分类: LINUX
2012-05-17 15:17:57
环境 CentOS 5.6 32bit
1,配置NFS Server
[root@mes-bk etc]# rpm -qa | grep nfs
nfs-utils-lib-1.0.8-7.6.el5
nfs-utils-1.0.9-50.el5
[root@mes-bk etc]# rpm -qa | grep portmap
portmap-4.0-65.2.2.1
[root@mes-bk etc]# chkconfig --list |grep nfs
nfs 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
nfslock 0:关闭 1:关闭 2:关闭 3:开启 4:开启 5:开启 6:关闭
[root@mes-bk etc]# chkconfig --level 2345 nfs on
[root@mes-bk etc]# chkconfig --list |grep nfs
nfs 0:关闭 1:关闭 2:开启 3:开启 4:开启 5:开启 6:关闭
nfslock 0:关闭 1:关闭 2:关闭 3:开启 4:开启 5:开启 6:关闭
[root@mes-bk backup]# vi /etc/exports //NFS主要配置文件
/backup 172.16.86.35(rw,no_root_squash,anonuid=510,anongid=501,sync) 172.16.86.36(rw,no_root_squash,anongid=520,anonuid=501,sync)
/* 由于一开始在root账户下测试,没有配置no_root_squash这个选项,结果在mount后,写入数据时,提示“Permission denied”,加上后重启NFS,问题解决。注意:no_root_squash 会让客户端的 root 直接拥有服务器上导出目录的 root 权限,只应对受信任的主机开放;更稳妥的做法是保留默认的 root_squash,把导出目录的属主改为 anonuid/anongid 所对应的用户和组 */
以下说明参考自:
参数值 |
内容说明 |
rw |
该目录分享的权限是可擦写 (read-write) 或只读 (read-only),但最终能不能读写,还是与文件系统的 rwx 及身份有关。 |
sync |
sync 代表数据会同步写入到内存与硬盘中,async 则代表数据会先暂存于内存当中,而非直接写入硬盘! |
no_root_squash |
客户端使用 NFS 文件系统的账号若为 root 时,系统该如何判断这个账号的身份?预设的情况下,客户端 root 的身份会由 root_squash 的设定压缩成 nfsnobody, 如此对服务器的系统会较有保障。但如果你想要开放客户端使用 root 身份来操作服务器的文件系统,那么这里就得要开 no_root_squash 才行! |
all_squash |
不论登入 NFS 的使用者身份为何, 他的身份都会被压缩成为匿名用户,通常也就是 nobody(nfsnobody) 啦! |
anonuid |
anon 意指 anonymous (匿名者) 前面关于 *_squash 提到的匿名用户的 UID 设定值,通常为 nobody(nfsnobody),但是你可以自行设定这个 UID 的值!当然,这个 UID 必需要存在于你的 /etc/passwd 当中! anonuid 指的是 UID 而 anongid 则是群组的 GID 啰。 |
[root@mes-bk etc]# service portmap start
[root@mes-bk etc]# service nfs start
正在启动 NFS 服务: [ 确定 ]
正在激活 NFS quotas: [ 确定 ]
正在启动 NFS 系统程序: [ 确定 ]
正在激活 NFS mountd: [ 确定 ]
[root@mes-bk backup]# showmount -e localhost
Export list for localhost:
/backup 172.16.86.36,172.16.86.35
2,配置针对NFS Server的防火墙
[root@mes-bk backup]# vi /etc/sysconfig/nfs
# Port rquotad should listen on.
RQUOTAD_PORT=875
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
其中 portmapper 和 nfs 服务的端口是固定的,分别是 111 和 2049。
另外 rquotad nlockmgr mountd 服务端口是随机的。由于端口是随机的,这导致防火墙无法设置。
这时需要配置/etc/sysconfig/nfs 使 rquotad nlockmgr mountd 的端口固定。
找到上述几项,将前面的#号去掉。
[root@mes-bk backup]# rpcinfo -p localhost
程序采用的协议连接阜
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 907 status
100024 1 tcp 910 status
100011 1 udp 897 rquotad
100011 2 udp 897 rquotad
100011 1 tcp 900 rquotad
100011 2 tcp 900 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 47851 nlockmgr
100021 3 udp 47851 nlockmgr
100021 4 udp 47851 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 56501 nlockmgr
100021 3 tcp 56501 nlockmgr
100021 4 tcp 56501 nlockmgr
100005 1 udp 911 mountd
100005 1 tcp 914 mountd
100005 2 udp 911 mountd
100005 2 tcp 914 mountd
100005 3 udp 911 mountd
100005 3 tcp 914 mountd
[root@mes-bk backup]# service nfs restart
正在关闭 NFS mountd: [ 确定 ]
正在停止 NFS 系统程序: [ 确定 ]
正在关闭 NFS 磁盘配额: [ 确定 ]
正在关闭 NFS 服务: [ 确定 ]
正在启动 NFS 服务: [ 确定 ]
正在激活 NFS quotas: [ 确定 ]
正在启动 NFS 系统程序: [ 确定 ]
正在激活 NFS mountd: [ 确定 ]
[root@mes-bk backup]# rpcinfo -p localhost
程序采用的协议连接阜
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 907 status
100024 1 tcp 910 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 32769 nlockmgr
100021 3 udp 32769 nlockmgr
100021 4 udp 32769 nlockmgr
100021 1 tcp 32803 nlockmgr
100021 3 tcp 32803 nlockmgr
100021 4 tcp 32803 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
[root@mes-bk backup]#
[root@mes-bk backup]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
[root@mes-bk backup]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
/* 因为原来已经将tcp 111,2049和udp 111加入防火墙,这里就不添加了。注意:udp 2049 并未放行(rpcinfo 中 nfs 同时注册了 udp 2049),若客户端以 proto=udp 挂载会被拒绝 */
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p tcp --dport 875 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p udp --dport 875 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p tcp --dport 892 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p udp --dport 892 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p tcp --dport 32769 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p udp --dport 32769 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p tcp --dport 32803 -j ACCEPT
[root@mes-bk backup]# iptables -I INPUT -s 172.16.86.0/24 -p udp --dport 32803 -j ACCEPT
[root@mes-bk backup]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 172.16.86.0/24 anywhere udp dpt:32803
ACCEPT tcp -- 172.16.86.0/24 anywhere tcp dpt:32803
ACCEPT udp -- 172.16.86.0/24 anywhere udp dpt:filenet-rpc
ACCEPT tcp -- 172.16.86.0/24 anywhere tcp dpt:filenet-rpc
ACCEPT udp -- 172.16.86.0/24 anywhere udp dpt:892
ACCEPT tcp -- 172.16.86.0/24 anywhere tcp dpt:892
ACCEPT udp -- 172.16.86.0/24 anywhere udp dpt:875
ACCEPT tcp -- 172.16.86.0/24 anywhere tcp dpt:875
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@mes-bk backup]# iptables-save > /etc/sysconfig/iptables
客户端:
[root@szdmdb /]# mkdir -p /backup
[root@szdmdb /]# mount -t nfs 172.16.86.61:/backup /backup
[root@szdmdb /]# vi /etc/fstab
172.16.86.61:/backup /backup nfs defaults 0 0