vyos@vyos$ conf
# assign the IP address
vyos@vyos# set int eth eth0 address 211.183.3.252/24
2. Gateway configuration
# default gateway (newer VyOS releases drop system gateway-address in favour of a static default route: set protocols static route 0.0.0.0/0 next-hop 211.183.3.2)
vyos@vyos# set system gateway-address 211.183.3.2
3. SSH port setting & apply (commit)
# SSH port
vyos@vyos# set service ssh port 22
# apply
vyos@vyos# commit
4. Check that the router is reachable from outside
SSH access confirmed
5. Add & configure the eth1 NIC
Add the NIC
Set the eth1 IP
vyos@vyos# set int eth eth1 address 10.10.3.252/24
[edit]
vyos@vyos# commit
[ interfaces ethernet eth1 duplex auto ]
Cannot get current device settings: Operation not supported
not setting autoneg
# harmless on a virtual NIC: the driver does not expose speed/duplex settings to ethtool, so autoneg is left untouched
[edit]
6. Add & configure the eth2 NIC
Add the NIC
Set the eth2 IP
vyos@vyos# set int eth eth2 address 10.10.4.252/24
[edit]
vyos@vyos# commit
[ interfaces ethernet eth2 duplex auto ]
Cannot get current device settings: Operation not supported
not setting autoneg
# same harmless virtual-NIC warning as for eth1
[edit]
7. Remove the host connection
Undo the temporary workaround
8. Set interface descriptions per zone
vyos@vyos# set int eth eth0 description public
[edit]
vyos@vyos# set int eth eth1 description private
[edit]
vyos@vyos# set int eth eth2 description dmz
[edit]
vyos@vyos# commit
[edit]
9. mint ➡️ external access ❌ (no source NAT yet, so the private address cannot be reached from the outside and replies never come back)
10. PAT configuration
PAT for internal (private)
# PAT for the private network
vyos@vyos# set nat source rule 10 source address 10.10.3.0/24
[edit]
vyos@vyos# set nat source rule 10 outbound-interface eth0
[edit]
vyos@vyos# set nat source rule 10 translation address 211.183.3.252
[edit]
vyos@vyos# commit
[edit]
PAT for internal (dmz)
# PAT for the DMZ network
vyos@vyos# set nat source rule 20 source address 10.10.4.0/24
[edit]
vyos@vyos# set nat source rule 20 outbound-interface eth0
[edit]
vyos@vyos# set nat source rule 20 translation address 211.183.3.252
[edit]
vyos@vyos# commit
[edit]
Verify the PAT configuration
mint ➡️ external (public) reachable
web ➡️ external (public) reachable
11. Mint server setup
Set a root password
user1@mint:~$ sudo passwd root
[sudo] password for user1:
New password: # test123
Retype new password: # test123
passwd: password updated successfully
Install the SSH server
# lab only: OpenSSH's default PermitRootLogin prohibit-password already rejects root password logins; leave it that way (and prefer key authentication) once this host is exposed through DNAT
root@mint:~# apt install -y openssh-server
12. DNAT
Only two rules are needed❗
public ➡️ private : SSH
vyos@vyos# set nat destination rule 100 inbound-interface eth0
[edit]
vyos@vyos# set nat destination rule 100 destination port 222
[edit]
vyos@vyos# set nat destination rule 100 protocol tcp
[edit]
vyos@vyos# set nat destination rule 100 translation address 10.10.3.100
[edit]
vyos@vyos# set nat destination rule 100 translation port 22
[edit]
vyos@vyos# commit
[edit]
public ➡️ dmz : FTP
# note: this forwards only the control channel (21); active-mode data connections are opened by the server itself, while passive mode needs the passive port range forwarded too (or the FTP conntrack/NAT helper)
vyos@vyos# set nat destination rule 200 inbound-interface eth0
[edit]
vyos@vyos# set nat destination rule 200 protocol tcp
[edit]
vyos@vyos# set nat destination rule 200 translation address 10.10.4.80
[edit]
vyos@vyos# set nat destination rule 200 translation port 21
[edit]
vyos@vyos# set nat destination rule 200 destination port 21
[edit]
vyos@vyos# commit
[edit]
public ➡️ private : verify SSH access to mint
private ➡️ dmz : verify HTTP & telnet
public ➡️ dmz : verify FTP
verify telnet
13. Zone configuration
vyos@vyos# set zone-policy zone public interface eth0
[edit]
vyos@vyos# set zone-policy zone private interface eth1
[edit]
vyos@vyos# set zone-policy zone dmz interface eth2
[edit]
vyos@vyos# commit
[edit]
All traffic is cut off: once interfaces belong to zones, inter-zone traffic with no policy for that zone pair is dropped by default (traffic to the router itself, e.g. SSH on eth0, is unaffected because no local-zone is defined)
14. Policy 1: configure & apply
Configure
vyos@vyos# set firewall name PUBLIC_TO_PRIVATE rule 10 action accept
[edit]
vyos@vyos# set firewall name PUBLIC_TO_PRIVATE rule 10 protocol tcp
[edit]
# note: DNAT rule 100 runs before the zone filter (nat PREROUTING before filter FORWARD), so this rule set sees the translated port 22, not 222; to match the SSH flow the rule needs destination port 22
vyos@vyos# set firewall name PUBLIC_TO_PRIVATE rule 10 destination port 222
[edit]
Bind to the zone pair
vyos@vyos# set zone-policy zone private from public firewall name PUBLIC_TO_PRIVATE
[edit]
15. Policy 2
Configure
vyos@vyos# set firewall name PRIVATE_TO_PUBLIC rule 20 action accept
[edit]
vyos@vyos# set firewall name PRIVATE_TO_PUBLIC rule 20 protocol all
[edit]
vyos@vyos# set firewall name PRIVATE_TO_PUBLIC rule 20 state established enable
[edit]
vyos@vyos# set firewall name PRIVATE_TO_PUBLIC rule 20 state related enable
[edit]
Bind to the zone pair (this rule set admits reply traffic only; private hosts cannot open new connections to the public zone until a further rule allows it)
vyos@vyos# set zone-policy zone public from private firewall name PRIVATE_TO_PUBLIC
[edit]
16. public ➡️ private : SSH access check ⭕
17. Policy 3: configure & apply
Configure
vyos@vyos# set firewall name PRIVATE_TO_DMZ rule 30 action accept
[edit]
vyos@vyos# set firewall name PRIVATE_TO_DMZ rule 30 protocol tcp
[edit]
vyos@vyos# set firewall name PRIVATE_TO_DMZ rule 30 destination port 80,23
[edit]
Bind to the zone pair
vyos@vyos# set zone-policy zone dmz from private firewall name PRIVATE_TO_DMZ
[edit]
18. Policy 4: configure & apply
Configure
vyos@vyos# set firewall name DMZ_TO_PRIVATE rule 40 action accept
[edit]
vyos@vyos# set firewall name DMZ_TO_PRIVATE rule 40 state established enable
[edit]
vyos@vyos# set firewall name DMZ_TO_PRIVATE rule 40 state related enable
[edit]
vyos@vyos# set firewall name DMZ_TO_PRIVATE rule 40 protocol all
[edit]
Bind to the zone pair and apply
vyos@vyos# set zone-policy zone private from dmz firewall name DMZ_TO_PRIVATE
[edit]
vyos@vyos# commit
[edit]
19. private ➡️ dmz : access check
httpd access confirmed
telnet access confirmed
20. Policy 5 (accepts everything from the DMZ; restricting egress to the ports the servers actually need limits what a compromised DMZ host can reach)
vyos@vyos# set firewall name DMZ_TO_PUBLIC rule 50 action accept
[edit]
vyos@vyos# set zone-policy zone public from dmz firewall name DMZ_TO_PUBLIC
[edit]
21. Policy 6
Configure
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 60 action accept
[edit]
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 60 protocol tcp
[edit]
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 60 destination port 20,21
[edit]
# a return-traffic rule is also needed
# replies to connections the DMZ opened toward public (policy 5) must be let back in; it also covers already-established FTP flows
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 70 action accept
[edit]
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 70 state established enable
[edit]
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 70 state related enable
[edit]
vyos@vyos# set firewall name PUBLIC_TO_DMZ rule 70 protocol all
[edit]
Bind to the zone pair and apply
vyos@vyos# set zone-policy zone dmz from public firewall name PUBLIC_TO_DMZ
[edit]
vyos@vyos# commit
[edit]
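As an added example, not part of these notes and not VyOS code: a small Python model of the packet path that steps 10 to 21 rely on, namely destination NAT first, then the routing decision, then the zone-policy filter, then source NAT. It uses the addresses, rule numbers and rule-set names from the page; the Packet type, the rule-evaluation logic and the sample packets (203.0.113.5 and 198.51.100.10 are constructed documentation addresses) are assumptions made for this example. Walking the SSH flow through it shows why a zone rule matching port 222 never sees the DNATed SSH packets, and why a private host cannot open new outbound connections under policy 2.

```python
"""Packet walk for the public / private / dmz lab (added example, not VyOS code).

Models the netfilter order VyOS zone-policy and NAT rely on:
  nat PREROUTING (DNAT) -> routing -> filter FORWARD (zone-policy) -> nat POSTROUTING (SNAT)
Addresses and rule names come from the notes; the evaluation logic is a simplified model.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str = "new"      # conntrack state: new / established / related


# interface -> zone (step 13) and the router's own addresses (steps 1, 5, 6)
ZONE_OF = {"eth0": "public", "eth1": "private", "eth2": "dmz"}
ROUTER_ADDRS = {"211.183.3.252", "10.10.3.252", "10.10.4.252"}
SUBNET_OF = {"eth1": ipaddress.ip_network("10.10.3.0/24"),
             "eth2": ipaddress.ip_network("10.10.4.0/24")}


def egress_if(dst):
    """Routing decision: directly connected subnet, else the default route via eth0."""
    for ifname, net in SUBNET_OF.items():
        if ipaddress.ip_address(dst) in net:
            return ifname
    return "eth0"


# nat destination rules 100 and 200 (step 12)
DNAT = [
    {"num": 100, "in_if": "eth0", "proto": "tcp", "dport": 222, "to": ("10.10.3.100", 22)},
    {"num": 200, "in_if": "eth0", "proto": "tcp", "dport": 21, "to": ("10.10.4.80", 21)},
]
# nat source rules 10 and 20 (step 10)
SNAT = [
    {"num": 10, "src": ipaddress.ip_network("10.10.3.0/24"), "out_if": "eth0", "to": "211.183.3.252"},
    {"num": 20, "src": ipaddress.ip_network("10.10.4.0/24"), "out_if": "eth0", "to": "211.183.3.252"},
]


def rule(proto="all", dports=None, states=None):
    """One firewall rule; None means 'any' for that match."""
    return {"proto": proto, "dports": dports, "states": states}


# rule sets exactly as entered in steps 14-21 (PUBLIC_TO_PRIVATE matches port 222)
FIREWALL = {
    "PUBLIC_TO_PRIVATE": [rule("tcp", {222})],
    "PRIVATE_TO_PUBLIC": [rule(states={"established", "related"})],
    "PRIVATE_TO_DMZ":    [rule("tcp", {80, 23})],
    "DMZ_TO_PRIVATE":    [rule(states={"established", "related"})],
    "DMZ_TO_PUBLIC":     [rule()],
    "PUBLIC_TO_DMZ":     [rule("tcp", {20, 21}), rule(states={"established", "related"})],
}
# the same, but matching the post-DNAT port that the FORWARD chain actually sees
FIXED = {**FIREWALL, "PUBLIC_TO_PRIVATE": [rule("tcp", {22})]}

# zone-policy zone <to> from <from> firewall name <X>, keyed (to, from)
ZONE_POLICY = {
    ("private", "public"): "PUBLIC_TO_PRIVATE", ("public", "private"): "PRIVATE_TO_PUBLIC",
    ("dmz", "private"): "PRIVATE_TO_DMZ",       ("private", "dmz"): "DMZ_TO_PRIVATE",
    ("public", "dmz"): "DMZ_TO_PUBLIC",         ("dmz", "public"): "PUBLIC_TO_DMZ",
}


def apply_dnat(pkt):
    for r in DNAT:
        if (pkt.in_if, pkt.proto, pkt.dport) == (r["in_if"], r["proto"], r["dport"]):
            ip, port = r["to"]
            return replace(pkt, dst=ip, dport=port)
    return pkt


def zone_filter(pkt, out_if, firewall):
    """filter FORWARD: no policy for the zone pair, or no matching rule, means drop."""
    name = ZONE_POLICY.get((ZONE_OF[out_if], ZONE_OF[pkt.in_if]))
    for r in firewall.get(name, []):
        if r["proto"] != "all" and r["proto"] != pkt.proto:
            continue
        if r["dports"] is not None and pkt.dport not in r["dports"]:
            continue
        if r["states"] is not None and pkt.state not in r["states"]:
            continue
        return "accept"
    return "drop"


def apply_snat(pkt, out_if):
    for r in SNAT:
        if out_if == r["out_if"] and ipaddress.ip_address(pkt.src) in r["src"]:
            return replace(pkt, src=r["to"])
    return pkt


def walk(pkt, firewall=FIREWALL):
    """Return (verdict, packet as it leaves the router)."""
    pkt = apply_dnat(pkt)                            # nat PREROUTING
    if pkt.dst in ROUTER_ADDRS:                      # INPUT, not FORWARD: zone-policy
        return "local", pkt                          # does not apply without a local-zone
    out_if = egress_if(pkt.dst)                      # routing decision
    verdict = zone_filter(pkt, out_if, firewall)     # filter FORWARD (zone-policy)
    if verdict != "accept":
        return verdict, pkt
    return "accept", apply_snat(pkt, out_if)         # nat POSTROUTING


if __name__ == "__main__":
    ssh = Packet("eth0", "tcp", "203.0.113.5", 40000, "211.183.3.252", 222)
    print(walk(ssh))         # dropped: FORWARD sees dport 22, rule 10 matches 222
    print(walk(ssh, FIXED))  # accepted and forwarded to 10.10.3.100:22
```

Run it as a script to see the two SSH verdicts; the same `walk` call reproduces the other checks on the page (private to DMZ HTTP accepted without translation, DMZ outbound accepted and source-translated to 211.183.3.252, a new private-to-public connection dropped by policy 2).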