# Vyatta/VyOS firewall "eth0local": filters traffic addressed to the router itself,
# attached on the last line as the `local` firewall of eth0. The `iptables -nvL`
# transcript further down shows the resulting chain: rules 10, 20, 30 in that order,
# then a default-action DROP entry (no default-action is set explicitly here).
#
# ALOW-NETWORK (sic): three /24 source networks trusted by rule 10.
set firewall group network-group ALOW-NETWORK network 93.155.130.0/24
set firewall group network-group ALOW-NETWORK network 93.155.131.0/24
set firewall group network-group ALOW-NETWORK network 93.155.162.0/24
# Rule 10: accept anything from ALOW-NETWORK. No protocol or destination port is
# set, so this is a source-only match (iptables shows prot all, dst 0.0.0.0/0).
set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 source group network-group ALOW-NETWORK
# ALOW-IP: individual trusted hosts for rule 20. 10.18.5.55 and 192.168.100.25 are
# RFC1918 addresses; NOTE(review): no anti-spoofing filter for private source
# ranges is visible in this listing — confirm that is handled elsewhere if eth0
# faces an untrusted network.
set firewall group address-group ALOW-IP address 213.91.213.195
set firewall group address-group ALOW-IP address 10.18.5.55
set firewall group address-group ALOW-IP address 192.168.100.25
# Rule 20: accept anything from the ALOW-IP hosts; source-only match, as rule 10.
set firewall name eth0local rule 20 action accept
set firewall name eth0local rule 20 source group address-group ALOW-IP
# ALOW-PORT: destination ports for rule 30 (22 = SSH, 443 = HTTPS).
set firewall group port-group ALOW-PORT port 22
set firewall group port-group ALOW-PORT port 443
# Rule 30: accept 212.233.128.0/17 only to the ALOW-PORT destination ports.
# No protocol is specified (iptables shows prot all with `match-set ALOW-PORT dst`);
# NOTE(review): confirm the port-group match covers exactly the protocols intended
# (e.g. TCP only) rather than every protocol carrying a port number.
set firewall name eth0local rule 30 action accept
set firewall name eth0local rule 30 destination group port-group ALOW-PORT
set firewall name eth0local rule 30 source address 212.233.128.0/17
# Apply the rule set to traffic destined for the router on eth0.
# NOTE(review): no state (established/related) rule appears in this listing and
# the chain ends in DROP, so replies to connections the router itself initiates
# (DNS, NTP, updates) would only pass if their source matches rules 10-30 — confirm
# this is intended or covered elsewhere.
set interfaces ethernet eth0 firewall local name eth0local
vyatta@core2# show firewall
group {
address-group ALOW-IP {
address 213.91.213.195
address 10.18.5.55
address 192.168.100.25
}
network-group ALOW-NETWORK {
network 93.155.130.0/24
network 93.155.131.0/24
network 93.155.162.0/24
}
port-group ALOW-PORT {
port 22
port 443
}
}
name eth0local {
rule 10 {
action accept
source {
group {
network-group ALOW-NETWORK
}
}
}
rule 20 {
action accept
source {
group {
address-group ALOW-IP
}
}
}
rule 30 {
action accept
destination {
group {
port-group ALOW-PORT
}
}
source {
address 212.233.128.0/17
}
}
}
[edit]
vyatta@core2# sudo su
core2:/home/vyatta# iptables -nvL
Chain eth0local (1 references)
pkts bytes target prot opt in out source destination
458 34638 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-10 */ match-set ALOW-NETWORK src
19 1596 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-20 */ match-set ALOW-IP src
17 2012 RETURN all -- * * 212.233.128.0/17 0.0.0.0/0 /* eth0local-30 */ match-set ALOW-PORT dst
804 71243 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-10000 default-action drop */
# Vyatta/VyOS firewall "eth0local": filters traffic addressed to the router itself,
# attached on the last line as the `local` firewall of eth0. The `iptables -nvL`
# transcript further down shows the resulting chain: rules 10, 20, 30 in that order,
# then a default-action DROP entry (no default-action is set explicitly here).
#
# ALOW-NETWORK (sic): three /24 source networks trusted by rule 10.
set firewall group network-group ALOW-NETWORK network 93.155.130.0/24
set firewall group network-group ALOW-NETWORK network 93.155.131.0/24
set firewall group network-group ALOW-NETWORK network 93.155.162.0/24
# Rule 10: accept anything from ALOW-NETWORK. No protocol or destination port is
# set, so this is a source-only match (iptables shows prot all, dst 0.0.0.0/0).
set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 source group network-group ALOW-NETWORK
# ALOW-IP: individual trusted hosts for rule 20. 10.18.5.55 and 192.168.100.25 are
# RFC1918 addresses; NOTE(review): no anti-spoofing filter for private source
# ranges is visible in this listing — confirm that is handled elsewhere if eth0
# faces an untrusted network.
set firewall group address-group ALOW-IP address 213.91.213.195
set firewall group address-group ALOW-IP address 10.18.5.55
set firewall group address-group ALOW-IP address 192.168.100.25
# Rule 20: accept anything from the ALOW-IP hosts; source-only match, as rule 10.
set firewall name eth0local rule 20 action accept
set firewall name eth0local rule 20 source group address-group ALOW-IP
# ALOW-PORT: destination ports for rule 30 (22 = SSH, 443 = HTTPS).
set firewall group port-group ALOW-PORT port 22
set firewall group port-group ALOW-PORT port 443
# Rule 30: accept 212.233.128.0/17 only to the ALOW-PORT destination ports.
# No protocol is specified (iptables shows prot all with `match-set ALOW-PORT dst`);
# NOTE(review): confirm the port-group match covers exactly the protocols intended
# (e.g. TCP only) rather than every protocol carrying a port number.
set firewall name eth0local rule 30 action accept
set firewall name eth0local rule 30 destination group port-group ALOW-PORT
set firewall name eth0local rule 30 source address 212.233.128.0/17
# Apply the rule set to traffic destined for the router on eth0.
# NOTE(review): no state (established/related) rule appears in this listing and
# the chain ends in DROP, so replies to connections the router itself initiates
# (DNS, NTP, updates) would only pass if their source matches rules 10-30 — confirm
# this is intended or covered elsewhere.
set interfaces ethernet eth0 firewall local name eth0local
vyatta@core2# show firewall
group {
address-group ALOW-IP {
address 213.91.213.195
address 10.18.5.55
address 192.168.100.25
}
network-group ALOW-NETWORK {
network 93.155.130.0/24
network 93.155.131.0/24
network 93.155.162.0/24
}
port-group ALOW-PORT {
port 22
port 443
}
}
name eth0local {
rule 10 {
action accept
source {
group {
network-group ALOW-NETWORK
}
}
}
rule 20 {
action accept
source {
group {
address-group ALOW-IP
}
}
}
rule 30 {
action accept
destination {
group {
port-group ALOW-PORT
}
}
source {
address 212.233.128.0/17
}
}
}
[edit]
vyatta@core2# sudo su
core2:/home/vyatta# iptables -nvL
Chain eth0local (1 references)
pkts bytes target prot opt in out source destination
458 34638 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-10 */ match-set ALOW-NETWORK src
19 1596 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-20 */ match-set ALOW-IP src
17 2012 RETURN all -- * * 212.233.128.0/17 0.0.0.0/0 /* eth0local-30 */ match-set ALOW-PORT dst
804 71243 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* eth0local-10000 default-action drop */