关于firewalld防火墙的直接规则、富规则等原理概述可以参考上一篇博文：Centos 7的firewalld防火墙地址伪装和端口转发原理

环境如下图所示：
网关服务器和网站服务器都采用centos 7操作系统，网关服务器安装3块千兆网卡，分别连接Internet、企业内网、网站服务器。

• 网关服务器连接互联网卡ens32配置为公网IP地址为192.168.100.10，分配到firewall的external区域；连接内网网卡ens34地址为192.168.10.100，分配到firewall的trusted区域；连接服务器网卡ens35地址为192.168.20.100，分配到firewall的DMZ区域；

• 网站服务器和网关服务器都通过SSH来远程管理，为了安全，将SSH默认端口改为12345；

• 网站服务器开启https，过滤未加密的http流量；

• 网站服务器拒绝ping，网关服务器拒绝来自互联网上的ping；

• 内网用户需要通过网关服务器共享上网；

• 互联网用户需要访问网站服务器；

一、开始基本的环境配置

1、配置网关服务器

[root@firewalld ~]# ifconfig  
ens32: flags=4163  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe97:5c9f  prefixlen 64  scopeid 0x20
        ether 00:0c:29:97:5c:9f  txqueuelen 1000  (Ethernet)
        RX packets 880  bytes 135724 (132.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 498  bytes 71197 (69.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens34: flags=4163  mtu 1500
        inet 192.168.10.100  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe97:5ca9  prefixlen 64  scopeid 0x20
        ether 00:0c:29:97:5c:a9  txqueuelen 1000  (Ethernet)
        RX packets 37  bytes 3555 (3.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89  bytes 14988 (14.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens35: flags=4163  mtu 1500
        inet 192.168.20.100  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::20c:29ff:fe97:5cb3  prefixlen 64  scopeid 0x20
        ether 00:0c:29:97:5c:b3  txqueuelen 1000  (Ethernet)
        RX packets 51  bytes 5019 (4.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 85  bytes 13888 (13.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2、网关服务器开启路由转发功能

[root@firewalld ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

[root@firewalld ~]# sysctl -p
net.ipv4.ip_forward = 1

3、配置web服务器

[root@web ~]# ifconfig     
ens32: flags=4163  mtu 1500
        inet 192.168.20.10  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::20c:29ff:fe62:325a  prefixlen 64  scopeid 0x20
        ether 00:0c:29:62:32:5a  txqueuelen 1000  (Ethernet)
        RX packets 237  bytes 21594 (21.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 220  bytes 30673 (29.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@web ~]# route -n  
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.20.100  0.0.0.0         UG    100    0        0 ens32
192.168.20.0    0.0.0.0         255.255.255.0   U     100    0        0 ens32
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
[root@web ~]# yum -y install httpd mod_ssl 
[root@web ~]# systemctl start httpd   
[root@web ~]# systemctl enable httpd  
[root@web ~]# echo "www.DMZ.web.com" > /var/www/html/index.html  
[root@web ~]# vim /etc/ssh/sshd_config   
           
Port 12345
[root@web ~]# systemctl restart sshd 

4、配置内网客户端

1）配置IP地址及网关

2）测试和网关服务器和网站服务器互通

3）测试是否可以成功访问网站服务器

5、配置外网客户端

1） 配置IP地址及网关

2） 测试全网互通

3）测试是否成功访问网站服务器

6、配置外网Centos客户端

1）修改名字

[root@Centos04~]# hostnamectl set-hostname WAN_Web
[root@ Centos04 ~]# bash

2）配置IP地址及网关，重启网卡服务

[root@wan_web ~]# systemctl restart network

3）查看配置完成的IP地址

[root@wan_web ~]# ifconfig
ens32: flags=4163  mtu 1500
        inet 192.168.100.30  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe16:c54b  prefixlen 64  scopeid 0x20
        ether 00:0c:29:16:c5:4b  txqueuelen 1000  (Ethernet)
        RX packets 37  bytes 4898 (4.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84  bytes 13483 (13.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

4）查看网关信息

[root@wan_web ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.10  0.0.0.0         UG    100    0        0 ens32
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens32

二、在网站服务器上配置firewalld防火墙

[root@web ~]# systemctl start firewalld    
[root@web ~]# systemctl enable firewalld 
success  
[root@firewalld ~]# firewall-cmd --change-interface=ens34 --zone=trusted    
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@firewalld ~]# firewall-cmd --change-interface=ens35 --zone=dmz       
The interface is under control of NetworkManager, setting zone to 'dmz'.
success

3、查看配置，并将配置保存到文件中，成为永久配置

[root@firewalld ~]# firewall-cmd --get-active-zones 
dmz
  interfaces: ens35
external
  interfaces: ens32
trusted
  interfaces: ens34
[root@firewalld ~]# firewall-cmd --runtime-to-permanent  
success

4、在企业内网测试机上访问网站服务器，会发现https可以成功访问，而http访问不了

5、配置external区域添加tcp的12345端口

[root@firewalld ~]# firewall-cmd --zone=external --add-port=12345/tcp --permanent success

6、配置external区域移除SSH服务

[root@firewalld ~]# firewall-cmd --zone=external --remove-service=ssh --permanent success

7、配置external区域禁止ping

[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent 
success
[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-reply --permanent 
success

8、重新加载防火墙配置，查看之前配置

[root@firewalld ~]# firewall-cmd --reload 
success
[root@firewalld ~]# firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: 
  ports: 12345/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request echo-reply
  rich rules: 

以下开始测试ssh连接：

9、在互联网测试机通过SSH连接网关服务器的外部接口地址的12345端口

[root@wan_web ~]# ssh -p 12345 root@192.168.100.10
The authenticity of host '[192.168.100.10]:12345 ([192.168.100.10]:12345)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.100.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.100.10's password: 
Last login: Wed Nov 27 02:27:01 2019 from 192.168.100.20
[root@firewalld ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg

10、使用内网测试机SSH登录web网站服务器的12345端口

以下测试ping命令：

11、测试网站服务器拒绝ping

[root@firewalld ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.10.100 icmp_seq=1 Destination Host Unreachable
From 192.168.10.100 icmp_seq=2 Destination Host Unreachable
From 192.168.10.100 icmp_seq=3 Destination Host Unreachable

12、测试网关服务器拒绝来自公网ping

[root@wan_web ~]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Prohibited
From 192.168.100.10 icmp_seq=2 Destination Host Prohibited
From 192.168.100.10 icmp_seq=3 Destination Host Prohibited

[root@wan_web ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Unreachable
From 192.168.100.10 icmp_seq=2 Destination Host Unreachable
From 192.168.100.10 icmp_seq=3 Destination Host Unreachable

四、配置IP伪装与端口转发

1、在外网测试机上搭建web服务，用于测试

[root@wan_web ~]# yum -y install httpd mod_ssl
[root@wan_web ~]# systemctl start httpd
[root@wan_web ~]# systemctl enable httpd
[root@wan_web ~]# echo "WAN_Web.com" > /var/www/html/index.html

2、在内部测试机和dmz的网站服务区都可以访问外网的网站（若访问不了，则可能是公网测试机的防火墙配置问题，可先将公网测试机的防火墙关闭，或放行相关服务的流量即可）

[root@web ~]# curl http://192.168.100.30
WAN_Web.com

3、查看网关服务器的external区域是否开启了地址伪装

[root@firewalld ~]# firewall-cmd --list-all --zone=external 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: 
  ports: 12345/tcp
  protocols: 
  masquerade: yes   
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request echo-reply
  rich rules:

4、只为源地址192.168.10.0/24网段的地址开启地址IP伪装

在网关服务器上关闭external默认的地址伪装，添加富规则，要求external区域内，源地址为192.168.10.0/24网段的地址开启地址IP伪装

[root@firewalld ~]# firewall-cmd --remove-masquerade --zone=external 
success
[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.10.0/24 masquerade'
success

在dmz区域的网站服务器上测试，发现无法访问外网网站，但是内网测试机可以

[root@web ~]# curl http://192.168.100.30
curl: (7) Failed connect to 192.168.100.30:80; 没有到主机的路由

5、配置端口转发实现互联网用户可以访问内部web服务器

1）在网关服务器下做如下配置

[root@firewalld ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.20.10
success

2）在互联网测试机上可以成功访问内网的web服务器

五、 最后来一个使用富规则实现端口转发

上述配置完成后，现在公司申请了一个新的公网ip地址192.168.100.200，那么就需要重新做端口转发了

1、将新申请的公网地址192.168.100.200配置在网关服务器的外网接口ens33上，作为第二个IP地址

[root@firewalld ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.10   
NATEMASK=255.255.255.0
ZONE=external 
PREFIX=24        
IPADDR1=192.168.100.200    
     
IPV4_FAILURE_FATAL=no 
PREFIX1=24           
IPV6INIT=no
UUID=152beb06-47c5-c5e8-95a9-385590654382
[root@firewalld ~]# systemctl restart network  
[root@firewalld ~]# ip add     
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:97:5c:9f brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.10/24 brd 192.168.100.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet 192.168.100.200/24 brd 192.168.100.255 scope global secondary ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:5c9f/64 scope link 
       valid_lft forever preferred_lft forever

2、使用富规则配置端口转发

[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.100.200/32 forward-port port=443 protocol=tcp to-addr=192.168.20.10'
success

3、在互联网测试机上访问测试结果

—————— 本文至此结束，感谢阅读 ——————