IP address masquerading and port forwarding

2025-02-27 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report

For the basic configuration of the firewall, see the blog post: Introduction to the CentOS 7 firewalld firewall, to ensure the security of the Linux system.

For firewalld IP masquerading and port forwarding, see the blog post: Configuring address masquerading and port forwarding with the firewalld firewall, to ensure the security of the Linux system.

Case environment:

[Figure: case environment (image not reproduced)]

Requirements description:

The gateway server's intranet network card ens33 has the address 192.168.1.1 and is assigned to the firewalld trusted zone.

The gateway server's network card ens37, which connects to the website server, has the address 192.168.2.1 and is assigned to the dmz zone.

The gateway server's Internet-facing network card ens38 has the address 192.168.3.1, which stands in for the public IP address, and is assigned to the external zone.

Both the website server and the gateway server are managed remotely over SSH; for security, the default SSH port is changed to 12345.

The website server enables HTTPS and filters out unencrypted HTTP traffic.

The website server rejects ping tests, and the gateway server rejects ping tests from the Internet.

The company's intranet users need to share Internet access through the gateway server.

Internet users need to be able to access the website server.

Operation steps

1. Basic environment configuration
2. Build the DMZ website server environment and start the service
3. Start and configure the firewalld policy on the DMZ website server
4. Build the Internet-side test website, start its service and set firewall rules
5. Configure the firewalld policy on the gateway server
6. Configure IP masquerading and port forwarding

Case implementation

1. Basic environment configuration

(1) Confirm the gateway server's addresses

[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::46cb:a832:aea4:7b65  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:11:89  txqueuelen 1000  (Ethernet)
        RX packets 158  bytes 46815 (45.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31  bytes 4270 (4.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::8e69:6ed5:da33:fda4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:11:93  txqueuelen 1000  (Ethernet)
        RX packets 104  bytes 27490 (26.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 189  bytes 31923 (31.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# ifconfig ens38
ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.1  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::5348:53e2:b3bc:d35b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:11:9d  txqueuelen 1000  (Ethernet)
        RX packets 101  bytes 27238 (26.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 188  bytes 31304 (30.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

(2) Enable the routing (IP forwarding) function on the gateway server

[root@localhost ~]# vim /etc/sysctl.conf
...                        // other contents omitted; add the following line
net.ipv4.ip_forward = 1

[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1

(3) Configure the IP address and gateway of the website server in the DMZ zone

[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::8744:c79c:521f:823f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:2b:56:b5  txqueuelen 1000  (Ethernet)
        RX packets 114  bytes 34398 (33.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 4162 (4.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 ens33

(4) Configure the IP address and gateway of the Internet test website server

[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.2  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::7c8b:1ec0:7e4d:ac6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:98:41:ac  txqueuelen 1000  (Ethernet)
        RX packets 113  bytes 31388 (30.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 4541 (4.4 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    100    0        0 ens33

(5) Configure the IP address and gateway of the internal client

[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::9bb5:2c48:1095:d75a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:76:60  txqueuelen 1000  (Ethernet)
        RX packets 106  bytes 29223 (28.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31  bytes 4349 (4.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 ens33

2. Build the DMZ website server environment and start the service

(1) Enable the firewalld firewall

[root@localhost ~]# systemctl start firewalld

(2) Build the httpd service

[root@localhost ~]# yum -y install httpd            // the website is accessed over plain HTTP
[root@localhost ~]# yum -y install httpd mod_ssl    // mod_ssl lets the website be accessed over HTTPS
[root@localhost ~]# systemctl start httpd           // start the httpd service

(3) Change the listening port of SSH (it is recommended to turn off SELinux before restarting the service)

[root@localhost ~]# vim /etc/ssh/sshd_config
...                        // other contents omitted; modify the following line
Port 12345

[root@localhost ~]# setenforce 0              // temporarily put SELinux in permissive mode so sshd can bind the non-default port
[root@localhost ~]# systemctl restart sshd    // restart the ssh service

3. Start and configure the firewalld policy on the DMZ website server

(1) Set the firewall's default zone to the dmz zone

[root@localhost ~]# firewall-cmd --set-default-zone=dmz
success

(2) Add the required services and ports to the dmz zone

[root@localhost ~]# firewall-cmd --zone=dmz --add-service=https
success
[root@localhost ~]# firewall-cmd --zone=dmz --add-port=12345/tcp
success

(3) Block ping tests

[root@localhost ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request
success

(4) Remove the default ssh service

[root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh
success

(5) Save the current firewall configuration

[root@localhost ~]# firewall-cmd --runtime-to-permanent    // convert the runtime configuration into the permanent configuration
success
[root@localhost ~]# firewall-cmd --list-all --zone=dmz     // view and confirm the configuration
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: https
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks: echo-request
  rich rules:

4. Build the Internet-side test website, start its service and set firewall rules

For the build method, refer to steps 2 and 3.

5. Configure the firewalld policy on the gateway server

(1) Enable the firewall

[root@localhost ~]# systemctl start firewalld

(2) Set the default zone to the external zone

[root@localhost ~]# firewall-cmd --set-default-zone=external
success

(3) Assign each network card to its designated zone

[root@localhost ~]# firewall-cmd --change-interface=ens33 --zone=trusted
success
[root@localhost ~]# firewall-cmd --change-interface=ens37 --zone=dmz
success
// ens38 is not assigned explicitly and stays in the default zone, external

(4) Save the configuration and confirm the active zones

[root@localhost ~]# firewall-cmd --runtime-to-permanent
success
[root@localhost ~]# firewall-cmd --get-active-zones
dmz
  interfaces: ens37
external
  interfaces: ens38
trusted
  interfaces: ens33

(5) The internal client accesses the website server

[Screenshot of the test result (image not reproduced)]

(6) Change the listening port of the ssh service

[root@localhost ~]# vim /etc/ssh/sshd_config
...                        // other contents omitted; modify the following line
Port 12345

[root@localhost ~]# setenforce 0              // temporarily put SELinux in permissive mode
[root@localhost ~]# systemctl restart sshd    // restart the ssh service

(7) In the external zone, add TCP port 12345 and remove the ssh service

[root@localhost ~]# firewall-cmd --zone=external --add-port=12345/tcp
success
[root@localhost ~]# firewall-cmd --zone=external --remove-service=ssh
success

(8) Block ping tests in the external zone and save the permanent configuration

[root@localhost ~]# firewall-cmd --zone=external --add-icmp-block=echo-request
success
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success

(9) The Internet test server connects to the gateway server over SSH

[root@localhost ~]# ssh -p 12345 192.168.3.1
The authenticity of host '[192.168.3.1]:12345 ([192.168.3.1]:12345)' can't be established.
ECDSA key fingerprint is b2:4e:e8:f9:23:9f:85:dc:54:87:97:eb:15:cc:b0:48.
Are you sure you want to continue connecting (yes/no)?

(10) The internal client connects to the DMZ website server over SSH

[root@localhost ~]# ssh -p 12345 192.168.2.2
The authenticity of host '[192.168.2.2]:12345 ([192.168.2.2]:12345)' can't be established.
ECDSA key fingerprint is 25:54:5c:d5:ce:e1:04:9f:25:19:be:73:ce:93:86:54.
Are you sure you want to continue connecting (yes/no)?

6. Configure IP masquerading and port forwarding on the gateway server

IP masquerading is already enabled by default in the external zone.

(1) Remove the zone-wide IP masquerade from the external zone and enable it with a rich rule instead, limited to the intranet source range

[root@localhost ~]# firewall-cmd --remove-masquerade --zone=external
success
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success

(2) The DMZ website server tests access to the Internet test website

[Screenshot of the test result (image not reproduced)]

(3) Configure port forwarding so the Internet test website can reach the website server in the dmz zone (plain forward-port rule)

[root@localhost ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.2
success
// the gateway server forwards the Internet test machine's requests to the website server in the dmz zone

(4) Test

[Screenshot of the test result (image not reproduced)]

(5) Configure port forwarding so the Internet test website can reach the website server in the dmz zone (rich rule)

A temporary IP address (192.168.3.100, the destination address used in the rule) needs to be configured on the ens38 network card first.

[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.3.100 forward-port port=443 protocol=tcp to-addr=192.168.2.2'
success

(6) Test

[Screenshot of the test result (image not reproduced)]
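The zone listings in step 3 (dmz zone on the website server) and the external zone built up in steps 5 and 6 on the gateway are normally compared against the requirements by eye. The following POSIX shell script, added here as an example and not part of the original post, does that comparison automatically: it parses the text of firewall-cmd --list-all --zone=<zone> and checks each requirement of the case (HTTPS allowed, no plain HTTP, default ssh service removed, 12345/tcp open, echo-request blocked, zone-wide masquerade off with NAT limited to 192.168.1.0/24 by the rich rule, and 443/tcp forwarded to 192.168.2.2). The two listings embedded in the script are constructed samples of what the zones should look like after the steps; the forward-ports line follows firewalld's port=...:proto=...:toport=...:toaddr=... display format and the rich rule uses the quoted form firewalld prints, both assumed here. The function names (zone_field, has_item, has_line, expect, forbid, check_dmz_policy, check_gateway_policy) are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone listing
# against the policy this case requires. Each check function takes the text of
#   firewall-cmd --list-all --zone=<zone>
# as its argument, so it can run offline against a captured listing.

# Constructed sample listing: the dmz zone on the website server after step 3.
DMZ_OK='dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: https
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks: echo-request
  rich rules:'

# Constructed sample listing: the external zone on the gateway after step 6
# (display format of forward-ports and rich rules assumed).
EXTERNAL_OK='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens38
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=:toaddr=192.168.2.2
  sourceports:
  icmp-blocks: echo-request
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" masquerade'

# zone_field LISTING FIELD: print the value after "FIELD:" (empty if blank)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_item LISTING FIELD ITEM: succeed if ITEM is one of FIELD's space-separated values
has_item() {
    for w in $(zone_field "$1" "$2"); do
        [ "$w" = "$3" ] && return 0
    done
    return 1
}

# has_line LISTING TEXT: succeed if some line of the listing contains TEXT literally
has_line() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# expect LABEL CMD...: the check must succeed; prints PASS/FAIL, returns 1 on failure
expect() {
    label="$1"; shift
    if "$@"; then echo "PASS: $label"; return 0; fi
    echo "FAIL: $label"; return 1
}

# forbid LABEL CMD...: the check must fail (the item must be absent)
forbid() {
    label="$1"; shift
    if "$@"; then echo "FAIL: $label"; return 1; fi
    echo "PASS: $label"; return 0
}

# check_dmz_policy LISTING: website server requirements; returns the number of failures
check_dmz_policy() {
    l="$1"; fails=0
    expect "https service allowed"        has_item "$l" services https             || fails=$((fails+1))
    forbid "plain http not allowed"       has_item "$l" services http              || fails=$((fails+1))
    forbid "default ssh service removed"  has_item "$l" services ssh               || fails=$((fails+1))
    expect "ssh on 12345/tcp opened"      has_item "$l" ports 12345/tcp            || fails=$((fails+1))
    expect "ping (echo-request) blocked"  has_item "$l" icmp-blocks echo-request   || fails=$((fails+1))
    return $fails
}

# check_gateway_policy LISTING: external zone requirements; returns the number of failures
check_gateway_policy() {
    l="$1"; fails=0
    forbid "default ssh service removed"  has_item "$l" services ssh               || fails=$((fails+1))
    expect "ssh on 12345/tcp opened"      has_item "$l" ports 12345/tcp            || fails=$((fails+1))
    expect "ping from the Internet blocked" has_item "$l" icmp-blocks echo-request || fails=$((fails+1))
    # zone-wide NAT must be off; only the intranet range gets NAT through the rich rule
    forbid "zone-wide masquerade off"     has_item "$l" masquerade yes             || fails=$((fails+1))
    expect "masquerade limited to 192.168.1.0/24" \
        has_line "$l" 'source address="192.168.1.0/24" masquerade'                  || fails=$((fails+1))
    expect "443/tcp forwarded to 192.168.2.2" \
        has_line "$l" 'port=443:proto=tcp:toport=:toaddr=192.168.2.2'               || fails=$((fails+1))
    return $fails
}

# Audit the constructed listings when the script is run directly.
check_dmz_policy "$DMZ_OK"
check_gateway_policy "$EXTERNAL_OK"
```

On a live host, run check_dmz_policy "$(firewall-cmd --list-all --zone=dmz)" on the website server and check_gateway_policy "$(firewall-cmd --list-all --zone=external)" on the gateway; the exit status is the number of unmet requirements, which makes the script usable as a post-change check from cron or configuration management. The rich-rule and forward-port checks are literal matches: they confirm the intended rule is present, not that no other rule exists alongside it, so a full review still reads the whole listing.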
