实验拓扑图
项目要求: |
一.项目分析和介绍: 企业需要对外提供web服务,对内提供PXE装机、dhcp、dns、nfs、远程管理等服务。 二.项目要求: (一)部署管理服务器ADM: 1.部署PXE+kickstart自动化装机,只为服务器区提供自动装机。 2.部署DHCP服务为运维组和开发组自动分配IP地址(网关防火墙设置dhcp中继)。 3.配置dns分离解析: 1)要求给内网提供解析192.168.100.0/24网段的dbs、adm、gw、www的解析。为内网解析www地址为192.168.100.50; 2)要求给外网用户提供公网的ip地址解析www为发布到网关的接口ip地址; (二)部署NFS存储及数据库DBS: 1.安装mysql数据库,安装方式不限,修改mysql的root用户密码为123123,同时删除空密码和空用户。 2.部署NFS服务,仅对www主机提供rw、squash_all权限 (三)部署网站www: 1.搭建LAMP环境。 2.挂载nfs到网页的根目录。 3.在DBS上创建bbsdb并授权给runbbs以123123的密码从www上访问数据 4.解压discuz并放到/opt/lamp目录下,并授权daemon用户对相关目录有写入权限 5.访问测试。 (四)配置网关服务GW: 1.SNAT共享公网IP地址上网,要求服务器区域、运维组、开发组均能上网。 2.DNAT发布网站www.linux.com到外网,发布dns到外网; 3.配置dhcp中继静态路由及iptables实现dhcp给运维和开发分配IP地址; 4.配置主机型防火墙保护GW的安全,允许eth1和eth2所有的dhcp中继请求入站,只允许运维组ssh远程管理,配置内部网络访问外网的流量转发,配置运维组和开发组到dns和dhcp的流量转发,配置运维组和开发组到www网站服务的流量转发,配置运维组和开发组到ftp服务的流量转发; |
第一步 |
1.配置网关服务GW: |
第二步 |
2.部署管理服务器ADM: |
第三步 |
3.部署网站www: |
第四步 |
4.部署NFS存储及数据库DBS: |
第五步 |
5.发布discuz论坛: |
网关服务器为centos7.4 VM1 VM2 VM8 桥接
[root@gw ~]# cd /etc/sysconfig/network-scripts/
# GW has four NICs: eth0/eth1/eth2 face the three internal networks, eth3 is the bridged uplink.
[root@gw network-scripts]# vim ifcfg-eth0 # server zone 192.168.100.0/24, GW is .254
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=yes
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.100.254
NETMASK=255.255.255.0
[root@gw network-scripts]# vim ifcfg-eth1 # 172.16.10.0/24 (VM2; presumably the ops group, going by the WIN7 client list at the end of the page - confirm)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=yes
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.10.254
NETMASK=255.255.255.0
[root@gw network-scripts]# vim ifcfg-eth2 # 172.16.20.0/24 (VM8; presumably the dev group - confirm)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=yes
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth2
DEVICE=eth2
ONBOOT=yes
IPADDR=172.16.20.254
NETMASK=255.255.255.0
[root@gw network-scripts]# vim ifcfg-eth3 # bridged uplink; its address is a lease from the upstream DHCP server
# No GATEWAY= is set on eth0-eth2, so although every file says DEFROUTE=yes the only default route is the one learned on eth3 (see ip r below).
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=yes
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eth3
DEVICE=eth3
ONBOOT=yes
[root@gw ~]# ip a | grep /24 # verify: eth3 shows "dynamic" - the DNAT rules further down match this address literally, so a new lease would break them
inet 192.168.100.254/24 brd 192.168.100.255 scope global eth0
inet 172.16.10.254/24 brd 172.16.10.255 scope global eth1
inet 172.16.20.254/24 brd 172.16.20.255 scope global eth2
inet 192.168.1.159/24 brd 192.168.1.255 scope global dynamic eth3
[root@gw ~]# ip r # a single default route, via the upstream gateway on eth3
default via 192.168.1.1 dev eth3 proto static metric 100
172.16.10.0/24 dev eth1 proto kernel scope link src 172.16.10.254 metric 100
172.16.20.0/24 dev eth2 proto kernel scope link src 172.16.20.254 metric 100
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.159 metric 100
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.254 metric 100
[root@gw ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1 # persistent IPv4 forwarding: GW routes between the three internal networks and eth3
[root@gw ~]# sysctl -p
# SNAT: all three internal networks share the eth3 address. MASQUERADE reads the current interface address, so these rules do not depend on the lease value.
# NOTE(review): nothing on this page saves the iptables rules (no `service iptables save` or equivalent), so every rule below is gone after a reboot - confirm.
[root@gw ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth3 -j MASQUERADE
[root@gw ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth3 -j MASQUERADE
[root@gw ~]# iptables -t nat -A POSTROUTING -s 172.16.20.0/24 -o eth3 -j MASQUERADE
[root@gw ~]# yum -y install dhcp # the dhcp package also ships dhcrelay
[root@gw ~]# dhcrelay 192.168.100.150 # IP of the DHCP server (ADM); GW only relays. DHCP is UDP 67/68, which the INPUT rules in the next section must admit. No -i option is given, so presumably every interface including eth3 is relayed - confirm.
# DNAT: publish www (TCP 80) and DNS (TCP/UDP 53) on the eth3 address.
# NOTE(review): these match the literal lease 192.168.1.159 although eth3 is BOOTPROTO=dhcp; when the lease changes the rules silently stop matching. Match on `-i eth3` without `-d`, or give eth3 a fixed or reserved address.
[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.50
[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p tcp --dport 53 -j DNAT --to-destination 192.168.100.150
[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p udp --dport 53 -j DNAT --to-destination 192.168.100.150
# Host firewall for GW itself (INPUT chain), then the routing policy (FORWARD chain).
# SSH management: only 192.168.100.1 and ADM (192.168.100.150) may reach port 22 on the server-zone address.
# NOTE(review): requirement (四)4 says only the ops group may SSH in, but no rule admits 172.16.10.0/24 (or 172.16.20.0/24) to port 22, so the ops group is locked out while two server-zone hosts are let in - confirm which is intended.
[root@gw ~]# iptables -A INPUT -s 192.168.100.1 -d 192.168.100.254 -p tcp --dport 22 -j ACCEPT
[root@gw ~]# iptables -A INPUT -s 192.168.100.150 -d 192.168.100.254 -p tcp --dport 22 -j ACCEPT
# The stateful accept goes in before the policy flips to DROP so the live SSH session survives.
[root@gw ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default deny. Rules appended after this line still apply; only packets matching no rule hit the policy.
# NOTE(review): no `-i lo -j ACCEPT` is ever added, so loopback traffic is dropped as well; local services talking to 127.0.0.1 may misbehave - confirm.
[root@gw ~]# iptables -P INPUT DROP
[root@gw ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT # ping accepted from the server zone only
# DHCP relay inbound (requirement: all relay requests on eth1/eth2 must be accepted).
# NOTE(review): DHCP runs over UDP, so these six `-p tcp` rules never match and with INPUT DROP the relay requests are dropped. Use `-p udp --dport 67` on eth1/eth2 for client requests and on eth0 for the replies ADM sends back to the relay; port 68 is the client-side port and is presumably not needed on GW - confirm with a lease test from the 172.16 networks.
[root@gw ~]# iptables -A INPUT -i eth1 -p tcp --dport 67 -j ACCEPT
[root@gw ~]# iptables -A INPUT -i eth0 -p tcp --dport 67 -j ACCEPT
[root@gw ~]# iptables -A INPUT -i eth2 -p tcp --dport 67 -j ACCEPT
[root@gw ~]# iptables -A INPUT -i eth0 -p tcp --dport 68 -j ACCEPT
[root@gw ~]# iptables -A INPUT -i eth1 -p tcp --dport 68 -j ACCEPT
[root@gw ~]# iptables -A INPUT -i eth2 -p tcp --dport 68 -j ACCEPT
# FORWARD: six subnet-wide accepts, one per direction per internal network.
# NOTE(review): this is much broader than the flows listed in requirement (四)4 (dns, dhcp, www, ftp). Ops and dev reach every port on every server and on each other, and `-d 192.168.100.0/24` also admits anything arriving on eth3 for the server zone, not only the DNATed 80/53. The six port-specific rules that follow are shadowed and never reached. Tighten these to the listed ports and add one `-m state --state RELATED,ESTABLISHED -j ACCEPT` for return traffic.
[root@gw ~]# iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
[root@gw ~]# iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT
[root@gw ~]# iptables -A FORWARD -d 172.16.10.0/24 -j ACCEPT
[root@gw ~]# iptables -A FORWARD -s 172.16.10.0/24 -j ACCEPT
[root@gw ~]# iptables -A FORWARD -s 172.16.20.0/24 -j ACCEPT
[root@gw ~]# iptables -A FORWARD -d 172.16.20.0/24 -j ACCEPT
# Port-specific rules for the published web/DNS service in both directions (currently shadowed by the subnet rules above).
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p tcp --sport 80 -j ACCEPT
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p tcp --sport 53 -j ACCEPT
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p udp --sport 53 -j ACCEPT
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p tcp --dport 80 -j ACCEPT
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p tcp --dport 53 -j ACCEPT
[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p udp --dport 53 -j ACCEPT
[root@gw ~]# iptables -P FORWARD DROP # default deny for routed traffic
管理服务器为centos6.5 VM1
[root@adm ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# ADM: static address in the server zone; default gateway is GW eth0 (192.168.100.254).
DEVICE=eth0
HWADDR=00:0C:29:39:AD:AB
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.100.150
NETMASK=255.255.255.0
GATEWAY=192.168.100.254
[root@adm ~]# ip a | grep /24 # verify the address is up
inet 192.168.100.150/24 brd 192.168.100.255 scope global eth0
[root@adm ~]# yum -y install dhcp vsftpd tftp-server tftp syslinux # DHCP server, FTP (kickstart + install tree), TFTP (PXE boot files), syslinux (pxelinux.0)
[root@adm ~]# vi /etc/dhcp/dhcpd.conf
# Three scopes. The 172.16.x scopes are served through dhcrelay on GW; only the server-zone scope carries PXE options, which is what "auto-install for the server zone only" requires.
# NOTE(review): domain-name "adm.org" does not match the linux.com zone served by named below - presumably a leftover; confirm.
option domain-name "adm.org";
option domain-name-servers 192.168.100.150;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.100.0 netmask 255.255.255.0 {
option routers 192.168.100.254;
# NOTE(review): www (.50) and DBS (.51) appear to obtain their addresses from this dynamic pool (both are PXE/DHCP installed), yet the DNS zone, the MySQL grant, the GW DNAT and every iptables rule hard-code those values. Pin them with host/fixed-address entries or static configs so a lease change does not break the whole setup.
range 192.168.100.50 192.168.100.80;
next-server 192.168.100.150; ## IP address of the tftp-server
filename "pxelinux.0";
}
subnet 172.16.10.0 netmask 255.255.255.0 {
option routers 172.16.10.254;
range 172.16.10.50 172.16.10.80;
}
subnet 172.16.20.0 netmask 255.255.255.0 {
option routers 172.16.20.254;
range 172.16.20.50 172.16.20.80;
}
[root@adm ~]# /etc/init.d/dhcpd start
[root@adm ~]# chkconfig dhcpd on
[root@adm ~]# vi /etc/xinetd.d/tftp
disable = no ## enable tftp under xinetd
[root@adm ~]# /etc/init.d/xinetd start
[root@adm ~]# chkconfig xinetd on
[root@adm ~]# cd /mnt/images/pxeboot
[root@adm pxeboot]# cp vmlinuz initrd.img /var/lib/tftpboot ## prepare the kernel and the initial ramdisk image
[root@adm pxeboot]# cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot
[root@adm pxeboot]# cd /var/lib/tftpboot/
[root@adm tftpboot]# mkdir pxelinux.cfg
[root@adm tftpboot]# vim pxelinux.cfg/default
# Boot the "auto" entry without prompting.
default auto
prompt 0
label auto
kernel vmlinuz
# The kickstart file is fetched over anonymous FTP from ADM - see the note on ks.cfg about what that exposes.
append ks=ftp://192.168.100.150/pub/ks.cfg initrd=initrd.img devfs=nomount ramdisk_size=8192
[root@adm ~]# yum -y install system-config-kickstart
[root@adm ~]# system-config-kickstart ## launched through the xmanager tool for GUI-based configuration
[root@adm ~]# cat /var/ftp/pub/ks.cfg
# NOTE(review): this file is fetched over anonymous FTP by every PXE client (see the ks= line in pxelinux.cfg/default), so anyone on 192.168.100.0/24 can read it - and it carries the root password in clear text below. Use `rootpw --iscrypted` with a password hash instead.
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration: installed hosts start with no host firewall; DBS and www add iptables rules by hand later on this page
firewall --disabled
# Install OS instead of upgrade
install
# Use network installation (install tree on the same anonymous FTP server)
url --url="ftp://192.168.100.150/centos6"
# Root password - NOTE(review): --plaintext, see the note at the top of the file
rootpw --plaintext 123123
# System authorization information
auth --useshadow --passalgo=sha512
# Use graphical install
graphical
# System keyboard
keyboard us
# System language
lang zh_CN
# SELinux configuration: disabled on every installed host
selinux --disabled
# Do not configure the X Window System
skipx
# Installation logging level
logging --level=info
# Reboot after installation
reboot
# System timezone (as generated by system-config-kickstart)
timezone Africa/Abidjan
# Network information: DHCP on eth0, which is why www/DBS end up with pool addresses
network --bootproto=dhcp --device=eth0 --onboot=on
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information: wipes every existing partition on the target disk
clearpart --all --initlabel
# Disk partitioning information
part /boot --fstype="ext4" --size=500
part swap --fstype="swap" --size=2048
part / --fstype="ext4" --grow --size=1
%packages
@development
%end
[root@adm ~]# /etc/init.d/dhcpd restart
[root@adm ~]# /etc/init.d/vsftpd restart
[root@adm ~]# /etc/init.d/xinetd restart
[root@adm ~]# vim /etc/named.conf
# Split-horizon DNS: views are tried in order, so "internal" (specific client nets) must stay ahead of "external" (any).
options {
listen-on port 53 { 192.168.100.150; };
directory "/var/named";
allow-query { any; };
# NOTE(review): `recursion yes` together with `allow-query { any; }` applies to every view, and the external view matches any client while GW DNATs port 53 from the outside to this host. That makes ADM an open recursive resolver that can be abused for amplification. Add `allow-recursion { 192.168.100.0/24; 172.16.10.0/24; 172.16.20.0/24; };` here, or put `recursion no;` inside view "external".
recursion yes;
forwarders {202.106.0.20;114.114.114.114;8.8.8.8;};
};
view "internal" {
match-clients {
172.16.10.0/24;
172.16.20.0/24;
192.168.100.0/24;
};
zone "linux.com" IN {
type master;
file "linux.com.zone";
};
zone "." IN {
type hint;
file "named.ca";
};
};
view "external" {
match-clients { any; };
# No hint zone here; BIND presumably falls back to its built-in root hints, so recursion still works for external clients - confirm.
zone "linux.com" IN {
type master;
file "linux.com.wan";
};
};
[root@adm ~]# cd /var/named/
[root@adm named]# vim linux.com.zone
$TTL 86400 ; default cache lifetime for valid records
@ IN SOA linux.com. root.linux.com. (
20151212 ; serial - at most 10 digits - bump it by hand after every change on the master
1D ; refresh - how often a slave polls the master
1H ; retry - interval before a failed transfer is attempted again
1W ; expire - after this long without a successful sync the slave stops answering
3H ) ; negative cache TTL for names not in the zone
; NOTE - review: the NS target ns.adm.com. lies outside this zone and no adm.com zone exists on ADM, while the ns A record below defines ns.linux.com rather than ns.adm.com. Resolvers therefore cannot find the name server address. The intended record is presumably IN NS ns.linux.com. - confirm with named-checkzone. Same issue in linux.com.wan below.
IN NS ns.adm.com.
ns IN A 192.168.100.150
IN A 192.168.100.150
IN MX 10 mail.linux.com.
mail IN A 192.168.100.50
www IN A 192.168.100.50 ; internal answer for www, as the requirement asks
ftp IN CNAME www
[root@adm named]# vim linux.com.wan
$TTL 86400 ; default cache lifetime for valid records
@ IN SOA linux.com. root.linux.com. (
20151211 1D 1H 1W 3H )
IN NS ns.adm.com.
ns IN A 192.168.100.150 ; NOTE - review: internal addresses served to external clients in this and the next record; presumably they should be the public IP like www below - confirm
IN A 192.168.100.150
IN MX 10 mail.linux.com.
mail IN A 192.168.1.159 ; public IP
www IN A 192.168.1.159 ; external answer for www is the GW eth3 address - it is a DHCP lease, so keep it in sync if the lease changes
ftp IN CNAME www
[root@adm named]# /etc/init.d/named start
这时PXE自动装机已经完成网站和存储两台主机的安装
存储服务器配置为centos6.5
[root@nfs ~]# ip a | grep /24 # DBS host; .51 came from the ADM pool and is hard-coded in the www firewall rules below
inet 192.168.100.51/24 brd 192.168.100.255 scope global eth0
[root@nfs ~]# yum -y install rpcbind nfs-utils mysql-server
[root@nfs ~]# mkdir /opt/lamp
# NOTE(review): 777 makes the whole web tree world-writable for every local user; the chown to daemon further down is enough for the web server and is what the requirement asks for.
[root@nfs ~]# chmod 777 /opt/lamp/ -R
[root@nfs ~]# vim /etc/exports
# NOTE(review): requirement (二)2 asks for rw plus squash (written squash_all on the page, presumably all_squash) for the www host only. This line exports to the entire /24 with no_root_squash, so remote root keeps root on the share. Presumably intended: `/opt/lamp 192.168.100.50(rw,sync,all_squash)` - confirm; with all_squash the client writes arrive as the anonymous user, so the daemon ownership set below would need anonuid/anongid to match.
/opt/lamp 192.168.100.0/24(rw,sync,no_root_squash)
[root@nfs ~]# /etc/init.d/rpcbind start
[root@nfs ~]# /etc/init.d/nfs start
[root@nfs ~]# /etc/init.d/mysqld start
[root@nfs ~]# unzip discuz_7.2_full_sc_utf8.zip
[root@nfs ~]# cp -rf upload/* /opt/lamp/
# NOTE(review): -p123123 puts the password in shell history and in ps output while the client runs; use -p alone and type it at the prompt. Requirement (二)1 (set the root password, drop empty users and empty passwords) is not shown in this transcript - confirm it was done.
[root@nfs ~]# mysql -uroot -p123123
mysql> create database bbsdb;
mysql> grant all on bbsdb.* to 'runbbs'@'192.168.100.50' identified by '123123';
mysql> flush privileges;
mysql> quit
[root@nfs ~]# cd /opt/lamp/
[root@nfs lamp]# chown daemon forumdata/ attachments/ uc_client/data/cache/ templates/ config.inc.php -R
# Host firewall: SSH from two server-zone hosts, MySQL and NFS only from www.
[root@nfs ~]# iptables -A INPUT -s 192.168.100.1 -p tcp --dport 22 -j ACCEPT
[root@nfs ~]# iptables -A INPUT -s 192.168.100.150 -p tcp --dport 22 -j ACCEPT
[root@nfs ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 3306 -j ACCEPT
# NOTE(review): NFS itself (nfsd, TCP/UDP 2049) is never admitted here, only the portmapper (111) and 825, which is presumably a mountd port pinned in /etc/sysconfig/nfs. On CentOS 6 mountd/statd/lockd pick random ports unless pinned there - confirm, and test the mount from www with this policy active.
[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 111 -j ACCEPT
[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 825 -j ACCEPT
[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p udp --dport 825 -j ACCEPT
[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p udp --dport 111 -j ACCEPT
[root@nfs ~]# iptables -P INPUT DROP # NOTE(review): no loopback accept is added; local clients of mysqld/rpcbind may be affected - confirm
[root@nfs ~]# iptables -P FORWARD DROP # harmless on a host that does not route
[root@nfs ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT # ping from the server zone
网站服务器配置为centos6.5
[root@lamp ~]# ip a | grep /24 # www host; .50 is the pool lease that the DNS zone, the GW DNAT and the MySQL grant all rely on
inet 192.168.100.50/24 brd 192.168.100.255 scope global eth0
# LAMP packages. NOTE(review): the database lives on DBS per requirements (二)1 and (三)3, so mysql-server is presumably not needed here; installing and starting it (below) adds a listening service on the web host - confirm and drop it if unused.
[root@lamp ~]# yum -y install httpd mysql-server mysql php php-mysql
[root@lamp ~]# yum -y install rpcbind nfs-utils # NFS client side
[root@lamp ~]# /etc/init.d/rpcbind start
[root@lamp ~]# /etc/init.d/nfs start # NOTE(review): this starts the NFS server daemons; a client only needs rpcbind (and nfslock). The actual mount of /opt/lamp from DBS onto the web root, requirement (三)2, is not shown on this page.
[root@lamp ~]# /etc/init.d/httpd start
[root@lamp ~]# /etc/init.d/mysqld start
# Host firewall: SSH from two server-zone hosts, HTTP from anywhere (GW publishes it by DNAT), portmapper/825 only from DBS.
[root@lamp ~]# iptables -A INPUT -s 192.168.100.1 -p tcp --dport 22 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -s 192.168.100.150 -p tcp --dport 22 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -d 192.168.100.50 -p tcp --dport 80 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 111/825 from DBS: presumably for RPC callbacks from the NFS server - confirm they are still required once this host no longer runs the server daemons.
[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p tcp --dport 111 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p tcp --dport 825 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p udp --dport 825 -j ACCEPT
[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p udp --dport 111 -j ACCEPT
[root@lamp ~]# iptables -P INPUT DROP # NOTE(review): no loopback accept here either - confirm httpd/php local connections still work
[root@lamp ~]# iptables -P FORWARD DROP # harmless on a host that does not route
[root@lamp ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT # ping from the server zone
WIN7内网客户端VM1
WIN7运维组VM2
WIN7开发组VM8
WIN7外网客户端桥接模式