Configuring firewalld masquerading and port forwarding: a worked example

The gateway server and the web server both run CentOS 7.
The gateway server has three Gigabit Ethernet NICs, connected to the Internet, the corporate intranet and the web server respectively.
Requirements:
On the gateway server, ens33 connects to the Internet, carries the public IP address and is assigned to the firewall's external zone; ens37 connects to the intranet with address 192.168.1.1 and is assigned to the trusted zone; ens38 connects to the web server with address 192.168.2.1 and is assigned to the dmz zone.
Both the web server and the gateway server are administered remotely over SSH; for safety, the SSH port is changed from the default to 12345.
The web server serves https only; unencrypted http traffic is filtered.
The web server rejects ping, and the gateway server rejects ping from the Internet.
Intranet users share Internet access through the gateway server.
Internet users need to reach the web server.
Basic environment configuration:
Gateway server NIC configuration:

[root@localhost network-scripts]# ip a          # ip a is short for ip addr
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:4b brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.1/8 brd 100.255.255.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f65:9c3d:d218:7cea/64 scope link 
       valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global ens36
       valid_lft forever preferred_lft forever
    inet6 fe80::7456:2bbc:dc20:31bd/64 scope link 
       valid_lft forever preferred_lft forever
4: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::1e90:6601:56c2:c9ba/64 scope link 
       valid_lft forever preferred_lft forever

Enable IP forwarding on the gateway server:

[root@localhost /]# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
[root@localhost /]# sysctl -p
net.ipv4.ip_forward = 1

Web server NIC configuration:

[root@localhost /]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:2f:24:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.10/24 brd 192.168.2.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::19de:d9a7:568a:f34f/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 ens33

Internet test machine NIC configuration:

[root@localhost /]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:45:66:64 brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.10/8 brd 100.255.255.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::3ebc:8f75:cd28:e516/64 scope link tentative 
       valid_lft forever preferred_lft forever

Set up the web server environment:

[root@localhost ~]# systemctl start firewalld           # start the firewall
[root@localhost ~]# yum -y install httpd mod_ssl          # install httpd and mod_ssl
[root@localhost ~]# systemctl start httpd   # start the httpd service
[root@localhost ~]# systemctl enable httpd          # start httpd at boot
[root@localhost ~]# vim /var/www/html/index.html          # create a test home page for the site
<h1>test.com </h1>
[root@localhost ~]# vim /etc/ssh/sshd_config              # change the SSH listening port (SELinux must be disabled for this):
          ................
Port 12345
         ................
[root@localhost ~]# systemctl restart sshd

firewalld configuration on the web server:
1. Set the default zone to dmz:

[root@localhost ~]# firewall-cmd --set-default-zone=dmz
success

2. Open the https service in the dmz zone and add TCP port 12345:

[root@localhost ~]# firewall-cmd --zone=dmz --add-service=https --permanent
success
[root@localhost ~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success

3. Block ping:

[root@localhost ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
success

4. Because the SSH port no longer matches the predefined ssh service, remove that predefined service:

[root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent
success

5. Reload the firewalld configuration and review the result:

[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: https
  ports: 12345/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 

firewalld configuration on the gateway server:
1. Assign the NICs to their zones (note that the interface names used in these commands, ens37 and ens38, differ from those reported by ip a earlier, ens36 and ens37; use the names your own system reports):

[root@localhost /]# systemctl start firewalld                     # enable the firewall
[root@localhost /]# firewall-cmd --set-default-zone=external          # set the default zone to external
success
[root@localhost /]# firewall-cmd --change-interface=ens37 --zone=trusted    # add ens37 to the trusted zone
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@localhost /]# firewall-cmd --change-interface=ens38 --zone=dmz     # add ens38 to the dmz zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success

2. Review the configuration and save it permanently:

[root@localhost /]# firewall-cmd --get-active-zones 
dmz
  interfaces: ens37
external
  interfaces: ens33
trusted
  interfaces: ens36
[root@localhost /]# firewall-cmd --runtime-to-permanent          # save the current runtime configuration to file
success

3. Test from an internal host (the original shows a screenshot of the result).

4. Change the SSH listening port and restart the service (SELinux must be disabled for this; keeping SELinux enforcing and instead registering the port with semanage port -a -t ssh_port_t -p tcp 12345 achieves the same without giving up that protection):

[root@localhost ~]# vim /etc/ssh/sshd_config      
          ................
Port 12345
         ................
[root@localhost ~]# systemctl restart sshd

5. Add TCP port 12345 to the external zone:

[root@localhost /]# firewall-cmd --zone=external --add-port=12345/tcp --permanent 
success

6. Remove the ssh service from the external zone:

[root@localhost /]# firewall-cmd --zone=external --remove-service=ssh --permanent 
success

7. Block ping in the external zone:

[root@localhost /]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success

8. Reload the firewall configuration:

[root@localhost /]# firewall-cmd --reload
success

Test the SSH connections:
From the Internet test machine, connect to the gateway server's external interface address on port 12345:

[root@localhost /]# ssh -p 12345 100.0.0.1
The authenticity of host '[100.0.0.1]:12345 ([100.0.0.1]:12345)' can't be established.
ECDSA key fingerprint is 68:df:0f:ac:c7:75:df:02:88:7d:36:6a:1a:ae:27:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[100.0.0.1]:12345' (ECDSA) to the list of known hosts.
root@100.0.0.1's password: 
Last login: Sun Sep  1 16:36:33 2019
[root@localhost ~]# 

From the intranet test machine, log in to the web server on port 12345 via SSH:

[root@localhost /]# ssh -p 12345 192.168.2.10
The authenticity of host '[192.168.2.10]:12345 ([192.168.2.10]:12345)' can't be established.
ECDSA key fingerprint is 68:df:0f:ac:c7:75:df:02:88:7d:36:6a:1a:ae:27:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.2.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.2.10's password: 
Last login: Sun Sep  1 16:36:39 2019
[root@localhost ~]# 

Implementing IP masquerading and port forwarding:
1. Build a web service on the Internet test machine for testing:

[root@localhost ~]# yum -y install httpd
[root@localhost ~]# vim /var/www/html/index.html
<h1> www.baidu.com</h1>
[root@localhost ~]# systemctl enable httpd
[root@localhost ~]# systemctl start httpd

2. The intranet test machine and the web server in the dmz zone can both reach the Internet site (the original shows a screenshot; if the site cannot be reached, the firewall on the public-network test machine is the likely cause: either stop that firewall first or allow the relevant service traffic through it).
3. Check that masquerading is enabled in the gateway server's external zone (firewalld enables it by default in that zone):

[root@localhost /]# firewall-cmd --list-all --zone=external 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: 
  ports: 12345/tcp
  protocols: 
  masquerade: yes                     # address masquerading is enabled
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 

4. Enable IP masquerading only for source addresses in the 192.168.1.0/24 segment.
On the gateway server, disable the external zone's default masquerading and add a rich rule in the external zone that masquerades only traffic whose source address is in 192.168.1.0/24 (both commands below change the runtime configuration only; add --permanent, or run firewall-cmd --runtime-to-permanent afterwards, to keep them across a reload):

[root@localhost ~]# firewall-cmd --remove-masquerade --zone=external 
success
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success

Testing from the dmz zone now shows that the Internet site cannot be reached, while hosts on the intranet still can:

[root@localhost /]# curl http://100.0.0.10
curl: (7) Failed connect to 100.0.0.10:80; No route to host

5. Configure port forwarding so that Internet users can reach the internal web server.
On the gateway server:

[root@localhost /]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.10
success

Accessing the intranet web server from the Internet test machine now succeeds (the original shows a screenshot of the result).
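As an added check (example code, not part of the original post): a POSIX shell audit that reads the output of firewall-cmd --list-all --zone=external and verifies the gateway requirements set out on this page. It runs here on a constructed listing that represents the state after step 5 with the rich-rule masquerade from step 4; on a live gateway, pass the real firewall-cmd output to audit_external_zone instead.

```shell
#!/bin/sh
# Added audit helper, not from the original post: checks that the output of
# `firewall-cmd --list-all --zone=external` on the gateway meets the page's
# requirements (no ssh/http service, 12345/tcp open, ping blocked, masquerade
# on zone-wide or via rich rule, 443/tcp forwarded to 192.168.2.10). Exit 0/1.
# zone_field <listing> <name>: value of the "  name: value" line, if present
zone_field() { printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"; }
# has_word <list> <word>: true if the space-separated list contains word
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

audit_external_zone() {
    listing=$1 rc=0
    services=$(zone_field "$listing" services)
    ports=$(zone_field "$listing" ports)
    icmp=$(zone_field "$listing" icmp-blocks)
    masq=$(zone_field "$listing" masquerade)
    fwd=$(zone_field "$listing" forward-ports)
    # everything from "rich rules:" to the end (firewalld prints one rule per line)
    rich=$(printf '%s\n' "$listing" | sed -n '/^ *rich rules:/,$p')
    has_word "$services" ssh  && { echo "FAIL: predefined ssh service still open"; rc=1; }
    has_word "$services" http && { echo "FAIL: unencrypted http allowed"; rc=1; }
    has_word "$ports" 12345/tcp   || { echo "FAIL: port 12345/tcp not open"; rc=1; }
    has_word "$icmp" echo-request || { echo "FAIL: echo-request not blocked"; rc=1; }
    case "$masq$rich" in
        yes*) echo "WARN: zone-wide masquerade also NATs dmz hosts" ;;
        *masquerade*) ;;   # rich rule limits masquerade to one source network
        *) echo "FAIL: no masquerade configured"; rc=1 ;;
    esac
    case "$fwd$rich" in   # plain forward-port entry or rich-rule forward-port
        *port=443*192.168.2.10*|*port=\"443\"*192.168.2.10*) ;;
        *) echo "FAIL: 443/tcp not forwarded to 192.168.2.10"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample listing (state after step 5 with the rich-rule masquerade
# from step 4), trimmed to the fields the audit reads.
SAMPLE_OK=$(cat <<'EOF'
external (active)
  services:
  ports: 12345/tcp
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=:toaddr=192.168.2.10
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" masquerade
EOF
)
audit_external_zone "$SAMPLE_OK" && echo "external zone: compliant"
```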
6. Achieving the same with a rich port-forwarding rule:

After the configuration above, suppose the company obtains a new public IP address, 100.0.0.254; the port forwarding then has to be redone:

1. Configure the newly obtained public address 100.0.0.254 on the gateway server's external interface ens33 as a second IP address:

[root@localhost /]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
IPADDR0=100.0.0.1                                 # changed: the next four lines
PREFIX0=24
IPADDR1=100.0.0.254
PREFIX1=24                                           # now two IP addresses
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
DEVICE=ens33
ONBOOT=yes
ZONE=external

[root@localhost /]# ifdown ens33;ifup ens33             # restart the NIC so the configuration takes effect
[root@localhost /]# ip a                           # check that the configuration was applied
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:60:4b brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.1/24 brd 100.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 100.0.0.254/24 brd 100.0.0.255 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f65:9c3d:d218:7cea/64 scope link 
       valid_lft forever preferred_lft forever

2. Configure port forwarding with a rich rule (note that destination address=100.0.0.254/24 in the rule below matches every address in 100.0.0.0/24, including 100.0.0.1, not just the new one; use 100.0.0.254/32, or omit the prefix, to match the single address):

[root@localhost /]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=100.0.0.254/24 forward-port port=443 protocol=tcp to-addr=192.168.2.10' 
success

3. Verification (the original shows a screenshot of the successful access).


Source: blog.51cto.com/14227204/2434539