Firewall firewall
2022-07-19 02:47:00 【For whom do the stars change】
1. Firewalld network zones

2. Firewalld firewall configuration methods
Graphical configuration tool:
firewall-config
(1) Start, stop and inspect the firewalld service
systemctl start firewalld      (start)
systemctl stop firewalld       (stop)
systemctl enable firewalld     (start at boot)
systemctl disable firewalld    (do not start at boot)
systemctl status firewalld     (show running status)
(2) Zone management
Show the current default zone of the system:
firewall-cmd --get-default-zone
Show all rules in the default zone:
firewall-cmd --list-all
Show the zone that network interface ens33 belongs to:
firewall-cmd --get-zone-of-interface=ens33
Move network interface ens33 to the internal zone and verify the change:
firewall-cmd --zone=internal --change-interface=ens33
firewall-cmd --zone=internal --list-interfaces
firewall-cmd --get-zone-of-interface=ens33
Show all active zones:
firewall-cmd --get-active-zones
(3) Service management
Set the services allowed in the default zone:
firewall-cmd --list-services          (show all services allowed in the default zone)
firewall-cmd --add-service=http       (allow access to the http service in the default zone)
firewall-cmd --add-service=https      (allow access to the https service in the default zone)
Set the services allowed in the internal zone:
firewall-cmd --zone=internal --add-service=mysql
(allow access to the mysql service in the internal zone)
firewall-cmd --zone=internal --remove-service=samba-client
(disallow access to the samba-client service in the internal zone)
firewall-cmd --zone=internal --list-services
(show all services allowed in the internal zone)
(4) Port management
Open port 443/tcp in the internal zone:
firewall-cmd --zone=internal --add-port=443/tcp
Close port 443/tcp in the internal zone:
firewall-cmd --zone=internal --remove-port=443/tcp
3. Firewalld firewall configuration example
Configure the firewall for an enterprise scenario; configure the IP addresses as shown in the figure.

The gateway server's Internet-facing network card ens33 has the public IP address 100.1.1.10 and is assigned to firewalld's external zone. The network card ens38, which connects to the servers, has the address 192.168.2.1 and is assigned to firewalld's dmz (demilitarized) zone.
(1) Basic environment configuration
Configure the host name and network card on the gateway server:
hostname gateway-server        (change the host name temporarily)
vim /etc/hostname              (change the host name permanently)
Enable routing (IP forwarding) on the gateway server:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Configure the host name and network card address of the web server:
vim /etc/hostname
web
hostname web
(2) Web server environment setup
Install the httpd and mod_ssl packages:
rm -rf /etc/yum.repos.d/*
vim /etc/yum.repos.d/a.repo
[aa]
name=aaa
baseurl=file:///media
gpgcheck=0
yum install -y httpd mod_ssl
Start the httpd service and enable it at boot:
systemctl start httpd
systemctl enable httpd
Create a web test page:
vim /var/www/html/index.html
<h1>111111111111</h1>
Change the port sshd listens on and restart the sshd service (SELinux must be disabled):
vim /etc/ssh/sshd_config
Port 12345
systemctl restart sshd
(3) Start and configure the firewalld firewall on the web server
Start the firewall and set the default zone to dmz:
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld     (show service status)
firewall-cmd --set-default-zone=dmz
Allow the https service in the dmz zone and add TCP port 12345:
firewall-cmd --zone=dmz --add-service=https --permanent
firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
Block ping:
firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
The predefined ssh service refers to the default port, which has been changed, so remove the predefined ssh service:
firewall-cmd --zone=dmz --remove-service=ssh --permanent
Reload firewalld to activate the configuration and check the result:
firewall-cmd --reload
firewall-cmd --list-all --zone=dmz
(4) Configure the firewalld firewall on the gateway server
Verify that firewalld is started and running on the gateway server:
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld
Set the default zone to external and check the result:
firewall-cmd --set-default-zone=external
firewall-cmd --list-all
Assign network card ens37 to the trusted zone and ens38 to the dmz zone:
firewall-cmd --change-interface=ens37 --zone=trusted
firewall-cmd --change-interface=ens38 --zone=dmz
Check the configuration:
firewall-cmd --get-active-zones
Access the web server from the intranet test machine:
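The dmz zone configured on the web server in step (3) can be checked for drift automatically. The script below is an added example and not code from the original post: it parses the text that `firewall-cmd --list-all --zone=dmz` prints and compares it with the policy above (https allowed, 12345/tcp open, echo-request blocked, predefined ssh service removed, no masquerading). The sample output embedded in the script is constructed in the layout printed by the firewalld 0.x versions shipped with CentOS 7, and the interface name in it is an assumption; on a real host replace it with the live output as the comment shows.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the dmz zone on the
# web server still matches the policy configured in step (3), using the text that
# `firewall-cmd --list-all --zone=dmz` prints.

# Constructed sample in the firewalld 0.x --list-all layout (CentOS 7 era);
# the interface name is assumed. On a real host use:
#   SAMPLE_DMZ=$(firewall-cmd --list-all --zone=dmz)
SAMPLE_DMZ='dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: https
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:
'

# zone_field OUTPUT NAME -> value of the "  NAME: value" line (may be empty)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# has_item LIST ITEM -> succeeds if ITEM is one of the space-separated words in LIST
has_item() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_dmz_policy OUTPUT -> prints one line per finding and returns the number
# of violations (0 means the live zone matches the intended policy)
check_dmz_policy() {
    out=$1
    bad=0
    services=$(zone_field "$out" services)
    ports=$(zone_field "$out" ports)
    icmp=$(zone_field "$out" icmp-blocks)

    has_item "$services" https \
        || { echo "FAIL: https service is not allowed"; bad=$((bad+1)); }
    # the predefined ssh service opens 22/tcp; sshd listens on 12345, so it must stay removed
    if has_item "$services" ssh; then
        echo "FAIL: predefined ssh service is still allowed"; bad=$((bad+1))
    fi
    has_item "$ports" 12345/tcp \
        || { echo "FAIL: port 12345/tcp is not open"; bad=$((bad+1)); }
    has_item "$icmp" echo-request \
        || { echo "FAIL: echo-request (ping) is not blocked"; bad=$((bad+1)); }
    [ "$(zone_field "$out" masquerade)" = "no" ] \
        || { echo "FAIL: masquerading is enabled in dmz"; bad=$((bad+1)); }

    [ "$bad" -eq 0 ] && echo "OK: dmz zone matches policy"
    return "$bad"
}

check_dmz_policy "$SAMPLE_DMZ"
```

`firewall-cmd --list-all` shows the runtime configuration; running the check a second time on the output of `firewall-cmd --list-all --zone=dmz --permanent` catches the common mistake of a rule added without `--permanent` that disappears at the next reload.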

Change the port sshd listens on and restart the service (SELinux must be disabled):
vim /etc/ssh/sshd_config
Port 12345
systemctl restart sshd
Add TCP port 12345 to the external zone:
firewall-cmd --zone=external --add-port=12345/tcp --permanent
Remove the ssh service from the external zone:
firewall-cmd --zone=external --remove-service=ssh --permanent
Block ping in the external zone:
firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
Reload the firewall to activate the configuration:
firewall-cmd --reload
From the Internet test machine, log in over SSH to port 12345 on the gateway's external interface address: success.
ssh -p 12345 [email protected]
From the intranet test machine, log in over SSH to port 12345 on the web server: success.
ssh -p 12345 [email protected]
4. Configure IP masquerading and port forwarding
(1) Intranet users share the Internet connection through the gateway server
Set up a web service on the Internet test machine and add test content:
vim /etc/hostname
internet
rm -rf /etc/yum.repos.d/*
vim /etc/yum.repos.d/a.repo
[aaa]
name=aaa
baseurl=file:///media
gpgcheck=0
yum install -y httpd
vim /var/www/html/index.html
<h1>22222</h1>
systemctl enable httpd
systemctl start httpd
Access the external network from the intranet test machine:

Test from the web server:
curl http://100.1.1.20
Check whether address masquerading is enabled in the gateway server's external zone:
firewall-cmd --list-all --zone=external
(the output shows that masquerading is on)
masquerade: yes
Turn off masquerading for the whole external zone on the gateway server, and instead enable IP masquerading in the external zone only for the source network 192.168.1.0/24:
firewall-cmd --remove-masquerade --zone=external
firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
Test from the web server: the Internet website can no longer be reached.
curl https://100.1.1.20
curl: (7) Failed connect to 100.1.1.20:443; There is no route to the host
(2) Configure port forwarding so that Internet users can access the internal web server
Configure the following on the gateway server:
firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.10
Access the internal web server from the Internet test machine: success.

(3) Port forwarding for the new IP address 100.1.1.15 requested by the intranet web server
The new public address 100.1.1.15 must be configured on the gateway server's external network interface ens33 as a second IP address.
vim /etc/sysconfig/network-scripts/ifcfg-ens33
(add)
IPADDR1=100.1.1.15
PREFIX1=8
IPADDR0=100.1.1.10
PREFIX0=8
ifdown ens33
ifup ens33
Configure port forwarding with a rich rule:
firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=100.1.1.15/32 forward-port port=443 protocol=tcp to-addr=192.168.2.10'
Check the result from the Internet test machine:
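Sections 4(1) to 4(3) replace zone-wide masquerading with a source-restricted rich rule and add two forward-port rules that point into the DMZ. As an added example, not code from the original post, the script below audits the gateway's external zone from the text that `firewall-cmd --list-all --zone=external` prints: zone-wide masquerade must be off, every masquerade rich rule must name a source network, and every forward target must lie inside the DMZ subnet. The DMZ subnet 192.168.2.0/24 is an assumption derived from the addressing in this post, and the embedded sample output is constructed in the firewalld 0.x layout.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the NAT settings of the
# gateway's external zone from what `firewall-cmd --list-all --zone=external` prints.

DMZ_NET=192.168.2.0/24   # assumed DMZ subnet, taken from the addressing used in this post

# Constructed sample in the firewalld 0.x --list-all layout after the commands
# in section 4; firewalld prints rich rules quoted and indented below "rich rules:".
# On a real host use:  SAMPLE_EXT=$(firewall-cmd --list-all --zone=external)
SAMPLE_EXT='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=:toaddr=192.168.2.10
  source-ports:
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" masquerade
        rule family="ipv4" destination address="100.1.1.15/32" forward-port port="443" protocol="tcp" to-addr="192.168.2.10"
'

# zone_field OUTPUT NAME -> value of the "  NAME: value" line (may be empty)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# rich_rules OUTPUT -> one rich rule per line, indentation stripped
rich_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(rule .*\)$/\1/p'
}

# forward_targets OUTPUT -> every toaddr= (forward-ports line) or to-addr= (rich rule) address
forward_targets() {
    printf '%s\n' "$1" | tr ' :' '\n\n' \
        | sed -n 's/^to-\{0,1\}addr="\{0,1\}\([0-9.]*\).*/\1/p'
}

# ip2int A.B.C.D -> the address as a 32-bit integer (subshell keeps the IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet IP NET/PREFIX -> succeeds if IP lies inside the subnet
in_subnet() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# audit_external OUTPUT -> prints one line per finding, returns the number of violations
audit_external() {
    out=$1
    bad=0
    # zone-wide masquerade would NAT every host behind the gateway, not just the intended network
    [ "$(zone_field "$out" masquerade)" = "no" ] \
        || { echo "FAIL: zone-wide masquerade is enabled"; bad=$((bad+1)); }
    # a masquerade rich rule without "source address" is zone-wide masquerade in disguise
    n=$(rich_rules "$out" | grep masquerade | grep -vc 'source address=' || :)
    [ "$n" -eq 0 ] \
        || { echo "FAIL: $n masquerade rule(s) without a source network"; bad=$((bad+n)); }
    # forwarded ports must land on DMZ hosts, never on the LAN or back out to the Internet
    for t in $(forward_targets "$out"); do
        in_subnet "$t" "$DMZ_NET" \
            || { echo "FAIL: forward target $t is outside $DMZ_NET"; bad=$((bad+1)); }
    done
    [ "$bad" -eq 0 ] && echo "OK: external zone NAT settings match policy"
    return "$bad"
}

audit_external "$SAMPLE_EXT"
```

The subnet test is done with plain shell arithmetic so the script has no dependencies beyond sed, grep and tr; the source-restriction check is what distinguishes the rich rule added in 4(1) from the zone-wide `masquerade: yes` that was removed.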
