
Detailed explanation of firewalld firewall configuration of IP masquerading and port forwarding in CentOS 7

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

For an overview of the principles behind firewalld direct rules and rich rules, refer to the previous blog post: the principle of firewalld address masquerading and port forwarding in CentOS 7.

The environment is shown in the following figure:

Both the gateway server and the website server run CentOS 7. The gateway server has three gigabit network cards, connected to the Internet, the intranet and the website server respectively.

On the gateway server, the Internet-facing card ens32 is configured with the public IP address 192.168.100.10 and assigned to the external zone of the firewall; the intranet card ens34 has the address 192.168.10.100 and is assigned to the trusted zone; and the card ens35 facing the website server has the address 192.168.20.100 and is assigned to the dmz zone.

Both the website server and the gateway server are managed remotely through SSH. For security, the default SSH port is changed to 12345.

The website server enables HTTPS; unencrypted HTTP traffic is filtered.

The website server rejects ping, and the gateway server rejects ping from the Internet.

Intranet users share Internet access through the gateway server.

Internet users need to access the website server.

I. Basic environment configuration

1. Configure the gateway server

[root@firewalld ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe97:5c9f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:5c:9f  txqueuelen 1000  (Ethernet)
        RX packets 880  bytes 135724 (132.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 498  bytes 71197 (69.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.100  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe97:5ca9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:5c:a9  txqueuelen 1000  (Ethernet)
        RX packets 37  bytes 3555 (3.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89  bytes 14988 (14.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens35: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.100  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::20c:29ff:fe97:5cb3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:5c:b3  txqueuelen 1000  (Ethernet)
        RX packets 51  bytes 5019 (4.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 85  bytes 13888 (13.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

2. Enable route forwarding on the gateway server

[root@firewalld ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewalld ~]# sysctl -p
net.ipv4.ip_forward = 1

3. Configure the web server

[root@web ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.10  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::20c:29ff:fe62:325a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:62:32:5a  txqueuelen 1000  (Ethernet)
        RX packets 237  bytes 21594 (21.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 220  bytes 30673 (29.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
[root@web ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.20.100  0.0.0.0         UG    100    0        0 ens32
192.168.20.0    0.0.0.0         255.255.255.0   U     100    0        0 ens32
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
[root@web ~]# yum -y install httpd mod_ssl
[root@web ~]# systemctl start httpd
[root@web ~]# systemctl enable httpd
[root@web ~]# echo "www.DMZ.web.com" > /var/www/html/index.html
[root@web ~]# vim /etc/ssh/sshd_config
Port 12345
[root@web ~]# systemctl restart sshd

4. Configure the intranet client

1) Configure the IP address and gateway

2) Test connectivity between the intranet client, the gateway server and the website server

3) Test whether the website server can be accessed successfully

5. Configure the public-network client

1) Configure the IP address and gateway

2) Test the interconnection of the whole network

3) Test whether the website server has been accessed successfully

6. Configure the public-network CentOS client

1) Change the hostname

[root@Centos04 ~]# hostnamectl set-hostname WAN_Web
[root@Centos04 ~]# bash

2) Configure the IP address and gateway, then restart the network service.

[root@wan_web ~]# systemctl restart network

3) View the configured IP address

[root@wan_web ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.30  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe16:c54b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:16:c5:4b  txqueuelen 1000  (Ethernet)
        RX packets 37  bytes 4898 (4.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84  bytes 13483 (13.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

4) View the gateway information

[root@wan_web ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.10  0.0.0.0         UG    100    0        0 ens32
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens32

II. Configure the firewalld firewall

1. Start firewalld

[root@web ~]# systemctl start firewalld
[root@web ~]# systemctl enable firewalld
success

2. Assign the gateway server's interfaces to zones

[root@firewalld ~]# firewall-cmd --change-interface=ens34 --zone=trusted
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@firewalld ~]# firewall-cmd --change-interface=ens35 --zone=dmz
The interface is under control of NetworkManager, setting zone to 'dmz'.
success

3. View the configuration and save it to file so that it becomes the permanent configuration

[root@firewalld ~]# firewall-cmd --get-active-zones
dmz
  interfaces: ens32
trusted
  interfaces: ens34
[root@firewalld ~]# firewall-cmd --runtime-to-permanent
success

4. Visit the website server from the enterprise intranet test machine: https can be accessed successfully, but http cannot.

5. Add TCP port 12345 to the external zone

[root@firewalld ~]# firewall-cmd --zone=external --add-port=12345/tcp --permanent
success

6. Remove the SSH service from the external zone

[root@firewalld ~]# firewall-cmd --zone=external --remove-service=ssh --permanent
success

7. Block ping in the external zone

[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-reply --permanent
success

8. Reload the firewall configuration and check the result of the previous steps

[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: echo-request echo-reply
  rich rules:
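Steps 5 to 8 are typed one command at a time and checked by eye. The script below is an added example, not part of the original post: it applies the same external-zone changes in one idempotent run (permanent configuration, then a single reload) and then checks a zone listing against the intended end state: SSH reachable only on 12345/tcp, the default ssh service gone, both ICMP echo types blocked, and masquerading still on so intranet clients keep their Internet access. The variable names FIREWALL_CMD, SSH_PORT and WAN_IF, the helper names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the external-zone
# hardening of steps 5-8 in one idempotent run, then verify the result by
# parsing the text of `firewall-cmd --zone=external --list-all`.
# Assumes the post's layout (ens32 in the external zone, SSH moved to
# 12345/tcp). FIREWALL_CMD, SSH_PORT and WAN_IF are this script's own
# variables; FIREWALL_CMD=echo dry-runs on a host without firewalld.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
SSH_PORT="${SSH_PORT:-12345}"
WAN_IF="${WAN_IF:-ens32}"

# Permanent configuration followed by a single reload, so the runtime set is
# never left half-applied. Re-running is harmless: firewalld reports
# ALREADY_ENABLED / NOT_ENABLED as warnings with exit status 0.
apply_external_zone() {
    "$FIREWALL_CMD" --permanent --zone=external --add-port="${SSH_PORT}/tcp" || return 1
    "$FIREWALL_CMD" --permanent --zone=external --remove-service=ssh || return 1
    "$FIREWALL_CMD" --permanent --zone=external --add-icmp-block=echo-request || return 1
    "$FIREWALL_CMD" --permanent --zone=external --add-icmp-block=echo-reply || return 1
    "$FIREWALL_CMD" --reload
}

# zone_field LISTING KEY: value of the "KEY: value" line of a zone listing
# (empty when the line is present but has no value; works for "rich rules" too).
zone_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, k) == 1) { sub(/^[^:]*:[ \t]*/, "", line); print line } }'
}

# has_word LIST WORD: true when WORD is one of the space-separated items of LIST.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# verify_external_listing < listing: exit 0 only when the zone matches the
# intended end state of steps 5-8; every deviation is printed.
verify_external_listing() {
    listing=$(cat)
    rc=0
    has_word "$(zone_field "$listing" interfaces)" "$WAN_IF" \
        || { echo "FAIL: $WAN_IF is not in the external zone"; rc=1; }
    has_word "$(zone_field "$listing" ports)" "${SSH_PORT}/tcp" \
        || { echo "FAIL: ${SSH_PORT}/tcp is not opened"; rc=1; }
    has_word "$(zone_field "$listing" services)" ssh \
        && { echo "FAIL: default ssh service (22/tcp) is still allowed"; rc=1; }
    for t in echo-request echo-reply; do
        has_word "$(zone_field "$listing" icmp-blocks)" "$t" \
            || { echo "FAIL: icmp $t is not blocked"; rc=1; }
    done
    [ "$(zone_field "$listing" masquerade)" = yes ] \
        || { echo "FAIL: masquerade is off; intranet clients lose Internet access"; rc=1; }
    return $rc
}

# Constructed sample of the listing the post shows after step 8 (offline use).
sample_external_listing() {
    cat <<'EOF'
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: echo-request echo-reply
  rich rules:
EOF
}

# Live use on the gateway:
#   apply_external_zone && firewall-cmd --zone=external --list-all | verify_external_listing
# Offline self-check of the verifier:
#   sample_external_listing | verify_external_listing
```

The verifier reads the listing from standard input, so the same function checks the live `firewall-cmd` output on the gateway or a saved copy of it in a ticket; a non-zero exit with the printed FAIL lines is what a configuration-drift job would alert on.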

Start testing the ssh connection below:

9. On the Internet test machine, connect through SSH to port 12345 at the external interface address of the gateway server

[root@wan_web ~]# ssh -p 12345 root@192.168.100.10
The authenticity of host '[192.168.100.10]:12345 ([192.168.100.10]:12345)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.100.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:
Last login: Wed Nov 27 02:27:01 2019 from 192.168.100.20
[root@firewalld ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg

10. Log in to port 12345 of the web server from the intranet test machine through SSH

The following tests the ping command:

11. Test that the website server rejects ping

[root@firewalld ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.10.100 icmp_seq=1 Destination Host Unreachable
From 192.168.10.100 icmp_seq=2 Destination Host Unreachable
From 192.168.10.100 icmp_seq=3 Destination Host Unreachable

12. Test that the gateway server rejects ping from the public network

[root@wan_web ~]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Prohibited
From 192.168.100.10 icmp_seq=2 Destination Host Prohibited
From 192.168.100.10 icmp_seq=3 Destination Host Prohibited
[root@wan_web ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Unreachable
From 192.168.100.10 icmp_seq=2 Destination Host Unreachable
From 192.168.100.10 icmp_seq=3 Destination Host Unreachable

III. Configure IP masquerading and port forwarding

1. Build a web service on the external-network test machine, to be used for testing

[root@wan_web ~]# yum -y install httpd mod_ssl
[root@wan_web ~]# systemctl start httpd
[root@wan_web ~]# systemctl enable httpd
[root@wan_web ~]# echo "WAN_Web.com" > /var/www/html/index.html

2. Both the internal test machine and the web server in the dmz zone can access the external-network website (if not, it may be a firewall problem on the public-network test machine: turn off that machine's firewall first, or allow the traffic of the related services)

[root@web ~]# curl http://192.168.100.30
WAN_Web.com

3. Check whether address masquerading is enabled in the external zone of the gateway server

[root@firewalld ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: echo-request echo-reply
  rich rules:

4. Enable IP masquerading only for source addresses in the 192.168.10.0/24 network segment

Disable the external zone's default address masquerading on the gateway server, and add a rich rule that masquerades only traffic entering the external zone with a source address in 192.168.10.0/24.

[root@firewalld ~]# firewall-cmd --remove-masquerade --zone=external
success
[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.10.0/24 masquerade'
success

Testing on the website server in the dmz zone, the extranet website can no longer be accessed, while the intranet test machine still can.

[root@web ~]# curl http://192.168.100.30
curl: (7) Failed connect to 192.168.100.30:80; No route to host

5. Configure port forwarding so that Internet users can access the internal web server

1) Configure

[root@firewalld ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.20.10
success

2) On the Internet test machine, access the intranet web server through the gateway server; the page is reached successfully.

IV. Implement port forwarding with rich rules

After the configuration above is complete, the company has applied for a new public IP address, 192.168.100.200, so port forwarding needs to be set up again for it.

1. Configure the newly applied public address 192.168.100.200 as a second IP address on the public interface ens32 of the gateway server

[root@firewalld ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.10
NETMASK=255.255.255.0
ZONE=external
PREFIX=24
IPADDR1=192.168.100.200
IPV4_FAILURE_FATAL=no
PREFIX1=24
IPV6INIT=no
UUID=152beb06-47c5-c5e8-95a9-385590654382
[root@firewalld ~]# systemctl restart network
[root@firewalld ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:97:5c:9f brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.10/24 brd 192.168.100.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet 192.168.100.200/24 brd 192.168.100.255 scope global secondary ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:5c9f/64 scope link
       valid_lft forever preferred_lft forever

2. Configure port forwarding using a rich rule

[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.100.200/32 forward-port port=443 protocol=tcp to-addr=192.168.20.10'
success

3. Access the website from the Internet test machine and check the result.
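As an added example (not the post's own commands), the script below generalizes sections III and IV: it removes the zone-wide masquerade, adds the source-scoped masquerade rich rule, and publishes the DMZ web server on every public address with a destination-scoped forward-port rich rule. The post uses a zone-wide --add-forward-port for the first address and a rich rule for the second; one destination-scoped rule per public address keeps each IP's forwarding explicit, and a zone-wide forward entry would also catch any address later added to ens32. Addresses are validated before they are interpolated into rule text, and a verifier checks a zone listing for the expected rules; firewalld prints rich rules back in the quoted form (rule family="ipv4" source address="..." masquerade), so the rules are generated in that form to allow exact matching. LAN_NET, DMZ_WEB, PUBLIC_IPS, FIREWALL_CMD, the helper names and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: source-scoped masquerade plus
# one destination-scoped forward-port rich rule per public address, the rule
# shapes of sections III and IV. Defaults are the post's lab addresses; all
# variable names are this script's own. FIREWALL_CMD=echo gives a dry run.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"                        # only source that may be masqueraded
DMZ_WEB="${DMZ_WEB:-192.168.20.10}"                          # real web server in the dmz zone
PUBLIC_IPS="${PUBLIC_IPS:-192.168.100.10 192.168.100.200}"   # addresses held on the external interface

# valid_ipv4 ADDR: dotted quad with an optional /0-32 prefix. Rule strings are
# built from these values, so nothing but an address may get into them.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { exit 1 }
        { n = split($1, o, "."); if (n != 4) exit 1
          for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1 }'
}

# Rich rules in the quoted form firewalld itself prints in --list-all, so the
# exact generated string can later be searched for in a listing.
masquerade_rule() {
    printf 'rule family="ipv4" source address="%s" masquerade' "$LAN_NET"
}
forward_rule() {   # forward_rule PUBLIC_IP
    printf 'rule family="ipv4" destination address="%s/32" forward-port port="443" protocol="tcp" to-addr="%s"' "$1" "$DMZ_WEB"
}

# apply_nat_rules: drop the blanket masquerade, then add the scoped rules as
# permanent configuration and reload once.
apply_nat_rules() {
    valid_ipv4 "$LAN_NET" || { echo "invalid LAN_NET: $LAN_NET" >&2; return 1; }
    valid_ipv4 "$DMZ_WEB" || { echo "invalid DMZ_WEB: $DMZ_WEB" >&2; return 1; }
    for ip in $PUBLIC_IPS; do
        valid_ipv4 "$ip" || { echo "invalid public IP: $ip" >&2; return 1; }
    done
    "$FIREWALL_CMD" --permanent --zone=external --remove-masquerade || return 1
    "$FIREWALL_CMD" --permanent --zone=external --add-rich-rule="$(masquerade_rule)" || return 1
    for ip in $PUBLIC_IPS; do
        "$FIREWALL_CMD" --permanent --zone=external --add-rich-rule="$(forward_rule "$ip")" || return 1
    done
    "$FIREWALL_CMD" --reload
}

# verify_nat_listing < listing: exit 0 only when the external zone carries
# exactly the scoped NAT shape above; deviations are printed.
verify_nat_listing() {
    listing=$(cat)
    rc=0
    printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*masquerade: no$' \
        || { echo "FAIL: zone-wide masquerade still on (every source, dmz included, is translated)"; rc=1; }
    printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*forward-ports:[[:space:]]*$' \
        || { echo "FAIL: zone-wide forward-port present; it matches every public address"; rc=1; }
    printf '%s\n' "$listing" | grep -Fq -- "$(masquerade_rule)" \
        || { echo "FAIL: scoped masquerade rule for $LAN_NET missing"; rc=1; }
    for ip in $PUBLIC_IPS; do
        printf '%s\n' "$listing" | grep -Fq -- "$(forward_rule "$ip")" \
            || { echo "FAIL: no 443/tcp forward for $ip -> $DMZ_WEB"; rc=1; }
    done
    return $rc
}

# Constructed sample of the listing after the rules above are applied.
sample_nat_listing() {
    cat <<'EOF'
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request echo-reply
  rich rules:
	rule family="ipv4" source address="192.168.10.0/24" masquerade
	rule family="ipv4" destination address="192.168.100.10/32" forward-port port="443" protocol="tcp" to-addr="192.168.20.10"
	rule family="ipv4" destination address="192.168.100.200/32" forward-port port="443" protocol="tcp" to-addr="192.168.20.10"
EOF
}

# Live use on the gateway:
#   apply_nat_rules && firewall-cmd --zone=external --list-all | verify_nat_listing
# Offline self-check of the verifier:
#   sample_nat_listing | verify_nat_listing
```

The verifier insists on `masquerade: no` and an empty `forward-ports:` line on purpose: with the post's zone-wide entries left in place, traffic from the dmz zone would also be translated and any future address on ens32 would be forwarded too, which is exactly what the scoped rich rules are meant to prevent.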
