
Firewall advanced configuration example (firewalld on CentOS 7)

2025-03-29 Update  From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/02 Report--

Requirements

1. The company's intranet users need to share Internet access through the gateway server.

2. Internet users need to be able to reach the website server.

3. Only hosts in 192.168.1.0/24 are allowed to ping the gateway and the servers.

4. Both the website server and the gateway server are managed remotely over SSH. For security, change the default SSH port to 12345, allow only the host 192.168.1.10 to SSH to the gateway and the servers, and allow SSH from the Internet to the internal server.

Note on addresses: the lab below actually uses 192.168.10.0/24 for the intranet (admin test host 192.168.10.10) and 192.168.20.0/24 for the DMZ, so read "192.168.1.0/24" and "192.168.1.10" in the requirements as 192.168.10.0/24 and 192.168.10.10. The steps that follow implement requirements 1 and 2 (masquerading and port forwarding); the SSH port change and the per-host SSH and ping restrictions of requirements 3 and 4 are not configured in the commands shown, only the blanket removal of ssh and echo-request from the dmz zone.

Topology

1. Gateway server: Centos7-1 (ens33 100.1.1.10 external, ens36 192.168.10.1 intranet, ens37 192.168.20.1 DMZ)

2. Enterprise intranet test machine: Centos7-2 (192.168.10.10)

3. Website server: Centos7-3 (192.168.20.20, DMZ)

4. Internet test machine: Centos7-4 (100.1.1.20)

Experiment step 1: configure the gateway server's network cards and addresses

1. Add two network cards to the gateway and bind them to host-only networks: ens36 (intranet side) to VMnet2, and ens37 (DMZ side) to the host-only network the website server will use (VMnet3 in step 3). Each inside segment must share its host-only network with the machine behind it.

2. Configure and confirm the gateway server's addresses

[root@192 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 100.1.1.10  netmask 255.255.255.0  broadcast 100.1.1.255
        inet6 fe80::839c:1220:87fc:aef  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:70:78:f5  txqueuelen 1000  (Ethernet)
        RX packets 2715  bytes 723845 (706.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 623  bytes 55679 (54.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::3d7f:4cdc:f7ec:8638  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:70:78:09  txqueuelen 1000  (Ethernet)
        RX packets 38  bytes 7923 (7.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets ...  bytes 24516 (23.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.1  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::a6c3:1677:f71d:8e29  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:70:78:ff  txqueuelen 1000  (Ethernet)
        RX packets 38  bytes 7923 (7.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 138  bytes 23100 (22.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

3. Enable IP forwarding (without it the gateway will not route between its three interfaces)

[root@192 network-scripts]# vim /etc/sysctl.conf
...                          // comments omitted
net.ipv4.ip_forward = 1      // add this entry
[root@192 network-scripts]# sysctl -p      // load the sysctl configuration file
net.ipv4.ip_forward = 1

Experiment step 2: configure the address and gateway of the intranet test machine in the internal area

1. Bind the NIC to the host-only network that carries the gateway's ens36 (VMnet2)

2. Configure and confirm the IP address and gateway

[root@192 network-scripts]# ifconfig        // view the IP address and subnet mask
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::839c:1220:87fc:aef  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:90:44:7f  txqueuelen 1000  (Ethernet)
        RX packets 2647  bytes 190172 (185.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 453  bytes 51940 (50.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
[root@192 network-scripts]# route -n        // view the routing table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 ens33

Check: this routing table has no default route, so the tester can only talk to 192.168.10.0/24 and will not reach the DMZ or the Internet through the gateway. Set GATEWAY=192.168.10.1 (the gateway's ens36 address) in /etc/sysconfig/network-scripts/ifcfg-ens33, restart the network service, and confirm that route -n now shows a 0.0.0.0 destination with gateway 192.168.10.1 and flags UG.

Experiment step 3: configure the address and gateway of the DMZ-zone web server and start the website service

1. While the machine still has network access, download and install the httpd service

[root@192 ~]# yum install httpd -y

2. Bind the NIC to the host-only network that carries the gateway's ens37 (VMnet3)

3. Configure and confirm the IP address and gateway

[root@dmz ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.20  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::839c:1220:87fc:aef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::791b:db71:8a12:f34  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:de:4a:b8  txqueuelen 1000  (Ethernet)
        RX packets 5353  bytes 3513622 (3.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1143  bytes 105439 (102.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
[root@dmz ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    0.0.0.0         255.255.255.0   U     100    0        0 ens33

Check: as on the intranet tester, there is no default route yet. The website server needs GATEWAY=192.168.20.1 (the gateway's ens37 address) in its ifcfg-ens33, otherwise its replies to the Internet tester (100.1.1.20) in step 9 have nowhere to go.

4. Start the website service

[root@dmz ~]# vim /var/www/html/index.html
[root@dmz ~]# cat /var/www/html/index.html
this is dmz web
[root@dmz html]# systemctl start httpd

Experiment step 4: configure the firewall policy on the DMZ-zone website server

[root@dmz ~]# firewall-cmd --set-default-zone=dmz                             // change the firewall's default zone to dmz
success
[root@dmz ~]# firewall-cmd --add-service=http --zone=dmz --permanent          // add http to the permanent configuration of the dmz zone
success
[root@dmz ~]# firewall-cmd --remove-service=ssh --zone=dmz --permanent        // disallow ssh logins
success
[root@dmz ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent   // drop ping requests
success
[root@dmz ~]# firewall-cmd --reload                                           // reload the firewall
success

Caveat: these two removals are blanket rules. With ssh removed and echo-request blocked in the zone the server's own NIC sits in, nobody can SSH to or ping the website server, including the 192.168.10.0/24 admin host that requirements 3 and 4 say should be allowed. Meeting those requirements needs per-source rules rather than zone-wide blocks; that is outside what this article configures.

Experiment step 5: configure the Internet test machine's network card and address in the external area and start the website service

1. While the machine still has network access, download and install the httpd service

[root@192 ~]# yum install httpd -y

2. Bind the NIC to VMnet1 host-only mode

3. Configure and confirm the IP address and gateway

[root@192 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 100.1.1.20  netmask 255.255.255.0  broadcast 100.1.1.255
        inet6 fe80::839c:1220:87fc:aef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::791b:db71:8a12:f34  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:9e:f9:aa  txqueuelen 1000  (Ethernet)
        RX packets 6587  bytes 4090863 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1266  bytes 105686 (103.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
[root@192 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
100.1.1.0       0.0.0.0         255.255.255.0   U     100    0        0 ens33

4. Start the web service and, on this test machine only, stop firewalld and put SELinux in permissive mode (a lab shortcut so that the tester's own page is reachable without further rules)

[root@192 ~]# vim /var/www/html/index.html
[root@192 ~]# cat /var/www/html/index.html
this is external web
[root@192 ~]# systemctl stop firewalld.service
[root@192 ~]# setenforce 0

Experiment step 6: configure the firewall policy on the gateway server

[root@192 ~]# firewall-cmd --set-default-zone=external                         // change the firewall's default zone to external
success
[root@192 ~]# firewall-cmd --change-interface=ens36 --zone=trusted --permanent   // put the ens36 NIC in the trusted zone
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@192 ~]# firewall-cmd --change-interface=ens37 --zone=dmz --permanent       // put the ens37 NIC in the dmz zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@192 ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent            // dmz zone: disallow ssh logins to the gateway
success
[root@192 ~]# firewall-cmd --zone=dmz --add-service=http --permanent              // dmz zone: allow http
success
[root@192 ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent   // dmz zone: block ping
success
[root@192 ~]# firewall-cmd --zone=external --add-service=http --permanent         // external zone: allow http
success
[root@192 ~]# firewall-cmd --reload                                                // reload the firewall
success

Notes on what this does: ens33 has no explicit zone, so it falls into the default zone, external. firewalld's stock external zone has masquerading enabled, which is what gives the intranet its shared Internet access (requirement 1) without a separate --add-masquerade. The zone services above filter traffic addressed to the gateway itself on that interface: removing ssh from the dmz zone stops the website server from SSHing to the gateway, it does not stop anything from reaching the website server (that is the website server's own policy from step 4). Also note that the external zone allows ssh by default, so after this step the gateway's sshd is still reachable from the Internet side, which requirement 4 does not intend.

Experiment step 7: from the intranet test machine, verify that the web pages served by the website server and by the Internet test machine are reachable

Experiment step 8: configure port forwarding on the gateway server

[root@192 ~]# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=192.168.20.20 --permanent   // map TCP port 80 on the external side to the website server
success
[root@192 ~]# firewall-cmd --reload      // reload the firewall
success

The forward target must be the website server's address from step 3, 192.168.20.20; the original command used toaddr=192.168.2.10, which matches no host in this topology and would silently forward to nothing. Check the rule after the reload with firewall-cmd --zone=external --query-forward-port=port=80:proto=tcp:toaddr=192.168.20.20, which prints yes when it is active.

Experiment step 9: from the Internet test machine, browse to http://100.1.1.10/ (the gateway's external address). The page "this is dmz web" is returned, and in the website server's access log (/var/log/httpd/access_log) you can see that the source address has been translated (NAT).
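As an added example (not code from the original article), the following POSIX sh script collects the gateway-side policy of steps 6 and 8 into one script that renders the firewall-cmd lines as a dry run, checks that the forward-port target and the admin host actually sit in the subnets their zones hold (the check that would have caught the toaddr typo), makes the masquerade that requirement 1 relies on explicit, and queries the result after the reload. Interface names and addresses are the article's; LAN_ADMIN=192.168.10.10 is an assumption standing in for requirement 4's 192.168.1.10, and the script does not implement the SSH port change or the per-host SSH and ping rules.

```shell
#!/bin/sh
# Added example, not part of the original article: render the gateway policy
# of steps 6 and 8 as firewall-cmd lines, sanity-check the addresses first,
# and only run the commands when invoked as "apply" on a host with firewall-cmd.

EXT_IF=ens33                # external zone, 100.1.1.10
LAN_IF=ens36                # trusted zone, 192.168.10.1
DMZ_IF=ens37                # dmz zone, 192.168.20.1
LAN_NET=192.168.10.0/24
DMZ_NET=192.168.20.0/24
DMZ_WEB=192.168.20.20       # website server (step 3), target of the forward-port
LAN_ADMIN=192.168.10.10     # assumed admin host (requirement 4's 192.168.1.10 in this lab)

# ip_to_int A.B.C.D -> 32-bit integer, plain sh arithmetic, no external tools
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit 0 when IP is inside the CIDR block, 1 otherwise
in_subnet() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_policy WEB DMZ_CIDR ADMIN LAN_CIDR -> exit 1 if a host is not in the
# subnet its zone actually holds (a toaddr such as 192.168.2.10 fails here).
check_policy() {
    _ok=0
    in_subnet "$1" "$2" || { echo "forward target $1 is not in DMZ $2" >&2; _ok=1; }
    in_subnet "$3" "$4" || { echo "admin host $3 is not in LAN $4" >&2; _ok=1; }
    return $_ok
}

# gateway_rules -> the firewall-cmd lines for the gateway (steps 6 and 8).
# --add-masquerade is spelled out even though the stock external zone already
# has it, so the intent survives if the zone definition is ever edited.
# The two --query lines at the end print yes/no, verifying the reload result.
gateway_rules() {
    cat <<EOF
firewall-cmd --set-default-zone=external
firewall-cmd --permanent --zone=external --change-interface=$EXT_IF
firewall-cmd --permanent --zone=trusted --change-interface=$LAN_IF
firewall-cmd --permanent --zone=dmz --change-interface=$DMZ_IF
firewall-cmd --permanent --zone=dmz --remove-service=ssh
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-icmp-block=echo-request
firewall-cmd --permanent --zone=external --add-service=http
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toaddr=$DMZ_WEB
firewall-cmd --reload
firewall-cmd --zone=external --query-masquerade
firewall-cmd --zone=external --query-forward-port=port=80:proto=tcp:toaddr=$DMZ_WEB
EOF
}

# Dry run by default; "apply" executes the rendered lines, stopping at the first failure.
main() {
    check_policy "$DMZ_WEB" "$DMZ_NET" "$LAN_ADMIN" "$LAN_NET" || return 1
    if [ "${1:-print}" = apply ]; then
        command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
        gateway_rules | sh -e
    else
        gateway_rules
    fi
}

main "$@"
```

Run it without arguments on any machine to review the commands; run it as `sh gateway-fw.sh apply` on the gateway to execute them. Because the rendered lines run under sh -e, a query that answers "no" after the reload stops the script with a non-zero status instead of leaving a half-applied policy unnoticed.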
