4.2 Startup Firewall virtual machine
5.1 Create DNS Server virtual machine
• Startup the "Firewall" virtual machine (see 4.2 Startup Firewall virtual machine)
You could log in directly on the virtual machine as user root, but connecting through SSH from your host PC makes it possible to copy and paste text into the console window.
• Open "Command Prompt" on your host computer
Write what is highlighted in red.
Instead of writing "teddy", write the username you created on the master virtual machine:
C:\Users\teddy>ssh teddy@192.168.0.128
teddy@192.168.0.128's password: (write your user's password here)
[teddy@localhost ~]$ su
Password: (write the root password here)
Set the hostname of this machine, but use your own domain name instead of "yddet.dk":
[root@localhost teddy]# hostnamectl set-hostname firewall.yddet.dk
Create a directory named "firewall" and, inside it, a bash file called "firewall.sh":
[root@localhost teddy]# mkdir /var/firewall
[root@localhost teddy]# cd /var/firewall
[root@localhost firewall]# vim firewall.sh
Add these lines to the document:
#!/bin/bash -x
systemctl restart firewalld.service
# bind zones to the interfaces
firewall-cmd --zone=external --change-interface=eth0
firewall-cmd --zone=internal --change-interface=eth1
firewall-cmd --zone=dmz --change-interface=eth2
# allow traffic from the internal zone to the dmz zone
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth2 -j ACCEPT
# only allow responses from the dmz zone to the internal zone
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# restrict to 3 login attempts within 30 seconds through SSH
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 22 -m state --state NEW -m recent --set
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j REJECT --reject-with tcp-reset
Save the document and quit vim
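As an added illustration (not part of the guide), the following Python imitates the xt_recent bookkeeping behind the two SSH rules in firewall.sh, so you can check what "3 login attempts within 30 seconds" means in practice: because rule 0 (--set) records the attempt before rule 1 (--update ... --hitcount 3) is evaluated, the third new connection from one address within 30 seconds is the first one rejected, and every further attempt extends the block. The addresses and timings are constructed sample data; this models the kernel module's behaviour rather than calling it.

```python
from collections import defaultdict

SECONDS = 30   # --seconds 30 in firewall.sh
HITCOUNT = 3   # --hitcount 3 in firewall.sh


class RecentTable:
    """Per-source timestamp list, imitating what xt_recent keeps per address."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # '--set': add the address if missing and record this packet.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # '--update --seconds S --hitcount N': match only if the address is
        # already listed and at least N hits fall within the last S seconds.
        # A match records the current packet too, so a client that keeps
        # retrying keeps the block alive.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_syn(table, src, now):
    """One new SSH connection from src at time now, walked through the two
    INPUT_direct rules in the order the script adds them. 'CONTINUE' means
    rule 1 did not fire and the packet goes on to the normal zone rules."""
    table.set(src, now)                            # rule 0: -m recent --set (no -j)
    if table.update(src, now, SECONDS, HITCOUNT):  # rule 1: --update --hitcount 3
        return "REJECT"                            # -j REJECT --reject-with tcp-reset
    return "CONTINUE"


def simulate(attempts):
    """attempts: list of (source_ip, seconds_since_start); returns the verdicts."""
    table = RecentTable()
    return [ssh_syn(table, src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed sample: three quick attempts from one host, then a quiet retry.
    print(simulate([("192.168.1.50", 0), ("192.168.1.50", 5),
                    ("192.168.1.50", 10), ("192.168.1.50", 45)]))
```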
Make the bash file executable:
[root@localhost firewall]# chmod 754 firewall.sh
Edit crontab:
[root@localhost firewall]# vim /etc/crontab
To have the newly created bash file executed at system startup, add the line which is highlighted in red:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
@reboot root /var/firewall/firewall.sh
Save the document and quit vim
Edit the configuration file for the first Ethernet adapter:
[root@localhost firewall]# cd /etc/sysconfig/network-scripts
[root@localhost network-scripts]# vim ifcfg-eth0
To change the static IP address of this interface, find this line and change it to:
IPADDR=192.168.0.254
Save the document and quit vim
Create and edit the configuration file for the second Ethernet adapter:
[root@localhost network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[root@localhost network-scripts]# vim ifcfg-eth1
To configure this interface not to be a default route, and to change its name, find these lines and change them to:
DEFROUTE=no
IPV6_DEFROUTE=no
NAME=eth1
DEVICE=eth1
To change the static IP address of this interface, find this line and change it to:
IPADDR=192.168.1.1
To remove the gateway and DNS server addresses from this interface, find these lines and either delete them or add a comment mark at the beginning of each line:
# GATEWAY="192.168.0.1"
# DNS1=192.168.0.1
Save the document and quit vim
Create and edit the configuration file for the third Ethernet adapter:
[root@localhost network-scripts]# cp ifcfg-eth1 ifcfg-eth2
[root@localhost network-scripts]# vim ifcfg-eth2
Find these lines and change them to:
NAME=eth2
DEVICE=eth2
IPADDR=192.168.255.1
Add this line to the end of the document, but use your own domain name instead of "yddet.dk":
DOMAIN=yddet.dk
Save the document and quit vim
Shut down the system, and exit "Command Prompt":
[root@firewall firewall]# shutdown -h now
Connection to 192.168.0.128 closed by remote host.
Connection to 192.168.0.128 closed.
C:\Users\teddy>exit
• Return to the "Firewall" virtual machine
• Click "X" to close the virtual machine