
KZKY memo

Personal notes.

Building a closed network with GNS3 + Qemu + Vyatta

Overview

A closed (isolated) network made of:

  • router: 1 (192.168.10.1, 192.168.20.1)
  • networks: 2 (192.168.10.0/24, 192.168.20.0/24)
  • hosts: 4 (addresses via DHCP)

[Figure: network topology diagram (image dated 2013-12-30)]

Configuration on Vyatta 6.5

  • IP / MAC
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces ethernet eth2 address 192.168.20.1/24
set interfaces ethernet eth1 hw-id 52:54:01:a6:4c:01
set interfaces ethernet eth2 hw-id 52:54:01:a6:4c:02
#set system gateway-address 192.168.20.1
commit
# 'save' with no argument writes /config/config.boot, the file loaded at boot
save
# eth1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 start 192.168.10.30 stop 192.168.10.249
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 default-router 192.168.10.1
# eth2
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 start 192.168.20.30 stop 192.168.20.249
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 default-router 192.168.20.1
commit 
save
  • Firewall
# TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
set firewall name TO-ROUTER default-action reject

## rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable

## rule 20 (use mask 255.255.0.0 so a single rule covers both subnets)
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
set firewall name TO-ROUTER rule 20 source address 192.168.0.0/16
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable

## rule 30 (no source filter)
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable

## rule 32 (no source filter)
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable

## rule 34 (no source filter)
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

## set firewall on eth1 and eth2
set interfaces ethernet eth1 firewall local name TO-ROUTER
set interfaces ethernet eth2 firewall local name TO-ROUTER

commit
save
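A small audit script for the DHCP and firewall configuration above, added here as an example; it is not code from the original post or from Vyatta, and the names POST_CONFIG, WEAKENED_CONFIG, parse_set_commands, check_dhcp, check_local_firewall and audit are my own. It rebuilds Vyatta's configuration tree from the `set` commands and then checks the properties this lab's config is meant to provide: each DHCP lease range fits its subnet and never hands out the router's address, and the TO-ROUTER policy rejects by default, only accepts SSH from a restricted source, and is bound to every ethernet interface. The sample input is the post's own commands (constructed inline, comments stripped) plus a deliberately weakened variant so the checks have something to report.

```python
"""Audit a Vyatta lab configuration given as 'set ...' commands.

Added example, not code from the post or from Vyatta. Every token of a 'set'
path becomes a nested key, mirroring Vyatta's own config tree ('start X stop Y'
nests stop under X); the checks encode what this lab's config should guarantee.
"""
import ipaddress
import shlex

# Constructed sample: the relevant commands from the post, without comments.
POST_CONFIG = """
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces ethernet eth2 address 192.168.20.1/24
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 start 192.168.10.30 stop 192.168.10.249
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 start 192.168.20.30 stop 192.168.20.249
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 default-router 192.168.20.1
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
set firewall name TO-ROUTER default-action reject
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
set firewall name TO-ROUTER rule 20 source address 192.168.0.0/16
set firewall name TO-ROUTER rule 20 destination port ssh
set interfaces ethernet eth1 firewall local name TO-ROUTER
set interfaces ethernet eth2 firewall local name TO-ROUTER
"""

# Constructed weakened variant: SSH rule without a source match, eth2 unprotected.
WEAKENED_CONFIG = "\n".join(
    line for line in POST_CONFIG.splitlines()
    if "rule 20 source" not in line and "eth2 firewall" not in line)

def parse_set_commands(text):
    """Nested dict from 'set a b c' lines; comments, commit and save are skipped."""
    tree = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        node = tree
        for token in shlex.split(line)[1:]:  # shlex keeps quoted descriptions whole
            node = node.setdefault(token, {})
    return tree

def leaf(node):
    """Value of a single-valued node ('destination port ssh' -> 'ssh'), or None."""
    return next(iter(node)) if node else None

def check_dhcp(tree):
    """Each lease range must fit its subnet and must not contain the default router."""
    findings = []
    pools = tree.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    for name, pool in pools.items():
        for subnet, sub in pool.get("subnet", {}).items():
            net = ipaddress.ip_network(subnet)
            router = leaf(sub.get("default-router"))
            if router is None or ipaddress.ip_address(router) not in net:
                findings.append(f"{name}: default-router {router} is not inside {net}")
            for start, rest in sub.get("start", {}).items():
                lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(leaf(rest["stop"]))
                if lo not in net or hi not in net or lo > hi:
                    findings.append(f"{name}: range {lo}-{hi} does not fit {net}")
                elif router and lo <= ipaddress.ip_address(router) <= hi:
                    findings.append(f"{name}: default-router {router} lies inside the lease range")
    return findings

def check_local_firewall(tree, policy="TO-ROUTER"):
    """Reject by default, SSH only from inside the lab, applied on every interface."""
    findings = []
    fw = tree.get("firewall", {}).get("name", {}).get(policy)
    if fw is None:
        return [f"{policy}: policy is not defined"]
    if leaf(fw.get("default-action")) != "reject":
        findings.append(f"{policy}: default-action is not reject")
    ethernet = tree.get("interfaces", {}).get("ethernet", {})
    # networks directly connected to the router, derived from its interface addresses
    nets = [ipaddress.ip_interface(a).network for i in ethernet.values() for a in i.get("address", {})]
    for rid, rule in sorted(fw.get("rule", {}).items(), key=lambda kv: int(kv[0])):
        if leaf(rule.get("action")) != "accept":
            continue
        if leaf(rule.get("destination", {}).get("port")) not in ("ssh", "22"):
            continue
        src = leaf(rule.get("source", {}).get("address"))
        if src is None:
            findings.append(f"{policy} rule {rid}: SSH to the router accepted from any source")
        elif not any(ipaddress.ip_network(src).subnet_of(n) for n in nets):
            findings.append(f"{policy} rule {rid}: SSH source {src} is wider than any connected subnet")
    for ifname, ifcfg in ethernet.items():
        if leaf(ifcfg.get("firewall", {}).get("local", {}).get("name")) != policy:
            findings.append(f"{ifname}: {policy} is not applied as the local firewall")
    return findings

def audit(text):
    """All findings for one configuration, in the order the checks run."""
    tree = parse_set_commands(text)
    return check_dhcp(tree) + check_local_firewall(tree)

if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

On the post's own configuration the only finding is that the SSH source 192.168.0.0/16 is wider than the two connected /24s, which the rule 20 comment already acknowledges as deliberate; the weakened variant shows what the audit catches when the source match or an interface binding is dropped.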

tiny-linux 4.7.7 configuration (on each of the 4 hosts)

# the default gateway is the router address on the host's own subnet: 192.168.10.1 for hosts on 192.168.10.0/24, 192.168.20.1 for hosts on 192.168.20.0/24
$ route add default gw 192.168.20.1 dev eth1
or (when specifying the network explicitly)
$ route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.20.1 dev eth1
  • Verify ping/ssh from any host and from the router
$ ping 192.168.10.1
$ ping 192.168.10.xx
$ ping 192.168.10.yy
$ ping 192.168.20.1
$ ping 192.168.20.xx
$ ping 192.168.20.yy
$ ssh -l vyatta 192.168.10.1 ## to router
$ ssh -l vyatta 192.168.20.1 ## to router
$ ssh -l root 192.168.10.xx ## to another host
$ ssh -l root 192.168.20.yy ## to another host