Firewalld firewall advanced configuration - (real world chapter!!)

Experimental topology Experimental requirement 1. Intranet users of the company need to share the Internet through the gateway server2. Internet user...
1. Configure the network card and address of the gateway server
2. Configure the address and gateway of the intranet tester in the internal trust zone
3. Configure the address and gateway of DMZ regional website server, and start the website service
4. Configure firewall policy on DMZ regional website server
5. Address of the network card of the Internet tester in the external area, and start the website service
6. Configure the firewall policy on the gateway server
7. Use intranet tester to verify website server and website provided by Internet tester
8. Configure port conversion on gateway server
9. Use the Internet tester to visit the DMZ website server, and you can see that the source address has been converted.
Experimental topology

Experimental requirement

1. Intranet users of the company need to share the Internet through the gateway server
2. Internet users need to visit the website server
3. Only 192.168.10.0/24ping gateway and server are allowed.
4. The website server and gateway server are managed remotely through SSH. For security, the SSH default port is changed to 12345, only the 192.168.10.10 host SSH gateway and server are allowed, and the Internet SSH internal server is allowed.

Experimental environment

1. Gateway server: centos7-1
2. Enterprise intranet tester: centos7-2
3. Website server: centos7-3
4.Internet tester: Centos7 -4

1. Configure the network card and address of the gateway server

1) create three network cards in the gateway server and do static work. The network card 1 is bound to VMnet1, which is the trust zone, the network card 2 is bound to VMnet2, which is the DMZ zone, and the network card 3 is bound to VMnet3. Which is the external zone.

2) configure the gateway address of each network card

ens33 NIC

[root@localhost ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens33 UUID=88cf4975-29b8-4041-9cb0-456a56d1fddb DEVICE=ens33 ONBOOT=yes IPADDR=100.1.1.10 ##Set gateway address NETMASK=255.255.255.0 ##Set subnet mask

ens36 NIC

[root@localhost ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens36 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens36 ##To modify the network card here to 36, and to delete the UUID DEVICE=ens36 ONBOOT=yes IPADDR=192.168.10.1 ##Gateway address and subnet mask NETMASK=255.255.255.0

ens37 NIC

[root@localhost ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-ens37 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens37 ##It needs to be changed to 37 here, and UUID needs to be deleted. DEVICE=ens37 ONBOOT=yes IPADDR=192.168.20.1 ##Set gateway address, subnet mask NETMASK=255.255.255.0
3) enable route forwarding function
[root@localhost ~]# vim /etc/sysctl.conf ...... //Omit comments net.ipv4.ip_forward = 1 //Add this entry [root@192 network-scripts]# sysctl -p / / load the sysctl configuration file net.ipv4.ip_forward = 1

2. Configure the address and gateway of the intranet tester in the internal trust zone

1) bind network card to vmnet3 (only host mode)

2) configure ip address and gateway

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 [root@localhost ]#service network restart / / restart the network service

3. Configure the address and gateway of DMZ regional website server, and start the website service

1) install http service in nat mode
[root@localhost ~]# yum install httpd -y
2) bind network card vmnet3 (only in host mode)

3) configure ip address and gateway
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static //Change dhcp to static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens33 UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.20.20 //IP address NETMASK=255.255.255.0 //Subnet mask GATEWAY=192.168.20.1 //gateway [root@localhost ~]# service network restart / / restart the network service
4) open web services and edit web content
[root@localhost ~]# vim /var/www/html/index.html [root@localhost ~]# cat /var/www/html/index.html <h1>this is dmz web</h1> [root@dmz html]# systemctl start httpd

4. Configure firewall policy on DMZ regional website server

[root@localhost ~]# firewall-cmd --set-default-zone=dmz success [root@localhost ~]# firewall-cmd --add-service=http --zone=dmz --permanent //Change the default zone of firewall to dmz zone success [root@localhost ~]# firewall-cmd --remove-service=ssh --zone=dmz --permanent //Add http service to dmz locale persistence success [root@localhost ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent //Disable ssh for login success [root@localhost ~]# firewall-cmd --reload //Reload firewall success

5. Address of the network card of the Internet tester in the external area, and start the website service

1) install http service in nat mode
[root@localhost ~]# yum install httpd -y
2) bind network card to vmnet1 (only host mode)

3) configure ip address and gateway
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static //Change dhcp to static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens33 UUID=f4d8cf47-c855-4d04-8c68-75ab8644df70 DEVICE=ens33 ONBOOT=yes IPADDR=100.1.1.20 //IP address NETMASK=255.255.255.0 //Subnet mask GATEWAY=100.1.1.10 //gateway [root@localhost ~]# service network restart / / restart the network service
4) turn on the website service and turn off the firewall
[root@localhost ~]# systemctl stop firewalld.service / / turn off the firewall [root@localhost ~]# setenforce 0 [root@localhost ~]# systemctl start httpd / / start http service [root@localhost ~]# vim /var/www/html/index.html / / configure web content <h1>this is external web</h1>

6. Configure the firewall policy on the gateway server

[root@localhost ~]# firewall-cmd --set-default-zone=external //Change the firewall default area to extemal success [root@localhost ~]# firewall-cmd --change-interface=ens36 --zone=trusted --permanent //Set ens36 network card as trust zone The interface is under control of NetworkManager, setting zone to 'trusted'. success [root@localhost ~]# firewall-cmd --change-interface=ens37 --zone=dmz --permanent //Set ens37 network card as dmz area The interface is under control of NetworkManager, setting zone to 'dmz'. success [root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent //ssh login is prohibited in dmz area success [root@localhost ~]# firewall-cmd --zone=dmz --add-service=http --permanent //Add http service in dmz region success [root@localhost ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent //Blocking icmp Protocol in dmz region success [root@localhost ~]# firewall-cmd --zone=external --add-service=http --permanent //Add http service in external zone success [root@localhost ~]# firewall-cmd --reload //Reload firewall success

7. Use intranet tester to verify website server and website provided by Internet tester


8. Configure port conversion on gateway server

[root@localhost ~]# firewall-cmd --zone=external --add-forward port=port=80:proto=tcp:toaddr=192.168.20.20 --permanent //Set port mapping success [root@localhost ~]# Firewall CMD -- reload / / reload firewall success

9. Use the Internet tester to visit the DMZ website server, and you can see that the source address has been converted.

Thank you for reading!

21 October 2019, 13:10 | Views: 6134

Add new comment

For adding a comment, please log in
or create account

0 comments