[root@kvm8 ~]# vim /etc/sysconfig/iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT ###################################################### -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT ###################################################### -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
[root@kvm8 ~]# vim /etc/sysconfig/iptables ###################################################### -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 192.168.122.0/24 -j ACCEPT ######################################################
[root@kvm8 ~]# /etc/init.d/iptables restart
[root@kvm8 ~]# chkconfig iptables on
[root@kvm8 ~]# echo 'kvm8.deyu.wang test' > /var/www/html/index.html ## selinux 管制 ## 1. 直接在 /var/www/html 目錄下產生檔案,其 selinux type 會自動繼承為 #### httpd_sys_content_t,不必變更 type 即可存取。 ## 2. 若從其他目錄(例如 /root)複製檔案到 /var/www/html 下, #### selinux type 仍為原先設定(可用 ls -Z 確認),必須變更 type 才能存取。 #### 注意: chcon 的變更在檔案系統 relabel (restorecon) 後會還原,需持久化時應改用 semanage fcontext 設定。 [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /var/www/html/ ## 從 deyu.wang (dyH) 測試網頁 [root@dyH ~]# wget http://kvm8.deyu.wang 100%[======================================>] 20 --.-K/s in 0s 2013-08-01 18:50:59 (2.39 MB/s) - “index.html” saved [20/20] [root@dyH ~]# cat index.html kvm8.deyu.wang test
[root@kvm8 ~]# echo 'www.deyu.wang test' > /var/www/virtual/index.html ## 從 deyu.wang (dyH) 測試網頁: www.deyu.wang 只允許 kvm8.deyu.wang 存取,因此預期回應 403 [root@dyH ~]# wget http://www.deyu.wang --2013-08-01 18:53:26-- http://www.deyu.wang/ Resolving www.deyu.wang... 192.168.122.8 Connecting to www.deyu.wang|192.168.122.8|:80... connected. HTTP request sent, awaiting response... 403 Forbidden 2013-08-01 18:53:26 ERROR 403: Forbidden. ## 從 kvm8.deyu.wang 測試網頁,應可正常存取 [root@kvm8 ~]# wget http://www.deyu.wang 100%[======================================>] 19 --.-K/s in 0s [root@kvm8 ~]# cat index.html www.deyu.wang test
[root@kvm8 ~]# mkdir /home/deyu1/public_html [root@kvm8 ~]# echo 'userdir test' > /home/deyu1/public_html/index.html [root@kvm8 ~]# chown deyu1.deyu1 -R /home/deyu1/public_html ## 放寬家目錄權限: httpd 程序需能讀取並進入 /home/deyu1 (other 需 r-x),才能服務 public_html 下的檔案 [root@kvm8 ~]# ll -d /home/deyu1 drwx------. 5 deyu1 deyu1 1024 Aug 1 19:49 /home/deyu1 [root@kvm8 ~]# chmod a+r /home/deyu1 [root@kvm8 ~]# ll -d /home/deyu1 drwxr-xr-x. 5 deyu1 deyu1 1024 Aug 1 19:49 /home/deyu1 ## 檢查 selinux 模式與檔案 type [root@kvm8 ~]# getenforce Enforcing [root@kvm8 ~]# ll -Z /home/deyu1/public_html/ -rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 index.html ## selinux 管控: index.html 的 type 為 user_home_t,httpd 無法讀取,故回應 403 [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1 --2013-08-01 19:51:57-- http://www.deyu.wang/~deyu1 Resolving www.deyu.wang... 192.168.122.8 Connecting to www.deyu.wang|192.168.122.8|:80... connected. HTTP request sent, awaiting response... 403 Forbidden 2013-08-01 19:51:57 ERROR 403: Forbidden. ## 變更 selinux type 為 httpd_sys_content_t (chcon 不具持久性,relabel 後會還原) [root@kvm8 ~]# chcon -R -t httpd_sys_content_t /home/deyu1/public_html [root@kvm8 ~]# ll -Z /home/deyu1/public_html/ -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html ## 從 kvm8.deyu.wang 測試網頁,變更 type 後即可存取 [root@kvm8 ~]# wget http://www.deyu.wang/~deyu1 100%[======================================>] 13 --.-K/s in 0s [root@kvm8 ~]# cat index.html userdir test
[root@kvm8 ~]# getsebool -a | grep http allow_httpd_anon_write --> off allow_httpd_mod_auth_ntlm_winbind --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> on httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_read_user_content --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_tmp_exec --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_gpg --> off httpd_use_nfs --> off