VyOS basic configuration



http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/
http://thomasvochten.com/archive/2015/03/labv2-part1/
http://www.letmefix-it.com/2016/07/07/vyos-nat-configuration-1-to-1/
https://github.com/rharmonson/richtech/wiki/Vyos-Firewall

1 Basic configuration

# External (WAN) interface
set interfaces ethernet eth0 address 10.0.1.32/24
set interfaces ethernet eth0 description public
# Internal (LAN) interface
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 description private
# Default route through the upstream gateway
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1

# Start the SSH server on a non-default port. It listens on every interface,
# eth0 included, so traffic addressed to the router itself must be covered by
# the firewall (section 3); changing the port alone hides nothing.
set service ssh port 29922
# Host name
set system host-name vyos-master
# Time zone
set system time-zone Asia/Shanghai

# Apply the changes to the running configuration
commit
# Write the running configuration to the boot file
save
Saving configuration to '/config/config.boot'...
# Revert. Changes that have not been committed yet are thrown away with `discard`;
# `rollback <N>` returns to an earlier committed revision (numbers from
# `show system commit`) and on VyOS 1.x reboots the router to do so.
rollback

2 NAT

Source NAT needs three things:
1 The internal IP addresses to translate
2 The outgoing interface on which to perform the translation
3 The external IP address to translate to

# Let the LAN reach the outside using whatever address eth0 holds (masquerade)
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade

# Alternatively, translate to a dedicated external IP (10.0.1.100) instead of the
# firewall's own address. The IP is added to eth0 as a secondary address so the
# router answers ARP for it; the later `translation address` replaces the
# masquerade value in rule 100, it does not add to it.
set interfaces ethernet eth0 address 10.0.1.100/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address 10.0.1.100

# With many internal hosts, translate to an address pool; the page's rule of thumb
# is one external address per 256 internal hosts. Every address in the pool must be
# configured on eth0 (or routed to the router) or replies will never arrive.
......
set nat source rule 100 translation address 10.0.1.101-10.0.1.132

# NAT reflection (hairpin NAT). Its purpose: let LAN hosts reach a port-forwarded
# server through its external address. After destination NAT rewrites 10.0.1.100
# to the internal server, the packet leaves again through eth1 with both source
# and destination inside 192.168.100.0/24; masquerading the source to eth1's
# address forces the server's reply back through the router, where the
# translation is undone (otherwise the server answers the client directly and the
# client drops a reply that did not come from 10.0.1.100). Rule 110 does nothing
# by itself: the destination NAT rules below only match inbound-interface eth0,
# so matching rules for inbound-interface eth1 are needed as well.
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address 192.168.100.0/24
set nat source rule 110 outbound-interface eth1
set nat source rule 110 source address 192.168.100.0/24
set nat source rule 110 translation address masquerade
Destination NAT needs three things:
1 The interface the traffic will arrive on
2 The protocol and port to forward
3 The IP address of the internal host to forward the traffic to

Port forwarding
# 10.0.1.100:80 -> 192.168.100.101:80
set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.100.101
set nat destination rule 10 translation port 80
# 10.0.1.100:29922 -> 192.168.100.101:22
# Caution: 29922 is also the router's own SSH port (section 1). Destination NAT
# runs before local delivery, so SSH to 10.0.1.100:29922 lands on the LAN host;
# the router is then only reachable on its other addresses (10.0.1.32:29922).
# Pick a different forwarded port if that is not what you want.
set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22
# The firewall must also accept these flows. The zone rulesets in section 3 see the
# packet after translation, so the accept rule has to match the internal address
# 192.168.100.101 and the translated ports 80 and 22, not the public ones.

IP mapping (1-to-1 NAT)
set interfaces ethernet eth0 address 10.0.1.200/24
# Inbound: 10.0.1.200 -> 192.168.100.102 (every port and protocol, so the
# public-private firewall ruleset is all that limits what reaches the host)
set nat destination rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination address 10.0.1.200
set nat destination rule 30 translation address 192.168.100.102
# Outbound: 192.168.100.102 -> 10.0.1.200. The translation belongs on the external
# interface eth0 (the original had `outbound-interface eth1`, which would instead
# rewrite traffic going into the LAN and leave outbound traffic masqueraded).
# Rule 30 is numbered below the masquerade rule 100, so it wins for this host.
set nat source rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 192.168.100.102
set nat source rule 30 translation address 10.0.1.200

3 FIREWALL

# Zone "public" holds the external interface, zone "private" the internal one
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
# The router itself stops answering ICMP echo requests on all interfaces
# (ping forwarded between zones is unaffected; rule 100 below controls that)
set firewall all-ping disable

# Ruleset private-public: traffic from private to public
# Default: drop everything that no rule accepts
set firewall name private-public default-action drop
# Rule 1: accept packets that belong to established or related connections
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable
# Rule 2: drop and log invalid packets
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 log enable
set firewall name private-public rule 2 state invalid enable
# Rule 9999: drop and log whatever no earlier rule accepted (same outcome as the
# default action, but logged)
set firewall name private-public rule 9999 action drop
set firewall name private-public rule 9999 log enable
# Rule 100: allow ping
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable
set firewall name private-public rule 100 protocol icmp
# Rule 200: allow HTTP and HTTPS
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp
# Rule 300: allow SSH on 22 and 29922
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22,29922
set firewall name private-public rule 300 log enable
set firewall name private-public rule 300 protocol tcp
# Rule 600: allow DNS from the LAN. The original matched `source address
# 10.0.1.0/24`, which never occurs as a source in the private -> public direction
# (the LAN is 192.168.100.0/24), so LAN hosts had no DNS at all; corrected here.
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 192.168.100.0/24
# Apply private-public to traffic from private to public. Effect: LAN hosts may ping
# external addresses, open TCP 80/443 and 22/29922 outbound, and send DNS queries.
set zone-policy zone public from private firewall name private-public

# Ruleset public-private: traffic from public to private
set firewall name public-private default-action drop
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 1 state related enable
set firewall name public-private rule 2 action drop
set firewall name public-private rule 2 log enable
set firewall name public-private rule 2 state invalid enable
# Rule 100: allow 80, 443, 22 and 29922 into the LAN. This ruleset sees packets
# after destination NAT, so it matches the internal destination and the translated
# port. As written it admits those four ports on every LAN host, not only the
# forwarded ones; tighten it with `destination address 192.168.100.101` and keep
# only the ports the NAT rules actually deliver (80 and 22).
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 log enable
set firewall name public-private rule 100 protocol tcp
set firewall name public-private rule 9999 action drop
set firewall name public-private rule 9999 log enable
# Apply public-private to traffic from public to private. Effect: access to the
# mapped ports 80, 443, 22, 29922, e.g. ssh -p 29922 10.0.1.100 or http://10.0.1.100
set zone-policy zone private from public firewall name public-private

# Neither ruleset covers traffic addressed to the router itself, such as the SSH
# server on 29922 from section 1: zone-policy only filters that traffic when a
# zone is marked `local-zone` (set zone-policy zone <name> local-zone) and given
# its own rulesets. Without one, the router's services stay reachable from eth0.
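The NAT and firewall sections above share two pitfalls: a source NAT rule whose translation address is not on the interface it is bound to, and forwarded traffic that the zone ruleset sees only after translation. The following checker is an added example written for this page (it is not VyOS code and not from the original post); it parses configuration in the `set` form that `show configuration commands` prints, and reports source NAT rules translating off the outbound subnet, the accept rules that actually admit each destination NAT forward, forwards that capture the router's own SSH port, and whether a local zone exists. It assumes ethernet interfaces, single zones per interface and numeric port lists; the sample configuration is constructed from the page's rules with the 1:1 source rule left on eth1 so the check has something to find.

```python
import ipaddress
import shlex

# Constructed sample in `set` form (the page's rules, trimmed; the 1:1 source
# NAT rule is left on eth1, as printed on the page, so the check has a finding).
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address 10.0.1.100/24
set interfaces ethernet eth0 address 10.0.1.200/24
set interfaces ethernet eth1 address 192.168.100.1/24
set service ssh port 29922
set nat source rule 30 outbound-interface eth1
set nat source rule 30 source address 192.168.100.102
set nat source rule 30 translation address 10.0.1.200
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination address 10.0.1.200
set nat destination rule 30 translation address 192.168.100.102
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
set zone-policy zone private from public firewall name public-private
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 protocol tcp
"""

def parse_set(text):
    """'set a b c value' -> {('a','b','c'): ['value', ...]}; repeated paths accumulate."""
    cfg = {}
    for t in (shlex.split(line) for line in text.splitlines()):
        if len(t) > 2 and t[0] == "set":
            cfg.setdefault(tuple(t[1:-1]), []).append(t[-1])
    return cfg

def leaf(cfg, *path):
    v = cfg.get(tuple(path))
    return v[0] if v else None

def rule_ids(cfg, prefix):
    n = len(prefix)
    return sorted({k[n + 1] for k in cfg if k[:n] == prefix and len(k) > n + 1 and k[n] == "rule"}, key=int)

def interfaces(cfg):
    return sorted({k[2] for k in cfg if k[:2] == ("interfaces", "ethernet")})

def iface_nets(cfg, iface):
    return [ipaddress.ip_interface(a) for a in cfg.get(("interfaces", "ethernet", iface, "address"), [])]

def router_owns(cfg, addr):
    ip = ipaddress.ip_interface(addr).ip
    return any(ip == n.ip for i in interfaces(cfg) for n in iface_nets(cfg, i))

def zone_of_iface(cfg, iface):
    zones = [k[2] for k, v in cfg.items() if k[:2] == ("zone-policy", "zone") and k[3:] == ("interface",) and iface in v]
    return zones[0] if zones else None

def zone_of_address(cfg, addr):
    ip = ipaddress.ip_address(addr)
    zones = [zone_of_iface(cfg, i) for i in interfaces(cfg) if any(ip in n.network for n in iface_nets(cfg, i))]
    return zones[0] if zones else None

def ports_of(spec):
    """'80,443,22' -> {80, 443, 22}; None means any port (numeric lists only, assumed)."""
    return None if spec is None else {int(p) for p in spec.split(",")}

def check_snat_translation(cfg):
    """Source NAT rules whose fixed translation address is off the outbound interface's subnet."""
    bad = []
    for r in rule_ids(cfg, ("nat", "source")):
        t = leaf(cfg, "nat", "source", "rule", r, "translation", "address")
        out = leaf(cfg, "nat", "source", "rule", r, "outbound-interface")
        if t and out and t != "masquerade":
            first = ipaddress.ip_address(t.split("-")[0])  # for a pool, check its first address
            if not any(first in n.network for n in iface_nets(cfg, out)):
                bad.append(r)
    return bad

def fw_accepts(cfg, name, proto, addr, port):
    """Accept rules in `name` no tighter than the flow (proto, post-DNAT addr, post-DNAT port);
    rules qualified by connection state (established/related) never admit a new flow."""
    hits = []
    for r in rule_ids(cfg, ("firewall", "name", name)):
        p = ("firewall", "name", name, "rule", r)
        if leaf(cfg, *p, "action") != "accept" or any(k[:6] == p + ("state",) for k in cfg):
            continue
        fproto, faddr = leaf(cfg, *p, "protocol"), leaf(cfg, *p, "destination", "address")
        fports = ports_of(leaf(cfg, *p, "destination", "port"))
        proto_ok = fproto is None or (proto is not None and (fproto == proto or (fproto == "tcp_udp" and proto in ("tcp", "udp"))))
        port_ok = fports is None or (port is not None and port in fports)
        addr_ok = faddr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(faddr, strict=False)
        if proto_ok and port_ok and addr_ok:
            hits.append(r)
    return hits

def check_dnat_permitted(cfg):
    """Destination NAT rule -> accept rules that pass the translated packet through the zone
    ruleset it crosses; [] means the forward is dropped or only partly admitted."""
    result = {}
    for r in rule_ids(cfg, ("nat", "destination")):
        p = ("nat", "destination", "rule", r)
        addr = leaf(cfg, *p, "translation", "address")
        port = leaf(cfg, *p, "translation", "port") or leaf(cfg, *p, "destination", "port")
        src, dst = zone_of_iface(cfg, leaf(cfg, *p, "inbound-interface")), zone_of_address(cfg, addr)
        name = leaf(cfg, "zone-policy", "zone", dst, "from", src, "firewall", "name")
        result[r] = fw_accepts(cfg, name, leaf(cfg, *p, "protocol"), addr, int(port) if port else None) if name else []
    return result

def check_ssh_collision(cfg):
    """Destination NAT rules that capture the router's own SSH port on an address it holds:
    translation runs before local delivery, so the LAN host answers instead of the router."""
    ssh, hits = int(leaf(cfg, "service", "ssh", "port") or 22), []
    for r in rule_ids(cfg, ("nat", "destination")):
        p = ("nat", "destination", "rule", r)
        ports, daddr = ports_of(leaf(cfg, *p, "destination", "port")), leaf(cfg, *p, "destination", "address")
        if leaf(cfg, *p, "protocol") in (None, "tcp", "tcp_udp") and (ports is None or ssh in ports) and (daddr is None or router_owns(cfg, daddr)):
            hits.append(r)
    return hits

def has_local_zone(cfg):
    """Without a zone marked local-zone, zone-policy does not filter traffic addressed to the router."""
    return any(k[:2] == ("zone-policy", "zone") and ("local-zone" in k or "local-zone" in v) for k, v in cfg.items())
```

Against the sample, `check_snat_translation` flags rule 30 (10.0.1.200 is not on eth1's 192.168.100.0/24), `check_dnat_permitted` shows rule 20 admitted by firewall rule 100 while the 1:1 rule 30 gets nothing beyond the TCP ports that rule lists, `check_ssh_collision` flags rules 20 and 30 (both capture 29922 on an address the router holds), and `has_local_zone` is false, so the router's own SSH is unfiltered. To run it on a live box, paste the output of `show configuration commands` into `SAMPLE_CONFIG`.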
