
Rocky Linux-0090-Tutorial-DNS-Private Domain Name Resolution with Bind-06

Date: 2023-02-20 09:24:01 | Source: Website Building Knowledge

0、Background

CentOS 8 has reached end of maintenance; Rocky Linux is the future~

Starting from this post, I am translating the Rocky Linux domain name resolution guides~

(1) Articles in this series

格瑞图: Rocky Linux-0001~0011-Tutorial-Custom Kernel

格瑞图: Rocky Linux-0012~0024-Tutorial-Contributing to the Documentation

格瑞图: Rocky Linux-0025~0034-Tutorial-Automation

格瑞图: Rocky Linux-0034~0043-Tutorial-File Synchronization

格瑞图: Rocky Linux-0044~0051-Tutorial-Content Management

格瑞图: Rocky Linux-0053~0053-Tutorial-Communication Services

格瑞图: Rocky Linux-0054~0082-Tutorial-Container Technology

格瑞图: Rocky Linux-0083-0084-Tutorial-Databases

格瑞图: Rocky Linux-0085-Tutorial-DNS-Private Domain Name Resolution with Bind-01

格瑞图: Rocky Linux-0086-Tutorial-DNS-Private Domain Name Resolution with Bind-02

格瑞图: Rocky Linux-0087-Tutorial-DNS-Private Domain Name Resolution with Bind-03

格瑞图: Rocky Linux-0088-Tutorial-DNS-Private Domain Name Resolution with Bind-04

格瑞图: Rocky Linux-0089-Tutorial-DNS-Private Domain Name Resolution with Bind-05

A、8.6 Firewall Rules

First, create a file in /etc called "firewall.conf" that will contain the following rules. This is a bare minimum rule set, and you may need to tweak it for your environment:

#!/bin/sh
#
#IPTABLES=/usr/sbin/iptables
# Unless specified, the default for OUTPUT is ACCEPT
# The default for FORWARD and INPUT is DROP
#
echo " clearing any existing rules and setting default policy.."
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# dns rules
iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/service iptables save
Let's evaluate the rules above:

The first "iptables" line flushes the rules that are currently loaded in the INPUT chain (-F).

Next, we set a default policy of DROP for the INPUT chain. This means that if traffic is not explicitly allowed here, it is dropped.

Next, we have an SSH rule for our local network, so that we can get into the DNS server remotely.

Then we have our DNS allow rule, only for our local network. Note that DNS uses the UDP protocol (User Datagram Protocol).

Next we allow INPUT from the local (loopback) interface.

Then, if a connection has already been established for something else, we allow the related packets in as well.

And finally we reject everything else.

The last line tells iptables to save the rules so that when the machine restarts, the rules will load as well.

Once our firewall.conf file is created, we need to make it executable:

chmod +x /etc/firewall.conf

Then run it:

/etc/firewall.conf

And this is what you should get in return. If you get something else, take a look at your script for errors:

clearing any existing rules and setting default policy..
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

(2) Adding The Firewall Rules - firewalld

With firewalld, we are duplicating the rules highlighted in iptables above. We aren't making any other assumptions about the network or services that might be needed. We are turning on SSH access and DNS access for our LAN network only. For this, we will use the firewalld built-in zone, "trusted". We will also have to make some service changes to the "public" zone in order to limit SSH access to the LAN.

The first step is to add our LAN network to the "trusted" zone:

firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent

Next, we need to add our two services to the "trusted" zone:

firewall-cmd --zone=trusted --add-service=ssh --permanent
firewall-cmd --zone=trusted --add-service=dns --permanent

Finally, we need to remove the SSH service from our "public" zone, where it is on by default:

firewall-cmd --zone=public --remove-service=ssh --permanent

Next, reload the firewall and then list out the zones that we've made changes to:

firewall-cmd --reload
firewall-cmd --zone=trusted --list-all

Which should show that you have correctly added the services and the source network:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Listing out the "public" zone should show that SSH access is no longer allowed:

firewall-cmd --zone=public --list-all

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

These rules should get you DNS resolution on your private DNS server from hosts on the 192.168.1.0/24 network. In addition, you should be able to SSH from any of those hosts into your private DNS server.
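A small check for the firewalld end state described above, added here as an example (it is not part of the Rocky Linux documentation): it parses the `firewall-cmd --zone=... --list-all` listing format shown in this section and confirms that the LAN source plus the dns and ssh services are in "trusted" and that ssh has been removed from "public". The two listings are constructed from the expected output above so the script runs offline; on a live host you would pass the real command output instead.

```shell
#!/bin/sh
# Added example, not from the Rocky Linux docs: verify the firewalld target state of
# the tutorial by parsing `firewall-cmd --zone=... --list-all` output.
# The two listings below are constructed from the tutorial's expected output so the
# script runs offline; see the last comment for the live-host form.

TRUSTED_LISTING='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  sources: 192.168.1.0/24
  services: dns ssh
  forward: no
  rich rules:'

PUBLIC_LISTING='public
  target: default
  icmp-block-inversion: no
  sources:
  services: cockpit dhcpv6-client
  forward: no
  rich rules:'

# zone_field LISTING FIELD: print the value after "FIELD:" (empty if the field is unset)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_has_item LISTING FIELD ITEM: succeed if ITEM is one of the space-separated values
zone_has_item() {
    for tok in $(zone_field "$1" "$2"); do
        [ "$tok" = "$3" ] && return 0
    done
    return 1
}

# check_dns_server_zones TRUSTED_LISTING PUBLIC_LISTING: succeed only when the LAN
# source plus dns and ssh are in "trusted" and ssh is no longer in "public"
check_dns_server_zones() {
    zone_has_item "$1" sources 192.168.1.0/24 || { echo "trusted: LAN source missing"; return 1; }
    zone_has_item "$1" services dns || { echo "trusted: dns service missing"; return 1; }
    zone_has_item "$1" services ssh || { echo "trusted: ssh service missing"; return 1; }
    if zone_has_item "$2" services ssh; then echo "public: ssh still allowed"; return 1; fi
    echo "firewalld zones match the tutorial's target state"
}

# Live host: check_dns_server_zones "$(firewall-cmd --zone=trusted --list-all)" \
#                                   "$(firewall-cmd --zone=public --list-all)"
check_dns_server_zones "$TRUSTED_LISTING" "$PUBLIC_LISTING"
```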

B、Conclusions

While using /etc/hosts on an individual workstation will get you access to a machine on your internal network, you can only use it on that one machine. By adding a private DNS server using bind, you can add hosts to the DNS, and as long as the workstations have access to that private DNS server, they will be able to get to these local servers.

If you don't need machines to resolve on the Internet, but do need local access from several machines to local servers, then consider using a private DNS server instead.

Last update: October 11, 2022
Author: Steven Spencer
Contributors: Ezequiel Bruni

N、Postscript

Munnar, India

Keywords: private, tutorial
