Step-by-Step Guide to Configuring Linux Firewall, Web Server, and SSH Access
This tutorial walks through setting up a Linux firewall with three network interfaces, placing a web server in a DMZ zone, opening HTTP/HTTPS, blocking ICMP echo requests, and moving SSH to a non-standard port for both internal and external access, with command examples and verification steps.
Experiment Environment
Four virtual machines are used: a firewall node with three NICs (ens33, ens36, ens37), an external-network simulator connected to the firewall's ens37, a web server connected to the firewall's ens36, and an internal PC for testing (NAT mode).
Network Interface Configuration
Duplicate the existing NIC configuration file to create the additional interfaces:
cd /etc/sysconfig/network-scripts/
cp -p ifcfg-ens33 ifcfg-ens36
cp -p ifcfg-ens33 ifcfg-ens37
In each copy, change DEVICE and NAME to the new interface name and drop the copied UUID and HWADDR lines, which must be unique per interface; then set IPADDR, PREFIX (or NETMASK) and GATEWAY in ifcfg-ens33, ifcfg-ens36 and ifcfg-ens37 as needed for each machine's addressing.
Enable IP Forwarding on the Firewall
vim /etc/sysctl.conf
# add or uncomment the line
net.ipv4.ip_forward = 1
sysctl -p
After reloading, net.ipv4.ip_forward reads 1 and the firewall can route traffic between its zones. Only the firewall node needs this; the web server and the test PC should keep forwarding disabled so they cannot be used to bridge networks.
Testing Basic Connectivity
Ping and traceroute commands confirm that the firewall routes packets correctly before any rules are applied.
Web Server Setup
Install Apache HTTPD, start it, and create a simple test page:
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo testsmqnz > /var/www/html/index.html
curl 127.0.0.1
Then bind the interface that faces the DMZ network to the dmz zone and open HTTP/HTTPS in it (the interface name in the command must be the one attached to the DMZ network on the host where firewalld runs):
firewall-cmd --zone=dmz --change-interface=ens33
firewall-cmd --zone=dmz --change-interface=ens33 --permanent
firewall-cmd --zone=dmz --add-port=80/tcp --permanent
firewall-cmd --zone=dmz --add-port=443/tcp --permanent
firewall-cmd --reload
The first --change-interface call only alters the running configuration, which --reload discards, so it is repeated with --permanent (setting ZONE=dmz in the interface's ifcfg file has the same effect); --add-service=http --add-service=https is the named-service equivalent of the two --add-port lines. After reloading, internal PCs can reach the web server, and firewall-cmd --get-active-zones confirms which interface is bound to the dmz zone.
Blocking ICMP Ping to the Web Server
firewall-cmd --zone=dmz --add-icmp-block=echo-request --permanent
firewall-cmd --reload
Verification shows that ping to the web server fails while HTTP traffic still works. Block only echo-request rather than ICMP as a whole: the host remains discoverable on ports 80 and 443 anyway, and dropping other ICMP types such as fragmentation-needed would break path-MTU discovery for the web traffic you just allowed.
SSH Port Remapping
Because the web server's SSH daemon is about to change port, do the steps in an order that cannot lock out an administrator who is connected over SSH: open the new port first, move sshd, verify from another host, and only then drop the default ssh service from the zone. On a host with SELinux enforcing (the default on CentOS/RHEL), sshd may only bind ports labelled ssh_port_t, so the new port must be labelled before the restart or sshd will fail to start; semanage comes from the policycoreutils-python package.
# Open the new port in the firewall
firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
firewall-cmd --reload
# Label the port for SELinux (skip only if SELinux is disabled)
semanage port -a -t ssh_port_t -p tcp 12345
# Edit SSH config: set the listening port, then check the syntax before restarting
vim /etc/ssh/sshd_config
Port 12345
sshd -t
systemctl restart sshd
# Remove the default SSH service only after the new port has been verified
firewall-cmd --zone=dmz --remove-service=ssh --permanent
firewall-cmd --reload
Test the new SSH access from the internal PC:
ssh [email protected] -p 12345
External SSH Access to the Firewall
Change the firewall's own SSH daemon to the same custom port in the same way (SELinux labelling included) and open the port in the external zone:
vim /etc/ssh/sshd_config
Port 12345
systemctl restart sshd
firewall-cmd --zone=external --add-port=12345/tcp --permanent
firewall-cmd --reload
Confirm the daemon is listening on the new port:
netstat -nultp | grep sshd
On hosts without the net-tools package, ss -nltp gives the same information. External users can now connect:
ssh [email protected] -p 12345
Moving SSH to a non-standard port only reduces scanner noise; the controls that actually protect the service are key-based authentication and disabled password logins, neither of which this guide changes.
Conclusion
The guide demonstrates how to build a multi-zone Linux firewall, expose a web service through a DMZ zone, block ICMP echo requests, and relocate SSH to a non-standard port for both internal and external access, providing a starting point for network security hardening.
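The DMZ and SSH-remapping steps above, collected into one lockout-safe script. This is an added example, not code from the original article or from Liangxu Linux. It assumes firewalld, systemd and iproute2 (ss) as found on CentOS/RHEL 7, and semanage from policycoreutils-python when SELinux is in use; the dmz zone and port 12345 come from the tutorial, while the function names, the DRY_RUN switch and the constructed sshd_config used for testing are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the DMZ and SSH steps of the
# tutorial as one script that never closes the door behind the administrator.
# Assumes firewalld, systemd, iproute2 and optionally semanage (CentOS/RHEL 7).
set -eu

# DRY_RUN=1 prints each privileged command instead of running it, so the plan
# can be reviewed (and this file exercised) without root.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# DMZ zone for the web server: named services instead of bare port numbers,
# and only echo-request blocked so path-MTU discovery keeps working.
dmz_web_zone() {
    local zone="${1:-dmz}"
    run firewall-cmd --zone="$zone" --add-service=http --permanent
    run firewall-cmd --zone="$zone" --add-service=https --permanent
    run firewall-cmd --zone="$zone" --add-icmp-block=echo-request --permanent
    run firewall-cmd --reload
}

# Accept only a registered port (not privileged, not in the kernel's default
# ephemeral range) so the new sshd listener cannot collide with anything.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1024 ] && [ "$1" -le 32767 ]; then return 0; fi
    return 1
}

# Replace every Port line (active or commented out) in an sshd_config file
# with a single active one, writing in place so ownership and mode survive.
set_sshd_port() {
    local cfg="$1" port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    { printf 'Port %s\n' "$port"
      grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || true
    } > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# First active Port directive in an sshd_config, or sshd's default of 22.
sshd_port_of() {
    local p
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2; exit}')
    printf '%s\n' "${p:-22}"
}

# Move sshd to $port: open and (on SELinux hosts) label the new port, restart
# sshd, confirm the new listener, and only then drop the old ssh service.
move_ssh_port() {
    local zone="$1" port="$2" cfg="${3:-/etc/ssh/sshd_config}"
    valid_port "$port" || return 1
    run firewall-cmd --zone="$zone" --add-port="${port}/tcp" --permanent
    run firewall-cmd --reload
    if command -v semanage >/dev/null 2>&1; then
        # -a fails if the port already carries a label; fall back to modify.
        run semanage port -a -t ssh_port_t -p tcp "$port" \
            || run semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    set_sshd_port "$cfg" "$port"       # edits $cfg even in dry-run mode
    run sshd -t -f "$cfg"              # syntax check before the restart
    run systemctl restart sshd
    if [ "$DRY_RUN" != "1" ] && ! ss -lnt | grep -Eq "[:.]${port}[[:space:]]"; then
        echo "sshd is not listening on $port; old port left open" >&2
        return 1
    fi
    run firewall-cmd --zone="$zone" --remove-service=ssh --permanent
    run firewall-cmd --reload
}

# Usage, as root on the target host (DRY_RUN=1 only prints the plan):
#   dmz_web_zone dmz
#   move_ssh_port dmz 12345
```

Run it with DRY_RUN=1 first and read the printed plan: the add-port line must appear before the remove-service line, which is the whole point of the ordering. Point the third argument of move_ssh_port at a copy of sshd_config to preview the edit, since the config rewrite happens even in dry-run mode.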
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.