
KZKY memo

Personal notes.

Building an open network (connected to the Internet) with GNS3 + Qemu + Vyatta

Overview

Open network (can reach the Internet)

  • Bridging would probably also give Internet access over ethernet/ieee802.11, but this is unverified
  • Use qemu's user-mode network to reach the Internet (ping to the Internet does not work)
  • router:1 (10.0.2.15/24, 192.168.10.1/24, 192.168.20.1/24)
  • network:3 (10.0.2.0/24, 192.168.10.0/24, 192.168.20.0/24)
  • host:2


qemu user-mode network

  • default
    • dhcp: 10.0.2.2
    • dhcp-ip-range: 10.0.2.15 -
    • dns: 10.0.2.3
    • host: 10.0.2.2

Adding qemu options

  • gns3 -> preferences -> qemu -> qemu guest -> select vyatta (add qemu option: -net user)
  • Reference: "-net user,vlan=0,net=10.2.0.0/81,host=10.2.0.2,dhcpstart=10.2.0.203"

Vyatta configuration

set system gateway-address 10.0.2.2 # qemu's default dhcp server/router (user-mode)
set system name-server 10.0.2.3 # qemu's default dns server (user-mode)
set interfaces ethernet eth0 dhcp # verify with: show interfaces (not in configuration mode)
set interfaces ethernet eth0 hw-id 52:54:01:a6:4c:00
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces ethernet eth2 address 192.168.20.1/24
set interfaces ethernet eth1 hw-id 52:54:01:a6:4c:01
set interfaces ethernet eth2 hw-id 52:54:01:a6:4c:02
commit
save config
#eth1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 start 192.168.10.30 stop 192.168.10.249
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.10.0/24 default-router 192.168.10.1
#eth2
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 start 192.168.20.30 stop 192.168.20.249
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.20.0/24 default-router 192.168.20.1
commit
save
  • NAT (minimal)
set nat source rule 10 description "NAT on eth0"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.0.0/16
set nat source rule 10 protocol tcp
set nat source rule 10 translation address masquerade
set nat source rule 20 description "NAT on eth0"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 192.168.0.0/16
set nat source rule 20 protocol icmp
set nat source rule 20 translation address masquerade
  • firewall
# TO-FROM-HOST
set firewall name TO-FROM-HOST description "Traffic to/from Host"
set firewall name TO-FROM-HOST default-action accept
set interfaces ethernet eth0 firewall in name TO-FROM-HOST

# TO-ROUTER 
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
set firewall name TO-ROUTER default-action reject

## rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable

## rule 20 (use mask 255.255.0.0 so a single firewall rule covers both LANs)
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
set firewall name TO-ROUTER rule 20 source address 192.168.0.0/16
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable

## rule 30 (no source filtering)
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable

## rule 32 (no source filtering)
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable

## rule 34 (no source filtering)
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

## set firewall on eth1 and eth2
set interfaces ethernet eth1 firewall local name TO-ROUTER
set interfaces ethernet eth2 firewall local name TO-ROUTER

commit
save
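Added example (not from the original post): a small Python model of the TO-ROUTER firewall and the source NAT rules above, evaluated first-match against constructed sample packets. The rule contents are taken from the configuration above; the ordering, first-match and default-action semantics are my assumptions about how Vyatta applies a rule set, and the packet data is constructed. Running it shows the effect of "default-action reject" on the local chain, confirms that the 192.168.0.0/16 source in rule 20 covers both LANs, and shows that the NAT rules as written only translate tcp and icmp, so UDP sent by a LAN host leaves eth0 untranslated.

```python
"""Offline first-match model of the TO-ROUTER firewall and source NAT rules.

Assumptions (mine, not Vyatta's): rules are tried in ascending number order,
the first match decides, and an unmatched packet gets the default action.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                    # source IPv4 address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    established: bool = False   # conntrack state established/related


@dataclass
class Rule:
    number: int
    action: str
    description: str
    proto: Optional[str] = None
    source: Optional[str] = None   # CIDR; None means any source
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state_established: bool = False  # "state established/related enable"

    def matches(self, pkt: Packet) -> bool:
        # A criterion that is not set matches anything.
        if self.state_established and not pkt.established:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.source and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules, default_action, pkt):
    """Return (action, rule number) of the first matching rule, or the default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default_action, None


# TO-ROUTER as configured above ("destination port ssh" = tcp/22).
TO_ROUTER = [
    Rule(10, "accept", "Accept Established-Related Connections", state_established=True),
    Rule(20, "accept", "SSH Access", proto="tcp", source="192.168.0.0/16", dport=22),
    Rule(30, "accept", "Accept ICMP Unreachable", proto="icmp", icmp_type=3),
    Rule(32, "accept", "Accept ICMP Echo Request", proto="icmp", icmp_type=8),
    Rule(34, "accept", "Accept ICMP Time-Exceeded", proto="icmp", icmp_type=11),
]
TO_ROUTER_DEFAULT = "reject"

# Source NAT rules 10 and 20 as configured above: tcp and icmp only.
SNAT = [
    Rule(10, "masquerade", "NAT on eth0", proto="tcp", source="192.168.0.0/16"),
    Rule(20, "masquerade", "NAT on eth0", proto="icmp", source="192.168.0.0/16"),
]

LANS = ["192.168.10.0/24", "192.168.20.0/24"]   # eth1 and eth2 networks


def to_router(pkt: Packet):
    return evaluate(TO_ROUTER, TO_ROUTER_DEFAULT, pkt)


def snat(pkt: Packet):
    return evaluate(SNAT, "no-nat", pkt)


def source_covers_lans(source_cidr: str) -> bool:
    """True if every LAN subnet lies inside the rule's source prefix."""
    net = ipaddress.ip_network(source_cidr)
    return all(ipaddress.ip_network(lan).subnet_of(net) for lan in LANS)


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.168.10.50", "tcp", dport=22),
        Packet("192.168.10.50", "tcp", dport=443),
        Packet("192.168.20.7", "icmp", icmp_type=8),
        Packet("192.168.10.50", "udp", dport=53),
    ]
    for p in samples:
        print(p, "-> TO-ROUTER", to_router(p), "| SNAT", snat(p))
    print("rule 20 source covers both LANs:", source_covers_lans("192.168.0.0/16"))
```

A new tcp connection to a port other than 22, or any UDP datagram to the router, falls through to the default reject on eth1/eth2; UDP from a LAN host also matches neither NAT rule, which is worth knowing before relying on the hosts' name resolution through this router.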

# tiny-linux 4.7.7 configuration * 4

$ sudo route add default gw 192.168.10.1 dev eth0
or (when specifying the network)
$ sudo route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1 dev eth0
$ sudo route add default gw 192.168.20.1 dev eth0
or (when specifying the network)
$ sudo route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.20.1 dev eth0
  • check ping/ssh from any host and from the router
$ ping 192.168.10.1
$ ping 192.168.10.xx
$ ping 192.168.10.yy
$ ping 192.168.20.1
$ ping 192.168.20.xx
$ ping 192.168.20.yy
$ ssh -l vyatta 192.168.10.1 ## to router
$ ssh -l vyatta 192.168.20.1 ## to router
$ ssh -l root 192.168.10.xx ## to another host
$ ssh -l root 192.168.20.yy ## to another host
$ wget "http://yahoo.co.jp"
$ ssh -l host your.external.server