
,

1.

(firewall)
. , ,
.
,
.

,
.

( /) (iptables , pf OpenBSD, ipfw FreeBSD)
.

1.1. (Vyatta)
(, ). (
x86 ), .
-.
, ,
. , (iptables, iproute2,
ipsec), (quagga ).
,
www.vyatta.com. (www.vyatta.org/
forum),
.

1.2.
( , )
.
. , :
1. (firewall rule set). 1

( firewall-a)

2. .
3. ;
( , ).

1.3.
. (firewall rule
set) .
. (firewall-a). .

1.4.
. :
1. , , ; .
2. ,
, : , .
( .1, 2, ...).
. , . , . ,
, .
, .
, .
, , , ,
OSI , :

IP

ICMP

MAC

, . :

Accept;

Drop; ( )

Reject; (. TCP Reset )

Inspect; (Intrusion Prevention System)


, , . ,
( ) . , reject all,
.

1.5.
, , . , ( ) .
:

in; (
)

out; ( ;

local;

1.6.
(stateful firewall).
. ,
,
.
,
.

1: -
, (firewall) .
(in, out local). ( ) .

2.

,
:

2:
:

, ; ,
. . 192.168.1.0/24 eth1 .

, ;
4

,
. , eth2
.

3.

, ;
. eth0 , (x 2 , y 1 ).

:

:

,
eth0: ifdown eth0

nano /etc/network/interfaces; :
nano /etc/network/interfaces

, eth0 DHCP ; ; :
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

:
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1

: Ctrl+, <Enter>, Ctrl+x

eth0: ifup eth0


5

4.

: ifconfig eth0


, -. .
vyatta vyatta (
).

vyatta vyatta

( $). :

configure ( #)

, :
set system host-name R1

vyatta :
set system login user vyatta authentication plaintext-password lab403


commit
exit, exit

5.

, vyatta lab403 (
R1)

(vyatta)
.

:
configure

eth0 (x
):
set interfaces ethernet eth0 address 172.17.32.x/24

eth1:
set interfaces ethernet eth1 address 192.168.1.1/24

eth2:
set interfaces ethernet eth2 address 10.10.10.1/24

:
6

set system gateway-address 172.17.32.1

:
commit
set neto ....
delete neto.. .

,
( ping; , ping CTRL+c):

ping , 172.17.32.1

ping , 192.168.1.10

ping , 10.10.10.10

, . , :

:
exit

init-floppy ( )

6.


. .
:

http, ssh ;

http, ftp

DNS

ICMP echo (ping)

ssh

DNS

http

.
7

( in , out ),
. , in .

3:

: IZ_LAN, IZ_DMZ, SA_INTERNETA. in . ,
, .

7.


.
:

:
configure

(firewall) IZ_LAN
set firewall name IZ_LAN

( 10
). ssh http
192.168.1.10.

,
set firewall name IZ_LAN rule 10

:
set firewall name IZ_LAN rule 10 action accept

:
set firewall name IZ_LAN rule 10 source address 10.10.10.0/24

:
set firewall name IZ_LAN rule 10 destination address 192.168.1.10

TCP, 22 (ssh) 80 (http)


set firewall name IZ_LAN rule 10 protocol tcp
set firewall name IZ_LAN rule 10 destination port ssh,www


( /etc/services). .

, 20,
ICMP echo ;
set firewall name IZ_LAN rule 20
set firewall name IZ_LAN rule 20 action accept
set firewall name IZ_LAN rule 20 source address 10.10.10.0/24
set firewall name IZ_LAN rule 20 destination address 192.168.1.0/24
set firewall name IZ_LAN rule 20 protocol icmp
set firewall name IZ_LAN rule 20 icmp type-name echo-request

ICMP (icmp type-name)


(echo-request)

, 30:
set firewall name IZ_LAN rule 30
set firewall name IZ_LAN rule 30 action reject
set firewall name IZ_LAN rule 30 source address 10.10.10.0/24
set firewall name IZ_LAN rule 30 destination address 192.168.1.0/24

, http, ssh, icmp echo request.


, http, ftp ( 20,21):
set firewall name IZ_LAN rule 40
set firewall name IZ_LAN rule 40 action accept
set firewall name IZ_LAN rule 40 source address 10.10.10.0/24

,
set firewall name IZ_LAN rule 40 protocol tcp
set firewall name IZ_LAN rule 40 destination port http,ftp,ftp-data

DNS (DNS) UDP


40. domain UDP 53.
set firewall name IZ_LAN rule 50
set firewall name IZ_LAN rule 50 action accept
set firewall name IZ_LAN rule 50 source address 10.10.10.0/24
set firewall name IZ_LAN rule 50 protocol udp
set firewall name IZ_LAN rule 50 destination port domain

ICMP echo :
set firewall name IZ_LAN rule 60
set firewall name IZ_LAN rule 60 action accept
set firewall name IZ_LAN rule 60 source address 10.10.10.0/24
set firewall name IZ_LAN rule 60 protocol icmp
set firewall name IZ_LAN rule 60 icmp type-name echo-request

. , . , ( ) reject all.

:
show firewall name IZ_LAN

. ,
:
commit

8.

(
) :
1. ; ,
.
2. ;
, DNS , SMTP . ,
10

ICMP echo-request DNS .


IZ_DMZ:


vyatta ,
IZ_DMZ:
set firewall name IZ_DMZ

DNS :
set firewall name IZ_DMZ rule 10
set firewall name IZ_DMZ rule 10 action accept
set firewall name IZ_DMZ rule 10 source address 192.168.1.0/24
set firewall name IZ_DMZ rule 10 protocol udp
set firewall name IZ_DMZ rule 10 destination port domain

ICMP echo :
set firewall name IZ_DMZ rule 20
set firewall name IZ_DMZ rule 20 action accept
set firewall name IZ_DMZ rule 20 source address 192.168.1.0/24
set firewall name IZ_DMZ rule 20 protocol icmp
set firewall name IZ_DMZ rule 20 icmp type-name echo-request

(stateful firewall). ,
.
, ,
established related. (established) ( TCP),
(.
UDP DNS ) . (related)
, , ,
, FTP. FTP ,
,
, . ,
, ,
. 30, :
set firewall name IZ_DMZ rule 30
set firewall name IZ_DMZ rule 30 action accept

, established
related
set firewall name IZ_DMZ rule 30 state established enable
set firewall name IZ_DMZ rule 30 state related enable

, ,
11

, .

, , .

:
show firewall name IZ_DMZ

. ,
:
commit

9.

:

:

1. ; http
2. .
3. , ICMP time-exceeded, unreachable .
( )
SA_INTERNETA:


vyatta, SA_INTERNETA:
set firewall name SA_INTERNETA

http :
set firewall name SA_INTERNETA rule 10
set firewall name SA_INTERNETA rule 10 action accept
set firewall name SA_INTERNETA rule 10 destination address 192.168.1.10
set firewall name SA_INTERNETA rule 10 protocol tcp
set firewall name SA_INTERNETA rule 10 destination port http

:
set firewall name SA_INTERNETA rule 20
set firewall name SA_INTERNETA rule 20 action accept
set firewall name SA_INTERNETA rule 20 state established enable
set firewall name SA_INTERNETA rule 20 state related enable

ICMP Unreachable (ICMP 3):


set firewall name SA_INTERNETA rule 30
set firewall name SA_INTERNETA rule 30 action accept
set firewall name SA_INTERNETA rule 30 protocol icmp

12

,
set firewall name SA_INTERNETA rule 30 icmp type 3

ICMP Time Exceeded (ICMP 11):


set firewall name SA_INTERNETA rule 40
set firewall name SA_INTERNETA rule 40 action accept
set firewall name SA_INTERNETA rule 40 protocol icmp
set firewall name SA_INTERNETA rule 40 icmp type 11

, , .

:
show firewall name

SA_INTERNETA

. ,
:
commit

10. :
.


vyatta ,
.
set interfaces ethernet eth0 firewall in name SA_INTERNETA
set interfaces ethernet eth1 firewall in name IZ_DMZ
set interfaces ethernet eth2 firewall in name IZ_LAN

(eth0,
eth1, eth2), (in) .

:
show interfaces ethernet eth0 firewall
show interfaces ethernet eth1 firewall
show interfaces ethernet eth2 firewall

. ,
:
commit

11. :
, , nmap
.
:
nmap 10.10.10.10

13

,
nmap 192.168.1.10

,
80 192.168.1.10.

12. :

.
, .
( $ ):

;
( #),
:
exit


, :
show firewall

. :
show firewall detail

; .
, :
show firewall statistics

13. :
, ( ), . , , .
,
local. ,
,
, .
( ). INET_FW

,
configure
set firewall name INET_FW
set firewall name INET_FW rule 10

14

,
set firewall name INET_FW rule 10 action drop

. local eth0 :
set interfaces ethernet eth0 firewall local name INET_FW

. :
commit

. , .
DMZ_FW.

, :
set firewall name DMZ_FW
set firewall name DMZ_FW rule 10
set firewall name DMZ_FW rule 10 action accept
set firewall name DMZ_FW rule 10 state established enable
set firewall name DMZ_FW rule 10 state related enable

eth1
set interfaces ethernet eth1 firewall local name DMZ_FW

, :
commit

14. :

. SSH . , .
, ,
.
o SSH .
SSH , ( ),
.
IP (
iptables recent ).
()
/ .
, ssh , 15

. ssh
.
new ( established
related). LAN_FW:

, , ,
.
set firewall name LAN_FW
set firewall name LAN_FW rule 10


set firewall name LAN_FW rule 10 action drop

tcp 22 (ssh)
set firewall name LAN_FW rule 10 protocol tcp
set firewall name LAN_FW rule 10 destination port ssh

( ):
set firewall name LAN_FW rule 10 state new enable

3
30 :
set firewall name LAN_FW rule 10 recent count 3
set firewall name LAN_FW rule 10 recent time 30

, , ( 3 30 ).

22:
set firewall name LAN_FW rule 20
set firewall name LAN_FW rule 20 action accept
set firewall name LAN_FW rule 20 protocol tcp
set firewall name LAN_FW rule 20 destination port 22

ICMP echo-request
set firewall name LAN_FW rule 30
set firewall name LAN_FW rule 30 action accept

16

,
set firewall name LAN_FW rule 30 protocol icmp
set firewall name LAN_FW rule 30 icmp type-name echo-request

eth2
set interfaces ethernet eth2 firewall local name LAN_FW

ssh :
set service ssh

:
commit

ssh .

17
