I. Lab topology and requirements
The extended ACL to be configured on the router must meet the following requirements:
1. Allow PC1 to access the web service on the Linux server
2. Allow PC2 to access the FTP service on the Linux server
3. Deny PC1 and PC2 access to all other services on the Linux server
4. Allow PC1 to access PC2
II. Lab environment setup
1. Configure static IP addresses, subnet masks and gateways on PC1, PC2 and the Linux system, and bind each to its corresponding NIC.
2. Install and start the required services on the Linux server
[root@localhost ~]# yum install vsftpd -y //install the FTP service
[root@localhost ~]# yum install httpd -y //install the HTTP service
[root@localhost ~]# systemctl stop firewalld.service //stop the firewall
[root@localhost ~]# setenforce 0 //put SELinux into permissive mode
[root@localhost ~]# systemctl start httpd //start the services
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# netstat -ntap | egrep '(21|80)' //check that the services are listening (port 80 is HTTP, port 21 is FTP)
tcp6 0 0 :::80 :::* LISTEN 6399/httpd
tcp6 0 0 :::21 :::*
3. Router configuration: assign IP addresses to the three interfaces
R1#conf t
R1(config)#int f 0/0
R1(config-if)#ip add 192.168.90.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f 0/1
R1(config-if)#ip add 192.168.80.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f 1/0
R1(config-if)#ip add 192.168.100.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ex
R1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.90.0/24 is directly connected, FastEthernet0/0
C 192.168.80.0/24 is directly connected, FastEthernet0/1
C 192.168.100.0/24 is directly connected, FastEthernet1/0
4. Configure the extended ACL
R1(config)#access-list 100 permit tcp 192.168.80.20 0.0.0.255 192.168.100.100 0.0.0.255 eq 80
R1(config)#access-list 100 permit tcp host 192.168.90.10 host 192.168.100.100 eq 21
R1(config)#access-list 100 permit ip host 192.168.80.20 192.168.90.0 0.0.0.255
R1(config)#do show access-list
Extended IP access list 100
10 permit tcp 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255 eq www
20 permit tcp host 192.168.90.10 host 192.168.100.100 eq ftp
30 permit ip host 192.168.80.20 192.168.90.0 0.0.0.255
R1(config)#int f0/1
R1(config-if)#ip access-group 100 in
R1(config-if)#int f0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#ex
5. Testing the results
PC1 can access the web service
PC2 can access the FTP service
PC1 is allowed to access PC2
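As an added example (not part of the original lab), the following Python script evaluates ACL 100 from step 4 against constructed sample packets, so the outcome of the tests in step 5 can be predicted before running them. It assumes the lab addresses PC1 = 192.168.80.20, PC2 = 192.168.90.10 and Linux = 192.168.100.100, read off the ACL entries themselves.

```python
import ipaddress
from collections import namedtuple

# One access-control entry: src/dst are "host A.B.C.D" or "A.B.C.D WILDCARD"; dport is the "eq <port>" destination port (None = any).
Ace = namedtuple("Ace", "seq action proto src dst dport", defaults=(None,))

def wildcard_match(spec, addr):
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored ('host X' == 'X 0.0.0.0')."""
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

# ACL 100 exactly as entered in step 4 (sequence numbers from the show access-list output).
ACL_100 = [
    Ace(10, "permit", "tcp", "192.168.80.20 0.0.0.255", "192.168.100.100 0.0.0.255", 80),
    Ace(20, "permit", "tcp", "host 192.168.90.10", "host 192.168.100.100", 21),
    Ace(30, "permit", "ip", "host 192.168.80.20", "192.168.90.0 0.0.0.255"),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; a Cisco ACL ends with an implicit deny of everything else."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None

# Constructed sample packets. PC1 = 192.168.80.20, PC2 = 192.168.90.10, Linux = 192.168.100.100.
LAB_FLOWS = {
    "PC1 -> Linux web":             ("tcp", "192.168.80.20", "192.168.100.100", 80),
    "PC2 -> Linux ftp":             ("tcp", "192.168.90.10", "192.168.100.100", 21),
    "PC1 -> Linux ssh":             ("tcp", "192.168.80.20", "192.168.100.100", 22),
    "PC2 -> Linux web":             ("tcp", "192.168.90.10", "192.168.100.100", 80),
    "PC1 -> PC2 ping":              ("icmp", "192.168.80.20", "192.168.90.10", None),
    "PC2 -> PC1 ping reply (f0/0)": ("icmp", "192.168.90.10", "192.168.80.20", None),
    "other .80 host -> Linux web":  ("tcp", "192.168.80.55", "192.168.100.7", 80),
}

def check_lab_flows():
    """Return what the router decides for each sample flow: (action, matching seq)."""
    return {name: evaluate(ACL_100, *pkt) for name, pkt in LAB_FLOWS.items()}

if __name__ == "__main__":
    for name, (action, seq) in check_lab_flows().items():
        print(f"{name:30} {action:6} {'seq ' + str(seq) if seq else 'implicit deny'}")
```

Because entry 10 was typed with a 0.0.0.255 wildcard instead of the host keyword, it permits any host in 192.168.80.0/24 reaching any host in 192.168.100.0/24 on port 80, which is what the show access-list output displays. Since the ACL is stateless and is also applied inbound on f0/0, PC2's reply to PC1 matches no permit entry and falls to the implicit deny, so the PC1 to PC2 requirement needs a matching return-path entry (or the established keyword for TCP) to work end to end.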