Configuring the Vyatta firewall module. Part 9 – Configuring the firewall on the public interface of openredesR2
In this part of the Vyatta firewall configuration example we create and apply the rule sets that implement the access policy defined for the public interface of openredesR2.
The process is very similar to the previous step, carried out for the public interface of openredesR1.
In summary, the access policy defined for the Internet-facing interface of openredesR2 states the following:
At the local level (connections destined for the Vyatta machine itself):
- We only allow the replies to the DNS and NTP requests that the Vyatta machine sends to the servers configured on the system for those services.
- No administration will be possible from the public network (no ssh, no telnet, no web GUI).
- Access is allowed for the site-to-site (STS) VPN so that the private link between the company's two sites works correctly. This VPN communicates over UDP port 1194, and we only need to allow related and established connections, because the openredesR2 end is the active end and therefore the client.

At the level of incoming connections:
- We allow already-established connections coming from external public web and email services.
- We reject connections in the invalid state.
We focus first on the firewall rule set to create for local connections (those destined for the Vyatta machine itself).

First we create the port groups needed by the rules we are about to write:
openredes@openredesR2# set firewall group port-group DNS_NTP port domain
[edit]
openredes@openredesR2# set firewall group port-group DNS_NTP port ntp
[edit]
openredes@openredesR2# commit
[edit]
openredes@openredesR2# edit firewall group port-group vyatta-admin
[edit firewall group port-group vyatta-admin]
openredes@openredesR2# set port ssh
[edit firewall group port-group vyatta-admin]
openredes@openredesR2# set port telnet
[edit firewall group port-group vyatta-admin]
openredes@openredesR2# set port www
[edit firewall group port-group vyatta-admin]
openredes@openredesR2# set port https
[edit firewall group port-group vyatta-admin]
openredes@openredesR2# commit
[edit firewall group port-group vyatta-admin]
Next we create the rules themselves, using the port groups just created for the services named in the policy:
openredes@openredesR2# top
[edit]
openredes@openredesR2# edit firewall name publica-local rule 2
[edit firewall name publica-local rule 2]
openredes@openredesR2# set action reject
[edit firewall name publica-local rule 2]
openredes@openredesR2# set log enable
[edit firewall name publica-local rule 2]
openredes@openredesR2# set state invalid enable
[edit firewall name publica-local rule 2]
openredes@openredesR2# commit
[edit firewall name publica-local rule 2]
openredes@openredesR2# up
[edit firewall name publica-local]
openredes@openredesR2# edit rule 10
[edit firewall name publica-local rule 10]
openredes@openredesR2# set action accept
[edit firewall name publica-local rule 10]
openredes@openredesR2# set protocol tcp_udp
[edit firewall name publica-local rule 10]
openredes@openredesR2# set source group port-group DNS_NTP
[edit firewall name publica-local rule 10]
openredes@openredesR2# set state established enable
[edit firewall name publica-local rule 10]
openredes@openredesR2# set state related enable
[edit firewall name publica-local rule 10]
openredes@openredesR2# commit
[edit firewall name publica-local rule 10]
openredes@openredesR2# up
[edit firewall name publica-local]
openredes@openredesR2# edit rule 20
[edit firewall name publica-local rule 20]
openredes@openredesR2# set action reject
[edit firewall name publica-local rule 20]
openredes@openredesR2# set de description destination
[edit firewall name publica-local rule 20]
openredes@openredesR2# set destination group port-group vyatta-admin
[edit firewall name publica-local rule 20]
openredes@openredesR2# set log enable
[edit firewall name publica-local rule 20]
openredes@openredesR2# set protocol tcp_udp
[edit firewall name publica-local rule 20]
openredes@openredesR2# commit
[edit firewall name publica-local rule 20]
openredes@openredesR2# up
[edit firewall name publica-local]
openredes@openredesR2# edit rule 30
[edit firewall name publica-local rule 30]
openredes@openredesR2# set action accept
[edit firewall name publica-local rule 30]
openredes@openredesR2# set destination port 1194
[edit firewall name publica-local rule 30]
openredes@openredesR2# set protocol udp
[edit firewall name publica-local rule 30]
openredes@openredesR2# commit
[edit firewall name publica-local rule 30]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
Finally, we apply the rule set we created to the Internet-facing interface in the local direction:
openredes@openredesR2# set interfaces ethernet eth2 firewall local name publica-local
[edit]
openredes@openredesR2# commit
[edit]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
openredes@openredesR2#
Now we create the firewall rule set that reflects the policy defined for incoming connections on the Internet-facing interface.

First we create the required port groups:
openredes@openredesR2# edit firewall group port-group servicios-publicos
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# set port www
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# set port https
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# set port ssmtp
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# set port imaps
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# set port pop3s
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# commit
[edit firewall group port-group servicios-publicos]
openredes@openredesR2#
We create the required rules:
[edit firewall group port-group servicios-publicos]
openredes@openredesR2# top
[edit]
openredes@openredesR2# edit firewall name publica-in
[edit firewall name publica-in]
openredes@openredesR2# edit rule 1
[edit firewall name publica-in rule 1]
openredes@openredesR2# set action accept
[edit firewall name publica-in rule 1]
openredes@openredesR2# set destination group port-group servicios-publicos
[edit firewall name publica-in rule 1]
openredes@openredesR2# set state established enable
[edit firewall name publica-in rule 1]
openredes@openredesR2# set state related enable
[edit firewall name publica-in rule 1]
openredes@openredesR2# commit
[edit firewall name publica-in rule 1]
openredes@openredesR2# up
[edit firewall name publica-in]
openredes@openredesR2# edit rule 2
[edit firewall name publica-in rule 2]
openredes@openredesR2# set action reject
[edit firewall name publica-in rule 2]
openredes@openredesR2# set log enable
[edit firewall name publica-in rule 2]
openredes@openredesR2# set state invalid enable
[edit firewall name publica-in rule 2]
openredes@openredesR2# commit
[edit firewall name publica-in rule 2]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
openredes@openredesR2#
And we apply the rule set to the Internet-facing interface in the inbound (in) direction:
openredes@openredesR2# set interfaces ethernet eth2 firewall in name publica-in
[edit]
openredes@openredesR2# commit
[edit]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
openredes@openredesR2#
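As an added check, not part of the openredes tutorial and not Vyatta code, the following Python script takes the `set firewall` paths from the transcripts above, rebuilds the two rule sets, and walks constructed sample packets through them the way Vyatta evaluates them (lowest rule number first, first match wins; with no default-action configured, as here, the rule set's default is drop). The service-to-port numbers and the sample packets are constructed for the example. Running it shows that a DNS reply with source port 53 in the established state is accepted by rule 10 of publica-local, an SSH attempt against the router is rejected by rule 20, and anything unmatched falls to the default drop. It also surfaces two points worth comparing with the stated policy: rule 30 carries no state match, so a new, unsolicited UDP/1194 packet is accepted rather than only established and related traffic; and rule 1 of publica-in matches on the destination port, so a reply coming back from an external HTTPS server (source port 443, ephemeral destination port) does not match it and is dropped by default.

```python
"""Walk the Vyatta firewall rule sets configured in this part of the tutorial.

Added example (not from the openredes tutorial or from Vyatta): it parses the
`set firewall ...` paths shown on the page into rule sets and evaluates
constructed sample packets against them in Vyatta order.
"""
from dataclasses import dataclass, field

# Port groups exactly as created on the page.
PORT_GROUPS = {
    "DNS_NTP": {"domain", "ntp"},
    "vyatta-admin": {"ssh", "telnet", "www", "https"},
    "servicios-publicos": {"www", "https", "ssmtp", "imaps", "pop3s"},
}

# Service-name to port mapping (constructed subset of /etc/services).
SERVICES = {"domain": 53, "ntp": 123, "ssh": 22, "telnet": 23, "www": 80,
            "https": 443, "ssmtp": 465, "imaps": 993, "pop3s": 995}

# The `set` paths from the page's transcripts, without prompts or commits.
SET_PATHS = """
firewall name publica-local rule 2 action reject
firewall name publica-local rule 2 log enable
firewall name publica-local rule 2 state invalid enable
firewall name publica-local rule 10 action accept
firewall name publica-local rule 10 protocol tcp_udp
firewall name publica-local rule 10 source group port-group DNS_NTP
firewall name publica-local rule 10 state established enable
firewall name publica-local rule 10 state related enable
firewall name publica-local rule 20 action reject
firewall name publica-local rule 20 destination group port-group vyatta-admin
firewall name publica-local rule 20 log enable
firewall name publica-local rule 20 protocol tcp_udp
firewall name publica-local rule 30 action accept
firewall name publica-local rule 30 destination port 1194
firewall name publica-local rule 30 protocol udp
firewall name publica-in rule 1 action accept
firewall name publica-in rule 1 destination group port-group servicios-publicos
firewall name publica-in rule 1 state established enable
firewall name publica-in rule 1 state related enable
firewall name publica-in rule 2 action reject
firewall name publica-in rule 2 log enable
firewall name publica-in rule 2 state invalid enable
"""


@dataclass
class Rule:
    action: str = "drop"
    protocol: str = "all"
    states: set = field(default_factory=set)   # empty = any conntrack state
    sports: set = field(default_factory=set)   # empty = any source port
    dports: set = field(default_factory=set)   # empty = any destination port


def ports_of(name: str) -> set:
    """Resolve a port-group name, a service name or a numeric port to ints."""
    if name in PORT_GROUPS:
        return {SERVICES[s] for s in PORT_GROUPS[name]}
    return {SERVICES.get(name) or int(name)}


def parse_rule_sets(text: str) -> dict:
    """Build {rule-set name: {rule number: Rule}} from `set firewall` paths."""
    rule_sets = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["firewall", "name"] or t[3] != "rule":
            continue
        rule = rule_sets.setdefault(t[2], {}).setdefault(int(t[4]), Rule())
        key, rest = t[5], t[6:]
        if key == "action":
            rule.action = rest[0]
        elif key == "protocol":
            rule.protocol = rest[0]
        elif key == "state" and rest[1] == "enable":
            rule.states.add(rest[0])
        elif key in ("source", "destination"):
            # Handles both "group port-group G" and "port N"; the last token names the ports.
            target = rule.sports if key == "source" else rule.dports
            target.update(ports_of(rest[-1]))
    return rule_sets


@dataclass
class Packet:
    protocol: str   # "tcp" or "udp"
    sport: int
    dport: int
    state: str      # conntrack state: new, established, related or invalid


def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.protocol in ("all", pkt.protocol) or (
        rule.protocol == "tcp_udp" and pkt.protocol in ("tcp", "udp"))
    return (proto_ok
            and (not rule.states or pkt.state in rule.states)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rule_sets: dict, name: str, pkt: Packet):
    """Return (action, rule number) of the first matching rule, or the default."""
    for number in sorted(rule_sets[name]):
        if matches(rule_sets[name][number], pkt):
            return rule_sets[name][number].action, number
    return "drop", None   # assumption: no default-action configured, so Vyatta drops


RULE_SETS = parse_rule_sets(SET_PATHS)

if __name__ == "__main__":
    samples = [
        ("publica-local", Packet("udp", 53, 40001, "established")),  # DNS reply to the router
        ("publica-local", Packet("tcp", 50123, 22, "new")),          # SSH attempt from outside
        ("publica-local", Packet("udp", 1194, 1194, "new")),         # unsolicited UDP/1194
        ("publica-in", Packet("tcp", 443, 51000, "established")),    # reply from external HTTPS
    ]
    for name, pkt in samples:
        print(name, pkt, "->", evaluate(RULE_SETS, name, pkt))
```

Run it with `python3` and the `__main__` block prints the verdict for each sample packet; to test a change to the rules, edit the corresponding line in SET_PATHS and add a packet to the list.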