# DMZ - Firewall

## Configure WAN and LAN on pfSense

> Choose Set Interfaces (2) > WAN (1) > IPv4 (y) > IPv6 (n) > HTTP as the WebConfigurator (n)
> Choose Set Interfaces (2) > LAN (2) > Enter the LAN IPv4 address - xxx.xxx.xxx.xxx > Mask - 24 > DHCP server on LAN (n) > HTTP as the WebConfigurator (n)

## Configure the network on the machine acting as the firewall

> Rename the machine:
> `/etc/hosts` -> `127.0.0.1 Linux-FW`
> `/etc/hostname` -> `Linux-FW`

Configure the interfaces (`nano /etc/network/interfaces`):

```text
auto ens3
iface ens3 inet static
    address 172.16.12.1/24
    gateway 172.16.12.254

auto ens4
iface ens4 inet static
    address 192.168.100.254/24
```

Set the resolver (`nano /etc/resolv.conf`):

```text
nameserver 8.8.8.8
```

Reboot and update the system:

```shell
reboot

apt update && apt upgrade -y
```

Install dnsmasq and replace the stock configuration (the original file is kept as a backup):

```shell
apt install dnsmasq
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
nano /etc/dnsmasq.conf
```

Contents of the new `/etc/dnsmasq.conf` (DHCP on the internal interface; option 3 is the default gateway, option 6 the DNS server handed to clients):

```text
interface=ens4
dhcp-range=192.168.100.20,192.168.100.100,24h
dhcp-option=3,192.168.100.254
dhcp-option=6,8.8.8.8
```

```shell
systemctl restart dnsmasq.service
systemctl enable dnsmasq.service
```

Enable IPv4 forwarding so the machine routes between ens3 and ens4 (`nano /etc/sysctl.conf`, then reload with `sysctl -p`):

```text
net.ipv4.ip_forward = 1
```

```shell
sysctl -p
```

## Configure Kali Linux

```shell
nano /etc/network/interfaces
```

```text
auto eth0
iface eth0 inet static
    address 172.16.12.10/24
    gateway 172.16.12.254
```

```shell
nano /etc/resolv.conf
```

```text
nameserver 8.8.8.8
```

```shell
systemctl restart networking.service
```

## Add the networks behind the DMZ zone (Linux-FW) on pfSense

> Disable the Reserved Networks block option -> Save -> Apply Changes
>
> Add a gateway:
> System -> Routing -> Gateways -> Add
>
> ![](https://i.imgur.com/a5IglSR.png)
>
> System -> Routing -> Gateways -> Edit
> Interface -> LAN
> Name -> LAN_GW
> Gateway -> 172.16.12.1
> Save -> Apply Changes
>
> System -> Routing -> Static Routes -> Add
>
> ![](https://i.imgur.com/Vf0w1OB.png)
>
> Destination network -> 192.168.100.0/24
> Gateway -> choose LAN_GW from the list
> Description -> LAN Network
> Save -> Apply Changes

## Add an Alias

> ![](https://i.imgur.com/G54poYh.png)
>
> Firewall -> Aliases -> IP > Add
> Name -> LAN_Networks
> Description -> LAN Networks
> Type -> Network(s)
> Network or FQDN -> 192.168.100.0/24 LAN-main
> Save -> Apply Changes

## Allow traffic for the LAN

> Copy the rule below
> Source -> Single host or alias -> LAN_Networks
> Description -> allow LAN to any rule
> Save -> Apply Changes
>
> ![](https://i.imgur.com/k655wUQ.png)

## Configure VLANs on the Cisco switch

e0/0 is the trunk towards Linux-FW (ens4); e0/3 and e0/2 are access ports in VLAN 10 and VLAN 20; e0/1 stays in the default VLAN:

```text
Switch> enable
Switch# conf t
Switch(config)# hostname Switch-LAN

Switch-LAN(config)# int e0/0
Switch-LAN(config-if)# switchport trunk encapsulation dot1q
Switch-LAN(config-if)# switchport mode trunk

Switch-LAN(config-if)# int e0/1
Switch-LAN(config-if)# switchport mode access

Switch-LAN(config-if)# int e0/2
Switch-LAN(config-if)# switchport mode access
Switch-LAN(config-if)# switchport access vlan 20

Switch-LAN(config-if)# int e0/3
Switch-LAN(config-if)# switchport mode access
Switch-LAN(config-if)# switchport access vlan 10

Switch-LAN(config-if)# do wr mem
Switch-LAN(config-if)# do sh run
```

## Configure DHCP for the VLANs on Linux-FW

Add one tagged sub-interface per VLAN on the trunk port ens4 (`nano /etc/network/interfaces`):

```text
auto ens4.10
iface ens4.10 inet static
    address 192.168.10.254/24

auto ens4.20
iface ens4.20 inet static
    address 192.168.20.254/24
```

Add a DHCP scope per interface (`nano /etc/dnsmasq.conf`):

```text
interface=ens4
dhcp-range=192.168.100.20,192.168.100.100,24h
dhcp-option=3,192.168.100.254
dhcp-option=6,8.8.8.8

interface=ens4.10
dhcp-range=192.168.10.20,192.168.10.100,24h
dhcp-option=3,192.168.10.254
dhcp-option=6,8.8.8.8

interface=ens4.20
dhcp-range=192.168.20.20,192.168.20.100,24h
dhcp-option=3,192.168.20.254
dhcp-option=6,8.8.8.8
```

## IPTables

> Three types of traffic are filtered by the chains of the filter table:
> - INPUT
> - OUTPUT
> - FORWARD

[Configuring iptables](https://losst.ru/nastrojka-iptables-dlya-chajnikov)

[Configuring the Linux firewall iptables: a beginner's guide](https://1cloud.ru/help/linux/nastrojka_linus-firewall_iptables)

## NAT

> Firewall > NAT > Port Forward > edit
>
> ![](https://i.imgur.com/XUnGc0D.png)

###### tags: `Information Security Systems`
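The IPTables section only names the three filter chains. The script below is an added example, not part of the original notes, showing a ruleset for Linux-FW built from the addressing above: ens3 faces the pfSense LAN (DMZ) and ens4 / ens4.10 / ens4.20 are the internal LAN and VLAN sub-interfaces. The interface names and dnsmasq ports come from the notes; the choices to allow SSH only from internal interfaces, to keep VLANs from reaching each other through the firewall, and to log whatever is dropped are assumptions of this example. The ruleset is printed as commands rather than executed directly, so it can be reviewed or tested on a machine without iptables; `--apply` runs it.

```shell
#!/bin/sh
# Added example (not from the original notes): generate an iptables filter
# ruleset for Linux-FW. Interface names and addresses follow the lab notes;
# the SSH, inter-VLAN isolation and logging policy are assumptions.

WAN_IF=ens3                    # towards pfSense LAN / DMZ (172.16.12.0/24)
LAN_IFS="ens4 ens4.10 ens4.20" # internal LAN and VLAN 10 / 20 sub-interfaces

# Print one iptables command per line instead of running it, so the ruleset
# can be inspected before it touches a live firewall.
build_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for lan in $LAN_IFS; do
        # dnsmasq answers DHCP (67/udp) and DNS (53) on every internal interface
        printf 'iptables -A INPUT -i %s -p udp --dport 67 -j ACCEPT\n' "$lan"
        printf 'iptables -A INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$lan"
        printf 'iptables -A INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$lan"
        # assumption: SSH management of Linux-FW only from inside, never from ens3
        printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j ACCEPT\n' "$lan"
        # internal -> DMZ is routed (no MASQUERADE: pfSense has a static route
        # back via LAN_GW); replies match the conntrack rule above
        printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan" "$WAN_IF"
    done
    # Nothing allows ens4.10 <-> ens4.20 or ens3 -> internal, so the DROP
    # policy isolates the VLANs; log what falls through for detection.
    printf 'iptables -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "\n'
    printf 'iptables -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "\n'
}

# Number of -A rules in the generated set, as a quick sanity check.
rule_count() { build_rules | grep -c '^iptables -A'; }

# Execute the generated commands; refuse when iptables is not installed.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;
esac
```

One caveat this ruleset makes visible: the pfSense static route and the LAN_Networks alias above cover only 192.168.100.0/24, so hosts in VLAN 10 and VLAN 20 (192.168.10.0/24, 192.168.20.0/24) will be forwarded by Linux-FW but pfSense has no return route for them until equivalent static routes and alias entries are added.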