    IN NS localhost.
l IN A localhost.
tech.ilinux.org. IN NS ns.tech.ilinux.org.
ns.tech.ilinux.org. IN A 172.16.22.2
$TTL 86400
@ IN SOA ns.ilinux.org. admin.ilinux.org. (
        2011083001
        1H
        10M
        7D
        1D )
  IN NS ns.ilinux.org.
; 172.16.zone is assumed to be the 16.172.in-addr.arpa zone, so the host part of
; 172.16.22.1 is written in reverse order, 1.22 (not 22.1)
1.22 IN PTR ns.ilinux.org.
1.22 IN PTR mail.ilinux.org.
1.22 IN PTR www1.ilinux.org.
1.22 IN PTR www2.ilinux.org.
1.22 IN PTR proxy.ilinux.org.
A forward zone needs no data file, so the DNS service part of the configuration is now complete!
# named-checkconf ;check the configuration file syntax
# named-checkzone ilinux.org ilinux.zone ;check zone file syntax (zone name first, then the file; not listing every one)
# chmod 644 /etc/named.conf
# chown :named /etc/named.conf
# chmod --reference=/etc/named.conf 172.16.zone ilinux.zone named.local localhost.zone
# chgrp --reference=/etc/named.conf 172.16.zone ilinux.zone named.local localhost.zone
# service named start
# vim /etc/resolv.conf
nameserver 172.16.22.1
# dig -t A www1.ilinux.org
Do a quick test here; to be sure everything is right, test as completely as you can.
iptables access control
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p udp --dport 53 -j REJECT
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 53 -j REJECT
Note: in the RHCE exam do it this way. The default policy is ACCEPT, not DROP, and the target after -j must be explicitly REJECT.
Do not use DROP!!
2. sshd access control. Get familiar with the options in sshd's configuration file /etc/ssh/sshd_config; by default only protocol version 2 is offered.
Access control methods: iptables or TCP wrappers. Both are given here; use whichever you prefer!
iptables:
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.22.1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 172.16.22.1 -p tcp --dport 22 -j REJECT
TCP wrappers:
# vim /etc/hosts.allow
sshd: 172.16.0.0/255.255.0.0
# vim /etc/hosts.deny
sshd: ALL
# service sshd restart
3. The samba service was briefly introduced in an earlier post, so I won't repeat it; let's see how to do the question!
# yum install samba
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
# mkdir /data
# vim /etc/samba/smb.conf
workgroup = ilinux
[shared]
comment = My Share
path = /data
write list = +develop
browseable = yes
public = yes
hosts allow = 172.16. 127.
# testparm
# groupadd develop
# useradd -G develop gentoo
# echo "gentoo" | passwd --stdin gentoo
# smbpasswd -a gentoo
Note: further users can be added the same way; I won't write out each one.
# chcon -t samba_share_t /data
# setfacl -m g:develop:rwx /data
# service smb start
# chkconfig smb on
# smbclient -L 172.16.22.1 -U gentoo
# smbclient //172.16.22.1/shared -U gentoo
4. NFS file sharing
# vim /etc/exports
/data 172.16.0.0/16(ro)
Fixed port settings:
# vim /etc/sysconfig/nfs ;set the port options in it to fixed ports; anything above 8000 is generally fine. /etc/services shows which ports other common services already use.
# service nfs start
# rpcinfo -p localhost ;check that the services are running and which ports they use
# chkconfig nfs on
5.
# yum install httpd
# vim /etc/httpd/conf/httpd.conf
Comment out the global DocumentRoot.
Enable name-based virtual hosts on 172.16.22.1:80 and define the two hosts:
NameVirtualHost 172.16.22.1:80
<VirtualHost 172.16.22.1:80>
    ServerName www1.ilinux.org
    DocumentRoot "/var/www/html/www1"
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" combined
    <Directory "/var/www/html/www1">
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from 172.16.0.0/16
    </Directory>
</VirtualHost>
<VirtualHost 172.16.22.1:80>
    ServerName www2.ilinux.org
    DocumentRoot "/var/www/html/www2"
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" combined
    <Directory "/var/www/html/www2">
        Options None
        AllowOverride None
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
# mkdir -pv /var/www/html/www{1,2}
# echo www1.ilinux.org > /var/www/html/www1/index.html
# echo www2.ilinux.org > /var/www/html/www2/index.html
# service httpd start
# chkconfig httpd on
6. Here we use postfix
# yum install postfix
# service sendmail stop
# chkconfig sendmail off
# rpm -e sendmail --nodeps
# vim /etc/postfix/main.cf
myhostname = mail.ilinux.org
mydomain = ilinux.org
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost, $mydomain, mail.$mydomain
mynetworks = 172.16.0.0/16,127.0.0.0/8
smtpd_client_restrictions = hash:/etc/postfix/client
smtpd_sender_restrictions = hash:/etc/postfix/sender
######### add the following to enable cyrus-sasl based authentication #############
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP,Warning: Version not Available!
# vim /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
# service saslauthd start
# chkconfig saslauthd on
# vim /etc/sysconfig/saslauthd
MECH=shadow
# vim /etc/postfix/client
172.16.22.10 REJECT
# postmap /etc/postfix/client
# vim /etc/postfix/sender
ubuntu@ REJECT
# postmap /etc/postfix/sender
# vim /etc/aliases
ubuntu: gentoo
customers: gentoo, centos
# newaliases
# service postfix start
# hostname mail.ilinux.org
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 25 -j REJECT
;Note: this works, and the same restriction can instead be written in /etc/postfix/client
# telnet mail.ilinux.org 25 ;a quick test; do the detailed testing yourselves, I won't write it all out!
mail from:ubuntu@ilinux.org
RCPT TO:gentoo@ilinux.org
If the following line appears, the restriction that stops the ubuntu user from sending mail is working:
554 5.7.1 : Sender address rejected: Access denied
Do the other tests yourselves; typing these out one by one is slow.....
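As an added example that is not part of the original post, this script reproduces the key order Postfix uses when it consults access tables such as /etc/postfix/client and /etc/postfix/sender (full address, domain and parent domains, then user@; full IP, then shorter network prefixes), which is why the ubuntu@ entry rejects ubuntu@ilinux.org; the two tables are constructed inline, and DUNNO stands for "no entry found", after which Postfix moves on to the next restriction.

```shell
# Constructed tables with the same entries as /etc/postfix/client and /etc/postfix/sender
CLIENT_MAP='172.16.22.10 REJECT'
SENDER_MAP='ubuntu@ REJECT'

# map_get "TABLE" KEY -> prints the action stored for KEY (nothing when absent)
map_get() {
    printf '%s\n' "$1" | while read -r key action; do
        if [ "$key" = "$2" ]; then echo "$action"; fi
    done
}

# first_hit "TABLE" KEY... -> the action of the first key present, else DUNNO
# (DUNNO is what a restriction yields when no entry matches: decide nothing, move on)
first_hit() {
    table=$1; shift
    for k in "$@"; do
        r=$(map_get "$table" "$k")
        if [ -n "$r" ]; then echo "$r"; return 0; fi
    done
    echo DUNNO
}

# sender_keys user@domain -> keys tried for an address, in Postfix's order (with the
# default parent_domain_matches_subdomains): full address, domain and parents, then user@
sender_keys() {
    addr=$1; d=${addr#*@}; keys=$addr
    while [ -n "$d" ]; do
        keys="$keys $d"
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    echo "$keys ${addr%@*}@"
}

# client_keys A.B.C.D -> the address, then each shorter network prefix (172.16.22, 172.16, 172)
client_keys() {
    ip=$1; keys=$ip
    while [ "${ip%.*}" != "$ip" ]; do
        ip=${ip%.*}; keys="$keys $ip"
    done
    echo "$keys"
}

# The decision each restriction from the post would reach for a given sender or client
sender_check() { first_hit "$SENDER_MAP" $(sender_keys "$1"); }
client_check() { first_hit "$CLIENT_MAP" $(client_keys "$1"); }

sender_check ubuntu@ilinux.org   # REJECT, matched on the user@ key
client_check 172.16.22.10        # REJECT
```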
7.
# yum install dovecot
# vim /etc/dovecot.conf
protocols = pop3
# service dovecot start
# chkconfig dovecot on
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 110 -j REJECT
# telnet pop3.ilinux.org 110
8.
# vim /etc/vsftpd/vsftpd.conf
Accept control by TCP wrappers:
tcp_wrappers=YES
# vim /etc/hosts.allow
vsftpd: 172.16.0.0/255.255.0.0
# vim /etc/hosts.deny
vsftpd: ALL
# getsebool -a | grep ftp
# setsebool -P ftp_home_dir=1
# service vsftpd start
# chkconfig vsftpd on
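As an added example (not from the original post), the following script reproduces how libwrap evaluates the hosts.allow and hosts.deny entries used for sshd in section 2 and for vsftpd above, so the allow-first, then deny, then default-allow order can be checked offline; the file contents are constructed inline rather than read from /etc.

```shell
# Constructed file contents, same entries as the post's sshd and vsftpd sections
HOSTS_ALLOW='sshd: 172.16.0.0/255.255.0.0
vsftpd: 172.16.0.0/255.255.0.0'
HOSTS_DENY='sshd: ALL
vsftpd: ALL'

# ip2int A.B.C.D -> the address as a 32-bit integer, for netmask arithmetic
ip2int() {
    oIFS=$IFS; IFS=.; set -- $1; IFS=$oIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_client PATTERN IP -> status 0 if PATTERN covers IP.
# Handles ALL, net/mask, a dotted prefix such as 172.16. and an exact address.
match_client() {
    case $1 in
        ALL) return 0 ;;
        */*) net=$(ip2int "${1%/*}"); mask=$(ip2int "${1#*/}"); ip=$(ip2int "$2")
             [ $(( ip & mask )) -eq $(( net & mask )) ] && return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_file "CONTENTS" DAEMON IP -> status 0 if some "daemons : clients" line matches
match_file() {
    printf '%s\n' "$1" | {
        while IFS=: read -r daemons clients; do
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                if [ "$d" = "$2" ] || [ "$d" = ALL ]; then
                    for c in $(printf '%s' "$clients" | tr ',' ' '); do
                        if match_client "$c" "$3"; then exit 0; fi
                    done
                fi
            done
        done
        exit 1
    }
}

# hosts_access DAEMON IP -> prints allow or deny in libwrap's order: a hosts.allow
# match grants, else a hosts.deny match refuses, else access is granted by default.
# That default is why "sshd: ALL" in hosts.deny is what gives the allow list its effect.
hosts_access() {
    if match_file "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif match_file "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

Calling hosts_access sshd 172.16.22.10 prints allow and hosts_access sshd 192.168.0.5 prints deny, while a daemon with no entries in either file (for example httpd) is allowed from anywhere.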
9. The way the certificate is generated here must not be used in production; it is purely for fun! It can be used in the RHCE exam, though, to save time, and it is hard to get wrong!
# cd /etc/pki/tls/certs
# make dovecot.pem
# vim /etc/dovecot.conf
ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/certs/dovecot.pem
protocols = pop3 imaps
# service dovecot restart
# mutt -f imaps://imaps.ilinux.org ;test
# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.22.1 -p tcp --dport 993 -j ACCEPT
# iptables -A INPUT -d 172.16.22.1 -p tcp --dport 993 -j REJECT
10.
# yum install mod_ssl
# cd /etc/pki/tls/certs
# make httpd.pem
# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/www2"
ServerName www2.ilinux.org
SSLCertificateFile /etc/pki/tls/certs/httpd.pem
SSLCertificateKeyFile /etc/pki/tls/certs/httpd.pem
# service httpd restart
# chkconfig httpd on
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 443 -j REJECT
11.
# yum install php php-mbstring php-mysql mysql-server
# vim /var/www/html/www1/index.html
<?php
phpinfo();
?>
# mv !$ /var/www/html/www1/index.php
# mysqladmin -uroot password '123456' ;there are two methods; the second is shown below
# service mysqld start
# chkconfig mysqld on
# mysql
mysql>set password for root@localhost=PASSWORD('123456');
mysql>set password for root@'127.0.0.1'=PASSWORD('123456');
mysql>\q
# tar zxvf phpMyAdmin-2.11.10-all-languages.tar.gz -C /var/www/html
# cd !$
# mv phpMyAdmin-2.11.10-all-languages phpmyadmin
# cp config.sample.inc.php config.inc.php
# vim !$
$cfg['blowfish_secret'] = 'put any random string here';
# rpm -ivh libmcrypt-2.5.7-5.el5.i386.rpm
# vim /etc/httpd/conf/httpd.conf
Define inside the virtual host:
Alias /phpmyadmin "/var/www/html/phpmyadmin" ;an extra step; it is simplest to just put it under /var/www/html/www1/phpmyadmin
# service httpd restart
12.
# vim /etc/httpd/conf/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php (add index.php to this directive)
User authentication: add the following to the file
# vim /etc/httpd/conf/.webgrps
mygrp: user1 user2 user3 user4
# groupadd mygrp
AllowOverride AuthConfig
AuthName "Auth web"
AuthType Basic
AuthUserFile /etc/httpd/conf/.webuser
AuthGroupFile /etc/httpd/conf/.webgrps
Require group mygrp
AuthName is the prompt text, AuthType the authentication scheme, AuthUserFile and AuthGroupFile the user and group files, and Require group the group allowed in after authentication.
Write up the details yourselves! I'm on someone else's wireless and he's fiddling with the router right now... saving this and going to bed! I haven't done the two design questions below yet; I'll add them once I've worked them out! All of the answers above were typed by hand and basically not tested in a VM! If there are mistakes, please point them out!