http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/

http://thomasvochten.com/archive/2015/03/labv2-part1/

http://www.letmefix-it.com/2016/07/07/vyos-nat-configuration-1-to-1/

https://github.com/rharmonson/richtech/wiki/Vyos-Firewall

1 Basic configuration

# Configure the public (WAN) interface
set interfaces ethernet eth0 address 10.0.1.32/24
set interfaces ethernet eth0 description public
# Configure the private (LAN) interface
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 description private
# Set the default static route
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1
# Enable the SSH server (on a non-default port)
set service ssh port 29922
# Set the hostname
set system host-name vyos-master
# Set the device time zone
set system time-zone Asia/Shanghai
# Commit the changes
commit
# Save to the boot configuration file
save
Saving configuration to '/config/config.boot'...
# Roll back
rollback

2 NAT

Source NAT
Three things are needed:
1 The internal IP addresses we want to translate
2 The outgoing interface to perform the translation on
3 The external IP address to translate to

# Give the private network access to the public network
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade

# Instead of the firewall's own public address, translate to a specific public IP, 10.0.1.100
set interfaces ethernet eth0 address 10.0.1.100/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address 10.0.1.100

# With a large number of internal hosts, use an address pool; one public address per 256 hosts is recommended
......
set nat source rule 100 translation address 10.0.1.101-10.0.1.132

# NAT Reflection (haven't figured out what this is for?)
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address 192.168.100.0/24
set nat source rule 110 outbound-interface eth1
set nat source rule 110 source address 192.168.100.0/24
set nat source rule 110 translation address masquerade

Destination NAT
Three things are needed:
1 The interface traffic will be coming in on
2 The protocol and port we wish to forward
3 The IP address of the internal system we wish to forward traffic to

Port forwarding
# 10.0.1.100:80 -> 192.168.100.101:80
set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.100.101
set nat destination rule 10 translation port 80

# 10.0.1.100:29922 -> 192.168.100.101:22
set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22
# Note: the firewall also needs rules that allow traffic on ports 22 and 80

IP mapping (1:1 NAT)
# 10.0.1.200 -> 192.168.100.102
set interfaces ethernet eth0 address 10.0.1.200/24
set nat destination rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination address 10.0.1.200
set nat destination rule 30 translation address 192.168.100.102
set nat source rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
set nat source rule 30 outbound-interface eth1
set nat source rule 30 source address 192.168.100.102
set nat source rule 30 translation address 10.0.1.200
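As an added illustration (Python of my own, not VyOS code and not from the original post), the evaluator below parses the `set nat ...` commands above and applies the first-match-by-rule-number semantics VyOS uses, so the effect of a rule set on a given packet can be checked before it is committed. The interface addresses in IFACE_ADDRS are constructed for the example, as is the sample packet traffic in the tests.

```python
"""Model how VyOS selects a NAT rule, using the NAT rules from the section above.

Added example, not VyOS code and not from the original post: it parses `set nat ...`
lines and applies first-match-by-rule-number semantics. IFACE_ADDRS is constructed.
"""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: the page's NAT rules, with the description lines omitted.
NAT_CONFIG = """
set nat source rule 30 outbound-interface eth1
set nat source rule 30 source address 192.168.100.102
set nat source rule 30 translation address 10.0.1.200
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade
set nat source rule 110 destination address 192.168.100.0/24
set nat source rule 110 outbound-interface eth1
set nat source rule 110 source address 192.168.100.0/24
set nat source rule 110 translation address masquerade
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.100.101
set nat destination rule 10 translation port 80
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination address 10.0.1.100
set nat destination rule 20 destination port 29922
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.100.101
set nat destination rule 20 translation port 22
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination address 10.0.1.200
set nat destination rule 30 translation address 192.168.100.102
"""

# Constructed: the address a masquerade rule substitutes on each interface.
IFACE_ADDRS = {"eth0": "10.0.1.100", "eth1": "192.168.100.1"}


def parse_nat(text):
    """Return {"source": {num: {field: value}}, "destination": {...}}."""
    rules = {"source": {}, "destination": {}}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "nat"] or tok[3] != "rule":
            continue
        kind, num = tok[2], int(tok[4])
        # Tokens between the rule number and the value form the field name,
        # e.g. "destination port" or "translation address".
        rules[kind].setdefault(num, {})[" ".join(tok[5:-1])] = tok[-1]
    return rules


def _addr_match(spec, addr):
    """An absent address criterion matches anything; a host or prefix must contain addr."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def apply_dnat(rules, iface, proto, dst_ip, dst_port):
    """Destination NAT on entry: the lowest-numbered matching rule rewrites the destination.
    Returns (rule number or None, destination address, destination port)."""
    for num in sorted(rules["destination"]):
        r = rules["destination"][num]
        if r.get("inbound-interface", iface) != iface or r.get("protocol", proto) != proto:
            continue
        if not _addr_match(r.get("destination address"), dst_ip):
            continue
        # A rule with no "destination port" (the 1:1 rule 30) forwards every port.
        ports = r.get("destination port")
        if ports is not None and str(dst_port) not in ports.split(","):
            continue
        return num, r["translation address"], int(r.get("translation port", dst_port))
    return None, dst_ip, dst_port


def apply_snat(rules, iface, src_ip, dst_ip, iface_addrs=IFACE_ADDRS):
    """Source NAT on exit: "masquerade" substitutes the outbound interface's own address.
    Returns (rule number or None, source address after translation)."""
    for num in sorted(rules["source"]):
        r = rules["source"][num]
        if r.get("outbound-interface", iface) != iface:
            continue
        if not (_addr_match(r.get("source address"), src_ip)
                and _addr_match(r.get("destination address"), dst_ip)):
            continue
        t = r["translation address"]
        return num, iface_addrs[iface] if t == "masquerade" else t
    return None, src_ip


if __name__ == "__main__":
    nat = parse_nat(NAT_CONFIG)
    print(apply_dnat(nat, "eth0", "tcp", "10.0.1.100", 29922))       # (20, '192.168.100.101', 22)
    print(apply_dnat(nat, "eth0", "udp", "10.0.1.200", 5000))        # (30, '192.168.100.102', 5000)
    print(apply_snat(nat, "eth0", "192.168.100.102", "203.0.113.9"))  # (100, '10.0.1.100')
```

Two things the evaluator makes visible. First, the 1:1 destination rule 30 has no protocol or port criterion, so every port of 10.0.1.200 is handed to 192.168.100.102 and only the public-private firewall ruleset limits what reaches that host. Second, with the source rule 30 bound to eth1 as written, a packet from 192.168.100.102 leaving through eth0 is handled by the masquerade rule 100 rather than translated to 10.0.1.200; a symmetric 1:1 mapping needs the source rule on the interface the outbound traffic actually uses. On NAT reflection (hairpin NAT): rule 110 rewrites the source of LAN-to-LAN traffic to the router's eth1 address so that a LAN server's replies return through the router rather than directly to the client, which is what lets a LAN client reach a LAN server through the public address; the page shows only this source-side half, and a matching destination rule on eth1 is needed as well.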

3 FIREWALL

# The public zone contains the WAN interface, the private zone the LAN interface
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1

# Disable ping to the firewall on all interfaces
set firewall all-ping disable

# Initial firewall policy for the private -> public direction
# Default: drop every packet
set firewall name private-public default-action drop
# Rule 1: accept packets belonging to established or related connections
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable
# Rule 2: drop invalid packets and log them
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 log enable
set firewall name private-public rule 2 state invalid enable
# Rule 9999: drop everything not matched by an earlier rule and log it
set firewall name private-public rule 9999 action drop
set firewall name private-public rule 9999 log enable
# Rule 100: allow ping
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable
set firewall name private-public rule 100 protocol icmp
# Rule 200: allow HTTP and HTTPS
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp
# Rule 300: allow 22 (SSH) and 29922
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22,29922
set firewall name private-public rule 300 log enable
set firewall name private-public rule 300 protocol tcp
# Rule 600: allow DNS requests from 10.0.1.0/24
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 10.0.1.0/24
# The private-public ruleset applies to traffic from private to public: it allows pinging public IPs, requests to public ports 80 and 443, and DNS requests from the 10.0.1.0/24 subnet to the public network
set zone-policy zone public from private firewall name private-public

# Firewall policy for the public -> private direction
set firewall name public-private default-action drop
# Rule 1: accept packets belonging to established or related connections
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 1 state related enable
# Rule 2: drop invalid packets and log them
set firewall name public-private rule 2 action drop
set firewall name public-private rule 2 log enable
set firewall name public-private rule 2 state invalid enable
# Rule 100: allow requests to ports 80, 443, 22 and 29922
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 log enable
set firewall name public-private rule 100 protocol tcp
# Rule 9999: drop everything not matched by an earlier rule and log it
set firewall name public-private rule 9999 action drop
set firewall name public-private rule 9999 log enable
# The public-private ruleset applies to traffic from public to private: it allows access to the forwarded ports 80, 443, 22 and 29922 on the internal network, e.g. ssh -p 29922 10.0.1.100 or http://10.0.1.100
set zone-policy zone private from public firewall name public-private
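To see how these two rulesets actually behave, here is an added example (Python of my own, not VyOS code and not from the original post) that parses the `set firewall name ...` lines above and evaluates constructed packets the way VyOS does: rules are tried in ascending rule number, the first match decides, and default-action applies only when nothing matched. One point to keep in mind when reading the results: the firewall sees the destination after destination NAT (DNAT runs in PREROUTING before the FORWARD filter), so for the 29922 -> 22 forward in the NAT section it is port 22 that the public-private ruleset must allow.

```python
"""Evaluate the two zone rulesets from the section above against constructed packets.

Added example, not VyOS code and not from the original post: a model of how VyOS
walks a named ruleset in ascending rule number and falls back to default-action.
"""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: the page's rulesets without the "log enable" lines,
# which affect logging but not the accept/drop verdict.
FW_CONFIG = """
set firewall name private-public default-action drop
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 state invalid enable
set firewall name private-public rule 9999 action drop
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 protocol icmp
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 protocol tcp
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22,29922
set firewall name private-public rule 300 protocol tcp
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 10.0.1.0/24
set firewall name public-private default-action drop
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 1 state related enable
set firewall name public-private rule 2 action drop
set firewall name public-private rule 2 state invalid enable
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 protocol tcp
set firewall name public-private rule 9999 action drop
"""


def parse_firewall(text):
    """Return {name: {"default": action, "rules": {num: {field: value, "states": set}}}}."""
    sets = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["set", "firewall", "name"]:
            continue
        fw = sets.setdefault(tok[3], {"default": "drop", "rules": {}})
        if tok[4] == "default-action":
            fw["default"] = tok[5]
        elif tok[4] == "rule":
            rule = fw["rules"].setdefault(int(tok[5]), {"states": set()})
            if tok[6] == "state":            # "state established enable"
                if tok[8] == "enable":
                    rule["states"].add(tok[7])
            else:                            # "action accept", "destination port 80,443", ...
                rule[" ".join(tok[6:-1])] = tok[-1]
    return sets


def packet(proto, src, dport=None, state="new"):
    """A constructed packet; state is the conntrack state: new, established, related or invalid."""
    return {"proto": proto, "src": src, "dport": dport, "state": state}


def _rule_matches(rule, pkt):
    """Every criterion present in the rule must match; absent criteria match anything."""
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    proto = rule.get("protocol")
    if proto == "tcp_udp":
        if pkt["proto"] not in ("tcp", "udp"):
            return False
    elif proto and proto != pkt["proto"]:
        return False
    ports = rule.get("destination port")
    if ports and str(pkt["dport"]) not in ports.split(","):
        return False
    src = rule.get("source address")
    if src and ip_address(pkt["src"]) not in ip_network(src, strict=False):
        return False
    return True


def evaluate(sets, name, pkt):
    """Return (verdict, rule number); the rule number is None when default-action decided."""
    fw = sets[name]
    for num in sorted(fw["rules"]):
        if _rule_matches(fw["rules"][num], pkt):
            return fw["rules"][num]["action"], num
    return fw["default"], None


if __name__ == "__main__":
    fw = parse_firewall(FW_CONFIG)
    print(evaluate(fw, "private-public", packet("tcp", "192.168.100.10", 443)))  # ('accept', 200)
    print(evaluate(fw, "private-public", packet("udp", "192.168.100.10", 53)))   # ('drop', 9999)
    print(evaluate(fw, "public-private", packet("tcp", "203.0.113.9", 3389)))    # ('drop', 9999)
```

Running the evaluator shows that rule 9999 catches every unmatched packet before default-action is ever reached, so the logged drop is the effective default of both rulesets. It also shows that a DNS query from a 192.168.100.0/24 host does not match rule 600, whose source address criterion is 10.0.1.0/24, and is dropped by rule 9999, while the same query from 10.0.1.5 is accepted; whether that is the intended behaviour is worth confirming against the comment on rule 600 before relying on the ruleset.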
