2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Deployment of practice environment
Server: one Linux virtual machine (CentOS 7)
Client: two Windows 10 virtual machines (win10-1, win10-2)
Topological structure diagram
Practice steps
Step 1: install the services on the Linux server that will be used to verify the ACL effect
1. Install the services over the network
    yum install httpd -y     # install the web service
    yum install vsftpd -y    # install the ftp service
2. Create the test files used for verification
    [root@192 ~]# cd /var/www/html/                       # enter the web site directory
    [root@192 html]# vim index.html                       # edit the web content file and write the line below
    this is test web
    [root@192 ftp]# cd /var/ftp/                          # enter the ftp directory
    [root@192 ftp]# echo "this is test ftp" > test.txt    # write the content to the test file
    [root@192 ftp]# cat test.txt                          # view the file content
    this is test ftp
3. Turn off the security features and start the services
    [root@192 ~]# systemctl start httpd                   # start the web service
    [root@192 ~]# systemctl start vsftpd                  # start the ftp service
    [root@192 ~]# systemctl stop firewalld.service        # stop the host firewall
    [root@192 ~]# setenforce 0                            # set SELinux to permissive mode
    [root@192 ~]# netstat -ntap | egrep '(21|80)'         # view the service port status
    tcp6       0      0 :::80        :::*        LISTEN      3293/httpd
    tcp6       0      0 :::21        :::*        LISTEN      3312/vsftpd
Step 2: adjust the network connection mode
1. Bind a static IP address to the Linux server and set its NIC to host-only mode
    [root@192 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33    # edit the NIC configuration file
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    # replace dhcp with static (static mode)
    BOOTPROTO=static
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=ens33
    UUID=88cf4975-29b8-4041-9cb0-456a56d1fddb
    DEVICE=ens33
    ONBOOT=yes
    # set the IP address
    IPADDR=192.168.100.100
    # set the subnet mask
    NETMASK=255.255.255.0
    # set the gateway IP address
    GATEWAY=192.168.100.1
    [root@192 ~]# systemctl restart network               # restart the network service
2. Manually configure the IP addresses on the clients and turn off their firewalls
(1) configure the IP address of win10-1
(2) configure the IP address of win10-2
(3) turn off the firewall
Step 3: configure router R1
    R1#conf t
    R1(config)#int f0/0
    R1(config-if)#ip add 192.168.1.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#int f0/1
    R1(config-if)#ip add 192.168.100.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#int f1/0
    R1(config-if)#ip add 192.168.2.1 255.255.255.0
    R1(config-if)#no shut
    R1(config-if)#do show ip route
    C    192.168.1.0/24 is directly connected, FastEthernet0/0
    C    192.168.2.0/24 is directly connected, FastEthernet1/0
    C    192.168.100.0/24 is directly connected, FastEthernet0/1
Step 4: test client-to-client communication and access to the services
1. Test the communication between client win10-1 and client win10-2 by pinging the IP address of win10-2 from win10-1
    C:\Users\czt>ping 192.168.2.2

    Pinging 192.168.2.2 with 32 bytes of data:
    Reply from 192.168.2.2: bytes=32 time=14ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=13ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=19ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=18ms TTL=127

    Ping statistics for 192.168.2.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 13ms, Maximum = 19ms, Average = 16ms
2. Use client win10-1 to access the services provided by the Linux server
(1) access web service
(2) access ftp service
Step 5: set the extended ACL according to the requirements
    ! allow client 1 to access the web service of the Linux server
    R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
    ! deny client 1 access to the other services of the Linux server
    R1(config)#access-list 100 deny ip host 192.168.1.2 host 192.168.100.100
    ! allow client 1 to access the entire network segment of client 2
    R1(config)#access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
    R1(config)#int f0/0
    ! apply the extended ACL in the inbound direction
    R1(config-if)#ip access-group 100 in
    ! view the ACL list
    R1(config-if)#do show access-list
    Extended IP access list 100
        10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
        20 deny ip host 192.168.1.2 host 192.168.100.100 (6 matches)
        30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
Step 6: test the effect of the ACL item by item
1. Test the communication between client win10-1 and client win10-2
    C:\Users\czt>ping 192.168.2.2

    Pinging 192.168.2.2 with 32 bytes of data:
    Reply from 192.168.2.2: bytes=32 time=14ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=21ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=15ms TTL=127
    Reply from 192.168.2.2: bytes=32 time=20ms TTL=127

    Ping statistics for 192.168.2.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 14ms, Maximum = 21ms, Average = 17ms
2. Use client win10-1 to access the services provided by the Linux server
(1) access web service: it can still be accessed normally.
(2) access ftp service: a message pops up saying that the server cannot be connected.
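These results follow from how IOS evaluates an access list: entries are checked in sequence order, the first match decides, and a packet that matches no entry is dropped by the implicit deny at the end. The Python model below is an added example, not part of the original article; it encodes ACL 100 from the show access-list output, and the flows from 192.168.1.3 and to 192.168.3.1 are constructed test inputs.

```python
import ipaddress

# ACL 100 as listed by "show access-list" on the page:
# (action, protocol, src, src wildcard, dst, dst wildcard, dst port)
ACL_100 = [
    ("permit", "tcp", "192.168.1.2", "0.0.0.0", "192.168.100.100", "0.0.0.0", 80),
    ("deny", "ip", "192.168.1.2", "0.0.0.0", "192.168.100.100", "0.0.0.0", None),
    ("permit", "ip", "192.168.1.2", "0.0.0.0", "192.168.2.0", "0.0.0.255", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, sequence number) of the first entry that matches."""
    for seq, (action, p, s, sw, d, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue  # "ip" covers every protocol; otherwise protocol must match
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue  # "eq www" only matches destination port 80
        return action, seq * 10
    return "deny", None  # implicit "deny ip any any" at the end of every ACL

# Flows arriving on f0/0; the last two are constructed, not from the article.
FLOWS = [
    ("web from win10-1", "tcp", "192.168.1.2", "192.168.100.100", 80),
    ("ftp from win10-1", "tcp", "192.168.1.2", "192.168.100.100", 21),
    ("ping win10-2", "icmp", "192.168.1.2", "192.168.2.2", None),
    ("web from another host", "tcp", "192.168.1.3", "192.168.100.100", 80),
    ("ping unlisted network", "icmp", "192.168.1.2", "192.168.3.1", None),
]

def run(acl=ACL_100):
    return {name: evaluate(acl, *flow) for name, *flow in FLOWS}

if __name__ == "__main__":
    for name, (action, seq) in run().items():
        print(f"{name:24} {action:6} {'line ' + str(seq) if seq else 'implicit deny'}")
```

Passing the list with entries 10 and 20 swapped makes the web flow hit the deny first, which is why the specific permit has to precede the broader deny.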
With this, the extended ACL practice has been successfully completed; interested readers can give it a try!