2025-04-04 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Both the gateway server and the website server run the CentOS 7 operating system.
The gateway server has three gigabit network cards, connected respectively to the Internet, to the intranet and to the website server.
The requirements are as follows:
On the gateway server, the card connected to the Internet, ens33, carries the public IP address and is assigned to the firewall's external zone; the card connected to the intranet has the address 192.168.1.1 and is assigned to the trusted zone; and the card connected to the website server has the address 192.168.2.1 and is assigned to the dmz zone. (The original requirement names the two internal cards ens37 and ens38, but in the captured output below the system brought them up as ens36 and ens37; the commands and output that follow use the names the system actually assigned.)
Both the website server and the gateway server are managed remotely over SSH. To reduce exposure, the SSH listening port is changed from the default 22 to 12345. A non-default port only cuts down noise from automated scanners; it is not an access control by itself, so the firewall zones still decide who may reach the port at all.
The website server serves HTTPS only; unencrypted HTTP traffic is not let through.
The website server rejects ping, and the gateway server rejects ping from the Internet.
Intranet users share Internet access through the gateway server (NAT).
Internet users must be able to reach the website server.
Basic environment configuration:
The gateway server configures the network card:
[root@localhost network-scripts]# ip a      # ip a is short for ip addr
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:4b brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.1/8 brd 100.255.255.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f65:9c3d:d218:7cea/64 scope link
       valid_lft forever preferred_lft forever
3: ens36: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global ens36
       valid_lft forever preferred_lft forever
    inet6 fe80::7456:2bbc:dc20:31bd/64 scope link
       valid_lft forever preferred_lft forever
4: ens37: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::1e90:6601:56c2:c9ba/64 scope link
       valid_lft forever preferred_lft forever
Start the route forwarding function on the gateway server:
[root@localhost /]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost /]# sysctl -p
net.ipv4.ip_forward = 1
Configure the network card for the web server:
[root@localhost /]# ip a
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:2f:24:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.10/24 brd 192.168.2.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::19de:d9a7:568a:f34f/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 ens33
Internet tester Nic configuration:
[root@localhost /]# ip a
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:45:66:64 brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.10/8 brd 100.255.255.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::3ebc:8f75:cd28:e516/64 scope link tentative
       valid_lft forever preferred_lft forever
Build the web server environment:
[root@localhost ~]# systemctl start firewalld          # start the firewall
[root@localhost ~]# yum -y install httpd mod_ssl        # install httpd and mod_ssl
[root@localhost ~]# systemctl start httpd               # start the httpd service
[root@localhost ~]# systemctl enable httpd              # start it automatically at boot
[root@localhost ~]# vim /var/www/html/index.html        # create a test home page
test.com
[root@localhost ~]# vim /etc/ssh/sshd_config            # change the SSH listening port
...
Port 12345
...
[root@localhost ~]# systemctl restart sshd
With SELinux enforcing, sshd is not allowed to bind a port other than 22. The original advises turning SELinux off; the better option is to label the new port for sshd and keep SELinux on: semanage port -a -t ssh_port_t -p tcp 12345 (semanage is in the policycoreutils-python package on CentOS 7).
Configure firewalld Firewall on the website server:
1. Set the default area to dmz:
[root@localhost ~]# firewall-cmd --set-default-zone=dmz
success
2. Open the https service for the dmz region and add port 12345 of tcp:
[root@localhost ~]# firewall-cmd --zone=dmz --add-service=https --permanent
success
[root@localhost ~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
3. Prohibit ping:
[root@localhost ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
success
4. Because SSH no longer listens on the port the predefined ssh service covers (22/tcp), remove that service so port 22 is not left open for nothing:
[root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent
success
Keep the current SSH session open until a new connection to port 12345 has been verified after the reload below; if the port change or the new rule did not take, that session is the only way back in.
5. Reload the firewalld configuration and view the previous configuration:
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: https
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:
Configure firewalld firewall on the gateway server:
1. Assign each NIC to its zone (ens36 and ens37 here are the intranet and website-server cards as the system named them in the ip a output above):
[root@localhost /]# systemctl start firewalld                              # start the firewall
[root@localhost /]# firewall-cmd --set-default-zone=external               # set the default zone to external
success
[root@localhost /]# firewall-cmd --change-interface=ens36 --zone=trusted   # put the intranet card in the trusted zone
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@localhost /]# firewall-cmd --change-interface=ens37 --zone=dmz       # put the website-server card in the dmz zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
ens33 is given no explicit zone, so it lands in the default zone, external. Because NetworkManager owns the interfaces, firewalld records the zone as ZONE= in the card's ifcfg file.
2. View the configuration and save it as permanent
[root@localhost /]# firewall-cmd --get-active-zones
dmz
  interfaces: ens37
external
  interfaces: ens33
trusted
  interfaces: ens36
[root@localhost /]# firewall-cmd --runtime-to-permanent    # save the current runtime configuration to the permanent files
success
3. Test on the internal host of the enterprise:
4. Change the SSH listening port and restart the service (with SELinux enforcing, label the port first with semanage port -a -t ssh_port_t -p tcp 12345 rather than disabling SELinux):
[root@localhost ~]# vim /etc/ssh/sshd_config
...
Port 12345
...
[root@localhost ~]# systemctl restart sshd
5. Open port 12345/tcp in the external zone:
[root@localhost /]# firewall-cmd --zone=external --add-port=12345/tcp --permanent
success
6. Remove the predefined ssh service (22/tcp) from the external zone:
[root@localhost /]# firewall-cmd --zone=external --remove-service=ssh --permanent
success
7. Block ping in the external zone:
[root@localhost /]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
8. Reload the firewall configuration (keep the existing SSH session open until a fresh connection to port 12345 has been confirmed):
[root@localhost /]# firewall-cmd --reload
success
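Reading a --list-all dump by eye is how the requirements above get checked, and it is easy to miss that a service is still listed. The following is an added example, not code from the article: a small audit script that parses the text firewall-cmd --list-all prints on CentOS 7 and compares it with the state required for the website server's dmz zone and the gateway's external zone (https or nothing allowed, 12345/tcp open, ssh removed, echo-request blocked). The sample dump is the dmz output shown above; the expected-state dictionaries are the editor's reading of the requirements, and live_zone() assumes firewall-cmd is installed and the script runs as root.

```python
"""Audit a firewalld zone dump against the requirements of this setup (added example)."""
import subprocess


def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output (CentOS 7 layout) into a dict.

    Every "key: value" line becomes key -> list of whitespace-separated tokens;
    the indented lines under "rich rules:" are collected as whole strings.
    """
    lines = text.strip().splitlines()
    fields = {"zone": lines[0].split()[0]}           # "dmz (active)" -> "dmz"
    for line in lines[1:]:
        stripped = line.strip()
        if stripped.startswith("rule "):              # continuation of "rich rules:"
            fields.setdefault("rich rules", []).append(stripped)
            continue
        key, _, value = stripped.partition(":")
        fields[key.strip()] = value.split()
    return fields


def audit_zone(text, services, ports, absent_services, icmp_blocks, masquerade=None):
    """Return a list of findings; an empty list means the zone matches the expectation."""
    f = parse_list_all(text)
    findings = []
    for s in services:
        if s not in f.get("services", []):
            findings.append("service %s not allowed" % s)
    for p in ports:
        if p not in f.get("ports", []):
            findings.append("port %s not opened" % p)
    for s in absent_services:
        if s in f.get("services", []):
            findings.append("service %s still allowed" % s)
    for i in icmp_blocks:
        if i not in f.get("icmp-blocks", []):
            findings.append("icmp type %s not blocked" % i)
    if masquerade is not None and f.get("masquerade", []) != [masquerade]:
        findings.append("masquerade is %s, expected %s"
                        % (" ".join(f.get("masquerade", ["?"])), masquerade))
    return findings


def live_zone(zone):
    """Fetch the dump from firewalld itself (assumes root and a running firewalld)."""
    return subprocess.check_output(["firewall-cmd", "--list-all", "--zone=" + zone],
                                   universal_newlines=True)


# Expected state, as read from the requirements (editor's interpretation).
DMZ_EXPECTED = dict(services=["https"], ports=["12345/tcp"], absent_services=["ssh", "http"],
                    icmp_blocks=["echo-request"], masquerade="no")
EXTERNAL_EXPECTED = dict(services=[], ports=["12345/tcp"], absent_services=["ssh"],
                         icmp_blocks=["echo-request"])

# Sample input: the dmz dump shown on this page after the reload.
DMZ_SAMPLE = """dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: https
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:
"""

if __name__ == "__main__":
    # Offline run against the sample; on the servers use live_zone("dmz") / live_zone("external").
    print(audit_zone(DMZ_SAMPLE, **DMZ_EXPECTED) or "dmz sample matches the requirements")
```

Run it on each server after the reload; any non-empty finding list means the permanent configuration did not end up as intended (for example a --permanent rule that was added but never reloaded).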
Test the ssh connection:
From the Internet test machine, connect over SSH to port 12345 on the gateway server's external interface address:
[root@localhost /]# ssh -p 12345 100.0.0.1
The authenticity of host '[100.0.0.1]:12345 ([100.0.0.1]:12345)' can't be established.
ECDSA key fingerprint is 68:df:0f:ac:c7:75:df:02:88:7d:36:6a:1a:ae:27:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[100.0.0.1]:12345' (ECDSA) to the list of known hosts.
root@100.0.0.1's password:
Last login: Sun Sep  1 16:36:33 2019
[root@localhost ~]#
From the intranet test machine, log in over SSH to port 12345 on the website server:
[root@localhost /]# ssh -p 12345 192.168.2.10
The authenticity of host '[192.168.2.10]:12345 ([192.168.2.10]:12345)' can't be established.
ECDSA key fingerprint is 68:df:0f:ac:c7:75:df:02:88:7d:36:6a:1a:ae:27:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.2.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.2.10's password:
Last login: Sun Sep  1 16:36:39 2019
[root@localhost ~]#
Note that the gateway and the website server present the same ECDSA host key fingerprint (68:df:0f:ac:...:27:23). That is what you get when virtual machines are cloned from one image with its /etc/ssh/ssh_host_* keys in place. Shared host keys let a compromised host impersonate the other to any client that has already accepted the fingerprint, so regenerate them on cloned machines: delete /etc/ssh/ssh_host_* and restart sshd, which on CentOS 7 recreates the keys on start.
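The two logins above are the manual form of the check that must pass before the old ssh service rule is removed and the working session closed. As an added example (not from the article), the script below does the same check without a password prompt: it opens a TCP connection to the new port and reads the SSH identification string (RFC 4253, the "SSH-2.0-..." line every server sends first), returning None if nothing answers, if the port is refused, or if whatever listens there is not SSH. fake_sshd() and free_port() are constructed loopback stand-ins so the check can be exercised offline; the host and port to use on the real network are the ones from this page (100.0.0.1 or 192.168.2.10, port 12345).

```python
"""Pre-flight check for an SSH port change (added example, not from the article)."""
import socket
import threading


def ssh_banner(host, port, timeout=3.0):
    """Return the server's SSH identification line, or None if port/host does not speak SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            # The banner is a single line; a non-SSH listener that stays silent
            # hits the timeout and is reported as None, same as a closed port.
            while not data.endswith(b"\n") and len(data) < 255:
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
    except (OSError, socket.timeout):
        return None
    line = data.decode("ascii", "replace").strip()
    return line if line.startswith("SSH-") else None


def safe_to_remove_old_port(host, new_port):
    """True only when the new port answers as SSH, i.e. the sshd change really took effect."""
    return ssh_banner(host, new_port) is not None


def fake_sshd(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Loopback stand-in for sshd (constructed): serves one connection, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """An unused loopback port, for the negative case (constructed helper)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # Usage: python check_ssh.py 100.0.0.1 12345   (no arguments: run against the fake server)
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", fake_sshd()
    print(host, port, ssh_banner(host, port), "safe:", safe_to_remove_old_port(host, port))
```

Run it from a second machine against the new port while the original session is still open; only when it reports the banner should the ssh service be removed from the zone and the old session closed.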
Implement IP camouflage and port forwarding:
1. Build a web service on the Internet test machine to test:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# vim /var/www/html/index.html
www.baidu.com
[root@localhost ~]# systemctl enable httpd
[root@localhost ~]# systemctl start httpd
2. The Internet test machine's website is now reachable both from the intranet test machine and from the website server in the dmz. (If it is not, the likely cause is the firewall on the Internet test machine itself: stop it for the test, or allow the http service there.)
3. Check whether address masquerading is enabled in the external area of the gateway server:
[root@localhost /]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: yes        # address masquerading is on (the external zone enables it by default)
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:
4. Enable IP masquerading only for the source network 192.168.1.0/24.
Turn off the zone-wide masquerading that the external zone enables by default, and add a rich rule so that only traffic entering the external zone from 192.168.1.0/24 is masqueraded:
[root@localhost ~]# firewall-cmd --remove-masquerade --zone=external
success
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success
Both commands change the runtime configuration only; repeat them with --permanent, or run firewall-cmd --runtime-to-permanent, so they survive the next reload.
A test from the dmz zone now fails, while intranet hosts still get through:
[root@localhost /]# curl http://100.0.0.10
curl: (7) Failed connect to 100.0.0.10:80; No route to host
The "No route to host" is the gateway rejecting the forwarded packet, not a routing problem: firewalld's FORWARD chain ends in REJECT with icmp-host-prohibited, and the accept-and-masquerade rule that previously covered everything leaving through the external zone now applies only to sources in 192.168.1.0/24. A packet from 192.168.2.10 matches nothing, so it is rejected instead of translated.
5. Configure port forwarding to enable Internet users to access internal web servers:
Configure on the gateway server:
[root@localhost /]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.10
success
This forwards TCP 443 arriving in the external zone (address 100.0.0.1) to 192.168.2.10 on the same port. Like the masquerade changes, it is a runtime rule; add --permanent (or run --runtime-to-permanent) to keep it across reloads.
The web server on the private network can now be reached from the Internet test machine:
6. Use rich rules to achieve port forwarding:
Once the above is in place, suppose the company obtains a second public IP address, 100.0.0.254; port forwarding for that address has to be set up separately:
1. Configure the new public address 100.0.0.254 on the gateway's public interface ens33 as a second IP address (the prefix changes from /8 to /24 at the same time; the test machine at 100.0.0.10 stays on-link either way):
[root@localhost /]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
IPADDR0=100.0.0.1        # these four lines replace the original single IPADDR/PREFIX pair
PREFIX0=24
IPADDR1=100.0.0.254      # the second address
PREFIX1=24
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
DEVICE=ens33
ONBOOT=yes
ZONE=external
[root@localhost /]# ifdown ens33; ifup ens33     # restart the NIC so the configuration takes effect
[root@localhost /]# ip a                         # check that both addresses are present
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:4b brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.1/24 brd 100.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 100.0.0.254/24 brd 100.0.0.255 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f65:9c3d:d218:7cea/64 scope link
       valid_lft forever preferred_lft forever
2. Configure port forwarding with a rich rule that matches only the new address as destination:
[root@localhost /]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=100.0.0.254 forward-port port=443 protocol=tcp to-addr=192.168.2.10'
success
Give the destination as a single host (100.0.0.254, equivalent to 100.0.0.254/32). Written as 100.0.0.254/24 the match is the whole network 100.0.0.0/24, so the rule would also capture connections to 100.0.0.1 and every other address in that range. This rule, too, is runtime-only until it is added with --permanent.
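Both rich rules used on this page select traffic by an address match, and both surprises above (the dmz host losing Internet access once masquerading is limited to source 192.168.1.0/24, and a destination written as 100.0.0.254/24 covering the whole 100.0.0.0/24) come down to which packets that match selects. The following is an added example, not the article's code and not firewalld's own rule engine: a parser for the subset of the rich rule language used here (family, source/destination address, masquerade, forward-port with port/protocol/to-addr; single ports only, IPv4 only) plus a matcher that says whether a given packet is selected, so a rule can be sanity-checked before it is loaded. The packets are constructed from the addresses on this page.

```python
"""Evaluate firewalld rich rules (page subset) against sample packets; added example."""
import ipaddress
import shlex


def parse_rich_rule(rule):
    """Parse 'rule family=ipv4 [source address=X] [destination address=Y] <action ...>'.

    shlex.split() also accepts the quoted form that firewall-cmd prints back
    (rule family="ipv4" source address="192.168.1.0/24" masquerade).
    """
    tokens = shlex.split(rule)
    if not tokens or tokens[0] != "rule":
        raise ValueError("not a rich rule: %r" % rule)
    r = {"family": None, "source": None, "destination": None, "action": None, "forward": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("family="):
            r["family"] = tok.split("=", 1)[1]
        elif tok in ("source", "destination"):
            i += 1
            key, value = tokens[i].split("=", 1)
            if key != "address":
                raise ValueError("only address= is supported in this example")
            # strict=False mirrors iptables: 100.0.0.254/24 means the network 100.0.0.0/24
            r[tok] = ipaddress.ip_network(value, strict=False)
        elif tok == "masquerade":
            r["action"] = "masquerade"
        elif tok == "forward-port":
            r["action"] = "forward-port"
            while i + 1 < len(tokens) and "=" in tokens[i + 1]:   # port= protocol= to-addr= to-port=
                i += 1
                k, v = tokens[i].split("=", 1)
                r["forward"][k] = v
        else:
            raise ValueError("unsupported token %r" % tok)
        i += 1
    if r["family"] != "ipv4" or r["action"] is None:
        raise ValueError("example handles ipv4 rules with an action only")
    return r


def matches(rule, src, dst, proto=None, dport=None):
    """True if a packet (src, dst[, proto, dport]) is selected by the parsed rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule["source"] is not None and src not in rule["source"]:
        return False
    if rule["destination"] is not None and dst not in rule["destination"]:
        return False
    if rule["action"] == "forward-port":
        fwd = rule["forward"]
        if proto != fwd.get("protocol") or str(dport) != fwd.get("port"):
            return False
    return True


def selected_by(rule_text, packets):
    """Return the subset of (src, dst, proto, dport) tuples that rule_text selects."""
    rule = parse_rich_rule(rule_text)
    return [p for p in packets if matches(rule, *p)]


if __name__ == "__main__":
    # Constructed packets using this page's addresses: intranet host, dmz web server,
    # and an Internet client hitting each of the gateway's two public addresses.
    masq = "rule family=ipv4 source address=192.168.1.0/24 masquerade"
    print(selected_by(masq, [("192.168.1.50", "100.0.0.10", "tcp", 80),
                             ("192.168.2.10", "100.0.0.10", "tcp", 80)]))
    inbound = [("100.0.0.10", "100.0.0.1", "tcp", 443), ("100.0.0.10", "100.0.0.254", "tcp", 443)]
    for dest in ("100.0.0.254/24", "100.0.0.254"):
        fwd = "rule family=ipv4 destination address=%s forward-port port=443 protocol=tcp to-addr=192.168.2.10" % dest
        print(dest, "->", selected_by(fwd, inbound))
```

The masquerade rule selects the intranet packet and not the one from 192.168.2.10, which is exactly why the dmz curl test fails once zone-wide masquerading is removed; the forward-port rule with /24 selects connections to 100.0.0.1 as well as to 100.0.0.254, while the single-host form selects only the new address.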
3. Verify: