關於vyos 防火牆配置


VyOS是一個基於Debian的網絡操作系統,是Vyatta的社區fork。Vyatta是Brocade(博科)的企業級產品,通過這套系統,能在x86平台提供路由、防火牆和VPN的功能。
這個系統提供了和其他諸如Cisco的IOS,Juniper的JUNOS類似的操作方式。不同於其他商業方案,它是一套完全開源的方案,使用GPL協議開源。
鏡像地址:http://vyos-mirror.per.webinabox.net.au/iso/release/ (此為第三方明文HTTP鏡像,安裝前請用VyOS官方公布的校驗和/簽名核對ISO。)

首先配置服務器一的接口IP(eth0–eth2為內網口,eth3為外網口):

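# --- Server one: interface addressing ---
# eth0 (10.0.97.0/24), eth1 (10.0.99.0/24) and eth2 (10.0.98.0/24) face inside networks;
# eth3 is the Internet-facing port. hw-id and public addresses are partially masked on this page.
set interfaces ethernet eth0 address '10.0.97.1/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '68:05:ca:66:87:10'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.0.99.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '64:00:6a:04:2d:67'
# Empty 'policy' node: no policy-based route is attached. Harmless, can be deleted.
set interfaces ethernet eth1 policy
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '10.0.98.1/24'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '**:05:ca:3f:55:**'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'

# Outside (Internet-facing) port. The page collapsed several commands onto one line;
# one command per line is what the CLI actually accepts.
set interfaces ethernet eth3 address '**.***.***.***/24'
set interfaces ethernet eth3 description 'OUTSIDE'
set interfaces ethernet eth3 duplex 'auto'
# OUTSIDE-IN is attached to the 'in' hook, which in VyOS filters traffic FORWARDED
# through the router. Nothing is attached to the 'local' hook on this server, so a
# service running on the router itself -- here SSH on tcp/22, which has no listen-address --
# answers the Internet unfiltered. Server two attaches an OUTSIDE-LOCAL ruleset for this;
# define one here and add 'set interfaces ethernet eth3 firewall local name ...' once it exists.
set interfaces ethernet eth3 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth3 hw-id '**:05:ca:66:86:**'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo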

配置服務器二的接口IP(eth2與服務器一的eth0同在10.0.97.0/24,eth3為外網口):

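# --- Server two: interface addressing ---
# eth1 carries no address here (only link settings); eth2 (10.0.97.2/24) sits on the same
# subnet as server one's eth0; eth3 is the Internet-facing port (/27, address masked).
# NOTE(review): 'smp_affinity' (underscore) is the VyOS 1.1 spelling, while server one uses
# 'smp-affinity' -- the two listings look like different releases; confirm before pasting
# one into the other.
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '68:05:ca:66:87:11'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '10.0.97.2/24'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '68:05:ca:66:87:0d'
set interfaces ethernet eth2 smp_affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address '**.**.**.***/27'
set interfaces ethernet eth3 description 'OUTSIDE'
set interfaces ethernet eth3 duplex 'auto'

# Both hooks are attached on the outside port: 'in' filters traffic forwarded through the
# router (OUTSIDE-IN), 'local' filters traffic addressed to the router itself -- SSH, the
# DNS forwarder and the L2TP/IPsec service (OUTSIDE-LOCAL). The page collapsed these
# commands onto one line; they are restored one per line.
set interfaces ethernet eth3 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth3 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth3 hw-id '**:57:00:e6:11:**'
set interfaces ethernet eth3 smp_affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback 'lo'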

其次防火牆策略配置一(服務器一:全局選項與OUTSIDE-IN規則集):

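# --- Server one: global firewall options ---
# The page split 'set' from its arguments and ran many commands together on one line;
# restored one command per line, with the global options grouped ahead of the ruleset.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
# NOTE(review): an edge firewall rarely needs to emit ICMP redirects; 'disable' is the
# usual hardening choice. Left as the author set it.
set firewall send-redirects 'enable'
# NOTE(review): 'disable' turns reverse-path filtering off, so spoofed source addresses
# arriving on eth3 are not rejected. 'loose' would catch those without breaking
# asymmetric inside routing -- confirm the routing topology before changing.
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# OUTSIDE-IN: forwarded traffic entering eth3. Default drop; admit replies to
# connections started from inside, plus new inbound echo-requests.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-IN rule 20 protocol 'icmp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'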

防火牆策略配置二(服務器二:OUTSIDE-IN 與 OUTSIDE-LOCAL 規則集):

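# --- Server two: OUTSIDE-IN (forwarded traffic) and OUTSIDE-LOCAL (traffic to the router) ---
# The heading on the page said "outside-out"; the ruleset actually attached to eth3's
# 'local' hook is OUTSIDE-LOCAL. Commands restored one per line.
set firewall name OUTSIDE-IN default-action 'drop'
# Fix: the original rule 10 combined 'destination port 80' with established/related.
# That matched only return packets addressed to tcp/80: replies for every other
# inside-initiated connection were dropped, and a NEW connection to port 80 was never
# admitted either (no 'state new' rule). Accept all established/related replies, as
# server one does. If a web server is meant to be published, add a separate 'state new'
# tcp/80 rule together with a destination NAT -- neither appears on this page, so none
# is added here.
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# VyOS treats a ruleset with no default-action as drop; state it explicitly so the
# intent survives review. Rule 10 is new: without it, replies to the router's own
# outbound traffic (the DNS forwarder's queries to 8.8.8.8, NTP) entering eth3 are
# dropped by the local hook.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# L2TP/IPsec remote access: ESP, IKE (udp/500), NAT-T (udp/4500), and L2TP (udp/1701)
# only when it arrives inside the IPsec tunnel ('match-ipsec'). No tcp/22 rule, so SSH
# is not reachable from eth3 on this server.
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'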

nat 配置一:

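# --- Server one: source NAT ---
# Masquerade everything leaving eth3 behind its public address. 0.0.0.0/0 also covers
# the L2TP client pool (10.0.55.0/24), which is routed to this box via 10.0.97.2.
# Commands restored one per line.
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 source address '0.0.0.0/0'
set nat source rule 10 translation address 'masquerade'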

nat 配置二:

 
         
# --- Server two: source NAT ---
# Masquerade only the L2TP client pool (10.0.55.0/24) when it leaves via eth3;
# unlike server one, other sources are not translated here.
set nat source rule 100 outbound-interface 'eth3'
set nat source rule 100 source address '10.0.55.0/24'
set nat source rule 100 translation address 'masquerade'

靜態路由配置一:

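# --- Server one: static routes ---
# Default route to the upstream gateway (masked on this page). The remaining subnets sit
# behind the neighbouring routers: the L2TP client pool 10.0.55.0/24 via server two
# (10.0.97.2); 10.0.77.0/24 and 10.0.88.0/24 via 10.0.99.2. Commands restored one per line.
set protocols static route 0.0.0.0/0 next-hop '**.***.207.1'
set protocols static route 10.0.55.0/24 next-hop '10.0.97.2'
set protocols static route 10.0.77.0/24 next-hop '10.0.99.2'
set protocols static route 10.0.88.0/24 next-hop '10.0.99.2'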

靜態路由配置二:

 
         
# --- Server two: static routes ---
# Default route to this server's own upstream gateway (masked); 10.0.77.0/24 and
# 10.0.88.0/24 are reached through server one (10.0.97.1), which in turn routes them
# via 10.0.99.2.
set protocols static route 0.0.0.0/0 next-hop '**.**.**.97'
set protocols static route 10.0.77.0/24 next-hop '10.0.97.1'
set protocols static route 10.0.88.0/24 next-hop '10.0.97.1'

dns配置一:

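# --- Server one: DNS forwarder and SSH ---
# cache-size 0 disables the forwarder's cache: every client query goes upstream.
set service dns forwarding cache-size '0'
# Listen on the inside interfaces only; eth3 (OUTSIDE) is absent, so this box is not
# an open resolver.
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set service dns forwarding listen-on 'eth0'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '202.106.0.20'
set service dns forwarding name-server '219.232.48.61'

# SSH on the default port (restored onto its own line). No listen-address is set and
# eth3 carries no 'local' firewall on this server, so password-authenticated SSH is
# reachable from the Internet. Consider binding it inside, e.g.
# 'set service ssh listen-address 10.0.99.1', and switching to key authentication with
# 'set service ssh disable-password-authentication' once keys are in place.
set service ssh port '22'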

dns配置二:

 
         

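# --- Server two: DNS forwarder and SSH ---
# cache-size 0 disables the forwarder's cache: every client query goes upstream.
set service dns forwarding cache-size '0'
# Fix: the original also had "listen-on 'eth3'", the OUTSIDE port. A forwarder bound to
# the Internet-facing interface is an open resolver (abusable for DNS amplification and
# cache poisoning of clients); only the OUTSIDE-LOCAL ruleset stood between it and the
# Internet. Listen on the inside interfaces only. L2TP clients are handed 8.8.8.8/8.8.4.4
# directly by the VPN config, so they do not depend on this forwarder.
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '202.106.0.20'
set service dns forwarding name-server '219.232.48.61'
# SSH: no listen-address. On this server OUTSIDE-LOCAL has no tcp/22 rule (and VyOS
# drops by default when no default-action is set), so SSH is not reachable from eth3.
set service ssh port '22'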

 

系統配置:

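# --- System ---
set system 'config-management'
set system host-name 'vyos'
# Fix: the SHA-512 crypt hash ($6$...) of the admin password was published on this page.
# A hash alone is enough for offline cracking, so it is redacted the same way the VPN
# secrets below are. If the original page was ever public, rotate the password on the box.
set system login user vyos authentication encrypted-password '********'
# Presumably the leftover VyOS writes after converting a plaintext-password into the
# encrypted-password above; an empty value is harmless.
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '202.106.0.20'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
# 'protocols' at debug is useful while bringing up routing/VPN but noisy; lower it
# once the setup is stable so real events are not buried.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'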

vpn 配置:

# --- Server two: L2TP/IPsec remote access (admitted by OUTSIDE-LOCAL rules 40-43) ---
set vpn ipsec ipsec-interfaces interface 'eth3'
# NOTE(review): allowed-network 0.0.0.0/0 accepts NAT-traversal clients from any address;
# narrow it if the client population is known.
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
# Local user database. The password lives in the running configuration in clear text,
# so anyone who can read the config has it (secrets are masked on this page).
set vpn l2tp remote-access authentication local-users username admin password '********'
set vpn l2tp remote-access authentication mode 'local'
# Client pool 10.0.55.100-254; server one routes 10.0.55.0/24 back here via 10.0.97.2
# and this box masquerades the pool on eth3 (nat rule 100).
set vpn l2tp remote-access client-ip-pool start '10.0.55.100'
set vpn l2tp remote-access client-ip-pool stop '10.0.55.254'
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
# One pre-shared secret shared by every client: a single compromised laptop exposes it
# for all. Use a long random value; VyOS also offers an x509 mode here for per-client
# certificates if the client base grows.
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '********'
# IKE SA lifetime in seconds.
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
# Must be the address actually configured on eth3 (masked on this page).
set vpn l2tp remote-access outside-address '**.**.**.***'

 

