cat /usr/lib/systemd/system/tftp.service 
[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
StandardInput=socket

#Modified,Modified,Modified
IPAddressAllow=192.168.0.0/24

[Install]
Also=tftp.socket
[root@sh ~]# 

In the [Socket] section of each socket file, add
BindToDevice=enp3s0 (the internal NIC name)
or #ListenStream=192.168.0.2:2401

and in the [Service] section of the service file, add
IPAddressAllow=192.168.0.0/24

These are the two restrictions.
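To check unit files for the two restrictions described above, here is an added Python script that is not part of the original post. It parses a systemd socket unit and service unit, checks that the socket is bound to an internal interface (BindToDevice=) or to an internal address (ListenStream=address:port rather than a bare port), and checks the IP ACL in the service unit. It also applies one caveat from systemd.resource-control(5): an address matching IPAddressAllow= is granted, otherwise an address matching IPAddressDeny= is refused, otherwise the address is granted, so IPAddressAllow= on its own (as in the units above) does not block any address, and the audit therefore expects an IPAddressDeny= (typically IPAddressDeny=any) beside it. The sample unit texts and the 192.168.0.0/24 network are constructed for the example.

```python
"""Audit systemd socket/service units for LAN-only restrictions.

Added example; not from the original post. Unit texts and the LAN prefix
are constructed for the example.
"""
import ipaddress
import re

# Assumed internal network (the post uses 192.168.0.0/24).
LAN = ipaddress.ip_network("192.168.0.0/24")
# Symbolic names systemd accepts in IPAddressAllow=/IPAddressDeny=.
SYMBOLIC = {"any", "localhost", "link-local", "multicast"}


def parse_unit(text):
    """Parse unit text into {section: [(key, value), ...]}.

    systemd units are INI-like, but a key may repeat (several ListenStream=
    lines) and an empty value resets the key, so entries stay an ordered list.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def entries(sections, section, key):
    """Space-separated entries of a repeatable key, honouring empty-value resets."""
    out = []
    for k, v in sections.get(section, []):
        if k == key:
            out = [] if v == "" else out + v.split()
    return out


def listen_is_internal(spec):
    """True if a ListenStream=/ListenDatagram= value binds to an address in LAN.

    A bare port ("23") binds to the wildcard address, i.e. every interface.
    """
    if ":" not in spec:
        return False
    host, _, _port = spec.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")) in LAN
    except ValueError:
        return False


def audit_socket(text):
    """Findings for a .socket unit; an empty list means it is bound to the LAN only."""
    s = parse_unit(text)
    findings = []
    listens = entries(s, "Socket", "ListenStream") + entries(s, "Socket", "ListenDatagram")
    if not listens:
        findings.append("no ListenStream=/ListenDatagram= directive")
    elif not entries(s, "Socket", "BindToDevice") and not all(map(listen_is_internal, listens)):
        findings.append("listens on a wildcard address and has no BindToDevice=")
    return findings


def audit_service(text):
    """Findings for a .service unit's IP ACL; empty means LAN allow-list plus a deny list."""
    s = parse_unit(text)
    findings = []
    allows = entries(s, "Service", "IPAddressAllow")
    denies = entries(s, "Service", "IPAddressDeny")
    if not allows:
        findings.append("no IPAddressAllow=")
    if not denies:
        # Documented order: allow-list match grants, deny-list match refuses,
        # otherwise granted. With no deny list every address is granted.
        findings.append("IPAddressAllow= without IPAddressDeny= does not block anything")
    for entry in allows:
        if entry in SYMBOLIC:
            if entry == "any":
                findings.append("IPAddressAllow=any permits every address")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"unparseable IPAddressAllow= entry {entry!r}")
            continue
        if net.version != LAN.version or not net.subnet_of(LAN):
            findings.append(f"IPAddressAllow= entry {entry} is outside {LAN}")
    return findings


# Constructed sample units, modelled on the telnet and cvs units in the post.
TELNET_SOCKET = "[Socket]\nBindToDevice=enp3s0\nListenStream=23\nAccept=true\n"
TELNET_SERVICE = "[Service]\nIPAddressAllow=192.168.0.0/24\nExecStart=-/usr/sbin/in.telnetd\n"
HARDENED_SERVICE = "[Service]\nIPAddressDeny=any\nIPAddressAllow=192.168.0.0/24\nExecStart=-/usr/sbin/in.telnetd\n"
OPEN_CVS_SOCKET = "[Socket]\nListenStream=2401\nAccept=true\n"
LAN_CVS_SOCKET = "[Socket]\nListenStream=192.168.0.2:2401\nAccept=true\n"

if __name__ == "__main__":
    for name, text, check in [("telnet.socket", TELNET_SOCKET, audit_socket),
                              ("telnet@.service", TELNET_SERVICE, audit_service),
                              ("hardened telnet@.service", HARDENED_SERVICE, audit_service),
                              ("cvs.socket (wildcard)", OPEN_CVS_SOCKET, audit_socket),
                              ("cvs.socket (LAN address)", LAN_CVS_SOCKET, audit_socket)]:
        print(name, "->", check(text) or "ok")
```

Run it on the contents of the real unit files (`cat` them into the functions) to get the same findings; BindToDevice= and the address-bound ListenStream= both pass the socket check, while the service check only passes once a deny list accompanies the allow list.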

CVS: restrict by IP / NIC

[root@localhost ~]# cat /usr/lib/systemd/system/cvs.socket
[Unit]
Description=CVS Server Activation Socket
PartOf=cvs.target

[Socket]
#allow the external network
ListenStream=2401

#internal network only
#ListenStream=192.168.0.2:2401
Accept=true

[Install]
WantedBy=sockets.target

[root@localhost ~]# cat /usr/lib/systemd/system/cvs.target
[Unit]
Description=CVS Servers

[root@localhost ~]# cat /usr/lib/systemd/system/cvs@.service
[Unit]
Description=CVS Server
After=local-fs.target
PartOf=cvs.target

[Service]
Environment=HOME=/var/cvs
ExecStart=-/usr/bin/cvs -f --allow-root=/var/cvs pserver
StandardInput=socket

CVS sometimes has to be used from the external network; for internal-only use:

#internal network only
#ListenStream=192.168.0.2:2401

vsftpd, running in standalone mode

listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO

listen=YES enables standalone mode;

listen_ipv6 is turned off, otherwise it will not start.

Reference: "How to fix vsftp startup errors" (blog post by 唯独你的好 on CSDN)

DHCP: restrict by IP

[root@localhost ~]# cat /usr/lib/systemd/system/dhcpd.service
[Unit]
Description=DHCPv4 Server Daemon
Documentation=man:dhcpd(8) man:dhcpd.conf(5)
Wants=network-online.target
After=network-online.target
After=time-sync.target

[Service]
Type=notify
#ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

ExecStartPre=/bin/mkdir /run/dhcpd
ExecStartPre=/bin/touch /run/dhcpd/dhcpd.leases
ExecStartPre=/bin/chown -R dhcpd:dhcpd /run/dhcpd

ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -lf /run/dhcpd/dhcpd.leases -user dhcpd -group dhcpd --no-pid enp3s0

ExecStopPost=/bin/rm -fr /run/dhcpd


[Install]
WantedBy=multi-user.target


In the service file, change the ExecStart startup line to add the internal interface enp3s0 as a command-line argument:

ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -lf /run/dhcpd/dhcpd.leases -user dhcpd -group dhcpd --no-pid enp3s0

Samba: restrict by IP

[root@localhost ~]# cat /etc/samba/smb.conf
[global]
        workgroup = WORKGROUP

        netbios name = Samba
        server string = Samba Server Version %v

        bind interfaces only = Yes
        interfaces = lo enp3s0 192.168.0.2/24

        hosts allow = 127. 192.168.0.

Here the restriction to internal IPs is done by the smb.conf configuration file itself.

References:

systemd 235 released [LWN.net]

A first look at Linux systemd resource control (Linux systemd资源控制初探) - 舰队 - cnblogs (博客园)

systemd.socket Chinese manual (systemd.socket 中文手册) [金步国]

http://www.jinbuguo.com/systemd/systemd.resource-control.html
