Firewalld firewall advanced configuration (hands-on)

Experimental topology map


Experimental requirements

1. Intranet users of the company need to share Internet access through the gateway server
2. Internet users need to access the web server
3. Only 192.168.10.0/24 is allowed to ping the gateway and the server
4. Both the website server and the gateway server are managed remotely through SSH. For security, the default SSH port is changed to 12345; only the host 192.168.10.10 is allowed to SSH to the gateway and the server, and SSH from the Internet into the server is allowed

Experimental environment

1. Gateway server: CentOS 7-1
2. Enterprise intranet test machine: CentOS 7-2
3. Web server: CentOS 7-3
4. Internet test machine: CentOS 7-4

1. Configure the network cards and addresses of the gateway server

1) Create three NICs on the gateway server, all with static addresses. NIC 1 is bound to VMnet1 (the trusted zone), NIC 2 to VMnet2 (the DMZ zone), and NIC 3 to VMnet3 (the external zone).


2) Configure the gateway address of each network card

ens33 network card

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=88cf4975-29cf4975 -4041-9cb0-456a56d1fddb
DEVICE=ens33
ONBOOT=yes
IPADDR=100.1.1.10 ##Set gateway address
NETMASK=255.255.255.0 ##Set subnet mask

ens36 network card

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens36
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36 ##Change the name to ens36 here and delete the UUID line (this file was copied from ifcfg-ens33)
DEVICE=ens36
ONBOOT=yes
IPADDR=192.168.10.1 ##Gateway address for the intranet segment
NETMASK=255.255.255.0

ens37 network card

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37 ##Change the name to ens37 here and delete the UUID line
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.20.1 ##Set gateway address, subnet mask
NETMASK=255.255.255.0

3) Enable routing and forwarding

[[email protected] ~]# vim /etc/sysctl.conf
...... //Comment lines omitted
net.ipv4.ip_forward = 1 //Add this entry
[[email protected] network-scripts]# sysctl -p //Load the sysctl configuration file
net.ipv4.ip_forward = 1
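The three ifcfg files above are near-identical copies, and the page's own note (rename to ens36/ens37, delete the UUID) is the kind of step that gets missed. The following is an added example, not part of the original post and not a CentOS tool: a small Python checker that parses ifcfg-style KEY=VALUE files and the sysctl line, and reports the mistakes this section warns about. The sample file contents are constructed from the page's values (the UUIDs are placeholders); the sample deliberately leaves the copied UUID in ifcfg-ens36 so the check has something to find.

```python
"""Sanity checks for the gateway's ifcfg-* files and the sysctl forwarding line.

Added example, not part of the original post and not a CentOS tool.  The file
contents are constructed from the values on the page (placeholder UUIDs); the
checks are this example's own: NAME/DEVICE match the file suffix, static
addressing with a parseable IPADDR/NETMASK, ONBOOT=yes, no UUID shared between a
copied file and its source, and net.ipv4.ip_forward = 1.
"""
from ipaddress import IPv4Address

# Constructed sample: ens36 was copied from ens33 and its UUID line was NOT
# deleted, which is exactly the mistake the page's "delete the UUID" note targets.
IFCFG_FILES = {
    "ifcfg-ens33": (
        "TYPE=Ethernet\nBOOTPROTO=static\nNAME=ens33\n"
        "UUID=00000000-0000-4000-8000-000000000033\n"  # placeholder UUID
        "DEVICE=ens33\nONBOOT=yes\n"
        "IPADDR=100.1.1.10 ##Set gateway address\nNETMASK=255.255.255.0\n"
    ),
    "ifcfg-ens36": (
        "TYPE=Ethernet\nBOOTPROTO=static\nNAME=ens36\n"
        "UUID=00000000-0000-4000-8000-000000000033\n"  # stale copy of the ens33 UUID
        "DEVICE=ens36\nONBOOT=yes\nIPADDR=192.168.10.1\nNETMASK=255.255.255.0\n"
    ),
    "ifcfg-ens37": (
        "TYPE=Ethernet\nBOOTPROTO=static\nNAME=ens37\nDEVICE=ens37\nONBOOT=yes\n"
        "IPADDR=192.168.20.1\nNETMASK=255.255.255.0\n"
    ),
}
SYSCTL_OK = "net.ipv4.ip_forward = 1 //Add this entry\n"


def parse_kv(text):
    """Parse KEY=VALUE lines, dropping the '#' and '//' inline notes the page uses."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("//", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def check_nic(filename, conf):
    """Per-file checks; returns a list of human-readable findings (empty = clean)."""
    findings = []
    iface = filename[len("ifcfg-"):]
    for key in ("NAME", "DEVICE"):
        if conf.get(key) != iface:
            findings.append(f"{filename}: {key}={conf.get(key)!r} does not match interface {iface}")
    if conf.get("BOOTPROTO") != "static":
        findings.append(f"{filename}: BOOTPROTO should be static on a gateway NIC")
    if conf.get("ONBOOT") != "yes":
        findings.append(f"{filename}: ONBOOT is not yes, the NIC will not come up at boot")
    for key in ("IPADDR", "NETMASK"):
        try:
            IPv4Address(conf.get(key, ""))
        except ValueError:
            findings.append(f"{filename}: {key} missing or not an IPv4 address")
    return findings


def check_uuids(parsed):
    """Flag a UUID that appears in two files: a copied ifcfg must have its UUID removed."""
    seen, findings = {}, []
    for filename, conf in parsed.items():
        uuid = conf.get("UUID")
        if uuid and uuid in seen:
            findings.append(f"{filename}: UUID duplicated from {seen[uuid]}; delete it in the copy")
        elif uuid:
            seen[uuid] = filename
    return findings


def check_ip_forward(sysctl_text):
    """True when net.ipv4.ip_forward = 1 is present (same KEY=VALUE shape as ifcfg)."""
    return parse_kv(sysctl_text).get("net.ipv4.ip_forward") == "1"


def audit(files, sysctl_text):
    """Run every check over a {filename: contents} mapping plus the sysctl text."""
    parsed = {name: parse_kv(text) for name, text in files.items()}
    findings = []
    for name, conf in parsed.items():
        findings += check_nic(name, conf)
    findings += check_uuids(parsed)
    if not check_ip_forward(sysctl_text):
        findings.append("sysctl: net.ipv4.ip_forward is not 1; the gateway will not route")
    return findings


if __name__ == "__main__":
    for finding in audit(IFCFG_FILES, SYSCTL_OK):
        print(finding)
```

On a real gateway the mapping would be filled from `/etc/sysconfig/network-scripts/ifcfg-*` and the sysctl text from `/etc/sysctl.conf`; the checks themselves do not change.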

2. Configure the address and gateway of the intranet test machine in the internal trusted zone

1) Bind the network card to VMnet3 (host-only mode)

2) Configure the IP address and gateway

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[[email protected] ~]# service network restart //Restart the network service

3. Configure the address and gateway of the DMZ zone website server and start the website service

1) Install the http service (with the NIC still in NAT mode, so yum can download packages)

[[emailprotected] ~]# yum install httpd -y

2) Bind the network card to VMnet3 (host-only mode)

3) Configure ip address and gateway

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static //Change dhcp to static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.20.20 //IP address
NETMASK=255.255.255.0 //Subnet mask
GATEWAY=192.168.20.1 //Gateway
[[email protected] ~]# service network restart //Restart the network service

4) Start the website service and edit the web content

[[email protected] ~]# vim /var/www/html/index.html
[[email protected] ~]# cat /var/www/html/index.html
this is dmz web
[[email protected] html]# systemctl start httpd

4. Configure the firewall policy on the DMZ zone website server

[[email protected] ~]# firewall-cmd --set-default-zone=dmz
//Change the firewall's default zone to dmz
success
[[email protected] ~]# firewall-cmd --add-service=http --zone=dmz --permanent
//Add the http service to the dmz zone (permanent setting)
success
[[email protected] ~]# firewall-cmd --remove-service=ssh --zone=dmz --permanent
//Remove the ssh service so SSH login is refused
success
[[email protected] ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
//Block ICMP echo requests (ping) in the dmz zone
success
[[email protected] ~]# firewall-cmd --reload
//Reload the firewall so the permanent settings take effect
success

5. Configure the network card address of the Internet test machine in the external zone and start the website service

1) Install the http service (with the NIC still in NAT mode, so yum can download packages)

[[email protected] ~]# yum install httpd -y

2) Bind the network card to VMnet1 (host-only mode)

3) Configure ip address and gateway

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static //Change dhcp to static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70
DEVICE=ens33
ONBOOT=yes
IPADDR=100.1.1.20 //IP address
NETMASK=255.255.255.0 //Subnet mask
GATEWAY=100.1.1.10 //Gateway
[[email protected] ~]# service network restart //Restart the network service

4) Start the website service and turn off the firewall

[[email protected] ~]# systemctl stop firewalld.service //Stop the firewall
[[email protected] ~]# setenforce 0 //Switch SELinux to permissive mode
[[email protected] ~]# systemctl start httpd //Start the http service
[[email protected] ~]# vim /var/www/html/index.html //Edit the web content

this is external web

6. Configure the firewall policy on the gateway server

[[email protected] ~]# firewall-cmd --set-default-zone=external
//Change the firewall's default zone to external
success
[[email protected] ~]# firewall-cmd --change-interface=ens36 --zone=trusted --permanent
//Put the ens36 network card in the trusted zone
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[[email protected] ~]# firewall-cmd --change-interface=ens37 --zone=dmz --permanent
//Put the ens37 network card in the dmz zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[[email protected] ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent
//SSH login is refused in the dmz zone
success
[[email protected] ~]# firewall-cmd --zone=dmz --add-service=http --permanent
//Add the http service to the dmz zone
success
[[email protected] ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
//Block ICMP echo requests (ping) in the dmz zone
success
[[email protected] ~]# firewall-cmd --zone=external --add-service=http --permanent
//Add the http service to the external zone
success
[[email protected] ~]# firewall-cmd --reload
//Reload the firewall so the permanent settings take effect
success

7. Use the corporate intranet test machine to verify the website on the DMZ web server and the website served by the Internet test machine

8. Configure port forwarding on the gateway server

[[email protected] ~]# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=192.168.20.20 --permanent
//Map port 80 arriving in the external zone to the DMZ web server
success
[[email protected] ~]# firewall-cmd --reload //Reload the firewall
success
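It is easy to lose track of what sections 4, 6 and 8 add up to, so here is an added example (not part of the original post, and not firewalld's own code): a Python model of the zone state those firewall-cmd commands produce, combined with the defaults those zones ship with in firewalld (trusted: target ACCEPT; dmz and external: the ssh service; external: masquerade), and a replay of the four experimental requirements against it. The evaluation order and the restriction to per-zone inbound checks (no FORWARD-chain modelling) are simplifications assumed by this example. Running it reports requirements 1 and 2 as satisfied and 3 and 4 as not: none of the commands shown blocks echo requests in the external zone or removes ssh from it, the dmz block also refuses pings from the intranet, and no command changes the SSH port to 12345 or limits SSH to 192.168.10.10.

```python
"""Toy model of the firewalld zone policy built on this page.

Added example, not part of the original post and not firewalld code.  It encodes
the zone state the firewall-cmd commands produce on the gateway (section 6 and
8) and on the DMZ web server (section 4), plus the defaults those zones ship
with in firewalld.  The rule order below is this example's simplification.
"""
from dataclasses import dataclass, field

SERVICE_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80)}


@dataclass
class Zone:
    name: str
    target: str = "default"                 # "ACCEPT" (trusted) or "default" (reject unmatched)
    services: set = field(default_factory=set)
    icmp_blocks: set = field(default_factory=set)
    forward_ports: list = field(default_factory=list)   # (proto, port, toaddr) tuples
    masquerade: bool = False


@dataclass
class Packet:
    src: str
    proto: str                              # "tcp" or "icmp"
    dport: int = 0
    icmp_type: str = ""


def evaluate(zone, pkt):
    """Verdict for a new inbound packet that firewalld has assigned to `zone`."""
    for proto, port, toaddr in zone.forward_ports:      # DNAT is applied before INPUT
        if (pkt.proto, pkt.dport) == (proto, port):
            return f"forward to {toaddr}:{port}"
    if pkt.proto == "icmp" and pkt.icmp_type in zone.icmp_blocks:
        return "reject"
    if zone.target == "ACCEPT":
        return "accept"
    if pkt.proto == "icmp":
        return "accept"                                   # unblocked ICMP passes in default-target zones
    if any(SERVICE_PORTS[s] == (pkt.proto, pkt.dport) for s in zone.services):
        return "accept"
    return "reject"


def gateway_zones():
    """Gateway zones after sections 6 and 8: ens36=trusted, ens37=dmz, ens33=external."""
    return {
        "trusted": Zone("trusted", target="ACCEPT"),
        "dmz": Zone("dmz", services={"http"}, icmp_blocks={"echo-request"}),
        "external": Zone("external", services={"ssh", "http"}, masquerade=True,
                         forward_ports=[("tcp", 80, "192.168.20.20")]),
    }


def dmz_server_zone():
    """Default zone on the web server after section 4: ssh removed, http added, ping blocked."""
    return Zone("dmz", services={"http"}, icmp_blocks={"echo-request"})


def check_requirements():
    """Replay the four lab requirements against the modelled state; True = satisfied."""
    gw, web = gateway_zones(), dmz_server_zone()
    intranet, internet = "192.168.10.10", "100.1.1.20"   # addresses from the page

    def ping(zone, src):
        return evaluate(zone, Packet(src, "icmp", icmp_type="echo-request"))

    return {
        # 1: intranet -> Internet: trusted accepts everything, external masquerades
        "1 intranet shares internet": gw["trusted"].target == "ACCEPT" and gw["external"].masquerade,
        # 2: Internet -> web: port 80 on external is forwarded and the server's dmz zone serves http
        "2 internet reaches web": evaluate(gw["external"], Packet(internet, "tcp", 80)).startswith("forward")
        and evaluate(web, Packet(internet, "tcp", 80)) == "accept",
        # 3: only 192.168.10.0/24 may ping the gateway and the server
        "3 ping restricted": ping(gw["trusted"], intranet) == "accept"
        and ping(gw["external"], internet) == "reject"
        and ping(web, intranet) == "accept",
        # 4: SSH only on 12345 from 192.168.10.10; nothing on the page configures this,
        #    and the external zone still ships with the ssh service
        "4 ssh restricted": evaluate(gw["external"], Packet(internet, "tcp", 22)) == "reject",
    }


if __name__ == "__main__":
    for requirement, ok in check_requirements().items():
        print(f"{'OK  ' if ok else 'FAIL'} {requirement}")
```

The model is only as good as the state typed into it; on a live host the same comparison should be made against `firewall-cmd --zone=<zone> --list-all` output rather than against memory.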

9. Use the Internet test machine to access the DMZ website server; you can see that the source address has been converted

Thank you for reading!
