🌐 Networking

Rocky Linux Networking

Configure production-ready network services on Rocky Linux 9: DHCP, DNS, firewalld zone management and NFS file sharing, all with SELinux enforcing.

Rocky Linux 9.x | SELinux supported | Covers 4 services
DHCP Server configuration on Rocky Linux 9
Networking · DHCP

DHCP Server Setup

The dhcp-server package on Rocky Linux provides ISC DHCP — the most widely deployed DHCP server in enterprise environments. Subnets, dynamic ranges, static reservations and DNS options are all configured in a single dhcpd.conf file.

Install dhcp-server
[root@rocky ~]$ dnf install -y dhcp-server
[root@rocky ~]$ systemctl enable --now dhcpd
/etc/dhcp/dhcpd.conf — basic subnet
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers 192.168.1.1;
  option domain-name-servers 8.8.8.8, 8.8.4.4;
  default-lease-time 86400;
}
Static host reservation by MAC
host webserver {
  hardware ethernet aa:bb:cc:dd:ee:ff;
  fixed-address 192.168.1.50;
}
Open firewall for DHCP
[root@rocky ~]$ firewall-cmd --permanent --add-service=dhcp
[root@rocky ~]$ firewall-cmd --reload
success
💡 Tip: Test your config before restarting: dhcpd -t -cf /etc/dhcp/dhcpd.conf. Watch active leases in real time with tail -f /var/lib/dhcpd/dhcpd.leases.
Networking · Firewall

Firewalld — Zone-Based Packet Filtering

Rocky Linux ships with firewalld using an nftables backend. It manages rules through named zones — each network interface is assigned a zone that determines which traffic is allowed. This is far more manageable than raw iptables at scale.

Common firewall-cmd operations
# List active zones
[root@rocky ~]$ firewall-cmd --get-active-zones
public
  interfaces: eth0
 
# Allow specific port
[root@rocky ~]$ firewall-cmd --permanent --add-port=8080/tcp
 
# Allow from specific subnet only
[root@rocky ~]$ firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 service name=mysql accept'
 
[root@rocky ~]$ firewall-cmd --reload
⚠️ Always use --permanent: rules added without --permanent only change the running configuration and are lost on reload or reboot. After adding permanent rules, always run firewall-cmd --reload so they take effect.

Default Zones

Zone      Behaviour
drop      All incoming dropped silently
block     Incoming rejected with ICMP
public    Public-facing interface (default)
external  Masqueraded external routing
internal  Internal LAN — more trusted
trusted   All traffic accepted

DNS Query Flow

1. Client: sends query for rocky-server.local
2. named (BIND9): checks local zone file first
3. Forwarder: passes unknown queries upstream
4. Response: returns A record to client
Networking · DNS

BIND9 DNS Server

Install bind and bind-utils to run an authoritative and/or caching DNS server on your Rocky Linux host. Suitable for internal name resolution in isolated networks or as a forwarding resolver.

Install and enable BIND9
[root@rocky ~]$ dnf install -y bind bind-utils
[root@rocky ~]$ systemctl enable --now named
/etc/named.conf — key sections
options {
  listen-on { 127.0.0.1; 192.168.1.1; };
  allow-query { localhost; 192.168.1.0/24; };
  forwarders { 8.8.8.8; 8.8.4.4; };
  recursion yes;
};
 
zone "local.example.com" IN {
  type master;
  file "/var/named/local.example.com.zone";
};
Test DNS resolution
[root@rocky ~]$ named-checkconf
[root@rocky ~]$ dig @localhost rocky-server.local.example.com
Networking · NFS

NFS Server — Network File Sharing

NFS (Network File System) lets you share directories from a Rocky Linux server across your network. Clients mount the share as if it were a local disk. Rocky 9 supports NFSv4 with Kerberos authentication for secure deployments.

Install and configure NFS server
[root@rocky ~]$ dnf install -y nfs-utils
[root@rocky ~]$ systemctl enable --now nfs-server rpcbind
 
# Define exports in /etc/exports
[root@rocky ~]$ echo "/data/shared 192.168.1.0/24(rw,sync,no_root_squash)" >> /etc/exports
[root@rocky ~]$ exportfs -arv
exporting 192.168.1.0/24:/data/shared
Client-side mount
[root@client ~]$ mount -t nfs 192.168.1.10:/data/shared /mnt/nfs
# Persist in /etc/fstab:
192.168.1.10:/data/shared /mnt/nfs nfs defaults,_netdev 0 0
💡 SELinux tip: If NFS exports fail with permission errors, make sure the boolean is enabled with setsebool -P nfs_export_all_rw 1 and verify the file contexts with ls -Z /data/shared.
NFS Export Options

Option           Effect
rw               Read-write access for clients
ro               Read-only — safer for public shares
sync             Write to disk before replying
no_root_squash   Root on client = root on server
all_squash       Map all users to anonymous
anonuid/anongid  UID/GID for squashed users
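A defender's check tied to the export options above, written for this page as an added example (not the project's or the author's code): a POSIX sh function that scans an /etc/exports-style file and warns about entries with no client list, wildcard clients, and no_root_squash. The policy it enforces and the sample file are constructed for the example.

```shell
#!/bin/sh
# audit_exports FILE
# Prints one WARN line for each risky entry in an /etc/exports-style file.
# Policy checked here (hypothetical, chosen for this example): an entry with no
# client list, a wildcard client "*", and the no_root_squash option, which makes
# root on the client equal to root on the server.
audit_exports() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                                   # no glob expansion of "*"
        set -- $line                             # split into path + client specs
        set +f
        if [ $# -eq 0 ]; then continue; fi       # blank or whitespace-only line
        case "$1" in \#*) continue ;; esac       # comment line
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "WARN $path: no client list, so any host may mount it"
            continue
        fi
        for spec in "$@"; do
            client=${spec%%\(*}                  # host or subnet before "("
            opts=${spec#"$client"}               # "(rw,sync,...)" or empty
            case "$client" in
                \*) echo "WARN $path: wildcard client '*' matches every host" ;;
            esac
            case "$opts" in
                *no_root_squash*) echo "WARN $path ($client): no_root_squash lets client root act as server root" ;;
            esac
        done
    done < "$file"
}

# count_warnings FILE: number of WARN lines, handy for a pass/fail check
count_warnings() { audit_exports "$1" | wc -l | tr -d ' '; }

# Constructed sample exports file: the page's /data/shared line plus weaker entries
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample exports (constructed for this example)
/data/shared 192.168.1.0/24(rw,sync,no_root_squash)
/srv/public  *(ro,sync,all_squash)
/srv/backup
/srv/app 10.0.0.5(rw,sync,root_squash)
EOF
audit_exports "$sample"        # prints three WARN lines
rm -f "$sample"
```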

Need help configuring your network?

Our team designs and deploys complete Rocky Linux network environments: DHCP, DNS, firewall policy and NFS, tested and production-ready.