vyos (一) 基础配置
http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/
http://thomasvochten.com/archive/2015/03/labv2-part1/
http://www.letmefix-it.com/2016/07/07/vyos-nat-configuration-1-to-1/
https://github.com/rharmonson/richtech/wiki/Vyos-Firewall
1 基本配置
#配置外网接口
set interfaces ethernet eth0 address 10.0.1.32/24
set interfaces ethernet eth0 description public
#配置内网接口
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 description private
#指定静态路由
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1
#启动ssh服务器
set service ssh port 29922
#设置主机名
set system host-name vyos-master
#设备时区
set system time-zone Asia/Shanghai
#提交修改
commit
#保存到启动文件
save
Saving configuration to '/config/config.boot'...
#回退
rollback
2 NAT
Source NAT
1 The internal IP addresses we want to translate
2 The outgoing interface to perform the translation on
3 The external IP address to translate to
# 内网开放访问外网权限
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade
# 不使用防火墙外网地址,指派特定外网ip 10.0.1.100
set interfaces ethernet eth0 address 10.0.1.100/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address 10.0.1.100
# 内网主机数量大时,使用地址池,推荐每256台主机分配1个外网地址
......
set nat source rule 100 translation address 10.0.1.101-10.0.1.132
# NAT Reflection 这个没搞懂是做什么用的?
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address 192.168.100.0/24
set nat source rule 110 outbound-interface eth1
set nat source rule 110 source address 192.168.100.0/24
set nat source rule 110 translation address masquerade
Destination NAT
1 The interface traffic will be coming in on
2 The protocol and port we wish to forward
3 The IP address of the internal system we wish to forward traffic to
端口映射
# 10.0.1.100:80 -> 192.168.100.101:80
set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.100.101
set nat destination rule 10 translation port 80
# 10.0.1.100:29922 -> 192.168.100.101:22
set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22
# 注意防火墙要增加规则放行22, 80的通讯
ip映射
set interfaces ethernet eth0 address 10.0.1.200/24
# 10.0.1.200 -> 192.168.100.102
set nat destination rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination address 10.0.1.200
set nat destination rule 30 translation address 192.168.100.102
set nat source rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat source rule 30 outbound-interface eth1
set nat source rule 30 source address 192.168.100.102
set nat source rule 30 translation address 10.0.1.200
3 FIREWALL
# public区域包含外网接口,private区域包含内网接口,
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
# 防火墙所有端口禁ping
set firewall all-ping disable
# 防火墙初始策略
# 默认丢弃所有包
set firewall name private-public default-action drop
# private -> public 方向的防火墙策略
# 规则1 匹配成功的请求,允许建立与关联
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable
# 规则2 匹配失败的请求,记录日志
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 log enable
set firewall name private-public rule 2 state invalid enable
# 规则9999 匹配失败的请求,记录日志
set firewall name private-public rule 9999 action drop
set firewall name private-public rule 9999 log enable
# 规则100 允许ping
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable
set firewall name private-public rule 100 protocol icmp
# 规则200 允许http https
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp
# 规则300 允许22(ssh), 29922
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22,29922
set firewall name private-public rule 300 log enable
set firewall name private-public rule 300 protocol tcp
# 规则200 允许来自10.0.1.0/24的dns请求
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 10.0.1.0/24
# private-public规则集作用于从private到public的访问,效果是允许ping外网ip,允许到外网80,443的请求,允许来自10.0.1.0/24子网到外网的dns请求
set zone-policy zone public from private firewall name private-public
# public -> private方向的防火墙策略
set firewall name public-private default-action drop
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 1 state related enable
set firewall name public-private rule 2 action drop
set firewall name public-private rule 2 log enable
set firewall name public-private rule 2 state invalid enable
# 规则100 允许80, 443, 22, 29922的请求
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 log enable
set firewall name public-private rule 100 protocol tcp
set firewall name public-private rule 9999 action drop
set firewall name public-private rule 9999 log enable
# public-private规则集作用于从public到private的访问,允许到内网映射端口80,443,22,29922的访问,如ssh -p 29922 10.0.1.100, http://10.0.1.100
set zone-policy zone private from public firewall name public-private
vyos (一) 基础配置的更多相关文章
- vyos 基础配置
vyos 基础配置 http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/http://thomasvo ...
- StackExchange.Redis帮助类解决方案RedisRepository封装(基础配置)
本文版权归博客园和作者吴双本人共同所有,转载和爬虫,请注明原文地址.http://www.cnblogs.com/tdws/p/5815735.html 写在前面 这不是教程,分享而已,也欢迎园友们多 ...
- Hibernate 基础配置及常用功能(三)
本章重点讲述Hibernate对象的三种状态以及如何配置二级缓存 有关Hibernate的三种状态如何相互转换网上都能查到,官方文档描述的也比较详细.这里主要是针对几个重点方法做代码演示. 一.状态转 ...
- Emacs学习心得之 基础配置
作者:枫雪庭 出处:http://www.cnblogs.com/FengXueTing-px/ 欢迎转载 Emacs学习心得之 基础配置 1.前言2.基础配置 一.前言 本篇博文记录了Emacs的一 ...
- nginx 的基础配置[转]
nginx 的基础配置 分类: 工具软件2013-11-13 23:26 11人阅读 评论(0) 收藏 举报 目录(?)[-] 管理配置文件 全局配置 虚拟机server配置 location配置 ...
- freeRadius 基础配置及测试
国内私募机构九鼎控股打造APP,来就送 20元现金领取地址:http://jdb.jiudingcapital.com/phone.html 内部邀请码:C8E245J (不写邀请码,没有现金送) 国 ...
- Oracle 10g DataGuard手记之基础配置
DataGuard为企业数据的高可用性,数据安全以及灾难恢复提供支持,一般由一个primary db与几个物理或逻辑standby db组成一个DataGuard配置. 系统环境 操作系统为windo ...
- SpringMVC最基础配置
SpringMVC和Struts2一样,是前后台的一个粘合剂,struts2用得比较熟悉了,现在来配置一下SpringMVC,看看其最基础配置和基本使用.SpriingMVC不是太难,学习成本不高,现 ...
- 使用Java管理Azure(1):基础配置
Azure针对Java开发人员提供了非常丰富的开发库,开发工具,和相关插件,让你通过Java对Azure进行服务管理和开发,本文第一步先介绍如何快速的配置Java开发工具,主要针对目前比较流行的Ecl ...
- Linux网络基础配置
这是看itercast视频的笔记 Linux网络基础配置 以太网连接 在Linux中,以太网接口被命令为:eth0, eth1等, 0,1代表网卡编号 通过lspci命令可以查看网上硬件信息(如果是u ...
随机推荐
- MyEclipse9中的不伤眼修改、FreeMarker插件、JQuery提示插件、全屏(FullScreen)插件的安装
============下载相关附件===================== http://files.cnblogs.com/fhtwins/eclipse-fullscreen_1.0.7.zi ...
- Logs
syslogs Fortinet: http://docs.fortinet.com/fgt.html
- mysql给日期增减
有个需求就是判断过期的供求信息,如果用户刷新了则判断过期日期是否小于现在,如果是则自动推迟7天. IF(expire<NOW(),DATE_ADD(NOW(), INTERVAL 7 DAY), ...
- iframe替代方案
自己写一个pagelet框架.封装成JSP的Taglib. <tms:view header="common-header" footer="common-foot ...
- haxm intelx86加速模拟器的安装
http://blog.csdn.net/huang9012/article/details/18082601 如果安装了还出现 创建模拟器 选项 CPU/abi的时候还出现 no system im ...
- RPC介绍
转载http://blog.csdn.net/mindfloating/article/details/39474123/ 近几年的项目中,服务化和微服务化渐渐成为中大型分布式系统架构的主流方式,而 ...
- iPhone播放音乐
来源:http://blog.csdn.net/htttw/article/details/7842295 iPhone播放音乐 今天我们简要介绍如何在iPhone中播放音乐: 强烈建议你参考官方文档 ...
- console,和自己定义事件
console.log这个指令是在浏览器控制台输出日志,用来调试程序 跟alert 类似 但不像alert那样会打断程序.
- 页面设计--RadioButton
RadioButton单选控件支持多分组模式 属性如下图 设计: web显示效果图:
- Temporary Segments: What Happens When a Sort Occurs (文档 ID 102339.1)
APPLIES TO: Oracle Database - Enterprise Edition - Version 8.1.7.4 to 11.2.0.1 [Release 8.1.7 to 11. ...