Experimental topology map
p>
Experimental requirements
1. Intranet users of the company need to share the Internet through the gateway server
2. Internet users need to access the web server
3. Only 192.168.10 is allowed .0/24ping gateway and server
4. Both the website server and gateway server are managed remotely through SSH. For security, the SSH default port is changed to 12345, only 192.168.10.10 host SSH gateway and server are allowed, and the Internet SSH is allowed inside Server
Experimental environment
1. Gateway server: Centos7 -1
2. Enterprise intranet test machine: Centos7 -2
3 .Web server: Centos7 -3
4. Internet test machine: Centos7 -4
1, configure the network card and address of the gateway server
1) in the gateway The server creates 3 NICs, which are static, NIC 1 is bound to VMnet1, which is the trusted zone, NIC 2 is bound to VMnet2, which is the DMZ zone, and NIC 3 is bound to VMnet3. It is the external zone.
2) Configure the gateway address of each network card
ens33 network card
[[emailprotected] ~ ]# vim /etc/sysconfig/network- scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=88cf4975-29cf4975 -4041-9cb0-456a56d1fddb
DEVICE=ens33
ONBOOT=yes
IPADDR=100.1.1.10 ##Set gateway address
NETMASK=255.255.255.0 ##Set subnet mask
ens36 network card
[[email protected] ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens36
TYPE= Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_Atable_GEN privacy
NAME=ens36 ##Here you want to modify the network card to 36 and delete the UUID
DEVICE=ens36
ONBOOT=yes
IPADDR=192.168.10.1 ##Gateway address and subnet Mask
NETMASK=255.255.255.0
ens37 network card
[[emailprotected] ~ ]# vim /etc/sysconfig/network- scripts/ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37 ##This needs to be modified to 37, UUID should be deleted
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.20.1 ##Set gateway address, subnet mask
NETMASK=255.255.255.0
< h4>3) open Enable routing and forwarding function
[[emailprotected] ~]# vim /etc/sysctl.conf
...... //Omit the comment content
net.ipv4.ip_forward = 1 //Add this entry
[[email protected] network-scripts]# sysctl -p //Load sysctl configuration file
net.ipv4.ip_forward = 1
2 , Configure the address and gateway of the intranet test machine in the internal trust zone
1) Bind the network card to vmnet3 (host mode only)
2) Configure ip address and gateway
[[emailprotected] ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[[emailprotected] ]#service network restart //Restart network services
3, configure the address and gateway of the DMZ zone website server, and Open website service
1) Install http service in nat mode
[[emailprotected] ~]# yum install httpd -y
2) Binding Network card vmnet3 (host mode only)
3) Configure ip address and gateway
[[emailprotected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE =Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static //Change dhcp to static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT= yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_ GEN_MODE=stable-privacy
NAME=ens33
UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.20.20 //IP address
NETMASK=255.255.255.0 //Subnet mask
GATEWAY=192.168.20.1 //Gateway
[[emailprotected] ~]# service network restart //Restart the network Services
4) Open website services and edit web content
[[email protected] ~]# vim /var/www/html/index.html
[[email protected] ~]# cat /var/www/html/index.html
this is dmz web
[[emailprotected] html]# systemctl start httpd
4. Configure firewall policies on the DMZ zone website server
[[emailprotected] ~]# firewall-cmd --set-default-zone=dmz
success
[[email protected] ~]# firewall-cmd --add-service=http --zone=dmz --permanent
//Change the default zone of the firewall to the dmz zone
success
[[email protected] ~]# firewall-cmd --remove-service=ssh --zone=dmz --permanent
//Add http service to dmz zone permanent settings
success
[[email Protected] ~]# f irewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
//Ssh is prohibited for login
success
[[emailprotected] ~]# firewall-cmd --reload
//Reload the firewall
success
5, the address of the network card of the Internet test machine in the external zone, and start the website service
< h4>1) Install http service in nat mode
[[email protected] ~]# yum install httpd -y
2) Bind the network card to vmnet1 (host mode only)
3) Configure ip address and gateway
[[emailprotected] ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static //Change dhcp to static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_Atable_GEN privacy
NAME=ens33
UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70
DEVICE=ens33
ONBOOT=yes
IPADDR=100.1.1.20 //IP address
NETMASK=255.255.255.0 //Subnet mask
GATEWAY=100.1.1.10 //Gateway
[[emailprotected] ~]# service network restart //Restart network service
4) Turn on the website service and turn off the firewall
[[emailprotected] ~]# systemctl stop firewalld.service //Turn off the firewall
[[emailprotected] ~]# setenforce 0
[[emailprotected] ~]# systemctl start httpd //Open http service
[[emailprotected] ~]# vim /var/www/html/index.html //Configure web content
this is external web
6, configure the firewall policy on the gateway server
[[emailprotected] ~]# firewall-cmd --set-default- zone=external
//Change the firewall default zone to external
success
[[emailprotected] ~]# firewall-cmd --change-interface=ens36 --zone=trusted - permanent
//Set the ens36 network card as a trusted zone
The interface is under control of NetworkManager, setting zone to'trusted'.
success
[[emailprotected] ~]# firewall-cmd --change-interface=ens37 --zone=dmz --permanent
//Set the ens37 network card to the dmz zone
The interface is under control of NetworkManager, setting zone to'dmz'.
success
[[emailprotected] ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent
//Ssh login is prohibited in the dmz zone
success
[[emailprotected] ~]# firewall -cmd --zone=dmz --add-service=http --permanent
//Add http service in dmz zone
success
[[emailprotected] ~]# firewall-cmd- -zone=dmz --add-icmp-block=echo-request --permanent
//Blocking the icmp protocol in the dmz zone
success
[[emailprotected] ~]# firewall-cmd --zone=external --add-service=http --permanent
//Add http service in external zone
success
[[emailprotected] ~]# firewall-cmd --reload
//Reload the firewall
success
7, use the corporate intranet test machine to verify the website server and the website provided by the Internet test machine
8, configure port conversion on the gateway server
[[emailprotected] ~]# firewall-cmd- -zone=external --add-forward port=port=80:proto=tcp:toaddr=192.168.20.20 --permanent
//Set port mapping
success
[[emailprotected] ~]# firewall-cmd --reload //Reload the firewall
success