Master Linux Firewall & SSH: Step‑by‑Step Guide to Secure Web Server Access

This tutorial walks through configuring a Linux firewall and web server, setting up network interfaces across four virtual machines, enabling NAT, defining DMZ zones, securing SSH on a non‑standard port, and verifying connectivity, providing a comprehensive hands‑on guide for robust network security.

Raymond Ops

Linux Firewall Practical Guide for Web Server and SSH Remote Service Configuration

In the digital age, network security is crucial. Linux, as an open‑source OS, is widely used for server management and network configuration. This article details how to configure Linux firewalls and a web server to ensure secure internal and external access, and how to manage servers remotely via SSH.

Experimental Environment

Four servers are used:

One as firewall (interfaces ens33, ens36, ens37)

One simulating the external network (ens37)

One web server (ens36)

One internal PC for testing (NAT mode)

Experiment Requirements

Internal PC can access the web server, but ICMP ping to the web server is blocked.

Internal PC accesses the web server via SSH on port 1234.

External network accesses the firewall via SSH on port 1234.

Network Environment Configuration

Firewall NIC configuration:

Firewall NIC diagram
cd /etc/sysconfig/network-scripts/
cp -p ifcfg-ens33 ifcfg-ens36
cp -p ifcfg-ens33 ifcfg-ens37

Configure ens36 and ens37 interfaces (images omitted for brevity).

Enable IP forwarding:

vim /etc/sysctl.conf
# add or uncomment:
net.ipv4.ip_forward = 1
sysctl -p

Web Server Configuration

Install and start Apache:

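yum install -y httpd
# start Apache now and on every boot
systemctl enable --now httpd
echo testsmqnz > /var/www/html/index.html
# confirm the test page is served locally
curl 127.0.0.1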

Configure DMZ zone and open ports:

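# --permanent is needed on the interface binding too; a runtime-only change is discarded by --reload
firewall-cmd --zone=dmz --change-interface=ens33 --permanent
firewall-cmd --zone=dmz --add-port=80/tcp --permanent
firewall-cmd --zone=dmz --add-port=443/tcp --permanent
# load the permanent configuration into the running firewall
firewall-cmd --reload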

SSH Port Modification

Disable SELinux (in enforcing mode it prevents sshd from binding a port that is not labeled ssh_port_t), edit the SSH daemon configuration, and restart:

vim /etc/ssh/sshd_config
# set:
Port 12345
systemctl restart sshd

Open the new port in the firewall:

firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
firewall-cmd --reload
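
A check for the failure mode this step can cause, as an added example that is not part of the original article: if the port in sshd_config and the port opened in the zone differ (the requirements above say 1234, the commands use 12345), the restart leaves SSH unreachable. The function names and sample inputs are constructed for illustration, and only ports opened with --add-port are considered.

```bash
#!/usr/bin/env bash
# Added example: confirm every sshd listening port is open in the firewalld
# zone before restarting sshd, so a port mismatch does not cut off remote access.

# Print the ports sshd will listen on, reading sshd_config text from stdin.
# Keywords are case-insensitive, comment lines are skipped, no Port line means 22.
# (Ports set through "ListenAddress host:port" are not considered.)
sshd_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (n == 0) print 22 }'
}

# Succeed if PORT/tcp ($1) is covered by `firewall-cmd --list-ports` output ($2),
# a space-separated list such as "80/tcp 5000-5010/tcp".
port_open() {
    local port=$1 entry lo hi
    for entry in $2; do
        [ "${entry##*/}" = "tcp" ] || continue
        entry=${entry%/*}
        lo=${entry%-*}
        hi=${entry#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Print each sshd port the zone leaves closed; status 1 if any is missing.
# $1 = sshd_config text, $2 = list-ports output
missing_ssh_ports() {
    local p rc=0
    for p in $(printf '%s\n' "$1" | sshd_ports); do
        port_open "$p" "$2" || { echo "$p"; rc=1; }
    done
    return "$rc"
}

# Constructed sample inputs (not captured from a real host): sshd moved to
# 12345 while the zone opened 1234.
SAMPLE_SSHD_CONFIG='#Port 22
Port 12345
PermitRootLogin no'
SAMPLE_DMZ_PORTS='80/tcp 443/tcp 1234/tcp'

# On a live host the inputs would be "$(cat /etc/ssh/sshd_config)" and
# "$(firewall-cmd --zone=dmz --list-ports)".
missing_ssh_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_DMZ_PORTS" \
    || echo "port(s) listed above are closed in the zone: open them before restarting sshd"
```

On a host that keeps SELinux enforcing, the new port additionally needs the ssh_port_t label (`semanage port -a -t ssh_port_t -p tcp 12345`) before sshd can bind it.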

Testing

From the internal PC:

ssh [email protected] -p 12345

From the external network:

ssh [email protected] -p 12345

Conclusion

By following this guide, readers learn the basics of Linux firewall and web server configuration, as well as secure network access through proper firewall rules and SSH management, essential for building a safe network environment.
