AlmaLinux network configuration

Changing the hostname

nmcli general hostname <hostname>

Static IP configuration

Check the network device name

# nmcli device
DEVICE  TYPE      STATE      CONNECTION 
enp2s0  ethernet  connected  enp2s0     
lo      loopback  unmanaged  --

Check the current network settings

If ipv4.method is auto, the address is obtained automatically; if it is manual, a static IP is used.

# nmcli -f ipv4 con show enp2s0
ipv4.method:                            auto
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.link-local:                        0 (default)
ipv4.dhcp-reject-servers:               --

Set the static IP

nmcli con mod enp2s0 ipv4.addresses 192.168.103.102/24
nmcli con mod enp2s0 ipv4.gateway 192.168.103.1
nmcli con mod enp2s0 ipv4.dns 192.168.103.1
nmcli con mod enp2s0 ipv4.dns "1.1.1.1 8.8.8.8"
nmcli con mod enp2s0 ipv4.method manual
nmcli con down enp2s0 ; nmcli con up enp2s0

Setting up SSH key authentication

Create the key pair

# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hoge/.ssh/id_rsa): 
Created directory '/home/hoge/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/hoge/.ssh/id_rsa
Your public key has been saved in /home/hoge/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:k/ZLABW3Dm1F7MBDXww71B3T34nGAUx3uig4ofWkIgI hoge@localhost.localdomain
The key's randomart image is:
+---[RSA 4096]----+
|        o+==*=.=o|
|       . o+*o+= +|
|E     .o..++=.o +|
|.     o.*=  o=..o|
| . . o +So....   |
|  . . ...+.      |
|          o      |
|         . .     |
|          .      |
+----[SHA256]-----+

Rename the key and set permissions

mv .ssh/id_rsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

Once the private key (id_rsa) has been transferred to the host side by some means, delete it.

rm .ssh/id_rsa

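Enable public key authentication

Allow public key authentication and prohibit password authentication in /etc/ssh/sshd_config

# Allow public key authentication
PubkeyAuthentication yes
# Prohibit password authentication
PasswordAuthentication no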

Restart sshd to apply the settings

systemctl restart sshd.service
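
The check below is an added example, not part of the original page: sshd uses the first value it reads for each keyword, so the two lines above have no effect if an earlier line or included file already sets PasswordAuthentication. The drop-in file name and both config excerpts are constructed, and the layout (an Include near the top of sshd_config) is an assumption about the server.

```shell
#!/bin/sh
# Added example (not from the original page). sshd_config(5): for each
# keyword the first obtained value is used, and an Include is read at the
# point where it appears, so an earlier line shadows a later one.

# effective_value KEYWORD < config-text
# Prints the first global value of KEYWORD (lower-cased), or nothing.
# Handles the whitespace-separated "Keyword value" form only.
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }                  # global section ends at first Match
        key == want { print tolower($2); exit }  # first value wins
    '
}

# password_auth_disabled < config-text
# Succeeds only on an explicit "no"; an absent keyword means the sshd default (yes).
password_auth_disabled() {
    [ "$(effective_value PasswordAuthentication)" = "no" ]
}

# Constructed sample: a drop-in pulled in by an Include near the top.
dropin='# 50-example.conf (constructed)
PasswordAuthentication yes'

# Constructed sample: the two lines from this page, later in the main file.
main='# sshd_config excerpt (constructed)
PubkeyAuthentication yes
PasswordAuthentication no'

# The order sshd reads them in under the assumption above.
merged_config() { printf '%s\n%s\n' "$dropin" "$main"; }

if merged_config | password_auth_disabled; then
    echo "OK: password authentication is disabled"
else
    echo "WARN: effective PasswordAuthentication is '$(merged_config | effective_value PasswordAuthentication)'"
fi

# On the real server, ask sshd itself (as root) after editing:
#   sshd -t && sshd -T | grep -Ei '^(pubkeyauthentication|passwordauthentication) '
```

Run the `sshd -T` line from a second session before closing the one you are logged in with, so a mistake in the configuration does not lock you out.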

Firewall configuration

Check the current firewall settings

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Remove unneeded services

firewall-cmd --remove-service=cockpit --permanent
firewall-cmd --remove-service=dhcpv6-client --permanent

Add HTTP (80/tcp) and HTTPS (443/tcp) to the firewall

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent

Reload the firewall settings

firewall-cmd --reload

Disabling SELinux

Change the SELINUX setting in /etc/selinux/config from "enforcing" to "disabled"

#SELINUX=enforcing
SELINUX=disabled

Reboot

shutdown -r now
