http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/

http://thomasvochten.com/archive/2015/03/labv2-part1/

http://www.letmefix-it.com/2016/07/07/vyos-nat-configuration-1-to-1/

https://github.com/rharmonson/richtech/wiki/Vyos-Firewall

1 基本配置

#配置外网接口

set interfaces ethernet eth0 address 10.0.1.32/24

set interfaces ethernet eth0 description public

#配置内网接口

set interfaces ethernet eth1 address 192.168.100.1/24

set interfaces ethernet eth1 description private

#指定静态路由

set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1


#启动ssh服务器

set service ssh port 29922

#设置主机名

set system host-name vyos-master

#设备时区

set system time-zone Asia/Shanghai


#提交修改

commit

#保存到启动文件

save

Saving configuration to '/config/config.boot'...

#回退

rollback

2 NAT

Source NAT

1 The internal IP addresses we want to translate

2 The outgoing interface to perform the translation on

3 The external IP address to translate to

# 内网开放访问外网权限

set nat source rule 100 outbound-interface eth0

set nat source rule 100 source address 192.168.100.0/24

set nat source rule 100 translation address masquerade

# 不使用防火墙外网地址,指派特定外网ip 10.0.1.100

set interfaces ethernet eth0 address 10.0.1.100/24

set nat source rule 100 outbound-interface eth0

set nat source rule 100 source address 192.168.100.0/24

set nat source rule 100 translation address 10.0.1.100

# 内网主机数量大时,使用地址池,推荐每256台主机分配1个外网地址

......

set nat source rule 100 translation address 10.0.1.101-10.0.1.132

# NAT Reflection 这个没搞懂是做什么用的?

set nat source rule 110 description 'NAT Reflection: INSIDE'

set nat source rule 110 destination address 192.168.100.0/24

set nat source rule 110 outbound-interface eth1

set nat source rule 110 source address 192.168.100.0/24

set nat source rule 110 translation address masquerade


Destination NAT

1 The interface traffic will be coming in on

2 The protocol and port we wish to forward

3 The IP address of the internal system we wish to forward traffic to

端口映射

# 10.0.1.100:80 -> 192.168.100.101:80

set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'

set nat destination rule 10 inbound-interface eth0

set nat destination rule 10 destination address 10.0.1.100

set nat destination rule 10 destination port 80

set nat destination rule 10 protocol tcp

set nat destination rule 10 translation address 192.168.100.101

set nat destination rule 10 translation port 80

# 10.0.1.100:29922 -> 192.168.100.101:22

set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'

set nat destination rule 20 inbound-interface eth0

set nat destination rule 20 destination address 10.0.1.100

set nat destination rule 20 destination port 29922

set nat destination rule 20 protocol tcp

set nat destination rule 20 translation address 192.168.100.101

set nat destination rule 20 translation port 22

# 注意防火墙要增加规则放行22, 80的通讯

ip映射

set interfaces ethernet eth0 address 10.0.1.200/24

# 10.0.1.200 -> 192.168.100.102

set nat destination rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'

set nat destination rule 30 inbound-interface eth0

set nat destination rule 30 destination address 10.0.1.200

set nat destination rule 30 translation address 192.168.100.102

set nat source rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'

set nat source rule 30 outbound-interface eth1

set nat source rule 30 source address 192.168.100.102

set nat source rule 30 translation address 10.0.1.200

3 FIREWALL

# public区域包含外网接口,private区域包含内网接口,

set zone-policy zone public interface eth0

set zone-policy zone private interface eth1

# 防火墙所有端口禁ping

set firewall all-ping disable

# 防火墙初始策略

# 默认丢弃所有包

set firewall name private-public default-action drop

# private -> public 方向的防火墙策略

# 规则1 匹配成功的请求,允许建立与关联

set firewall name private-public rule 1 action accept

set firewall name private-public rule 1 state established enable

set firewall name private-public rule 1 state related enable

# 规则2 匹配失败的请求,记录日志

set firewall name private-public rule 2 action drop

set firewall name private-public rule 2 log enable

set firewall name private-public rule 2 state invalid enable

# 规则9999 匹配失败的请求,记录日志

set firewall name private-public rule 9999 action drop

set firewall name private-public rule 9999 log enable

# 规则100 允许ping

set firewall name private-public rule 100 action accept

set firewall name private-public rule 100 log enable

set firewall name private-public rule 100 protocol icmp

# 规则200 允许http https

set firewall name private-public rule 200 action accept

set firewall name private-public rule 200 destination port 80,443

set firewall name private-public rule 200 log enable

set firewall name private-public rule 200 protocol tcp

# 规则300 允许22(ssh), 29922

set firewall name private-public rule 300 action accept

set firewall name private-public rule 300 destination port 22,29922

set firewall name private-public rule 300 log enable

set firewall name private-public rule 300 protocol tcp

# 规则200 允许来自10.0.1.0/24的dns请求

set firewall name private-public rule 600 action accept

set firewall name private-public rule 600 destination port 53

set firewall name private-public rule 600 log enable

set firewall name private-public rule 600 protocol tcp_udp

set firewall name private-public rule 600 source address 10.0.1.0/24

# private-public规则集作用于从private到public的访问,效果是允许ping外网ip,允许到外网80,443的请求,允许来自10.0.1.0/24子网到外网的dns请求

set zone-policy zone public from private firewall name private-public

# public -> private方向的防火墙策略

set firewall name public-private default-action drop

set firewall name public-private rule 1 action accept

set firewall name public-private rule 1 state established enable

set firewall name public-private rule 1 state related enable

set firewall name public-private rule 2 action drop

set firewall name public-private rule 2 log enable

set firewall name public-private rule 2 state invalid enable

# 规则100 允许80, 443, 22, 29922的请求

set firewall name public-private rule 100 action accept

set firewall name public-private rule 100 destination port 80,443,22,29922

set firewall name public-private rule 100 log enable

set firewall name public-private rule 100 protocol tcp

set firewall name public-private rule 9999 action drop

set firewall name public-private rule 9999 log enable

# public-private规则集作用于从public到private的访问,允许到内网映射端口80,443,22,29922的访问,如ssh -p 29922 10.0.1.100, http://10.0.1.100

set zone-policy zone private from public firewall name public-private

vyos (一) 基础配置的更多相关文章

  1. vyos 基础配置

    vyos 基础配置 http://www.lowefamily.com.au/2015/11/29/using-a-vyos-router-with-hyper-v/1/http://thomasvo ...

  2. StackExchange.Redis帮助类解决方案RedisRepository封装(基础配置)

    本文版权归博客园和作者吴双本人共同所有,转载和爬虫,请注明原文地址.http://www.cnblogs.com/tdws/p/5815735.html 写在前面 这不是教程,分享而已,也欢迎园友们多 ...

  3. Hibernate 基础配置及常用功能(三)

    本章重点讲述Hibernate对象的三种状态以及如何配置二级缓存 有关Hibernate的三种状态如何相互转换网上都能查到,官方文档描述的也比较详细.这里主要是针对几个重点方法做代码演示. 一.状态转 ...

  4. Emacs学习心得之 基础配置

    作者:枫雪庭 出处:http://www.cnblogs.com/FengXueTing-px/ 欢迎转载 Emacs学习心得之 基础配置 1.前言2.基础配置 一.前言 本篇博文记录了Emacs的一 ...

  5. nginx 的基础配置[转]

    nginx 的基础配置 分类: 工具软件2013-11-13 23:26 11人阅读 评论(0) 收藏 举报   目录(?)[-] 管理配置文件 全局配置 虚拟机server配置 location配置 ...

  6. freeRadius 基础配置及测试

    国内私募机构九鼎控股打造APP,来就送 20元现金领取地址:http://jdb.jiudingcapital.com/phone.html 内部邀请码:C8E245J (不写邀请码,没有现金送) 国 ...

  7. Oracle 10g DataGuard手记之基础配置

    DataGuard为企业数据的高可用性,数据安全以及灾难恢复提供支持,一般由一个primary db与几个物理或逻辑standby db组成一个DataGuard配置. 系统环境 操作系统为windo ...

  8. SpringMVC最基础配置

    SpringMVC和Struts2一样,是前后台的一个粘合剂,struts2用得比较熟悉了,现在来配置一下SpringMVC,看看其最基础配置和基本使用.SpriingMVC不是太难,学习成本不高,现 ...

  9. 使用Java管理Azure(1):基础配置

    Azure针对Java开发人员提供了非常丰富的开发库,开发工具,和相关插件,让你通过Java对Azure进行服务管理和开发,本文第一步先介绍如何快速的配置Java开发工具,主要针对目前比较流行的Ecl ...

  10. Linux网络基础配置

    这是看itercast视频的笔记 Linux网络基础配置 以太网连接 在Linux中,以太网接口被命令为:eth0, eth1等, 0,1代表网卡编号 通过lspci命令可以查看网上硬件信息(如果是u ...

随机推荐

  1. Exception error message with incorrect line number

    In Release mode the number in front of the exception is NOT the line of code. Instead it's an offset ...

  2. python-unicode十进制数字转中文

    #coding:utf-8 '''主要是unichr()函数.以下数组中的元素转换后为繁体中文,若不加encode("GB18030")就不能正确显示,而且会报错:('gbk' c ...

  3. HDU 1506 Largest Rectangle in a Histogram set+二分

    Largest Rectangle in a Histogram Problem Description: A histogram is a polygon composed of a sequenc ...

  4. hdu1358 Period

    首先给个博客:http://blog.csdn.net/lttree/article/details/20732385 感觉他说的很好,尤其是引用的那个博客,清晰的说明了循环节的两个公式. http: ...

  5. codeforces 553A . Kyoya and Colored Balls 组合数学

    Kyoya Ootori has a bag with n colored balls that are colored with k different colors. The colors are ...

  6. ylbtech-dbs:ylbtech-3,BarCode(条码资源系统)

    ylbtech-dbs:ylbtech-3,BarCode(条码资源系统) -- =============================================-- 条码资源系统-- YU ...

  7. android xml操作

    import java.io.FileInputStream; import java.io.FileOutputStream; import java.util.ArrayList; import ...

  8. phpStudy Linux安装集成环境 (CentOS--7)

    phpStudy for Linux (lnmp+lamp一键安装包) phpStudy for Linux 支持Apache/Nginx/Tengine/Lighttpd, 支持php5.2/5.3 ...

  9. 20145305 《Java程序设计》实验一

    实验名称 实现凯撒密码,并进行测试. 实验内容 它是一种代换密码.据说凯撒是率先使用加密函的古代将领之一,因此这种加密方法被称为恺撒密码. 凯撒密码作为一种最为古老的对称加密体制,在古罗马的时候都已经 ...

  10. C++学习27 用全局函数重载运算符

    运算符重载函数既可以声明为类的成员函数,也可以声明为所有类之外的全局函数. 运算符重载函数作为类的成员函数 将运算符重载函数声明为类的成员函数时,二元运算符的参数只有一个,一元运算符不需要参数.之所以 ...