
How to Securely Configure Linux Firewall, Web Server, and SSH Access

This guide walks through setting up a Linux firewall with multiple network interfaces, configuring a web server in a DMZ zone, restricting ICMP, and changing SSH ports to securely enable internal and external access while preventing unwanted ping traffic.

Liangxu Linux

In modern digital environments, securing network services on Linux is essential. This article provides a step‑by‑step tutorial for configuring a Linux firewall, a web server, and SSH access to ensure safe communication between internal and external networks.

Experiment Environment

Four virtual machines are used:

One firewall machine with interfaces ens33, ens36, ens37

One external‑network simulator (interface ens37)

One web server (interface ens36)

One internal PC for testing (NAT mode)

Key requirements:

Internal PC can access the web server via HTTP but cannot ping it.

Internal PC must SSH to the web server on port 12345.

External network must SSH to the firewall on port 12345.

Network Interface Configuration

Copy the existing network script for ens33 to create configurations for ens36 and ens37:

cd /etc/sysconfig/network-scripts/
cp -p ifcfg-ens33 ifcfg-ens36
cp -p ifcfg-ens33 ifcfg-ens37

Adjust the IP settings for each interface as shown in the accompanying screenshots (omitted for brevity).

Enable IP Forwarding on the Firewall

vim /etc/sysctl.conf
# add or uncomment the line
net.ipv4.ip_forward = 1
sysctl -p

Test Connectivity

After configuring interfaces and enabling forwarding, verify that the firewall can reach all other machines. Screenshots demonstrate successful ping and traceroute results.

Web Server Setup (DMZ Zone)

Install Apache and create a test page:

yum install -y httpd
echo testsmqnz > /var/www/html/index.html
curl 127.0.0.1

Configure the firewall to expose the DMZ zone and open HTTP/HTTPS ports:

# assign the interface to the dmz zone, then open HTTP/HTTPS in the permanent configuration
firewall-cmd --zone=dmz --change-interface=ens33
firewall-cmd --zone=dmz --add-port=80/tcp --permanent
firewall-cmd --zone=dmz --add-port=443/tcp --permanent
# load the permanent rules into the running configuration
firewall-cmd --reload

Use firewall-config GUI to assign interfaces to zones (trusted, dmz, external) and enable the httpd service.

Block ICMP Echo Requests to the Web Server

firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
firewall-cmd --reload

Testing shows the internal PC can reach the web server via HTTP but ping attempts are blocked.

SSH Port Remapping

On the web server, remove the default SSH service from the DMZ zone, then add the custom port:

# Remove default SSH service
firewall-cmd --zone=dmz --remove-service=ssh --permanent
firewall-cmd --reload
# Add custom SSH port 12345
firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
firewall-cmd --reload

Modify /etc/ssh/sshd_config to listen on the new port and restart the service:

vim /etc/ssh/sshd_config
# set or uncomment the line
Port 12345
systemctl restart sshd
netstat -nultp | grep sshd

Verification shows sshd listening on port 12345. Internal PC can now connect using:

ssh <user>@<web-server-ip> -p 12345

External Access to the Firewall

Similarly, edit the firewall’s SSH configuration to use port 12345 and restart:

vim /etc/ssh/sshd_config
# set or uncomment the line
Port 12345
systemctl restart sshd

Open the port in the firewall’s external zone:

firewall-cmd --zone=external --add-port=12345/tcp --permanent
firewall-cmd --reload

External testing from a remote host confirms successful SSH connection:

ssh <user>@<firewall-external-ip> -p 12345
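As an added check that is not part of the original article, the following Python script audits the firewalld end state built above (dmz: 80, 443 and 12345/tcp open, echo-request blocked, ssh service removed; external: 12345/tcp open) by parsing the output of `firewall-cmd --zone=<zone> --list-all`. The `audit_live` helper and the sample dmz output are this example's own constructions, not the article's.

```python
import subprocess

# Expected end state; zone names, ports and the icmp block are the article's.
POLICY = {
    "dmz": {"ports": {"80/tcp", "443/tcp", "12345/tcp"},
            "icmp-blocks": {"echo-request"},
            "forbidden-services": {"ssh"}},      # ssh service = port 22 open
    "external": {"ports": {"12345/tcp"},
                 "icmp-blocks": set(),
                 "forbidden-services": set()},
}

def parse_zone(text):
    """Map each `field: tokens` line of --list-all output to a set of tokens."""
    fields = {}
    for line in text.splitlines()[1:]:       # line 0 is "<zone> (active)"
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key] = set(value.split())
    return fields

def check_zone(zone, text):
    """Return human-readable findings; an empty list means the zone matches."""
    want, have = POLICY[zone], parse_zone(text)
    findings = []
    for port in sorted(want["ports"] - have.get("ports", set())):
        findings.append(f"{zone}: port {port} not opened")
    for blk in sorted(want["icmp-blocks"] - have.get("icmp-blocks", set())):
        findings.append(f"{zone}: icmp-block {blk} missing")
    for svc in sorted(want["forbidden-services"] & have.get("services", set())):
        findings.append(f"{zone}: service {svc} still enabled (opens port 22)")
    return findings

def audit_live(zone):
    """Query firewalld on this host (needs firewall-cmd, run as root)."""
    out = subprocess.run(["firewall-cmd", f"--zone={zone}", "--list-all"],
                         capture_output=True, text=True, check=True).stdout
    return check_zone(zone, out)

# Constructed sample: a dmz zone where the default ssh service was never removed.
SAMPLE_DMZ = """dmz (active)
  interfaces: ens36
  services: ssh
  ports: 80/tcp 443/tcp 12345/tcp
  icmp-blocks: echo-request
"""

if __name__ == "__main__":
    print("\n".join(check_zone("dmz", SAMPLE_DMZ)) or "dmz: compliant")
```

Run it on the web server and on the firewall with `audit_live("dmz")` and `audit_live("external")` after the `firewall-cmd --reload` steps; any printed finding is a rule that did not land.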

Conclusion

The tutorial demonstrates how to configure a Linux firewall with multiple zones, set up a web server in a DMZ, block unwanted ICMP traffic, and securely remap SSH ports for both internal and external access. Proper firewall rules and SSH hardening are critical for protecting network resources.

Successful networking requires diligent configuration and continuous testing. Apply these practices to build a robust, secure environment.
Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)