Vyatta provides powerful advanced firewall features built on iptables.
If you have not defined a firewall, Vyatta's default policy blocks all inbound ports and allows all outbound traffic.
Vyatta's firewall is used in two steps:
1. Define a rule template (a named ruleset).
2. Apply the ruleset to a network interface, where it takes effect.
For example, to open the HTTP port to the public network:
- set firewall name LAN-IN rule 10 action accept
- set firewall name LAN-IN rule 10 description "allow http access from public"
- set firewall name LAN-IN rule 10 protocol tcp
- set firewall name LAN-IN rule 10 destination port http
This permits all HTTP access from the public network.
Another example, restricting SSH access from the public network to a single source address:
- set firewall name LAN-IN rule 20 action accept
- set firewall name LAN-IN rule 20 description "allow ssh access from some IP"
- set firewall name LAN-IN rule 20 protocol tcp
- set firewall name LAN-IN rule 20 destination port ssh
- set firewall name LAN-IN rule 20 source address 202.96.134.133
Or restricting access to a specific internal machine, such as a mail server:
- set firewall name LAN-IN rule 30 action accept
- set firewall name LAN-IN rule 30 description "allow smtp access from public to mail server"
- set firewall name LAN-IN rule 30 protocol tcp
- set firewall name LAN-IN rule 30 destination port smtp
- set firewall name LAN-IN rule 30 destination address 10.0.0.8
A stateful ruleset (accept packets belonging to established or related connections, drop and log invalid ones):
- set firewall name STATE-RULE description "Filter traffic statefully"
- set firewall name STATE-RULE rule 1 action accept
- set firewall name STATE-RULE rule 1 state established enable
- set firewall name STATE-RULE rule 1 state related enable
- set firewall name STATE-RULE rule 2 action drop
- set firewall name STATE-RULE rule 2 state invalid enable
- set firewall name STATE-RULE rule 2 log enable
- commit
Apply the rulesets above to the public-facing interface:
- set interfaces ethernet eth1 firewall in name LAN-IN
- set interfaces ethernet eth1 firewall in name STATE-RULE
Note the word in above. A Vyatta firewall has three hook points on an interface:
in refers to inbound traffic passing through the interface.
out refers to outbound traffic.
local refers to traffic addressed to the firewall host itself.
Vyatta's firewall also has advanced rule chains based on other policies; they are skipped here. See the official documentation for details.
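The following is an added example, not part of the original post, that carries the two-step procedure above through as one complete configuration typed in Vyatta's configure mode. It folds the allow rules and the stateful rules into a single inbound ruleset, because `firewall in name` on an interface holds exactly one ruleset and a second `set` replaces the first rather than adding to it. It also puts SSH to the router itself on the `local` hook, which is where traffic addressed to the firewall host is evaluated. The ruleset names PUBLIC-IN and PUBLIC-LOCAL and the web server address 10.0.0.7 are assumptions for illustration; the interface eth1, the mail server 10.0.0.8 and the management address 202.96.134.133 are taken from the post. `default-action` and `enable-default-log` are standard Vyatta firewall options.

```vyatta
# Added example, not from the original post. Names PUBLIC-IN, PUBLIC-LOCAL
# and the address 10.0.0.7 are assumed; eth1, 10.0.0.8 and 202.96.134.133
# come from the post.

# Step 1: define the inbound ruleset. Anything not explicitly accepted
# below is dropped and logged by the default action.
set firewall name PUBLIC-IN description "Inbound from the public network"
set firewall name PUBLIC-IN default-action drop
set firewall name PUBLIC-IN enable-default-log

# Stateful rules come first so replies to permitted sessions are accepted
# cheaply and malformed or out-of-state packets are dropped and logged.
set firewall name PUBLIC-IN rule 1 action accept
set firewall name PUBLIC-IN rule 1 state established enable
set firewall name PUBLIC-IN rule 1 state related enable
set firewall name PUBLIC-IN rule 2 action drop
set firewall name PUBLIC-IN rule 2 state invalid enable
set firewall name PUBLIC-IN rule 2 log enable

# HTTP from anywhere, but only to the internal web server (assumed 10.0.0.7),
# rather than to every internal host.
set firewall name PUBLIC-IN rule 10 action accept
set firewall name PUBLIC-IN rule 10 description "allow http to web server"
set firewall name PUBLIC-IN rule 10 protocol tcp
set firewall name PUBLIC-IN rule 10 destination address 10.0.0.7
set firewall name PUBLIC-IN rule 10 destination port http

# SMTP from anywhere to the mail server from the post.
set firewall name PUBLIC-IN rule 30 action accept
set firewall name PUBLIC-IN rule 30 description "allow smtp to mail server"
set firewall name PUBLIC-IN rule 30 protocol tcp
set firewall name PUBLIC-IN rule 30 destination address 10.0.0.8
set firewall name PUBLIC-IN rule 30 destination port smtp

# Step 2: bind the ruleset. Only one ruleset per direction per interface.
set interfaces ethernet eth1 firewall in name PUBLIC-IN

# Traffic to the router itself is evaluated on the 'local' hook, not 'in'.
# SSH to the router is accepted only from the management address.
set firewall name PUBLIC-LOCAL description "To the router from the public network"
set firewall name PUBLIC-LOCAL default-action drop
set firewall name PUBLIC-LOCAL enable-default-log
set firewall name PUBLIC-LOCAL rule 1 action accept
set firewall name PUBLIC-LOCAL rule 1 state established enable
set firewall name PUBLIC-LOCAL rule 1 state related enable
set firewall name PUBLIC-LOCAL rule 20 action accept
set firewall name PUBLIC-LOCAL rule 20 description "allow ssh to router from management host"
set firewall name PUBLIC-LOCAL rule 20 protocol tcp
set firewall name PUBLIC-LOCAL rule 20 destination port ssh
set firewall name PUBLIC-LOCAL rule 20 source address 202.96.134.133
set interfaces ethernet eth1 firewall local name PUBLIC-LOCAL

# Activate the configuration and persist it across reboots.
commit
save
```

Before committing, `show firewall name PUBLIC-IN` in configure mode displays the pending ruleset; after commit, `show firewall name PUBLIC-IN statistics` in operational mode shows per-rule packet counts, which is the quickest way to confirm that traffic is matching the rule you expect rather than falling through to the logged default drop.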
(Author: 紫色葡萄)