Vyatta firewall module configuration. Part 11 – Firewall configuration on the vtun10 interface (VPN STS) of openredesR2
In the Vyatta firewall configuration for openredesR2, the rule sets that govern connections on the VPN interface, specifically vtun10 (VPN STS), remain to be done. We will now create the firewall rule set for vtun10 according to the policy established for our example topology.
To summarise, for the VPN interface of openredesR2 that connects both sites, the firewall policy establishes that:
On vtun10 of openredesR2 we will allow as local traffic only the OSPF traffic (if OSPF has been configured) coming from the other end of the VPN.
As inbound traffic, we will allow the replies to the administration connections that the R&D and Development departments make to the DMZ hosts, as well as inbound traffic destined for the corporate servers on permitted services.
We start by creating the rules for local traffic:
openredes@openredesR2# edit firewall name vpnsts-local rule 2
[edit firewall name vpnsts-local rule 2]
openredes@openredesR2# set action reject
[edit firewall name vpnsts-local rule 2]
openredes@openredesR2# set state invalid enable
[edit firewall name vpnsts-local rule 2]
openredes@openredesR2# set log enable
[edit firewall name vpnsts-local rule 2]
openredes@openredesR2# commit
[edit firewall name vpnsts-local rule 2]
openredes@openredesR2# up
[edit firewall name vpnsts-local]
openredes@openredesR2# edit rule 4
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# set action accept
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# set des
description  destination
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# set destination address 224.0.0.5/30
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# set protocol ospf
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# set source address 192.168.2.33/32
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# commit
[edit firewall name vpnsts-local rule 4]
openredes@openredesR2# up
[edit firewall name vpnsts-local]
openredes@openredesR2# show
 rule 2 {
     action reject
     log enable
     state {
         invalid enable
     }
 }
 rule 4 {
     action accept
     destination {
         address 224.0.0.5/30
     }
     protocol ospf
     source {
         address 192.168.2.33/32
     }
 }
[edit firewall name vpnsts-local]
openredes@openredesR2#
Note: OSPF uses the multicast addresses 224.0.0.5 and 224.0.0.6 and IP protocol 89, as per RFC 3171 and RFC 2328.
We apply the rule set we have just created to the corresponding interface in the corresponding direction:
openredes@openredesR2# top
[edit]
openredes@openredesR2# set interfaces openvpn vtun10 firewall local name vpnsts-local
[edit]
openredes@openredesR2# commit
[edit]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
openredes@openredesR2#
We create the rules for inbound traffic:
openredes@openredesR2# edit firewall name vpnsts-in rule 2
[edit firewall name vpnsts-in rule 2]
openredes@openredesR2# set action reject
[edit firewall name vpnsts-in rule 2]
openredes@openredesR2# set state invalid enable
[edit firewall name vpnsts-in rule 2]
openredes@openredesR2# set log enable
[edit firewall name vpnsts-in rule 2]
openredes@openredesR2# commit
[edit firewall name vpnsts-in rule 2]
openredes@openredesR2# up
[edit firewall name vpnsts-in]
openredes@openredesR2# edit rule 10
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# set action accept
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# set destination address 192.168.1.0/25
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# set source address 192.168.0.224/28
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# set state established enable
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# set state related enable
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# commit
[edit firewall name vpnsts-in rule 10]
openredes@openredesR2# up
[edit firewall name vpnsts-in]
openredes@openredesR2# edit rule 20
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# set action accept
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# set destination address 192.168.1.128/25
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# set source address 192.168.0.224/28
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# set state established enable
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# set state related enable
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# commit
[edit firewall name vpnsts-in rule 20]
openredes@openredesR2# up
[edit firewall name vpnsts-in]
openredes@openredesR2# edit rule 30
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# set action accept
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# set des
description  destination
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# set destination address 192.168.1.192/26
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# commit
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# show
 action accept
 destination {
     address 192.168.1.192/26
 }
[edit firewall name vpnsts-in rule 30]
openredes@openredesR2# up
[edit firewall name vpnsts-in]
openredes@openredesR2# show
 rule 2 {
     action reject
     log enable
     state {
         invalid enable
     }
 }
 rule 10 {
     action accept
     destination {
         address 192.168.1.0/25
     }
     source {
         address 192.168.0.224/28
     }
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action accept
     destination {
         address 192.168.1.128/25
     }
     source {
         address 192.168.0.224/28
     }
     state {
         established enable
         related enable
     }
 }
 rule 30 {
     action accept
     destination {
         address 192.168.1.192/26
     }
 }
[edit firewall name vpnsts-in]
openredes@openredesR2#
And we apply them to the corresponding interface in the corresponding direction:
openredes@openredesR2# top
[edit]
openredes@openredesR2# set interfaces openvpn vtun10 firewall in name vpnsts-in
[edit]
openredes@openredesR2# commit
[edit]
openredes@openredesR2# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
openredes@openredesR2#
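As an added example that is not part of the original post, the following Python script models how Vyatta evaluates a named rule set: rules are tried in ascending number order, the first match decides, and a packet that matches no rule falls through to the rule set's default action, which is drop unless default-action has been configured. It embeds the vpnsts-local and vpnsts-in rule sets re-typed in the brace syntax that show prints above (constructed input, same rules) and evaluates a few sample packets whose addresses are constructed for the example, so the administrator can check on the desk which flows each rule set accepts, rejects or drops before committing. The packet state stands for the conntrack state that the state match keys on; protocol names are mapped to IP protocol numbers by a small table (ospf is 89, as the note above says).

```python
"""Offline matcher for Vyatta named firewall rule sets (added example)."""
import ipaddress

# IP protocol numbers for the names used with `set protocol` (ospf = 89,
# see the note on RFC 2328 above); numeric protocols are accepted as-is.
PROTO_NUMBERS = {"ospf": 89, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47}

# Constructed input: the two rule sets from this page, re-typed in the
# brace syntax that `show` prints under [edit firewall name <name>].
VPNSTS_LOCAL = """
rule 2 { action reject log enable state { invalid enable } }
rule 4 { action accept destination { address 224.0.0.5/30 } protocol ospf
         source { address 192.168.2.33/32 } }
"""

VPNSTS_IN = """
rule 2 { action reject log enable state { invalid enable } }
rule 10 { action accept destination { address 192.168.1.0/25 }
          source { address 192.168.0.224/28 }
          state { established enable related enable } }
rule 20 { action accept destination { address 192.168.1.128/25 }
          source { address 192.168.0.224/28 }
          state { established enable related enable } }
rule 30 { action accept destination { address 192.168.1.192/26 } }
"""


def parse_ruleset(text):
    """Parse `show` brace syntax into {rule_number: {key: value-or-block}}.
    Tokenising on whitespace means the one-line form of the output parses too."""
    tokens = text.split()
    root, stack, i = {}, [], 0
    stack.append(root)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":                                        # close current block
            stack.pop()
            i += 1
        elif tokens[i + 1] == "{":                            # `state {`
            stack[-1][tok] = node = {}
            stack.append(node)
            i += 2
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":    # `rule 10 {`
            stack[-1][tok + " " + tokens[i + 1]] = node = {}
            stack.append(node)
            i += 3
        else:                                                 # leaf: `action accept`
            stack[-1][tok] = tokens[i + 1]
            i += 2
    return {int(k.split()[1]): v for k, v in root.items() if k.startswith("rule ")}


def rule_matches(rule, pkt):
    """Every criterion the rule sets must match; an unset criterion matches
    anything. `log` only controls logging and is not a criterion."""
    for side in ("source", "destination"):
        net = rule.get(side, {}).get("address")
        if net and ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(
                net, strict=False):
            return False
    proto = rule.get("protocol")
    if proto:
        number = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto]
        if number != pkt["protocol"]:
            return False
    wanted = [s for s, v in rule.get("state", {}).items() if v == "enable"]
    if wanted and pkt["state"] not in wanted:
        return False
    return True


def evaluate(ruleset_text, pkt, default_action="drop"):
    """First matching rule (ascending number) decides; with no match the
    rule set's default action applies, drop unless `default-action` was set."""
    rules = parse_ruleset(ruleset_text)
    for number in sorted(rules):
        if rule_matches(rules[number], pkt):
            return number, rules[number]["action"]
    return None, default_action


def packet(source, destination, protocol, state):
    """Packet as the firewall sees it: addresses, IP protocol number and
    conntrack state (new, established, related or invalid)."""
    return {"source": source, "destination": destination,
            "protocol": protocol, "state": state}


if __name__ == "__main__":
    # Constructed sample flows: an OSPF hello from the far VPN end, a reply
    # from a host in 192.168.0.224/28 to a host in 192.168.1.0/25, the same
    # pair opening a new connection, and a new connection to 192.168.1.192/26.
    samples = {
        "ospf hello":     (VPNSTS_LOCAL, packet("192.168.2.33", "224.0.0.5", 89, "new")),
        "admin reply":    (VPNSTS_IN, packet("192.168.0.230", "192.168.1.10", 6, "established")),
        "admin new conn": (VPNSTS_IN, packet("192.168.0.230", "192.168.1.10", 6, "new")),
        "to corp server": (VPNSTS_IN, packet("10.9.9.9", "192.168.1.200", 6, "new")),
    }
    for name, (text, p) in samples.items():
        print(f"{name:15} -> {evaluate(text, p)}")
```

Running the script prints the matching rule number and action for each sample flow. The useful property is that an edited rule set (for example, after adding a port match to a rule) can be re-checked against the same sample packets; a packet that hits no rule and reports drop is what makes the "only OSPF" wording of the local policy true, since that is the implicit default of a named rule set.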