Sunday, December 26, 2010

Vyatta PPPoE, VPN and NAT with a firewall protecting the WAN

PPPoE WAN interface to the Internet


set interfaces ethernet eth0 address '192.168.1.100/24'

set interfaces ethernet eth0 duplex 'auto'

set interfaces ethernet eth0 hw-id '00:1c:23:00:69:4b'

set interfaces ethernet eth0 pppoe 0 default-route 'auto'

set interfaces ethernet eth0 pppoe 0 mtu '1492'

set interfaces ethernet eth0 pppoe 0 name-server 'auto'

set interfaces ethernet eth0 pppoe 0 password 'admintest'

set interfaces ethernet eth0 pppoe 0 user-id 'testpppoe@truehisp'




ruamit@vyatta# show interfaces

ethernet eth0 {

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

password admintest

user-id testpppoe@truehisp

}



NAT


set service nat rule 2 outbound-interface 'pppoe0'

set service nat rule 2 source address '172.16.0.0/24'

set service nat rule 2 type 'masquerade'

set service nat rule 20 description 'Port-Forword-PPTP_1723'

set service nat rule 20 destination port '1723'

set service nat rule 20 inbound-interface 'pppoe0'

set service nat rule 20 inside-address address '172.16.0.1'

set service nat rule 20 inside-address port '1723'

set service nat rule 20 protocol 'tcp_udp'

set service nat rule 20 type 'destination'


ruamit@vyatta# show service nat

nat {

rule 2 {

description NAT_POOL

outbound-interface pppoe0

source {

address 172.16.0.0/24

}

type masquerade

}

rule 20 {

description Port-Forword-PPTP_1723

destination {

port 1723

}

inbound-interface pppoe0

inside-address {

address 172.16.0.1

port 1723

}

protocol tcp_udp

type destination

}

}




Limit bandwidth (shaper on eth1 outbound, limiter on eth1 inbound)

set traffic-policy shaper 10m default bandwidth 10mbit

set traffic-policy limiter 5m default bandwidth 5mbit

set interfaces ethernet eth1 traffic-policy out 10m

set interfaces ethernet eth1 traffic-policy in 5m

ruamit@vyatta# show traffic-policy

limiter 5m {

default {

bandwidth 5mbit

}

}

shaper 10m {

default {

bandwidth 10mbit

}

}

[edit]


ruamit@vyatta# show interfaces ethernet eth1

address 172.16.0.1/24

description internal_network

hw-id 00:0c:29:00:9e:07

traffic-policy {

in 5m

out 10m

}

[edit]

ruamit@vyatta#





PPTP VPN (remote access)


set vpn pptp remote-access authentication local-users username vyattaadmin password 'cisco123'

set vpn pptp remote-access authentication mode 'local'

set vpn pptp remote-access client-ip-pool start '172.16.0.100'

set vpn pptp remote-access client-ip-pool stop '172.16.0.110'

set vpn pptp remote-access dns-servers server-1 '203.144.207.49'

set vpn pptp remote-access outside-address '172.16.0.1'


ruamit@vyatta# show vpn

pptp {

remote-access {

authentication {

local-users {

username vyattaadmin {

password cisco123

}

}

mode local

}

client-ip-pool {

start 172.16.0.100

stop 172.16.0.110

}

dns-servers {

server-1 203.144.207.49

}

outside-address 172.16.0.1

}

}

}



SNMP (read-only community, restricted to one client address)


set service snmp community public authorization 'ro'

set service snmp community public client 172.16.0.100


ruamit@vyatta# show service snmp

snmp {

community public {

authorization ro

client 172.16.0.100

}




Telnet and SSH

ruamit@vyatta# set service telnet

ruamit@vyatta# set service ssh



System login users


set system login user nmc authentication plaintext-password nmc1234

set system login user nmc level 'operator'

set system login user ruamit authentication plaintext-password admin1234

set system login user ruamit level 'admin'



ruamit@vyatta# show system login

user nmc {

authentication {

encrypted-password $1$uaLO3jod$Dnzwb7CeYPvviNnjZTNgV0

plaintext-password ""

}

level operator

}

user ruamit {

authentication {

encrypted-password $1$KeWhiX1f$s2bnIdWba6bYDT8X8eVEa0

plaintext-password ""

}

}




NTP, time zone and DNS name servers


set system time-zone 'Asia/Bangkok'

set system ntp-server 'time.navy.mi.th'

set system name-server '8.8.8.8'

set system name-server '8.8.4.4'



Web proxy (caching only, no URL filtering)


set service webproxy cache-size '200'

set service webproxy default-port '8080'

set service webproxy 'disable-access-log'

set service webproxy listen-address '172.16.0.1'


ruamit@vyatta# show service webproxy

cache-size 200

default-port 8080

disable-access-log

listen-address 172.16.0.1 {

}




Dynamic DNS

set service dns dynamic interface pppoe0 service dyndns host-name 'ssl-vpn.dyndns-ip.com'

set service dns dynamic interface pppoe0 service dyndns login 'abcsd'

set service dns dynamic interface pppoe0 service dyndns password 'xxxxxx'


ruamit@vyatta# show service dns

dynamic {

interface pppoe0 {

service dyndns {

host-name ssl-vpn.dyndns-ip.com

login adscd

password xxxxx

}

}

}




Firewall filter on the WAN PPPoE interface (to-router is applied as the local rule set, to-external as the out rule set; note that to-router rule 1 is the SSH rule and rule 2, although described as 'SSH', matches ICMP)


set firewall name to-external default-action 'accept'

set firewall name to-external rule 1 action 'drop'

set firewall name to-external rule 1 destination port '600-65535'

set firewall name to-external rule 1 protocol 'udp'

set firewall name to-external rule 1 source address '0.0.0.0/0'

set firewall name to-external rule 2 action 'drop'

set firewall name to-external rule 2 destination port '135,137-139,445'

set firewall name to-external rule 2 protocol 'tcp_udp'

set firewall name to-router default-action 'drop'

set firewall name to-router rule 1 action 'accept'

set firewall name to-router rule 1 destination port '22'

set firewall name to-router rule 1 protocol 'tcp'

set firewall name to-router rule 1 source address '117.121.208.0/24'

set firewall name to-router rule 2 action 'accept'

set firewall name to-router rule 2 description 'SSH'

set firewall name to-router rule 2 destination address '0.0.0.0/0'

set firewall name to-router rule 2 protocol 'icmp'

set firewall name to-router rule 2 source address '0.0.0.0/0'

set firewall name to-router rule 3 action 'accept'

set firewall name to-router rule 3 log 'disable'

set firewall name to-router rule 3 protocol 'all'

set firewall name to-router rule 3 state established 'enable'

set firewall name to-router rule 3 state invalid 'disable'

set firewall name to-router rule 3 state new 'disable'

set firewall name to-router rule 3 state related 'enable'

set firewall name to-router rule 4 action 'accept'

set firewall name to-router rule 4 description 'SNMP'

set firewall name to-router rule 4 destination port '161-162'

set firewall name to-router rule 4 protocol 'udp'

set firewall name to-router rule 4 source address '0.0.0.0/0'

set firewall name to-router rule 5 action 'accept'

set firewall name to-router rule 5 description 'PPTP'

set firewall name to-router rule 5 destination port '1723'

set firewall name to-router rule 5 protocol 'tcp_udp'

set interfaces ethernet eth0 pppoe 0 firewall local name 'to-router'

set interfaces ethernet eth0 pppoe 0 firewall out name 'to-external'


ruamit@vyatta# show firewall

name to-external {

default-action accept

rule 1 {

action drop

destination {

port 600-65535

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 2 {

action drop

destination {

port 135,137-139,445

}

protocol tcp_udp

}

}

name to-router {

rule 1 {

action accept

destination {

port 22

}

protocol tcp

source {

address 117.121.208.0/24

}

}

rule 2 {

action accept

description SSH

destination {

address 0.0.0.0/0

}

protocol icmp

source {

address 0.0.0.0/0

}

}

rule 3 {

action accept

log disable

protocol all

state {

established enable

invalid disable

new disable

related enable

}

}

rule 4 {

action accept

description SNMP

destination {

port 161-162

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 5 {

action accept

description PPTP

destination {

port 1723

}

protocol tcp_udp

}

}

send-redirects disable

syn-cookies disable

}


ruamit@vyatta# show interfaces ethernet eth0

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

firewall {

local {

name to-router

}

out {

name to-external

}

}

password admintest

user-id testpppoe@truehisp

}




