Dual-NIC Configuration

Created
Mar 30, 2022 10:30 AM
Tags
centos
windows
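CentOS dual-NIC configuration: the internal NIC reaches internal services, and the external NIC reaches public Internet services.
For example, the internal NIC is enp0s20u10 and the external NIC is enp5s0.
The internal network requires 802.1X authentication, which ifcfg itself does not support, so wpa_supplicant is used to provide it.
The external network simply uses the default DHCP.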
```
# Configure the external NIC
vi /etc/sysconfig/network-scripts/ifcfg-enp5s0
####################################################################################
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp5s0
UUID=fd411c07-066e-372a-91fc-d85a42bd767c
DEVICE=enp5s0
ONBOOT=yes
```
/etc/sysconfig/network-scripts/ifcfg-enp5s0
```
# Internal NIC: configure wpa_supplicant to use 802.1X authentication
vi /etc/wpa_supplicant/wpa_supplicant.conf
####################################################################################
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="zhangsan"
    password="12345"
    phase2="autheap=GTC"
}
```
/etc/wpa_supplicant/wpa_supplicant.conf
```
# Create /etc/init.d/wpa_network to bring up the internal NIC
vi /etc/init.d/wpa_network
####################################################################################
#!/bin/bash
# chkconfig: 2345 10 90
# description: Wired 802.1X network access
DEV_IN="enp0s20u10"
DEV_OUT="enp5s0"

# Remove a stale control socket left by a previous run, if any
rm "/var/run/wpa_supplicant/$DEV_IN" || true
# Start wpa_supplicant in the background with the wired driver
wpa_supplicant -B -i "$DEV_IN" -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired
# Wait for 802.1X authentication to finish before adding routes
sleep 10
route add -net 10.0.0.0/8 gw 10.18.86.1 metric 100 dev "$DEV_IN"
route add -net 172.16.0.0/12 gw 10.18.86.1 metric 100 dev "$DEV_IN"
route add -host 10.18.105.19/32 gw 192.168.137.1 metric 100 dev "$DEV_OUT"
########################################################################
# Stop running network at boot and run wpa_network at boot instead
chkconfig --del network
chmod 755 /etc/init.d/wpa_network
chkconfig --add wpa_network
```
```
# Disable DNS updates and use the manually configured local DNS service
# Change the gateway priority of the NICs: the external NIC has higher priority than the internal one
vi /etc/NetworkManager/NetworkManager.conf
####################################################################################
[main]
dns=none

[connection-enp-outside]
match-device=mac:00:23:24:92:53:86
ipv4.route-metric=50

[connection-enp-local]
match-device=mac:00:0e:c6:c0:a9:7e
ipv4.route-metric=51
```
```
# Install named and edit the named configuration file
vi /etc/named.conf
####################################################################################
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        forward first;
        forwarders { 8.8.8.8; };

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.conf.domain";

# Edit the custom resolution configuration file
vi /etc/named.conf.domain
####################################################################################
zone "test.com" {
        type forward;
        forward only;
        forwarders { 10.19.3.200; };
};
####################################################################################
# Edit the DNS file to use the local named service
vi /etc/resolv.conf
####################################################################################
nameserver 127.0.0.1
```
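The named.conf above combines `listen-on port 53 { any; }`, `allow-query { any; }` and `recursion yes`, which is the case the stock comment in that file warns about, while /etc/resolv.conf only ever queries 127.0.0.1. The script below is an added example, not part of the original page: it flags that combination in a named.conf. The function names and regular expressions are this example's own, and it assumes no comment markers appear inside quoted strings.

```shell
#!/bin/sh
# Added example (not from the original page): flag a named.conf that describes
# an open recursive resolver. Assumes no '#', '//' or '/*' inside quoted strings.

# Print the configuration on one line with #, // and /* */ comments removed.
strip_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (inblock) {
                e = index(line, "*/")
                if (e == 0) { line = "" } else { line = substr(line, e + 2); inblock = 0 }
            } else if (match(line, "/\\*|//|#")) {
                out = out substr(line, 1, RSTART - 1)
                inblock = (substr(line, RSTART, 2) == "/*")
                line = inblock ? substr(line, RSTART + 2) : ""
            } else { out = out line; line = "" }
        }
        printf "%s ", out
    }' "$1"
}

B='(^|[;{}[:space:]])'                        # statement boundary
ARGS='([[:space:]][^{;]*)?\{'                 # optional "port 53", then "{"
ANY='([^}]*[;[:space:]])?any[[:space:]]*;'    # the built-in "any" ACL in the list
LOOP='[[:space:]]*127\.0\.0\.1[[:space:]]*;[[:space:]]*\}'

# Exit status 0 when file $1 is an open recursive resolver, 1 otherwise.
is_open_resolver() {
    conf=$(strip_comments "$1")
    has()   { printf '%s\n' "$conf" | grep -Eq "$1"; }
    count() { printf '%s\n' "$conf" | grep -Eo "$1" | wc -l; }
    # recursion defaults to yes; only an explicit "no" turns it off
    has "${B}recursion[[:space:]]+no[[:space:]]*;" && return 1
    # listen-on defaults to every interface; fine only if each one is 127.0.0.1
    listen=$(count "${B}listen-on${ARGS}")
    loop=$(count "${B}listen-on${ARGS}${LOOP}")
    [ "$listen" -gt 0 ] && [ "$listen" -eq "$loop" ] && return 1
    # allow-recursion falls back to allow-query-cache, then allow-query
    for acl in allow-recursion allow-query-cache allow-query; do
        if has "${B}${acl}${ARGS}"; then
            has "${B}${acl}${ARGS}${ANY}"; return
        fi
    done
    return 1    # nothing set: the default ACL is localnets; localhost;
}

# Usage: sh check_named.sh /etc/named.conf
[ -z "${1:-}" ] || { is_open_resolver "$1" && echo "OPEN RESOLVER: $1" || echo "ok: $1"; }
```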
Windows dual-NIC sharing: go straight to [Network Adapter Settings] and enable sharing on the primary NIC.
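By default, sharing does not start automatically after a reboot; making it start automatically requires a registry change. Open regedit, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedAccess, and create a new DWORD named EnableRebootPersistConnection with the value 1.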