企业网络架构案例

版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Richardlygo/article/details/81637928

实验拓扑图

 

项目要求:

一.项目分析和介绍:

企业需要对外提供web服务,对内提供PXE装机、dhcp、dns、nfs、远程管理等服务。

二.项目要求:

(一)部署管理服务器ADM:

1.部署PXE+kickstart自动化装机,只为服务器区提供自动装机。

2.部署DHCP服务为运维组和开发组自动分配IP地址(网关防火墙设置dhcp中继)。

3.配置dns分离解析:

1)要求为内网提供192.168.100.0/24网段中dbs、adm、gw、www的解析,其中www解析为192.168.100.50

2)要求为外网用户提供公网解析,将www解析为网关发布到外网的接口ip地址;

(二)部署NFS存储及数据库DBS:

1.安装mysql数据库,安装方式不限,修改mysql的root用户密码为123123,同时删除空密码和空用户。

2.部署NFS服务,仅对www主机提供rw、all_squash权限

(三)部署网站www:

1.搭建LAMP环境。

2.挂载nfs到网页的根目录。

3.在DBS上创建bbsdb并授权给runbbs以123123的密码从www上访问数据

4.解压discuz并放到/opt/lamp目录下,并授权daemon用户对相关目录有写入权限

5.访问测试。

(四)配置网关服务GW:

1.SNAT共享公网IP地址上网,要求服务器区域、运维组、开发组均能上网。

2.DNAT发布网站www.linux.com到外网,发布dns到外网;

3.配置dhcp中继、静态路由及iptables,实现dhcp给运维组和开发组分配IP地址;

4.配置主机型防火墙保护GW的安全,允许eth1和eth2所有的dhcp中继请求入站,只允许运维组ssh远程管理,配置内部网络访问外网的流量转发,配置运维组和开发组到dns和dhcp的流量转发,配置运维组和开发组到www网站服务的流量转发,配置运维组和开发组到ftp服务的流量转发;

第一步

1.配置网关服务GW:

第二步

2.部署管理服务器ADM

第三步

3.部署网站www:

第四步

4.部署NFS存储及数据库DBS

第五步

5.发布discuz论坛:

 

网关服务器为centos7.4  VM1  VM2  VM8  桥接

[root@gw ~]# cd /etc/sysconfig/network-scripts/

[root@gw network-scripts]# vim ifcfg-eth0

TYPE=Ethernet

PROXY_METHOD=none

BROWSER_ONLY=yes

BOOTPROTO=static

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

NAME=eth0

DEVICE=eth0

ONBOOT=yes

IPADDR=192.168.100.254

NETMASK=255.255.255.0

 

[root@gw network-scripts]# vim ifcfg-eth1

TYPE=Ethernet

PROXY_METHOD=none

BROWSER_ONLY=yes

BOOTPROTO=static

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

NAME=eth1

DEVICE=eth1

ONBOOT=yes

IPADDR=172.16.10.254

NETMASK=255.255.255.0

 

[root@gw network-scripts]# vim ifcfg-eth2

TYPE=Ethernet

PROXY_METHOD=none

BROWSER_ONLY=yes

BOOTPROTO=static

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

NAME=eth2

DEVICE=eth2

ONBOOT=yes

IPADDR=172.16.20.254

NETMASK=255.255.255.0

 

[root@gw network-scripts]# vim ifcfg-eth3

TYPE=Ethernet

PROXY_METHOD=none

BROWSER_ONLY=yes

BOOTPROTO=dhcp

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

NAME=eth3

DEVICE=eth3

ONBOOT=yes

 

[root@gw ~]# ip a | grep /24

    inet 192.168.100.254/24 brd 192.168.100.255 scope global eth0

    inet 172.16.10.254/24 brd 172.16.10.255 scope global eth1

    inet 172.16.20.254/24 brd 172.16.20.255 scope global eth2

inet 192.168.1.159/24 brd 192.168.1.255 scope global dynamic eth3

 

[root@gw ~]# ip r

default via 192.168.1.1 dev eth3 proto static metric 100

172.16.10.0/24 dev eth1 proto kernel scope link src 172.16.10.254 metric 100

172.16.20.0/24 dev eth2 proto kernel scope link src 172.16.20.254 metric 100

192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.159 metric 100

192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.254 metric 100

 

[root@gw ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward=1

 

[root@gw ~]# sysctl -p

[root@gw ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth3 -j MASQUERADE

[root@gw ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth3 -j MASQUERADE

[root@gw ~]# iptables -t nat -A POSTROUTING -s 172.16.20.0/24 -o eth3 -j MASQUERADE

[root@gw ~]# yum -y install dhcp

[root@gw ~]# dhcrelay 192.168.100.150  #此处为DHCP服务器的IP,做中继

[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.50

 

[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p tcp --dport 53 -j DNAT --to-destination 192.168.100.150

 

[root@gw ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.1.159 -p udp --dport 53 -j DNAT --to-destination 192.168.100.150

 

[root@gw ~]# iptables -A INPUT -s 192.168.100.1 -d 192.168.100.254 -p tcp --dport 22 -j ACCEPT

[root@gw ~]# iptables -A INPUT -s 192.168.100.150 -d 192.168.100.254 -p tcp --dport 22 -j ACCEPT

[root@gw ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@gw ~]# iptables -P INPUT DROP

[root@gw ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth1 -p tcp --dport 67 -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth0 -p tcp --dport 67 -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth2 -p tcp --dport 67 -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth0 -p tcp --dport 68 -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth1 -p tcp --dport 68 -j ACCEPT

[root@gw ~]# iptables -A INPUT -i eth2 -p tcp --dport 68 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -d 172.16.10.0/24 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -s 172.16.10.0/24 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -s 172.16.20.0/24 -j ACCEPT

[root@gw ~]# iptables -A FORWARD -d 172.16.20.0/24 -j ACCEPT

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p tcp --sport 80 -j ACCEPT

 

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p tcp --sport 53 -j ACCEPT

 

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.100.0/24 -d 192.168.1.0/24 -p udp --sport 53 -j ACCEPT

 

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p tcp --dport 80 -j ACCEPT

 

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p tcp --dport 53 -j ACCEPT

 

[root@gw ~]# iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -p udp --dport 53 -j ACCEPT

 

[root@gw ~]# iptables -P FORWARD DROP

 

 

 

 

管理服务器为centos6.5   VM1

[root@adm ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

HWADDR=00:0C:29:39:AD:AB

TYPE=Ethernet

ONBOOT=yes

NM_CONTROLLED=yes

BOOTPROTO=static

IPADDR=192.168.100.150

NETMASK=255.255.255.0

GATEWAY=192.168.100.254

 

[root@adm ~]# ip a | grep /24

inet 192.168.100.150/24 brd 192.168.100.255 scope global eth0

[root@adm ~]# yum -y  install  dhcp  vsftpd  tftp-server  tftp  syslinux

[root@adm ~]# vi  /etc/dhcp/dhcpd.conf

option domain-name "adm.org";

option domain-name-servers 192.168.100.150;

 

default-lease-time 600;

max-lease-time 7200;

log-facility local7;

 

subnet 192.168.100.0 netmask 255.255.255.0 {

option routers 192.168.100.254;

range 192.168.100.50 192.168.100.80;

next-server 192.168.100.150;   ##指定tftp-server的ip地址

filename "pxelinux.0";

}

 

subnet 172.16.10.0 netmask 255.255.255.0 {

option routers 172.16.10.254;

range 172.16.10.50 172.16.10.80;

}

 

subnet 172.16.20.0 netmask 255.255.255.0 {

option routers 172.16.20.254;

range 172.16.20.50 172.16.20.80;

}

[root@adm ~]# /etc/init.d/dhcpd  start

[root@adm ~]# chkconfig dhcpd  on

[root@adm ~]# vi  /etc/xinetd.d/tftp

disable = no   ##启用tftp

 

[root@adm ~]# /etc/init.d/xinetd  start

[root@adm ~]# chkconfig xinetd on

[root@adm ~]# cd  /mnt/images/pxeboot

[root@adm pxeboot]# cp  vmlinuz  initrd.img  /var/lib/tftpboot ##准备内核文件、初始化镜像文件

[root@adm pxeboot]# cp  /usr/share/syslinux/pxelinux.0  /var/lib/tftpboot   

[root@adm pxeboot]# cd  /var/lib/tftpboot/

[root@adm tftpboot]# mkdir pxelinux.cfg

[root@adm tftpboot]# vim pxelinux.cfg/default

default auto

prompt 0

label auto

        kernel vmlinuz

        append ks=ftp://192.168.100.150/pub/ks.cfg initrd=initrd.img devfs=nomount ramdisk_size=8192

 

[root@adm ~]# yum -y install system-config-kickstart

[root@adm ~]# system-config-kickstart  ##调用xmanager工具进行图形界面的配置

 

[root@adm ~]# cat /var/ftp/pub/ks.cfg

#platform=x86, AMD64, 或 Intel EM64T

#version=DEVEL

# Firewall configuration

firewall --disabled

# Install OS instead of upgrade

install

# Use network installation

url --url="ftp://192.168.100.150/centos6"

# Root password

rootpw --plaintext 123123

# System authorization information

auth  --useshadow  --passalgo=sha512

# Use graphical install

graphical

# System keyboard

keyboard us

# System language

lang zh_CN

# SELinux configuration

selinux --disabled

# Do not configure the X Window System

skipx

# Installation logging level

logging --level=info

# Reboot after installation

reboot

# System timezone

timezone  Africa/Abidjan

# Network information

network  --bootproto=dhcp --device=eth0 --onboot=on

# System bootloader configuration

bootloader --location=mbr

# Clear the Master Boot Record

zerombr

# Partition clearing information

clearpart --all --initlabel

# Disk partitioning information

part /boot --fstype="ext4" --size=500

part swap --fstype="swap" --size=2048

part / --fstype="ext4" --grow --size=1

 

%packages

@development

 

%end

 

[root@adm ~]# /etc/init.d/dhcpd restart

[root@adm ~]# /etc/init.d/vsftpd restart

[root@adm ~]# /etc/init.d/xinetd restart

 

[root@adm ~]# vim /etc/named.conf

options {

listen-on port 53 { 192.168.100.150; };

directory "/var/named";

allow-query     { any; };

recursion yes;

forwarders {202.106.0.20;114.114.114.114;8.8.8.8;};

 

};

 

view "internal" {

match-clients {

        172.16.10.0/24;

        172.16.20.0/24;

        192.168.100.0/24;

};

zone "linux.com" IN {

type master;

file "linux.com.zone";

};

 

zone "." IN {

type hint;

file "named.ca";

};

};

 

view "external" {

match-clients { any; };

zone "linux.com" IN {

type master;

file "linux.com.wan";

};

};

 

[root@adm ~]# cd /var/named/

[root@adm named]# vim linux.com.zone

$TTL 86400                                                                                              ;有效解析记录的默认缓存时间

@       IN SOA  linux.com. root.linux.com. (

                                        20151212        ; 更新序列号,不能超过10位,主服务器更新后,版本号需要手动递增

                                        1D              ; 刷新时间,从服务器多久向主服务器同步

                                        1H              ; 重试延时,同步失败后,再次发起同步的时间间隔

                                        1W              ; 失效时间,超过该时间若还无法同步,则放弃同步

                                        3H )            ; 地址数据库中不包含的解析记录的默认缓存时间

        IN      NS      ns.adm.com.

ns      IN      A       192.168.100.150

        IN      A       192.168.100.150

        IN      MX 10   mail.linux.com.

mail    IN      A       192.168.100.50

www     IN      A       192.168.100.50

ftp     IN      CNAME   www

 

[root@adm named]# vim linux.com.wan

 

$TTL 86400                                                                                              ;有效解析记录的默认缓存时间

@       IN SOA  linux.com. root.linux.com. (

                                        20151211
                                        1D
                                        1H
                                        1W
                                        3H )

        IN      NS      ns.adm.com.

ns      IN      A       192.168.100.150

        IN      A       192.168.100.150

        IN      MX 10   mail.linux.com.

mail    IN      A       192.168.1.159 ;公网IP

www     IN      A       192.168.1.159

ftp     IN      CNAME   www

 

[root@adm named]# /etc/init.d/named start

 

 

 

这时PXE自动装机已经完成网站、存储两台主机的安装

 

 

 

存储服务器配置为centos6.5

[root@nfs ~]# ip a | grep /24

    inet 192.168.100.51/24 brd 192.168.100.255 scope global eth0

[root@nfs ~]# yum -y install rpcbind nfs-utils mysql-server

[root@nfs ~]# mkdir /opt/lamp

[root@nfs ~]# chmod 777 /opt/lamp/ -R

[root@nfs ~]# vim /etc/exports

/opt/lamp       192.168.100.0/24(rw,sync,no_root_squash)

 

[root@nfs ~]# /etc/init.d/rpcbind start

[root@nfs ~]# /etc/init.d/nfs start

[root@nfs ~]# /etc/init.d/mysqld start

[root@nfs ~]# unzip discuz_7.2_full_sc_utf8.zip

[root@nfs ~]# cp -rf upload/* /opt/lamp/

[root@nfs ~]# mysql -uroot -p123123

mysql> create database bbsdb;

mysql> grant all on bbsdb.* to 'runbbs'@'192.168.100.50' identified by '123123';

mysql> flush privileges;

mysql> quit

[root@nfs ~]# cd /opt/lamp/

[root@nfs lamp]# chown daemon forumdata/ attachments/ uc_client/data/cache/ templates/ config.inc.php -R

 

[root@nfs ~]# iptables -A INPUT -s 192.168.100.1 -p tcp --dport 22 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.150 -p tcp --dport 22 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 3306 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 111 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p tcp --dport 825 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p udp --dport 825 -j ACCEPT

[root@nfs ~]# iptables -A INPUT -s 192.168.100.50 -d 192.168.100.51 -p udp --dport 111 -j ACCEPT

[root@nfs ~]# iptables -P INPUT DROP

[root@nfs ~]# iptables -P FORWARD DROP

[root@nfs ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT

 

 

 

网站服务器配置为centos6.5

[root@lamp ~]# ip a | grep /24

    inet 192.168.100.50/24 brd 192.168.100.255 scope global eth0

[root@lamp ~]# yum -y install httpd mysql-server mysql php php-mysql

[root@lamp ~]# yum -y install rpcbind nfs-utils

[root@lamp ~]# /etc/init.d/rpcbind start

[root@lamp ~]# /etc/init.d/nfs start

[root@lamp ~]# /etc/init.d/httpd start

[root@lamp ~]# /etc/init.d/mysqld start

[root@lamp ~]# iptables -A INPUT -s 192.168.100.1 -p tcp --dport 22 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -s 192.168.100.150 -p tcp --dport 22 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -d 192.168.100.50 -p tcp --dport 80 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p tcp --dport 111 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p tcp --dport 825 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p udp --dport 825 -j ACCEPT

[root@lamp ~]# iptables -A INPUT -s 192.168.100.51 -d 192.168.100.50 -p udp --dport 111 -j ACCEPT

[root@lamp ~]# iptables -P INPUT DROP

[root@lamp ~]# iptables -P FORWARD DROP

[root@lamp ~]# iptables -A INPUT -s 192.168.100.0/24 -i eth0 -p icmp -j ACCEPT

 

 

 

 

WIN7内网客户端VM1

 

 

 

WIN7运维组VM2

 

 

 

WIN7开发组VM8

 

 

 

WIN7外网客户端桥接模式

 
