2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Lab in this chapter: ACL extended access control list details
- allow win10-1 to access the web service on Linux
- prohibit win10-1 from accessing the other services on Linux
- allow win10-1 to access the win10-2 host
1. Configure GNS3
Three hosts, one router
Win10-1: bind VMnet1 network card
Win10-2: bind VMnet2 network card
Linux: bind the VMnet8 network card (this is the server under test)
F0/0:192.168.1.1/24
F1/0:192.168.2.1/24
F0/1: 192.168.100.1/24
2. Configure the Linux server: install the two services, VSFTPD and HTTPD

```
[root@localhost ~]# yum install vsftpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.cn99.com
 * updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:3.0.2-25.el7 will be installed
--> Finished Dependency Resolution
...
[root@localhost ~]# yum install httpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.cn99.com
 * updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
...
```

3. Bind the Linux server to the VMnet8 network card
4. Set the Linux server to a static IP address

```
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=849aa04e-1874-490f-8cb0-b2fde4b9a6f8
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
[root@localhost ~]# systemctl restart network
```

Restart the network service so the new address takes effect.

5. Bind network cards to win10-1 and win10-2
6. win10-2: set a fixed IP address
7. win10-1: set a fixed IP address
8. Go back to GNS3 and configure the router addresses

```
R1#conf t
R1(config)# int f0/0
R1(config-if)# ip add 192.168.1.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 192.168.100.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f1/0
R1(config-if)# ip add 192.168.2.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# ex
R1(config)# do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
C    192.168.100.0/24 is directly connected, FastEthernet0/1
```

9. Turn off the win10-1 and win10-2 firewalls.
10. Use win10-2 to ping win10-1 and check that it gets replies

```
C:\Users\CHEN> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=19ms TTL=127
Reply from 192.168.1.2: bytes=32 time=18ms TTL=127
Reply from 192.168.1.2: bytes=32 time=14ms TTL=127
Reply from 192.168.1.2: bytes=32 time=15ms TTL=127
```

11. Start the two services on Linux and write the contents of two test files

```
[root@localhost chen]# systemctl stop firewalld.service
[root@localhost chen]# setenforce 0
[root@localhost chen]# cd /var/www/html
[root@localhost html]# vim index.html
this is test web
[root@localhost html]# ls
index.html
[root@localhost html]# systemctl start httpd
[root@localhost html]# systemctl start vsftpd
[root@localhost html]# cd /var/ftp
[root@localhost ftp]# ls
pub
[root@localhost ftp]# echo "this is ftp" > ftp.txt
[root@localhost ftp]# ls
ftp.txt  pub
[root@localhost ftp]# netstat -nuap | egrep '(21|80)'
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1380/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1380/dnsmasq
```

Note that `netstat -nuap` lists only UDP sockets, so the two dnsmasq lines above matched merely because the PID 1380 contains "80"; to confirm that httpd and vsftpd are actually listening on TCP 80 and 21, check the TCP listeners instead, for example with `ss -ntlp` or `netstat -ntlp | egrep ':(21|80) '`.

12. Go to win10-1 and test whether it can reach 192.168.100.100; before the ACL is applied, both services should be accessible.
13. Back in GNS3, configure the ACL extended access control list

```
R1#conf t
R1(config)# access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
```

Extended access lists use the numbers 100-199. This entry permits the TCP protocol from the fixed address 192.168.1.2 to 192.168.100.100 on port 80; the port can be written as the name www or as the number 80.

```
R1(config)# do show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
R1(config)# access-list 100 deny ip host 192.168.1.2 host 192.168.100.100
R1(config)# do show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
    20 deny ip host 192.168.1.2 host 192.168.100.100
R1(config)# access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)# do show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
    20 deny ip host 192.168.1.2 host 192.168.100.100
    30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)# int f0/0
R1(config-if)# ip access-group 100 in
```

`do show access-list` displays the access control list after each change. The list is applied on the interface closest to the restricted party (F0/0, where win10-1 connects), in the inbound direction. Entries are matched from top to bottom and every extended ACL ends with an implicit deny, so win10-1 reaches only what entries 10 and 30 permit; anything else it sends through F0/0 is dropped. After the ACL extended access control list is configured, test whether win10-1 can still access the FTP service.
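As an added illustration (not part of the original lab), the following Python script models how R1 evaluates access-list 100 for traffic entering F0/0: the first matching entry wins, and anything no entry covers is dropped by the implicit deny at the end. The win10-2 address 192.168.2.2 and the extra destination 192.168.100.200 are constructed values, not from the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (wildcard mask)
    dst: str
    dport: Optional[int] = None  # destination port; None means any port

def match_addr(spec, addr):
    """Match addr against an ACL address spec; a wildcard bit of 1 means 'don't care'."""
    if spec == "any":
        return True
    kind, value = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if kind == "host":
        return a == int(ipaddress.IPv4Address(value))
    net = int(ipaddress.IPv4Address(kind))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(value))  # bits that must match exactly
    return (a & care) == (net & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; the implicit deny at the end is reported as ('deny', None)."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and match_addr(ace.src, src)
                and match_addr(ace.dst, dst) and ace.dport in (None, dport)):
            return ace.action, ace.seq
    return "deny", None

# access-list 100 exactly as entered on R1 in step 13 ("eq www" is port 80)
ACL_100 = [
    Ace(10, "permit", "tcp", "host 192.168.1.2", "host 192.168.100.100", 80),
    Ace(20, "deny",   "ip",  "host 192.168.1.2", "host 192.168.100.100"),
    Ace(30, "permit", "ip",  "host 192.168.1.2", "192.168.2.0 0.0.0.255"),
]

def lab_checks():
    """Traffic from win10-1 (192.168.1.2) entering F0/0; 192.168.2.2 is an assumed win10-2 address."""
    return {
        "web":     evaluate(ACL_100, "tcp",  "192.168.1.2", "192.168.100.100", 80),
        "ftp":     evaluate(ACL_100, "tcp",  "192.168.1.2", "192.168.100.100", 21),
        "win10-2": evaluate(ACL_100, "icmp", "192.168.1.2", "192.168.2.2"),
        # matched by no entry at all: dropped by the implicit deny, not by entry 20
        "other":   evaluate(ACL_100, "tcp",  "192.168.1.2", "192.168.100.200", 80),
    }
```

Running lab_checks() shows the web request permitted by entry 10, FTP denied by entry 20, the ping to win10-2 permitted by entry 30, and the constructed 192.168.100.200 case denied with no entry number, which is the implicit deny.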
Our experiment was successful.