graph TB
    subgraph host["Хост-машина"]
        subgraph fw["firewall-host (защищаемый хост, iptables)"]
            fw_lo["lo: 127.0.0.1/8"]
            fw_nat["enp0s3 &lpar;NAT&rpar;<br/>10.0.2.15/24"]
            fw_int["enp0s8 &lpar;Internal&rpar;<br/>192.168.100.1/24"]
        end
        subgraph ec["external-client (внешний клиент)"]
            ec_nat["enp0s3 &lpar;NAT&rpar;<br/>10.0.2.15/24"]
            ec_int["enp0s8 &lpar;Internal&rpar;<br/>192.168.100.2/24"]
        end
    end

    fw_int <--->|"Internal Network &lpar;intnet&rpar;<br/>192.168.100.0/24"| ec_int

    inet["Интернет<br/>&lpar;DNS: 10.0.2.3, HTTP/HTTPS,<br/>ICMP: 8.8.8.8 и др.&rpar;"]
    fw_nat -->|"NAT"| inet

    style fw fill:#e8f4e8,stroke:#2d7d2d,stroke-width:2px
    style ec fill:#e8e8f4,stroke:#2d2d7d,stroke-width:2px
    style host fill:#f9f9f9,stroke:#999,stroke-width:1px
    style inet fill:#fff3e0,stroke:#e65100,stroke-width:2px
    style fw_lo fill:#fff,stroke:#666
    style fw_nat fill:#fff,stroke:#666
    style fw_int fill:#fff,stroke:#666
    style ec_nat fill:#fff,stroke:#666
    style ec_int fill:#fff,stroke:#666