Telnet tftp cvs 等IP限制在CentOS 7 Systemd的使用

本文主要是介绍Telnet tftp cvs 等IP限制在CentOS 7 Systemd的使用，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

单片机还是需要telnet和tftp的。家里的这台服务器也提供外网接口开放，这两个服务不方便对外开放。以前telnet用xinet绑定指定网卡和限制IP访问。CentOS开始使用systemd作为telnet启动，规矩和以前不一样了。记录一下

原理：

          Service units acquired two new options IPAddressAllow= andIPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,for configuring a simple IP access control list for all sockets ofthe unit. These options are available also on .slice and .socketunits, permitting flexible access list configuration for individualservices as well as groups of services (as defined by a slice unit),including system-wide. Note that IP ACLs configured this way areenforced on every single IPv4 and IPv6 socket created by any processof the service unit, and apply to ingress as well as egress traffic.

添加service unit增加两个选项：IPAddressAllow / IPAddressDeny，和 socket 里增加 BindToDeivce命令。

telnet修改，限制 IP/网卡

[root@sh ~]# cat /usr/lib/systemd/system/telnet@.service
[Unit]
Description=Telnet Server
After=local-fs.target[Service]
#Modified,Modified,Modified
IPAddressAllow=192.168.0.0/24ExecStart=-/usr/sbin/in.telnetd
StandardInput=socket[root@sh ~]# cat /usr/lib/systemd/system/telnet.socket 
[Unit]
Description=Telnet Server Activation Socket
Documentation=man:telnetd(8)[Socket]
#Modified,Modified,Modified
BindToDevice=enp3s0ListenStream=23
Accept=true[Install]
WantedBy=sockets.target
[root@sh ~]# 

tftp  的修改，限制 IP/网卡

[root@sh ~]# cat /usr/lib/systemd/system/tftp.socket 
[Unit]
Description=Tftp Server Activation Socket[Socket]
#Modified,Modified,Modified
BindToDevice=enp3s0
ListenDatagram=69[Install]
WantedBy=sockets.target[root@sh ~]# cat /usr/lib/systemd/system/tftp.service 
[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
StandardInput=socket#Modified,Modified,Modified
IPAddressAllow=192.168.0.0/24[Install]
Also=tftp.socket
[root@sh ~]# 

分别在Socket文件的 [Socket] 段落增加了
BindToDevice=enp3s0 （内网设备名）
或 #ListenStream=192.168.0.2:2401 

在service文件的 [Service] 段落增加了
IPAddressAllow=192.168.0.0/24

两个限制。

CVS 限制 IP/网卡

[root@localhost ~]# cat /usr/lib/systemd/system/cvs.socket
[Unit]
Description=CVS Server Activation Socket
PartOf=cvs.target[Socket]
#允许外网 
ListenStream=2401#仅允许内网
#ListenStream=192.168.0.2:2401
Accept=true[Install]
WantedBy=sockets.target[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#cat /usr/lib/systemd/system/cvs.target
[Unit]
Description=CVS Servers[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#cat /usr/lib/systemd/system/cvs@.service
[Unit]
Description=CVS Server
After=local-fs.target
PartOf=cvs.target[Service]
Environment=HOME=/var/cvs
ExecStart=-/usr/bin/cvs -f --allow-root=/var/cvs pserver
StandardInput=socket

CVS有时需要在外网使用，如果是内网：

#仅允许内网
#ListenStream=192.168.0.2:2401

 vsftp，standalone 模式运行

listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO

listen=YES，开启standalone模式；

listen_ipv6关闭，否则启动不起来。

参考：关于vsftp启动报错的解决办法_唯独你的好的博客-CSDN博客

DHCP，限制IP

[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#cat /usr/lib/systemd/system/dhcpd.service
[Unit]
Description=DHCPv4 Server Daemon
Documentation=man:dhcpd(8) man:dhcpd.conf(5)
Wants=network-online.target
After=network-online.target
After=time-sync.target[Service]
Type=notify
#ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pidExecStartPre=/bin/mkdir /run/dhcpd
ExecStartPre=/bin/touch /run/dhcpd/dhcpd.leases
ExecStartPre=/bin/chown -R dhcpd:dhcpd /run/dhcpdExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -lf /run/dhcpd/dhcpd.leases -user dhcpd -group dhcpd --no-pid enp3s0ExecStopPost=/bin/rm -fr /run/dhcpd[Install]
WantedBy=multi-user.target

修改 services文件的启动参数 ExecStart，增加命令行参数，内网接口 enp3s0

ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -lf /run/dhcpd/dhcpd.leases -user dhcpd -group dhcpd --no-pid enp3s0

Samba，限制IP

[root@localhost ~]# cat /etc/samba/smb.conf
[global]workgroup = WORKGROUPnetbios name = Sambaserver string = Samba Server Version %vbind interfaces only = Yesinterfaces = lo enp3s0 192.168.0.2/24hosts allow = 127. 192.168.0.

这个就靠 smb.conf 配置文件本身来限制内网IP
 

参考：systemd 235 released [LWN.net]

Linux systemd资源控制初探 - 舰队 - 博客园

systemd.socket 中文手册 [金步国]

http://www.jinbuguo.com/systemd/systemd.resource-control.html
C

这篇关于Telnet tftp cvs 等IP限制在CentOS 7 Systemd的使用的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---