使用vyos进行防火墙基础配置(一)


防火墙配置

基础配置

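# Basic interface and management setup.
# NOTE(review): VyOS requires a prefix length on 'address' (e.g. 192.168.201.1/24);
# a bare IP is rejected at commit time. /24 on eth1 follows the 192.168.201.0/24
# LAN used by the firewall rules below; the /24 on eth2 is an assumption —
# confirm it against the real OUTSIDE network before applying.
set interfaces ethernet eth1 address 192.168.201.1/24
set interfaces ethernet eth0 description 'INSIDE'
# NOTE(review): eth0 is labelled INSIDE, but the LAN address above and the LAN
# zone further down are on eth1. Keep the description on the interface that
# actually carries 192.168.201.0/24 so later rules are not written against
# the wrong one.
set interfaces ethernet eth2 address 10.75.206.151/24
set interfaces ethernet eth2 address 10.75.206.152/24  # second OUTSIDE address, used for 1:1 NAT to an internal KVM guest
set interfaces ethernet eth2 description 'OUTSIDE'
# Management SSH. By default the daemon listens on every address, including
# the OUTSIDE ones, and zone policies only filter forwarded traffic unless a
# local zone is defined. Bind it to the INSIDE address so it is not reachable
# from eth2; change the address if management comes from somewhere else.
set service ssh port '22'
set service ssh listen-address 192.168.201.1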

nat

snat

Source NAT
1 The internal IP addresses we want to translate
2 The outgoing interface to perform the translation on
3 The external IP address to translate to

# Let the internal network reach the Internet: source NAT behind the address
# of the outbound interface (masquerade).
# NOTE(review): this is the VyOS documentation example, where eth0 is the WAN
# interface and 192.168.100.0/24 the LAN. In this post's topology the OUTSIDE
# interface is eth2 and the LAN is 192.168.201.0/24 — substitute those before
# applying, otherwise the rule masquerades traffic leaving the INSIDE side.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade

# Instead of the outbound interface's own address, translate to a dedicated
# public IP, 10.0.1.100 (still the documentation example: eth0 is the WAN side
# there). The address is also added to the outbound interface so the router
# owns it and answers for it.
# NOTE(review): this reuses rule number 100, so it replaces the masquerade
# rule above rather than adding a second rule.
set interfaces ethernet eth0 address 10.0.1.100/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address 10.0.1.100

# With many internal hosts, translate to a pool of public addresses rather
# than one; a common rule of thumb is one public address per 256 hosts.
# The other rule 100 lines (outbound-interface, source address) are as above.
......
set nat source rule 100 translation address 10.0.1.101-10.0.1.132

# NAT reflection (hairpin NAT). Rule 110 masquerades traffic that both comes
# from and is delivered to 192.168.100.0/24 through the LAN interface eth1.
# It is used together with a port forward: when a LAN client connects to the
# public address, DNAT sends the packet back into the LAN; without this source
# NAT the server would answer the client directly (not via the firewall) and
# the client, expecting a reply from the public address, would drop it.
# Only needed when LAN hosts must reach forwarded services by their public IP.
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address 192.168.100.0/24
set nat source rule 110 outbound-interface eth1
set nat source rule 110 source address 192.168.100.0/24
set nat source rule 110 translation address masquerade

dnat

Destination NAT
1 The interface traffic will be coming in on
2 The protocol and port we wish to forward
3 The IP address of the internal system we wish to forward traffic to

端口映射
# Port forward 10.0.1.100:80 -> 192.168.100.101:80 (documentation example;
# eth0 is the WAN side there). Only tcp/80 arriving on eth0 for 10.0.1.100
# is translated.
# NOTE(review): DNAT is applied before the firewall filters the packet, so
# the WAN->LAN ruleset must accept tcp/80 to the translated address
# 192.168.100.101, not to 10.0.1.100.
set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.100.101
set nat destination rule 10 translation port 80

# Port forward 10.0.1.100:29922 -> 192.168.100.101:22 (SSH on a non-standard
# public port).
# NOTE(review): a non-standard port hides nothing from a port scan and is not
# access control. Pair this with a WAN->LAN firewall rule that accepts tcp/22
# to 192.168.100.101 only from the expected source address(es), and use
# key-based authentication on the target host.
set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22

# 注意: DNAT 在防火墙过滤之前完成, 所以 WAN→LAN 方向的防火墙规则要按转换后的内网地址和端口放行 (tcp/80、tcp/22 到 192.168.100.101), 而不是按公网侧的 29922; 放行 22 时建议同时限制 source address 为已知的管理地址

ip映射
<!-- set interfaces ethernet eth0 address 10.0.1.200/24 -->

# 1:1 NAT: the second OUTSIDE address 10.75.206.152 maps to the internal KVM
# guest 192.168.201.211 in both directions.
# NOTE(review): rule 100 has no protocol or port match, so after translation
# every port of 192.168.201.211 is reachable from eth2. The WAN->LAN firewall
# ruleset (public-private) is the only thing limiting what gets through, and
# its rules must match the translated address 192.168.201.211, not .152.
set nat destination rule 100 description 'NAT 1 to 1: 10.75.206.152 -> 192.168.201.211'
set nat destination rule 100 inbound-interface eth2
set nat destination rule 100 destination address 10.75.206.152
set nat destination rule 100 translation address 192.168.201.211

# Reverse direction: traffic originating from the guest leaves eth2 with
# source 10.75.206.152 instead of the interface's primary address.
set nat source rule 101 description 'NAT 1 to 1: 192.168.201.211 -> 10.75.206.152'
set nat source rule 101 outbound-interface eth2
set nat source rule 101 source address 192.168.201.211
set nat source rule 101 translation address 10.75.206.152

vyos基本防火墙配置

firewall

添加防火墙规则

组/group 注: 一条防火墙规则的 source (或 destination) 中, 同一类型的组 (address-group / network-group / port-group) 只能引用一个。下面用 address-group 做 ip 黑名单。

# Address group used as a block list. Rule 10 drops (and logs) any packet whose
# source is in the group. Rules are evaluated in ascending number order, so
# rule 10 wins over the accept rules (200, ...) in the same ruleset.
set firewall group address-group Black-list address 10.75.206.21    # add one address to the block-list group
set firewall name public-private rule 10 action drop
set firewall name public-private rule 10 log enable    # log matches (see the kernel log line below)
set firewall name public-private rule 10 source group address-group Black-list  # match on rule 10 -> dropped
测试:
10.75.206.7可以ssh到内网, 10.75.206.152--192.168.201.211
10.75.206.21不能ssh到内网, 10.75.206.152--192.168.201.211
日志记录
Aug 22 10:09:21 vyos-07 kernel: [436041.630786] [public-private-10-D]IN=eth2 OUT=eth1 MAC=52:54:00:37:db:43:a4:bf:01:4e:6c:f2:08:00 SRC=10.75.206.21 DST=192.168.201.211 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47620 DF PROTO=TCP SPT=38856 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 

网络组---限制网段访问

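# Network group for blocking a whole subnet.
# Defining the group alone does nothing: it only takes effect once a rule
# references it. Rule 20 drops (and logs) traffic from BAD-NETWORK in the
# WAN->LAN ruleset, ahead of the accept rules (200, ...) because lower rule
# numbers are evaluated first.
# NOTE(review): 10.75.20.0/24 is not the 10.75.206.0/24 range used elsewhere
# in this post — confirm the prefix is the intended one.
set firewall group network-group BAD-NETWORK
set firewall group network-group BAD-NETWORK network 10.75.20.0/24
set firewall name public-private rule 20 action drop
set firewall name public-private rule 20 log enable
set firewall name public-private rule 20 source group network-group BAD-NETWORK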

接口组interface

# Interface groups: WAN = eth2, LAN = eth1 and eth0.
# NOTE(review): nothing in this listing references these groups, so on their
# own they have no effect. The zone-based section below binds interfaces to
# zones directly — and puts only eth1 in LAN, not eth0.
set firewall group interface-group WAN interface eth2
set firewall group interface-group LAN interface eth1
set firewall group interface-group LAN interface eth0

开启dns请求

症状: 内网机器能 ping 通 DNS 服务器 (ICMP 已由规则 100 放行), 但无法解析域名, 因为 private-public 还没有放行 53 端口的 TCP/UDP。
可以 ping 通 223.5.5.5, 不能 ping www.baidu.com

# Rule 600: allow DNS (tcp and udp port 53) from the LAN out to the WAN.
# NOTE(review): any destination is accepted; if the LAN is meant to use a
# fixed resolver (223.5.5.5 in the test above), add a 'destination address'
# match so only that resolver is reachable on port 53.
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 192.168.201.0/24

开启http

# Rule 200: allow outbound HTTP/HTTPS (tcp ports 80 and 443) from the LAN.
# NOTE(review): the identical rule appears again in the private-public
# listing further down; 'set' is idempotent, so applying both is harmless.
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443 # the port list selects the services (http, https); the protocol is fixed to tcp below
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp
开启之前不能访问www.baidu.com
开启之后测试
curl www.baidu.com可以收到响应

nginx测试: 在内部网络的 KVM 上开启 nginx, 实现外部访问。KVM 自身的 firewalld 默认不放行 80 端口; 不要用 systemctl stop firewalld.service 关掉整个防火墙, 只放行 http 即可: firewall-cmd --permanent --add-service=http && firewall-cmd --reload。测试: curl 10.75.206.152:80 可以访问到 nginx 响应内容 (经 1:1 NAT 转到 192.168.201.211, 前提是 public-private 放行了 tcp/80)。

基于zone的防火墙

# Zone-based firewall: assign each interface to a zone. Traffic is then
# filtered by the rulesets bound to zone pairs below; the zone default for
# unmatched traffic is drop.
set firewall zone LAN interface eth1    # internal side (note: eth0, also labelled INSIDE above, is not in any zone)
set firewall zone WAN interface eth2    # external side
应用防火墙规则到对应域
# Bind rulesets to zone pairs: 'zone WAN from LAN' filters LAN->WAN traffic
# with private-public, 'zone LAN from WAN' filters WAN->LAN with public-private.
# NOTE(review): zone policies cover only traffic forwarded between zones.
# Traffic to the router itself (e.g. the SSH service on port 22) is not
# filtered by them unless a local zone ('set firewall zone <NAME> local-zone')
# with its own rulesets is defined — or the service is bound to the INSIDE
# address with 'set service ssh listen-address'.
set firewall zone WAN from LAN firewall name private-public
set firewall zone LAN from WAN firewall name public-private

防火墙基本配置 规则匹配原则: 规则按序号从小到大依次匹配, 序号越低优先级越高, 命中第一条匹配的规则后即停止; 所有规则都不命中时才执行 default-action

  1. private-public --- LAN-WAN
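# LAN -> WAN ruleset. Anything not explicitly accepted is dropped.
set firewall name private-public default-action 'drop'

# Rule 1: accept packets belonging to connections conntrack already knows
# (established) or that are related to one (e.g. ICMP errors), so only new
# connections are evaluated by the per-service rules below.
# Note: comments must start with '#'; the original '// ...' after the
# command is passed to 'set' as an extra argument and rejected.
set firewall name private-public rule 1 action 'accept'
set firewall name private-public rule 1 state established 'enable'
set firewall name private-public rule 1 state related 'enable'

# Rule 2: drop packets conntrack cannot associate with any connection
# (malformed or out-of-state segments) instead of letting them fall through
# to the per-service accept rules.
set firewall name private-public rule 2 action 'drop'
set firewall name private-public rule 2 state invalid 'enable'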

# Rule 100: allow outbound ICMP (ping) from the LAN; matches are logged.
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable    # log matches
set firewall name private-public rule 100 protocol icmp

# Rule 300: allow outbound SSH (tcp/22) from the LAN to any destination;
# matches are logged.
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22
set firewall name private-public rule 300 log enable
set firewall name private-public rule 300 protocol tcp

# Rule 200: allow outbound HTTP/HTTPS (tcp 80 and 443) from the LAN; logged.
# (Same rule as in the "开启http" section above — 'set' is idempotent.)
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp

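# Rule 12: block a specific host.
# NOTE(review): in the original listing rule 12 had only 'action drop' and the
# 'source address' line was attached to rule 11. A rule with no match
# criteria matches every packet, so rule 12 silently dropped all traffic not
# already accepted by rules 1 and 11 — rules 100/200/300/600 could never be
# reached. The source match now belongs to rule 12.
set firewall name private-public rule 12 action 'drop'
set firewall name private-public rule 12 source address '10.75.206.6'

# Rule 11: accept traffic from that host to 10.75.206.152. Rule 11 is
# evaluated before rule 12, so it acts as an exception to the block.
set firewall name private-public rule 11 action 'accept'
set firewall name private-public rule 11 destination address '10.75.206.152'
set firewall name private-public rule 11 source address '10.75.206.6'

# NOTE(review): 10.75.206.6 and 10.75.206.152 are OUTSIDE-side addresses, so
# in the LAN->WAN ruleset (private-public) these two rules will rarely, if
# ever, match. They look intended for the WAN->LAN ruleset (public-private);
# there, because DNAT runs before filtering, the destination to match would
# be the translated address 192.168.201.211 rather than 10.75.206.152.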

  1. public-private --- WAN-LAN
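# WAN -> LAN ruleset.
# NOTE(review): the listing shows only rule 200. The default action and the
# established/related rule are made explicit here, mirroring private-public:
# an unset default-action is treated as drop by default, but return traffic
# of LAN-initiated connections still needs rule 1 to be accepted. (The SSH
# test earlier implies an accept for tcp/22 exists that is not shown here.)
set firewall name public-private default-action 'drop'
set firewall name public-private rule 1 action 'accept'
set firewall name public-private rule 1 state established 'enable'
set firewall name public-private rule 1 state related 'enable'

# Rule 200: allow inbound HTTP/HTTPS, but only to the host the 1:1 NAT
# actually exposes (192.168.201.211) — the firewall sees the post-DNAT
# destination. Without the destination match, any LAN host that a future
# DNAT rule points at would get 80/443 opened automatically.
set firewall name public-private rule 200 action accept
set firewall name public-private rule 200 destination address 192.168.201.211
set firewall name public-private rule 200 destination port 80,443
set firewall name public-private rule 200 log enable
set firewall name public-private rule 200 protocol tcp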
  1. 查看防火墙日志
# Show logged matches for a ruleset. This is an operational-mode command;
# from configure mode prefix it with 'run'
# (e.g. 'run show log firewall name private-public').
show log firewall name <name>
show log firewall name private-public
注: 以上是操作模式命令, 在 vyos 的 config 模式下直接输入会报错; 可以先退出 config 模式, 或者在 config 模式下加 run 前缀: run show log firewall name private-public。

参考链接: (www.cnblogs.com/lsgxeva/p/1…] (blog.51cto.com/u_236859/18…]