27 de noviembre de 2009

Configurar Vyatta ADSL Gateway

Este documento le mostrará una manera de configurar el router Vyatta como cortafuegos y puerta de enlace a Internet, y demostrará la configuración de la tarjeta de interfaz ADSL Sangoma S518. Además, las interfaces LAN quedan (opcionalmente) separadas entre sí mediante un cortafuegos.


Configurar las opciones del sistema
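# Identity of the router; both values are placeholders to replace before commit.
set system host-name "your-router-name"
set system domain-name "your.domain.name"
# Press the Tab key after "time-zone" to list the accepted zone names; the value must be
# one of them. (This hint was originally written on the command line itself, where it
# would have been passed to 'set' as extra arguments.)
set system time-zone "your-time-zone"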

# Local accounts. The password is typed in clear on the CLI (and may remain in the
# command history); Vyatta is expected to store it hashed as 'encrypted-password' after
# commit -- confirm with 'show system login' before backing up the configuration.
set system login user vyatta authentication plaintext-password "your-password"
# Giving root its own password makes the root account directly usable; leave this line out
# if administration through the 'vyatta' user is enough.
set system login user root authentication plaintext-password "your-root-password"

Estos son los servidores de OpenDNS (opcional):
# Upstream resolvers used by the router itself (public OpenDNS addresses). Optional, as the
# heading says; any resolver reachable through the WAN can be listed instead.
set system name-server 208.67.222.222
set system name-server 208.67.220.220

Configurar las opciones de interfaz

Configuración de la interfaz WAN DSL Sangoma S518 (soporta PPPoE y PPPoA; el ejemplo usa PPPoE)
# ADSL WAN on the Sangoma S518: PPPoE session 0 over an auto-detected PVC. The session is
# the interface 'pppoe0' that the NAT rules below refer to.
# 'default-route auto': the default route is taken from the address negotiated by the peer.
set interfaces adsl adsl0 pvc auto pppoe 0 default-route auto
# ISP credentials; the password is kept in the configuration, so protect configuration
# backups accordingly.
set interfaces adsl adsl0 pvc auto pppoe 0 user-id "your-pppoe-username"
set interfaces adsl adsl0 pvc auto pppoe 0 password "your-pppoe-password"
# FROM-EXTERNAL inspects forwarded traffic arriving from the Internet ('in');
# TO-ROUTER inspects traffic addressed to the router itself ('local'). Both are defined
# in the firewall section of this document.
set interfaces adsl adsl0 pvc auto pppoe 0 firewall in name FROM-EXTERNAL
set interfaces adsl adsl0 pvc auto pppoe 0 firewall local name TO-ROUTER

Configuracion de interface Ethernet 1
# LAN 1 on eth0. LAN-TO-LAN is attached to forwarded traffic entering eth0 only; no 'local'
# rule-set is attached, so traffic from this LAN to the router itself is not filtered by
# anything in this document.
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 firewall in name LAN-TO-LAN

Configuracion de interface Ethernet 2
# LAN 2 on eth1, same pattern as eth0: the LAN-TO-LAN rule-set filters forwarded traffic
# entering the interface; traffic from LAN 2 to the router itself is not filtered here.
set interfaces ethernet eth1 address 192.168.2.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN

Configurar las opciones de Servicios

Configuracion de DHCP Server

Servicio de DHCP de la LAN 1 de eth0
# DHCP scope for LAN 1: dynamic leases 192.168.1.65-192.168.1.199, leaving .2-.64 and
# .200-.254 free for static assignments; the router (192.168.1.1) is handed out as gateway.
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 default-router 192.168.1.1

Si se utiliza la caché DNS del propio router, indíquela como primer servidor DNS; las líneas siguientes añaden además los servidores de OpenDNS como alternativos

# Resolver list handed to LAN 1 clients, in this order: the router first (useful only if a
# DNS forwarder/cache runs on it -- this document does not configure one), then the two
# OpenDNS servers as fallbacks.
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
# 'authoritative' presumably maps to the DHCP daemon's authoritative mode (answer with a
# NAK for addresses this server does not know) -- confirm against the Vyatta reference.
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 authoritative enable

Servicio de DHCP de la LAN 2 de eth1
# DHCP scope for LAN 2, mirroring LAN 1: dynamic leases 192.168.2.65-192.168.2.199 with the
# router (192.168.2.1) as gateway.
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 default-router 192.168.2.1

Si se utiliza la caché DNS del propio router, indíquela como primer servidor DNS; las líneas siguientes añaden además los servidores de OpenDNS como alternativos

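# Resolver list handed to LAN 2 clients: the router first (only useful if a DNS
# forwarder/cache runs on it -- not configured in this document), then the OpenDNS servers.
# All four lines belong to ETH1_POOL; the first one originally named ETH0_POOL, which would
# have attached a 192.168.2.0/24 subnet to the LAN 1 shared network instead of this one.
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
# Same 'authoritative' setting as the LAN 1 scope.
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 authoritative enable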


Configuracion de NAT
aquí se aplica NAT a todas las direcciones internas 192.168.x.x y 10.x.x.x, seleccionándolas mediante las máscaras de red (/16 y /8)

# Source NAT (masquerade behind the PPPoE address) for the two private ranges used inside.
# 192.168.0.0/16 covers both LANs defined above.
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface pppoe0
set service nat rule 10 type masquerade

# 10.0.0.0/8 is matched here and in LAN-TO-LAN, but no interface in this document carries a
# 10.x address; the rule is harmless until such a network is attached.
set service nat rule 20 source address 10.0.0.0/8
set service nat rule 20 outbound-interface pppoe0
set service nat rule 20 type masquerade

Configurar las opciones de Firewall
FROM-EXTERNAL
# FROM-EXTERNAL: attached 'in' on pppoe0, i.e. forwarded traffic coming from the Internet.
set firewall name FROM-EXTERNAL description "Bloquear el trafico no deseado de Internet"

# rule 10: only replies to connections initiated from the inside are forwarded. It is the
# sole rule: whatever it does not match falls to the rule-set's implicit default action
# (drop), so no unsolicited inbound connection reaches the LANs. With logging disabled the
# drops leave no trace; enabling it while validating the policy is worth considering.
set firewall name FROM-EXTERNAL rule 10 description "Aceptar conexiones relaciones Establecidas"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable

## TO-ROUTER: attached 'local' on pppoe0, i.e. traffic addressed to the router itself from
## the Internet. Anything not accepted by rules 10-34 falls to the implicit default (drop).
set firewall name TO-ROUTER description "Trafico Destinado al Router"

# rule 10: replies to sessions the router itself opened (for example its own DNS lookups).
set firewall name TO-ROUTER rule 10 description "Aceptar conexiones relaciones Establecidas"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable

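# rule 20: SSH management from the Internet, limited to a single source prefix. The SSH
# service itself is not enabled anywhere in this document ('set service ssh'), so this
# rule only matters once it is.
set firewall name TO-ROUTER rule 20 description "Acceso SSH"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# Adjust the source address to your own management network: 209.193.64.248/29 is only an
# example and must be replaced, otherwise the wrong hosts are admitted. (This instruction
# was originally a bare text line between the commands.)
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
# Logging is off; for an administrative port, 'log enable' on this rule is cheap and gives
# an audit trail of accepted management sessions.
set firewall name TO-ROUTER rule 20 log disable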

# rule 30: ICMP type 3 (destination unreachable). Needed so the router learns of
# path-MTU problems, which are common behind PPPoE.
set firewall name TO-ROUTER rule 30 description "Aceptar ICMP inalcanzable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable

# rule 32: ICMP type 8 (echo request). The router answers ping from any Internet source;
# remove this rule if the router should not be discoverable that way.
set firewall name TO-ROUTER rule 32 description "Aceptar ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable

# rule 34: ICMP type 11 (time exceeded), so traceroute toward the router works.
set firewall name TO-ROUTER rule 34 description "Aceptar ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

## LAN-TO-LAN: attached 'in' on both eth0 and eth1; forwarded traffic between the two LANs
## is refused. 'reject' sends an error back to the sender instead of silently dropping,
## which is friendlier on a trusted LAN but also reveals that a filter is in place.
set firewall name LAN-TO-LAN description "Bloqueo interno de Interaccion de LAN's"

# rule 10: LAN 2 -> LAN 1. Effective on eth1, where 192.168.2.0/24 sources enter.
# Two mirrored rules are needed because the same rule-set serves both interfaces.
set firewall name LAN-TO-LAN rule 10 description "Bloqueo de 192.168.2.x a 192.168.1.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable

# rule 20: LAN 1 -> LAN 2. Effective on eth0.
set firewall name LAN-TO-LAN rule 20 description "Bloqueo de 192.168.1.x a 192.168.2.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable

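# rules 30/40: isolate a 10.0.0.0/8 network from 192.168.0.0/16 in both directions. No
# interface in this document carries a 10.x address, so these only take effect if one is
# added later. The two descriptions were swapped in the original (each named the opposite
# direction from its source/destination); they now match the addresses below them.
# rule 30: 10.x.x.x -> 192.168.x.x
set firewall name LAN-TO-LAN rule 30 description "Bloqueo de 10.x.x.x a 192.168.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable

# rule 40: 192.168.x.x -> 10.x.x.x
set firewall name LAN-TO-LAN rule 40 description "Bloqueo de 192.168.x.x a 10.x.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 40 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 40 log disable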

# rule 999: explicit final accept. Everything the reject rules above did not match --
# including LAN-to-Internet traffic, which then goes through the NAT rules -- is forwarded.
# 0.0.0.0/0 on both sides matches every address; it is spelled out here for readability.
set firewall name LAN-TO-LAN rule 999 description "Permitir todo el tráfico que anteriormente no fue bloqueados"
set firewall name LAN-TO-LAN rule 999 action accept
set firewall name LAN-TO-LAN rule 999 source address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 destination address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 log disable

Para Guardar los Cambios
# 'commit' activates the candidate configuration; review it first, since the WAN firewall
# rules take effect immediately. 'save' writes the running configuration to the boot
# configuration so it survives a reboot (credentials included -- protect backups of it).
commit
save

3 comentarios:

  1. Y como le hago para ver si ya funciono la conexión? ya probe con el connect interface eth0 pero me dice Invalid interface: eth0 y no se que ponerle...

  2. Pero ¿el comando lo ejecutaste con eth0 (con el número cero)?
    Porque si lo escribiste tal como aparece, posiblemente ahí esté el problema.

  3. Como hago en la parte del firewall para instalar listas negras
