关于防火墙基础配置可参考博文:保证Linux系统安全之CentOS 7 firewalld防火墙入门详解 关于防火墙IP伪装和端口转发可参考博文:保证Linux系统安全之firewalld防火墙配置地址伪装和端口转发详解 案例环境:
保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!!
需求描述:
连接内网网卡ens33地址为192.168.1.1,分配到firewall的trusted区域; 连接服务器网卡ens37地址为192.168.2.1,分配到firewall的dmz区域; 网关服务器连接互联网网卡ens38地址为192.168.3.1,为公网IP地址,分配到firewall的external区域; 网站服务器和网关服务器均通过SSH来远程管理,为了安全,将SSH默认端口改为12345; 网站服务器开启 HTTPS,过滤未加密的HTTP流量; 网站务器拒绝ping测试,网关服务器拒绝来自互联网上的ping测试; 公司内网用户需要通过网关服务器共享上网; 互联网用户需要访问网站服务器; 操作步骤
基本环境配置; DMZ网站服务器环境搭建并启动服务; DMZ网站服务器上启动并配置firewalld防火墙策略; Internet测试网站环境搭建并启动服务、设置防火墙规则; 网关服务器配置firewalld策略; 配置IP伪装与端口转发; 案例实施
1.基本环境配置
(1)确认网关服务器地址
[root@localhost ~]# ifconfig ens33 ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::46cb:a832:aea4:7b65 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:00:11:89 txqueuelen 1000 (Ethernet) RX packets 158 bytes 46815 (45.7 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 31 bytes 4270 (4.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ifconfig ens37 ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 inet6 fe80::8e69:6ed5:da33:fda4 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:00:11:93 txqueuelen 1000 (Ethernet) RX packets 104 bytes 27490 (26.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 189 bytes 31923 (31.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost ~]# ifconfig ens38 ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::5348:53e2:b3bc:d35b prefixlen 64 scopeid 0x20<link> ether 00:0c:29:00:11:9d txqueuelen 1000 (Ethernet) RX packets 101 bytes 27238 (26.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 188 bytes 31304 (30.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 (2)网关服务器开启路由功能
[root@localhost ~]# vim /etc/sysctl.conf ……………… //省略部分内容,添加以下内容 net.ipv4.ip_forward = 1 [root@localhost ~]# sysctl -p net.ipv4.ip_forward = 1 (3)配置DMZ区域网站服务器地址、网关
[root@localhost ~]# ifconfig ens33 ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.2.2 netmask 255.255.255.0 broadcast 192.168.2.255 inet6 fe80::8744:c79c:521f:823f prefixlen 64 scopeid 0x20<link> ether 00:0c:29:2b:56:b5 txqueuelen 1000 (Ethernet) RX packets 114 bytes 34398 (33.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 30 bytes 4162 (4.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.2.1 0.0.0.0 UG 100 0 0 ens33 (4)配置Internet测试网站服务器IP地址、网关
[root@localhost ~]# ifconfig ens33 ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.3.2 netmask 255.255.255.0 broadcast 192.168.3.255 inet6 fe80::7c8b:1ec0:7e4d:ac6 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:98:41:ac txqueuelen 1000 (Ethernet) RX packets 113 bytes 31388 (30.6 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 40 bytes 4541 (4.4 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.3.1 0.0.0.0 UG 100 0 0 ens33 (5)配置内部客户机IP地址、网关
[root@localhost ~]# ifconfig ens33 ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::9bb5:2c48:1095:d75a prefixlen 64 scopeid 0x20<link> ether 00:0c:29:fb:76:60 txqueuelen 1000 (Ethernet) RX packets 106 bytes 29223 (28.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 31 bytes 4349 (4.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 ens33 2.DMZ网站服务器环境并启动服务
(1)开启firewalld防火墙
[root@localhost ~]# systemctl start firewalld (2)搭建httpd服务
[root@localhost ~]# yum -y install httpd //基于http访问的HTTP网站 [root@localhost ~]# yum -y install httpd mod_ssl //基于https访问的HTTP网站 [root@localhost ~]# systemctl start httpd //开启HTTP服务 (3)更改SSH的监听端口(重启服务时建议关闭SELinux)
[root@localhost ~]# vim /etc/ssh/sshd_config ………… //省略部分内容,修改以下内容 Port 12345 [root@localhost ~]# setenforce 0 //临时关闭SELinux [root@localhost ~]# systemctl restart sshd //重启ssh服务 3.DMZ网站服务器上启动并配置firewalld防火墙策略
(1)设置防火墙默认区域为dmz区域
[root@localhost ~]# firewall-cmd --set-default-zone=dmz success (2)为dmz区域添加相应服务及端口
[root@localhost ~]# firewall-cmd --zone=dmz --add-service=https success [root@localhost ~]# firewall-cmd --zone=dmz --add-port=12345/tcp success (3)禁止ping测试
[root@localhost ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request success (4)将默认的ssh服务删除
[root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh success (5)保存当前防火墙配置
[root@localhost ~]# firewall-cmd --runtime-to-permanent success //将临时配置转换为永久配置 [root@localhost ~]# firewall-cmd --list-all --zone=dmz //查看并确认配置信息 dmz (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: https ports: 12345/tcp protocols: masquerade: no forward-ports: sourceports: icmp-blocks: echo-request rich rules: 4. Internet测试网站环境搭建并启动服务、设置防火墙规则
搭建方法可参考第2、3步
- 网关服务器配置firewalld策略
(1)开启防火墙
[root@localhost ~]# systemctl start firewalld (2)设置默认区域为externel区域
[root@localhost ~]# firewall-cmd --set-default-zone=external success (3)将各个网卡分配至指定区域
[root@localhost ~]# firewall-cmd --change-interface=ens33 --zone=trusted success [root@localhost ~]# firewall-cmd --change-interface=ens37 --zone=dmz success (4)内部客户机访问DMZ网站测试
[root@localhost ~]# firewall-cmd --runtime-to-permanent success [root@localhost ~]# firewall-cmd --get-active-zones dmz interfaces: ens37 external interfaces: ens38 trusted interfaces: ens33 (5)内部客户机访问网站服务器
保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!! 保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!!
(6)更改ssh服务监听端口
[root@localhost ~]# vim /etc/ssh/sshd_config ………… //省略部分内容,修改以下内容 Port 12345 [root@localhost ~]# setenforce 0 //临时关闭SELinux [root@localhost ~]# systemctl restart sshd //重启ssh服务 (7)配置external区域添加TCP的12345端口、移除ssh服务
[root@localhost ~]# firewall-cmd --zone=external --add-port=12345/tcp success [root@localhost ~]# firewall-cmd --zone=external --remove-service=ssh success (8)配置external区域进行ping测试、保存为永久配置
[root@localhost ~]# firewall-cmd --zone=external --add-icmp-block=echo-request success [root@localhost ~]# firewall-cmd --runtime-to-permanent success (9)Internet测试服务器远程网关服务器
[root@localhost ~]# ssh -p 12345 192.168.3.1 The authenticity of host '[192.168.3.1]:12345 ([192.168.3.1]:12345)' can't be established. ECDSA key fingerprint is b2:4e:e8:f9:23:9f:85:dc:54:87:97:eb:15:cc:b0:48. Are you sure you want to continue connecting (yes/no)? (10)内部客户机远程DMZ网站服务器
[root@localhost ~]# ssh -p 12345 192.168.2.2 The authenticity of host '[192.168.2.2]:12345 ([192.168.2.2]:12345)' can't be established. ECDSA key fingerprint is 25:54:5c:d5:ce:e1:04:9f:25:19:be:73:ce:93:86:54. Are you sure you want to continue connecting (yes/no)? 6.网关服务器上配置IP转发与端口转发
默认external区域有IP转发功能!
(1)删除external区域中的IP伪装,并利用富规则开启
[root@localhost ~]# firewall-cmd --remove-masquerade --zone=external success [root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade' success (2)dmz网站服务器测试访问Internet测试网站
保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!!
(3)配置端口转发实现Internet测试网站访问dmz区域网站服务器(直接规则)
[root@localhost ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.2 success //网关服务器将互联网测试机的请求转发到dmz区域网站服务器 (4)测试
保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!!
(5)配置端口转发实现Internet测试网站访问dmz区域网站服务器(富规则)
需在ens38网卡上配置一个临时IP地址
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.3.100 forward-port port=443 protocol=tcp to-addr=192.168.2.2' success (6)测试
保证Linux系统安全之配置firewalld防火墙的地址伪装及端口转发实例,可跟做!!!
