Master Linux Firewall & SSH: Step‑by‑Step Guide to Secure Web and Remote Access

This step‑by‑step tutorial shows how to set up a Linux firewall, configure network interfaces, deploy an Apache web server, and secure remote SSH access, including moving sshd to a custom port and blocking ICMP, using firewalld commands and configuration files across a multi‑machine test environment.

MaGe Linux Operations

Linux Firewall Practical Guide: Configuring Web Server and SSH Remote Services

In today's digital era, network security is crucial. Linux, as an open‑source operating system, is widely used for server management and network configuration. This article details how to configure a Linux firewall and a web server to ensure secure access between internal and external networks, and how to manage remote servers via SSH.

Experiment Environment

Four servers are used:

One firewall with three interfaces: ens33 (internal LAN side), ens36 (segment toward the web server) and ens37 (external network side)

One host simulating the external network, attached to the firewall's ens37 segment

One web server, attached to the firewall's ens36 segment (the web server's own interface is ens33)

One internal PC for access testing (NAT mode, with its gateway pointing at the firewall)

Experiment Requirements

The internal PC can reach the web server over HTTP, but cannot ping it (ICMP echo requests must be blocked).

The internal PC reaches the web server over SSH on port 12345 instead of the default port 22.

The external network reaches the firewall itself over SSH on port 12345.

Network Environment Configuration

Configure firewall network interfaces:

cd /etc/sysconfig/network-scripts/
cp -p ifcfg-ens33 ifcfg-ens36
cp -p ifcfg-ens33 ifcfg-ens37

In each copied file change DEVICE= and NAME= to the new interface name and delete the UUID= line, otherwise NetworkManager treats the copies as the same connection. Then configure ens36 and ens37 as needed (static or DHCP), and point the internal network's default gateway at the firewall's ens33 address.

Configure the web server's interface (ens33) and the external host's interface in the same way.

Enable IP Forwarding

vim /etc/sysctl.conf
# add or uncomment the line:
net.ipv4.ip_forward = 1
sysctl -p   # reload

Web Server Configuration

Install and start Apache:

yum install -y httpd
systemctl enable --now httpd         # start Apache now and enable it at boot
echo testsmqnz > /var/www/html/index.html
curl 127.0.0.1   # should return "testsmqnz"

On the web server, bind its interface to the dmz zone and open the web ports. Rules added with --permanent are written to the zone file under /etc/firewalld/zones/ and only take effect after a reload; a runtime-only change is lost at the next reload or reboot:

firewall-cmd --permanent --zone=dmz --change-interface=ens33   # bind the web server's interface to the dmz zone
firewall-cmd --zone=dmz --add-port=80/tcp --permanent
firewall-cmd --zone=dmz --add-port=443/tcp --permanent
firewall-cmd --reload   # load the permanent configuration into the running firewall

After configuration, both the internal network and the firewall can access the web server.

Testing SSH

Move the SSH daemon on the web server to a custom port (12345) and drop the default ssh service (port 22) from the DMZ zone. Do this from the console, or open the new port before removing the service: once the ssh service is removed and the firewall reloaded, port 22 is closed and a remote session that drops cannot reconnect.

# Remove the default SSH service (port 22) from the zone
firewall-cmd --zone=dmz --remove-service=ssh --permanent
firewall-cmd --reload
# Verify the zone's rules
firewall-cmd --list-all --zone=dmz

Tell SELinux about the new port (rather than disabling SELinux, which drops a whole layer of protection to fix one denial), edit the SSH configuration, and restart the service:

# Label the new port for SELinux; semanage comes from policycoreutils-python on CentOS 7
semanage port -a -t ssh_port_t -p tcp 12345
vim /etc/ssh/sshd_config
# Change the Port line to: Port 12345
sshd -t                      # syntax-check the config before restarting
systemctl restart sshd
netstat -nultp | grep sshd   # should show port 12345 listening (ss -nltp shows the same)

Open the new SSH port in the firewall:

firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
firewall-cmd --reload

Test from the internal PC (the address was redacted in the source; use the web server's ens33 address):

ssh root@<web-server-ip> -p 12345
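The requirement list asks for three things on the DMZ side that the commands above only partly deliver: ports 80, 443 and 12345 open, the default ssh service gone, and ICMP echo requests from the internal PC blocked. The ICMP block is never configured in the steps above; in firewalld it is one more permanent rule on the web server, firewall-cmd --permanent --zone=dmz --add-icmp-block=echo-request followed by a reload. The script below is an added example, not code from the original tutorial: it parses the permanent zone file firewalld writes under /etc/firewalld/zones/ and the edited sshd_config, and reports every requirement that is not met. The two zone files and the sshd_config embedded in it are constructed samples (the stock dmz zone, and the zone as it should look after all the commands including the ICMP block); the PermitRootLogin check is an assumption about what a practitioner would also want flagged, since the tutorial logs in as root.

```python
"""Audit a firewalld zone file and sshd_config against the lab's requirements.

Added example, not part of the original tutorial. The inline configurations
are constructed samples, not files captured from the lab machines.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the default dmz zone before any of the tutorial's changes.
DMZ_BEFORE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <service name="ssh"/>
</zone>
"""

# Constructed sample: the dmz zone after the tutorial's --permanent commands plus
#   firewall-cmd --permanent --zone=dmz --add-icmp-block=echo-request
# which is what the "internal PC cannot ping the web server" requirement needs.
DMZ_AFTER = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <interface name="ens33"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="12345"/>
  <icmp-block name="echo-request"/>
</zone>
"""

# Constructed sample of the web server's sshd_config after the Port edit.
# PermitRootLogin yes is what a password login as root relies on.
SSHD_CONFIG = """# sshd_config (trimmed)
#Port 22
Port 12345
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_zone(xml_text):
    """Return the services, ports, icmp blocks and interfaces of a zone file."""
    root = ET.fromstring(xml_text)
    return {
        "services": {e.get("name") for e in root.findall("service")},
        "ports": {(e.get("port"), e.get("protocol")) for e in root.findall("port")},
        "icmp_blocks": {e.get("name") for e in root.findall("icmp-block")},
        "interfaces": {e.get("name") for e in root.findall("interface")},
    }


def parse_sshd_config(text):
    """Return effective sshd settings: keywords are case-insensitive, '#' starts
    a comment, '=' or whitespace separates keyword and value, and sshd honours
    the *first* occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(zone, sshd, iface="ens33", ssh_port="12345"):
    """Return a list of findings; an empty list means every requirement is met."""
    findings = []
    if iface not in zone["interfaces"]:
        findings.append(f"{iface} is not bound to the zone in the permanent config")
    for port in ("80", "443", ssh_port):
        if (port, "tcp") not in zone["ports"]:
            findings.append(f"tcp/{port} is not opened")
    if "ssh" in zone["services"]:
        findings.append("default ssh service still allowed (port 22 reachable)")
    if "echo-request" not in zone["icmp_blocks"]:
        findings.append("echo-request not blocked (the internal PC can still ping)")
    if sshd.get("port", "22") != ssh_port:
        findings.append(f"sshd listens on {sshd.get('port', '22')}, not {ssh_port}")
    # OpenSSH's own default is prohibit-password; only an explicit "yes" is flagged.
    if sshd.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    return findings


if __name__ == "__main__":
    sshd = parse_sshd_config(SSHD_CONFIG)
    for label, xml_text in (("before", DMZ_BEFORE), ("after", DMZ_AFTER)):
        print(f"[{label}]")
        for finding in audit(parse_zone(xml_text), sshd) or ["all requirements met"]:
            print("  -", finding)
```

Run on the real machine with the contents of /etc/firewalld/zones/dmz.xml and /etc/ssh/sshd_config instead of the samples; the same audit function covers the firewall's external zone later in the lab by passing iface="ens37". Only the permanent configuration is checked, so a runtime-only --change-interface that was never made permanent shows up as a finding, which is the point.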

External Network Remote Access to Firewall

Allow the external network to reach the firewall's own sshd on port 12345. The rule goes in the external zone, and it only has effect if the firewall's external interface (ens37) is bound to that zone, in the same way ens33 was bound to dmz on the web server. SELinux needs the port label on the firewall as well:

semanage port -a -t ssh_port_t -p tcp 12345   # label the port for SELinux on the firewall too
vim /etc/ssh/sshd_config
# Change the Port line to: Port 12345
sshd -t                                       # syntax-check before restarting
systemctl restart sshd
firewall-cmd --zone=external --add-port=12345/tcp --permanent
firewall-cmd --reload

Verify the port is listening:

netstat -nultp | grep sshd
# Expected output shows 0.0.0.0:12345 and :::12345 LISTEN

Test from the external host (the address was redacted in the source; use the firewall's ens37 address):

ssh root@<firewall-external-ip> -p 12345

Conclusion

Through this article, readers learn the basic configuration of Linux firewalls and web servers, as well as secure network access via SSH. Proper firewall settings and SSH management are key to safeguarding network security, and these skills can be applied in real‑world environments to build a secure network infrastructure.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, network security, firewalld

Written by MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
