# VyOS base configuration: operational-mode install first, then enter
# configuration mode for the addressing, routing and management settings.
install image
conf
# Interface addressing. eth0 is the upstream/public side, eth1 the private
# segment and eth2 the DMZ segment (the zone bindings later in this file use
# the same split).
set interfaces ethernet eth0 address 10.10.91.10/8
set interfaces ethernet eth1 address 192.168.102.252/24
set interfaces ethernet eth2 address 172.16.101.252/24
# Default route; 10.0.0.1 lies inside eth0's 10.0.0.0/8, so it is directly reachable.
set system gateway-address 10.0.0.1
# Management SSH on the standard port.
# NOTE(review): no listen-address is configured, so the daemon accepts
# connections on every interface, including public eth0 -- confirm this is
# intended, or bind it to the private-side address.
set service ssh port 22
# OSPF: advertise only the private segment (eth1) in area 0. The router-id is
# an arbitrary 32-bit identifier and need not match any interface address.
set protocols ospf parameters router-id 10.1.1.1
set protocols ospf area 0 network 192.168.102.0/24
commit
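# Source NAT: DMZ hosts (172.16.101.0/24) leave eth0 as 10.10.91.100.
# NOTE(review): 10.10.91.100 is not an address configured on eth0 (that is
# 10.10.91.10), so reply traffic only returns if 10.10.91.100 is routed or
# ARP-answered towards this router -- confirm with the upstream setup.
set nat source rule 1 source address 172.16.101.0/24
set nat source rule 1 translation address 10.10.91.100
set nat source rule 1 outbound-interface eth0
# Destination NAT: publish the DMZ host 172.16.101.80 (HTTP and SSH) on the
# same public address that the SNAT rule above uses.
# Fix 1: the port list must be comma-separated without spaces; "80, 22" is
# not a valid port list for the VyOS CLI.
# Fix 2: the original rule carried no "destination address", so it matched
# EVERY TCP packet to port 80/22 entering eth0 -- including SSH aimed at the
# router's own eth0 address (10.10.91.10:22), which would be forwarded to the
# DMZ host instead and cut off remote management. Restricting the match to the
# published address keeps the router's own SSH reachable.
set nat destination rule 1 inbound-interface eth0
set nat destination rule 1 destination address 10.10.91.100
set nat destination rule 1 protocol tcp
set nat destination rule 1 destination port 80,22
set nat destination rule 1 translation address 172.16.101.80
commit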
# Temporary source NAT so the private segment (192.168.102.0/24) can reach the
# outside through eth0 while the lab is being built; remove it when no longer
# required. NOTE(review): once the zone policy further down is committed, only
# what PRIVATE_TO_PUBLIC accepts (established/related, ICMP, NFS ports)
# actually leaves through this rule.
set nat source rule 2 outbound-interface eth0
set nat source rule 2 source address 192.168.102.0/24
set nat source rule 2 translation address 10.10.91.100
commit
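# Zone policy and inter-zone firewall (NFS, IPsec, DMZ publishing).
# Every interface is placed in exactly one zone; traffic between two zones is
# dropped unless a rule set is attached for that direction.
# Fix: the DMZ zone was bound to "eth" (no interface index), which is not a
# valid interface name. eth2 (172.16.101.252/24) is the DMZ segment -- it is
# the only remaining interface and the DNAT target 172.16.101.80 lives on it.
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
set zone-policy zone dmz interface eth2
# Make the inter-zone default explicit instead of relying on the implicit one.
set zone-policy zone public default-action drop
set zone-policy zone private default-action drop
set zone-policy zone dmz default-action drop
# NOTE(review): no "local" zone is defined, so traffic addressed to the router
# itself (SSH on eth0, OSPF on eth1) is not covered by the rule sets below --
# confirm that is acceptable for this deployment.

# ---- PUBLIC -> PRIVATE ----------------------------------------------------
set firewall name PUBLIC_TO_PRIVATE default-action drop
# Rule 10: IPsec (IKE 500, NAT-T 4500) and NFS (portmapper 111, nfsd 2049,
# 4001-4004 presumably pinned mountd/statd/lockd ports -- confirm against the
# NFS server configuration) over UDP.
# NOTE(review): this exposes the private NFS server to the whole public zone
# with no source restriction; add
# "set firewall name PUBLIC_TO_PRIVATE rule 10 source address <peer>" (and the
# same on rule 20) once the remote client/peer address is known.
set firewall name PUBLIC_TO_PRIVATE rule 10 action accept
set firewall name PUBLIC_TO_PRIVATE rule 10 protocol udp
set firewall name PUBLIC_TO_PRIVATE rule 10 destination port 500,4500,111,2049,4001-4004
# Rule 20: the same NFS ports over TCP.
# Fix: the original rule 20 was "protocol udp", which only duplicated the NFS
# part of rule 10 and left TCP NFS with no matching rule (dropped by default).
# PRIVATE_TO_PUBLIC pairs a UDP rule with a TCP rule; this direction now does
# the same.
set firewall name PUBLIC_TO_PRIVATE rule 20 action accept
set firewall name PUBLIC_TO_PRIVATE rule 20 protocol tcp
set firewall name PUBLIC_TO_PRIVATE rule 20 destination port 111,2049,4001-4004
# Rule 30: ICMP (all types) for diagnostics.
set firewall name PUBLIC_TO_PRIVATE rule 30 action accept
set firewall name PUBLIC_TO_PRIVATE rule 30 protocol icmp
# Rule 40: return traffic for connections opened from the private side.
set firewall name PUBLIC_TO_PRIVATE rule 40 action accept
set firewall name PUBLIC_TO_PRIVATE rule 40 state established enable
set firewall name PUBLIC_TO_PRIVATE rule 40 state related enable
set firewall name PUBLIC_TO_PRIVATE rule 40 protocol all

# ---- PRIVATE -> PUBLIC ----------------------------------------------------
set firewall name PRIVATE_TO_PUBLIC default-action drop
# Rule 10: return traffic for connections opened from the public side.
set firewall name PRIVATE_TO_PUBLIC rule 10 action accept
set firewall name PRIVATE_TO_PUBLIC rule 10 state established enable
set firewall name PRIVATE_TO_PUBLIC rule 10 state related enable
set firewall name PRIVATE_TO_PUBLIC rule 10 protocol all
# Rule 20: ICMP.
set firewall name PRIVATE_TO_PUBLIC rule 20 action accept
set firewall name PRIVATE_TO_PUBLIC rule 20 protocol icmp
# Rules 30/40: NFS client traffic towards a public NFS server, UDP and TCP.
set firewall name PRIVATE_TO_PUBLIC rule 30 action accept
set firewall name PRIVATE_TO_PUBLIC rule 30 protocol udp
set firewall name PRIVATE_TO_PUBLIC rule 30 destination port 111,2049,4001-4004
set firewall name PRIVATE_TO_PUBLIC rule 40 action accept
set firewall name PRIVATE_TO_PUBLIC rule 40 protocol tcp
set firewall name PRIVATE_TO_PUBLIC rule 40 destination port 111,2049,4001-4004

# ---- PUBLIC <-> DMZ --------------------------------------------------------
# Fix: the dmz zone was created but had no rule set in either direction, so
# the zone policy dropped exactly the traffic the NAT rules earlier in this
# file were written for: the port-forward to 172.16.101.80 (destination
# rule 1) and outbound traffic from 172.16.101.0/24 (source rule 1). The two
# sets below allow only that traffic. Private <-> DMZ deliberately gets no
# rule set and therefore stays dropped.
set firewall name PUBLIC_TO_DMZ default-action drop
set firewall name PUBLIC_TO_DMZ rule 10 action accept
set firewall name PUBLIC_TO_DMZ rule 10 state established enable
set firewall name PUBLIC_TO_DMZ rule 10 state related enable
set firewall name PUBLIC_TO_DMZ rule 10 protocol all
# DNAT is applied before this filter, so the match is on the translated (DMZ)
# address. NOTE(review): this publishes the DMZ host's SSH to the whole public
# zone; restrict port 22 with a "source address" once the admin network is known.
set firewall name PUBLIC_TO_DMZ rule 20 action accept
set firewall name PUBLIC_TO_DMZ rule 20 protocol tcp
set firewall name PUBLIC_TO_DMZ rule 20 destination address 172.16.101.80
set firewall name PUBLIC_TO_DMZ rule 20 destination port 80,22
set firewall name DMZ_TO_PUBLIC default-action drop
set firewall name DMZ_TO_PUBLIC rule 10 action accept
set firewall name DMZ_TO_PUBLIC rule 10 state established enable
set firewall name DMZ_TO_PUBLIC rule 10 state related enable
set firewall name DMZ_TO_PUBLIC rule 10 protocol all
# New outbound connections from the DMZ segment (the range source NAT rule 1 translates).
set firewall name DMZ_TO_PUBLIC rule 20 action accept
set firewall name DMZ_TO_PUBLIC rule 20 source address 172.16.101.0/24

# ---- attach rule sets to zone pairs ("zone X from Y" = traffic entering X from Y)
set zone-policy zone public from private firewall name PRIVATE_TO_PUBLIC
set zone-policy zone private from public firewall name PUBLIC_TO_PRIVATE
set zone-policy zone dmz from public firewall name PUBLIC_TO_DMZ
set zone-policy zone public from dmz firewall name DMZ_TO_PUBLIC
commit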