Samba File Server
(i) Introduction
Intranet file server
(ii) Ports
smbd: provides file and resource access for clients, TCP 139 and 445
nmbd: provides NetBIOS host name resolution, UDP 137 and 138
(iii) Installation: relevant packages
samba: main package, must be installed on the server
samba-common: common tools and library files
samba-client: client tools
(iv) Related files
/etc/samba/smb.conf: configuration file (lines starting with # or ; are comments)
(v) Server-side configuration
vi /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = description of the server
log file = location of the log file
max log size = maximum log size in KB
security = user security level:
 user: clients log on with a Samba user. Note: Samba users are created from system users; to make a user a Samba user, that user must already exist as a system user
 share: no password is required
 server: authentication is delegated to an authentication server
Share Definitions: share settings
[share name]
comment = description of the directory
browseable = yes whether the share is visible to users
writeable = yes writable (combined with the permissions of the directory on the system)
valid users = user name restricts access to the listed user (the directory should be owned by that user)
path = /www location of the shared directory
Lab 1: share /movie with security level share
1) Modify the configuration file
#vim /etc/samba/smb.conf
security = share
[movie]
comment = dianying
path = /movie
browseable = yes
guest ok = yes
writable = yes
2) Set up the shared directory /movie on the system
#mkdir /movie
#chmod 777 /movie
#cd /movie
#touch tianqi.avi moshou.avi
Shut down the firewall
#setup
Turn off SELinux
#vim /etc/selinux/config
SELINUX=disabled
#reboot
Start the service
#service smb start
#service nmb start
#netstat -tlun
Test: \\192.168.149.251
Lab 2: share /pub and /soft with security level user
1) Modify the configuration file
#vim /etc/samba/smb.conf
security = user
[pub]
comment = public
path = /pub
browseable = yes
writable = yes
[soft]
comment = software
path = /soft
browseable = yes
writable = yes
2) Set up the shared directories on the system
#mkdir /pub
#mkdir /soft
#chmod 777 /pub
#chmod 700 /soft
#useradd aa
#passwd aa
#chown aa /soft
3) Add Samba users
#smbpasswd -a aa
#smbpasswd -a tianqi
#pdbedit -L
Restart the service
#service smb restart
#service nmb restart
Test:
Windows: \\192.168.149.251
net use * /del
Linux: #smbclient //192.168.149.254/soft -U aa
(vi) Declaring system users as Samba users
smbpasswd -a system_user_name
smbpasswd -a aa
smbpasswd -x user_name deletes a Samba user
pdbedit -L lists Samba users
(vii) Restart the service
service smb restart
service nmb restart
Note: where Samba permissions and system permissions differ, the most restrictive one applies
A Samba user must be a system user
The service that is started is smb
(viii) Client use
Windows: open the shared directory as \\server_IP
net use * /del deletes cached connections
Linux client:
smbclient //192.168.140.253/soft -U aa
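The share settings in (v), the two labs, and the note in (vii) that the most restrictive of Samba and system permissions wins are easiest to check with a small audit script. The following is an added example, not part of these notes or of Samba: it parses an smb.conf in the format shown above, flags the settings a file-server admin should not leave in place (security = share, writable shares with guest ok = yes, writable shares without a valid users list), and computes the effective access a user gets from the share definition plus the directory mode. The sample smb.conf is constructed from the lab fragments; group permissions and the read only parameter are deliberately not modelled (assumptions).

```python
import re
import stat

# Constructed sample (not the notes' real server): the [movie] share of Lab 1 and
# the [soft] share of Lab 2 under one [global] that still uses security = share.
SAMPLE_SMB_CONF = """\
# comment lines start with # or ;
[global]
   workgroup = WORKGROUP
   server string = lab file server
   security = share
   log file = /var/log/samba/%m.log
   max log size = 50

[movie]
   comment = dianying
   path = /movie
   browseable = yes
   guest ok = yes
   writable = yes

[soft]
   comment = software
   path = /soft
   browseable = yes
   writable = yes
   valid users = aa
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}, keys and values lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def is_writable(share):
    # smb.conf accepts both spellings; "read only = no" is not handled here (assumption)
    return share.get("writable", share.get("writeable", "no")) == "yes"


def samba_allows(share, user, guest=False):
    """Samba's half of the decision: (may open the share, may write to it)."""
    valid = [u.strip() for u in share.get("valid users", "").split(",") if u.strip()]
    if guest:
        can_open = share.get("guest ok", "no") == "yes"
    else:
        can_open = not valid or user in valid
    return can_open, can_open and is_writable(share)


def system_allows(dir_mode, owner, user):
    """The filesystem's half: (read bit, write bit) of the share directory for `user`.
    Only the owner and "other" classes are modelled; group membership is ignored (assumption)."""
    if user == owner:
        return bool(dir_mode & stat.S_IRUSR), bool(dir_mode & stat.S_IWUSR)
    return bool(dir_mode & stat.S_IROTH), bool(dir_mode & stat.S_IWOTH)


def effective_access(share, dir_mode, owner, user, guest=False):
    """'rw', 'ro' or 'none': the more restrictive of Samba and system permissions wins."""
    s_open, s_write = samba_allows(share, user, guest)
    f_read, f_write = system_allows(dir_mode, owner, user)
    if not (s_open and f_read):
        return "none"
    return "rw" if (s_write and f_write) else "ro"


def audit(conf):
    """Return findings for settings a file-server admin should not leave in place."""
    findings = []
    if conf.get("global", {}).get("security") == "share":
        findings.append("global: security = share gives no per-user authentication (deprecated; use security = user)")
    for name, share in conf.items():
        if name == "global":
            continue
        if is_writable(share) and share.get("guest ok", "no") == "yes":
            findings.append(f"[{name}]: anonymous (guest) users can write to the share")
        if is_writable(share) and "valid users" not in share:
            findings.append(f"[{name}]: writable by every Samba user (no valid users list)")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in audit(conf):
        print("FINDING:", f)
    # chmod 700 /soft owned by aa: aa gets rw, everyone else gets nothing
    print("aa on /soft:", effective_access(conf["soft"], 0o700, "aa", "aa"))
    print("tianqi on /soft:", effective_access(conf["soft"], 0o700, "aa", "tianqi"))
    # /movie with chmod 777 is guest-writable; with chmod 755 the directory mode overrides writable = yes
    print("guest on /movie (777):", effective_access(conf["movie"], 0o777, "root", "nobody", guest=True))
    print("guest on /movie (755):", effective_access(conf["movie"], 0o755, "root", "nobody", guest=True))
```

The last two lines of the demo are the (vii) note in action: the share says writable = yes in both cases, but with mode 755 the filesystem only grants read to "other", so a guest ends up read-only.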
Firewall configuration
I. Brief introduction
1 Functions:
Separate the intranet from the external network
Separate the servers that need protection
2 Classification
1) Packet filtering
Analyses whether the IP, port and MAC address conform to the rules; if they do, the packet is accepted
Whether a packet may pass the firewall is decided by source port, source IP, source MAC, specific packet marks, and destination port, IP and MAC
2) Proxy server
3 Firewall limitations
1) A firewall does not effectively prevent viruses and trojans
2) Firewalls usually have no rules for internal access, so they are ineffective against attacks from inside
4 Firewall configuration principles
Deny everything, allow individually
Allow everything, deny individually
5 Common Linux firewalls
kernel 2.4: iptables
kernel 2.2: ipchains
II. The iptables firewall
1 Structure
Table -> Chain -> Rules
2 Tables
filter table: packet filtering
nat table: network address translation
mangle table: special packet marking
3 Chains
filter table: INPUT OUTPUT FORWARD
III. Basic iptables syntax
1 Viewing and clearing rules
iptables [-t table] [option] [-n]
Options:
-L list the rules
-F flush all rules
-X delete custom chains
-Z zero the counters of all chains
-n show ports and IPs numerically (no name resolution)
iptables -t nat -L
view the rules in the nat table
iptables -L
view the rules in the filter table
2 Defining the default policy
iptables [-t table] -P chain ACCEPT|DROP
-P (uppercase) defines the default policy
iptables -t filter -P INPUT DROP
Note: do not lock yourself out of the server; set the default policy last.
3 IP and NIC interface settings
iptables [-A|-I chain] [-i|-o interface] [-p protocol] [-s source IP] [-d destination IP] -j action
-A append: the rule is added at the end of the chain
-I INPUT 2 inserts this rule into the INPUT chain as rule number 2
-D chain number deletes the rule with the given number from the chain
iptables -D INPUT 2 deletes the second rule of the INPUT chain
-i eth0 specifies the inbound interface (defined on the INPUT chain)
-o eth0 specifies the outbound interface (defined on the OUTPUT chain)
-p protocol: tcp, udp, icmp, all
-j action: ACCEPT, DROP
iptables -A INPUT -i lo -j ACCEPT
allows the local loopback interface to communicate in the INPUT chain
iptables -A INPUT -i eth0 -s 192.168.140.254 -j ACCEPT
allows 192.168.140.254 in on eth0
iptables -A INPUT -i eth0 -s 192.168.140.0/24 -j DROP
denies the rest of the 192.168.140.0/24 segment (rules are matched in order, so the ACCEPT for .254 must come first)
4 Setting port access
iptables -A INPUT -i eth0 -p protocol -s source IP --sport source port -d destination IP --dport destination port -j action
iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 22 -j DROP
iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 137:139 -j ACCEPT
When a port is specified the protocol cannot be all; the exact protocol must be given
5 Module invocation
1)
-m module_name module_options loads an iptables function module
-m state --state ESTABLISHED,RELATED
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
state module: common states are ESTABLISHED (connection already set up successfully) and RELATED (packets related to an existing connection, such as return traffic)
2)
-m mac --mac-source restricts access by MAC address
iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
denies access from one MAC address
3)
-m string --string "string to match in the packet"
iptables -A FORWARD -p udp --dport 53 -m string --string "Tencent" --algo kmp -j DROP
blocks QQ login over DNS
--algo selects the pattern matching algorithm; kmp and bm are supported, either may be chosen
6 Simple firewall
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
7 Starting the firewall service at boot
chkconfig iptables on
8 Loading firewall rules at boot
1) service iptables save
saves the rules to the file /etc/sysconfig/iptables, which is read automatically after a reboot
2) write a firewall script by hand
for example vi /root/iptables.rule
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
give it execute permission: chmod 755 /root/iptables.rule
run it at boot: vi /etc/rc.local
add the line /root/iptables.rule
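Sections 2, 3, 6 and 8 all depend on two facts about iptables that are easy to get wrong: rules in a chain are tried in order and the first match decides, and the -P policy applies only when nothing matches. The following is an added example, not part of these notes or of the iptables project: it replays a rule script such as /root/iptables.rule into an in-memory chain and evaluates sample packets against it, so the ordering of the .254 ACCEPT before the /24 DROP, and the "do not lock yourself out" check before setting -P INPUT DROP, can be verified offline before the script is run as root. The script text and the packets are constructed inputs; only the options used in these notes (-F, -P, -A, -I, -i, -p, -s, --dport, -m state --state) are understood, and the packet model carries a conntrack state instead of real connection tracking (assumptions).

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed input: the text of the /root/iptables.rule script from section 8
# (identical to the "simple firewall" of section 6).
FIREWALL_SCRIPT = """\
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
"""

# Constructed input: the two ordered rules from section 3 (allow .254, then drop the /24).
ORDER_DEMO = """\
iptables -A INPUT -i eth0 -s 192.168.140.254 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.140.0/24 -j DROP
"""


@dataclass
class Packet:
    iface: str = "eth0"
    proto: str = "tcp"
    src: str = "10.0.0.1"
    dport: int = 0
    state: str = "NEW"      # conntrack state as the state module would see it


@dataclass
class Rule:
    match: dict
    target: str


def parse_ports(spec):
    """'22' -> (22, 22); '137:139' -> (137, 139)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def load_script(text):
    """Replay iptables commands into {chain: {"rules": [...], "policy": ...}}, keeping rule order."""
    chains = {"INPUT": {"rules": [], "policy": "ACCEPT"}}   # built-in default policy is ACCEPT
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "iptables":
            continue
        cmd, args = argv[1], argv[2:]
        if cmd == "-F":
            for chain in chains.values():
                chain["rules"].clear()
            continue
        chain = chains.setdefault(args[0], {"rules": [], "policy": "ACCEPT"})
        if cmd == "-P":
            chain["policy"] = args[1]
            continue
        if cmd not in ("-A", "-I"):
            raise ValueError(f"unsupported command {cmd}")
        rest, pos = args[1:], 0
        if cmd == "-I" and rest and rest[0].isdigit():     # "-I INPUT 2": becomes rule 2
            pos, rest = int(rest[0]) - 1, rest[1:]
        match, target = {}, None
        for opt, val in zip(rest[::2], rest[1::2]):
            if opt == "-j":
                target = val
            elif opt == "-i":
                match["iface"] = val
            elif opt == "-p":
                match["proto"] = val.lower()
            elif opt == "-s":
                match["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport":
                match["dport"] = parse_ports(val)
            elif opt == "--state":
                match["state"] = set(val.upper().split(","))
            elif opt != "-m":                               # -m only names the module; skip it
                raise ValueError(f"unsupported option {opt}")
        chain["rules"].insert(pos if cmd == "-I" else len(chain["rules"]), Rule(match, target))
    return chains


def matches(rule, pkt):
    m = rule.match
    return all((
        m.get("iface", pkt.iface) == pkt.iface,
        m.get("proto", "all") in ("all", pkt.proto),
        "src" not in m or ipaddress.ip_address(pkt.src) in m["src"],
        "dport" not in m or m["dport"][0] <= pkt.dport <= m["dport"][1],
        "state" not in m or pkt.state.upper() in m["state"],
    ))


def evaluate(chains, pkt, chain="INPUT"):
    """First matching rule decides; with no match the chain's -P policy applies."""
    for rule in chains[chain]["rules"]:
        if matches(rule, pkt):
            return rule.target
    return chains[chain]["policy"]


def admin_can_ssh(chains, admin_ip, port=22):
    """The 'do not lock yourself out' check: is a new SSH connection from the admin still accepted?"""
    return evaluate(chains, Packet(src=admin_ip, dport=port, state="NEW")) == "ACCEPT"


if __name__ == "__main__":
    fw = load_script(FIREWALL_SCRIPT)
    for pkt in (Packet(dport=22), Packet(dport=3306), Packet(proto="udp", dport=80), Packet(iface="lo", dport=3306)):
        print(pkt, "->", evaluate(fw, pkt))
    print("admin can still SSH:", admin_can_ssh(fw, "192.168.140.10"))
    demo = load_script(ORDER_DEMO)
    print(".254 ->", evaluate(demo, Packet(src="192.168.140.254")), " .10 ->", evaluate(demo, Packet(src="192.168.140.10")))
```

Running the loader over a script before adding it to /etc/rc.local is a cheap way to catch the lockout the note in section 2 warns about: if admin_can_ssh returns False, the -P INPUT DROP line would cut off the session that applies it. Swapping the two lines of ORDER_DEMO makes .254 hit the DROP first, which is the ordering point from section 3.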
Linux (6): Samba servers and firewalls