Extended ACL Access Control List Detailed


Experiments in this chapter:

Allow win10-1 to access the web service on the Linux host

Prohibit win10-1 from accessing any other service on the Linux host

Allow win10-1 to access the win10-2 host


1. Configure GNS3


Three hosts and one router:
win10-1: bound to the VMnet1 NIC
win10-2: bound to the VMnet2 NIC
linux: bound to the VMnet8 NIC
Router interfaces:
F0/0: 192.168.1.1/24 (VMnet1 side, win10-1)
F1/0: 192.168.2.1/24 (VMnet2 side, win10-2)
F0/1: 192.168.100.1/24 (VMnet8 side, linux)

2. Configure the Linux server: install the two services, vsftpd and httpd

[root@localhost ~]# yum install vsftpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.cn99.com
 * updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:3.0.2-25.el7 will be installed
--> Finished Dependency Resolution

[root@localhost ~]# yum install httpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.cn99.com
 * updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check

3. Bind the Linux server's NIC to VMnet8

4. Give the Linux server a static IP address

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=849aa04e-1874-490f-8cb0-b2fde4b9a6f8
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.1

The key must be spelled GATEWAY exactly: the network scripts silently ignore an unknown key, and the server would then have no default route to the router at 192.168.100.1.

[root@localhost ~]# systemctl restart network

Restart the network service (or reboot the Linux server) so the static address takes effect.

5. Bind the NICs of win10-1 and win10-2 (win10-1 to VMnet1, win10-2 to VMnet2)

6. Set a static IP address on win10-2

7. Set a static IP address on win10-1

8. Back in GNS3, configure the router interface addresses

R1#conf t
R1(config)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f0/1
R1(config-if)#ip add 192.168.100.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int f1/0
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ex
R1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
C    192.168.100.0/24 is directly connected, FastEthernet0/1

9. Turn off the Windows firewall on win10-1 and win10-2

10. Ping win10-1 from win10-2 to check that the two hosts can communicate through the router (the TTL of 127 in the replies shows they crossed one hop, since Windows sends with an initial TTL of 128)

C:\Users\CHEN>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=19ms TTL=127
Reply from 192.168.1.2: bytes=32 time=18ms TTL=127
Reply from 192.168.1.2: bytes=32 time=14ms TTL=127
Reply from 192.168.1.2: bytes=32 time=15ms TTL=127

11. On Linux, start the two services and create a test file for each

[root@localhost chen]# systemctl stop firewalld.service
[root@localhost chen]# setenforce 0
[root@localhost chen]# cd /var/www/html
[root@localhost html]# vim index.html
<h1>this is test web</h1>
[root@localhost html]# ls
index.html
[root@localhost html]# systemctl start httpd
[root@localhost html]# systemctl start vsftpd
[root@localhost html]# cd /var/ftp
[root@localhost ftp]# ls
pub
[root@localhost ftp]# echo "this is ftp" > ftp.txt
[root@localhost ftp]# ls
ftp.txt  pub
[root@localhost ftp]# netstat -nuap | egrep '(21|80)'
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1380/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1380/dnsmasq

Stopping firewalld and setting SELinux to permissive is acceptable only in this lab: it removes every host-side control so that the router ACL is the only thing filtering traffic. Note also that netstat -u lists UDP sockets only, so the grep above matched the dnsmasq PID 1380 rather than the two services; netstat -ntlp lists the TCP listeners, where httpd on :80 and vsftpd on :21 should appear.

12. From win10-1, test whether the two services on 192.168.100.100 can be accessed (with no ACL applied yet, both the web page and the FTP share should be reachable)

13. Back in GNS3, configure the extended access control list

R1#conf t
R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
// Extended ACLs use numbers 100-199. This entry permits TCP from the single host 192.168.1.2 to 192.168.100.100; the destination port after "eq" can be the number 80 or the name www.
R1(config)#do show access-list  // show the access control list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
R1(config)#access-list 100 deny ip host 192.168.1.2 host 192.168.100.100
R1(config)#do show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
    20 deny ip host 192.168.1.2 host 192.168.100.100
R1(config)#access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)#do show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
    20 deny ip host 192.168.1.2 host 192.168.100.100
    30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)#int f0/0  // F0/0 is the interface facing win10-1 (192.168.1.0/24)
R1(config-if)#ip access-group 100 in  // apply on the interface closest to the restricted host, in the inbound direction

Entries are matched top to bottom and the first match wins, so order matters: entry 10 must come before the deny in entry 20, or the web permit would never be reached. Every ACL also ends with an implicit deny ip any any. Once ACL 100 is applied inbound on F0/0, any packet from the 192.168.1.0/24 side that none of entries 10-30 match is dropped; this includes win10-1 pinging 192.168.100.100 (matched by entry 20) and any host other than 192.168.1.2 sending anything at all (implicit deny). The ACL is stateless and is evaluated only for packets entering F0/0; replies from 192.168.100.100 arrive on F0/1 and are not checked by it.

After the extended ACL is configured, test again from win10-1: the web page still opens, but the FTP service can no longer be accessed.

The experiment succeeds.
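To make the first-match rule and the implicit deny concrete, here is an added example (not part of the original post, and not IOS code) that parses the three access-list lines from step 13 and evaluates sample packets against them the way the router does for traffic entering F0/0. The parser, the Packet type and the sample packets are constructed for this example; win10-2's address 192.168.2.2 is an assumption, since the post does not show it, and the extra host 192.168.1.3 is hypothetical.

```python
"""Added example: first-match evaluation of the page's Cisco extended ACL 100.

The three access-list lines in ACL_100 are copied from the router configuration
in step 13; everything else (parser, Packet type, sample packets) is constructed
for this example and is not IOS code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# IOS port keywords that may follow "eq"; "www" is the one the page uses.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class ACE:
    """One access control entry, in the order IOS evaluates them."""
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str            # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port for "eq", None when the entry has no port test


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard marks as 0 (the "care" bits)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_addr(tok, i):
    """Parse 'host A', 'any' or 'A WILDCARD' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines):
    """Build the ordered ACE list, numbering entries 10, 20, 30... as IOS does by default."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(ACE((len(aces) + 1) * 10, action, proto, src, src_wc, dst, dst_wc, dport))
    return aces


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching ACE; (deny, None) means the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        return ace.action, ace.seq
    return "deny", None  # implicit "deny ip any any" at the end of every IOS ACL


ACL_100 = parse_acl([
    "access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www",
    "access-list 100 deny ip host 192.168.1.2 host 192.168.100.100",
    "access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255",
])

# Constructed packets entering F0/0 from the 192.168.1.0/24 side.
# 192.168.2.2 (win10-2) and 192.168.1.3 (a second host on VMnet1) are assumed addresses.
SAMPLES = {
    "win10-1 http to linux": Packet("tcp", "192.168.1.2", "192.168.100.100", 80),
    "win10-1 ftp to linux": Packet("tcp", "192.168.1.2", "192.168.100.100", 21),
    "win10-1 ping linux": Packet("icmp", "192.168.1.2", "192.168.100.100"),
    "win10-1 ping win10-2": Packet("icmp", "192.168.1.2", "192.168.2.2"),
    "other host http to linux": Packet("tcp", "192.168.1.3", "192.168.100.100", 80),
}


def run_samples():
    """Evaluate every sample packet against ACL 100."""
    return {name: evaluate(ACL_100, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, seq) in run_samples().items():
        print(f"{name:26s} -> {action} ({'ACE ' + str(seq) if seq else 'implicit deny'})")
```

Running the block shows the three experiments from the top of the page plus two cases the page does not test: the ICMP ping from win10-1 to the Linux host is dropped by entry 20 (it is "another service" as far as the ACL is concerned), and a second host on the win10-1 network hits the implicit deny even for HTTP, because no entry names it.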


Origin blog.51cto.com/14449524/2442739