vyatta提供了强大的基于iptables的高级防火墙功能。
如果你没有定义防火墙,vyatta默认策略会禁止所有入站端口,放行所有出站。
vyatta的防火墙使用规则是这样的
1、定义好规则模板
2、将规则置于网卡之上生效
比如开放http端口到公网
- set firewall name LAN-IN default-action drop
- set firewall name LAN-IN rule 10 action accept
- set firewall name LAN-IN rule 10 description "allow http access from public"
- set firewall name LAN-IN rule 10 protocol tcp
- set firewall name LAN-IN rule 10 destination port http
- 这样就放行了所有对公网的web访问
再比如要限制公网的ssh访问
- set firewall name LAN-IN rule 20 action accept
- set firewall name LAN-IN rule 20 description "allow ssh access from some IP"
- set firewall name LAN-IN rule 20 protocol tcp
- set firewall name LAN-IN rule 20 destination port ssh
- set firewall name LAN-IN rule 20 source address 202.96.134.133
再比如限制对内某台机器的访问,譬如邮件服务器
- set firewall name LAN-IN rule 30 action accept
- set firewall name LAN-IN rule 30 description "allow smtp access from public to mail server"
- set firewall name LAN-IN rule 30 protocol tcp
- set firewall name LAN-IN rule 30 destination port smtp
- set firewall name LAN-IN rule 30 destination address 10.0.0.8
状态防火墙
- set firewall name STATE-RULE default-action drop
- set firewall name STATE-RULE description "Filter traffic statefully"
- set firewall name STATE-RULE rule 1 action accept
- set firewall name STATE-RULE rule 1 state established enable
- set firewall name STATE-RULE rule 1 state related enable
- set firewall name STATE-RULE rule 2 action drop
- set firewall name STATE-RULE rule 2 state invalid enable
- set firewall name STATE-RULE rule 2 log enable
- commit
将上面的策略放在公网网卡上
- set interfaces ethernet eth1 firewall in name LAN-IN
- set interfaces ethernet eth1 firewall in name STATE-RULE
注意上面的in,
在vyatta的防火墙中有三条通道
in 指的是入站
out 指的是出站
local 指的是防火墙本机
vyatta的防火墙还有基于其他策略的高级规则链,这里略过,详情参考官网文档。
本文转自 紫色葡萄 51CTO博客,原文链接:http://blog.51cto.com/purplegrape/1063709,如需转载请自行联系原作者
