1. Security zones and interfaces
1.1 Interface configuration
Because three VLANs are in use on the internal network and the gateway of each VLAN sits on the firewall, VLAN tagging is enabled on the internal interface. ge-0/0/1 is the internal interface and is divided into three sub-interfaces: sub-interface 1 corresponds to VLAN 10 (the 192.168.100.0/24 segment), sub-interface 2 to VLAN 2 (the 192.168.1.0/24 segment) and sub-interface 3 to VLAN 3 (the 172.16.1.0/24 segment). ge-0/0/0 is the external interface and does not need tagging.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 1 vlan-id 10
set interfaces ge-0/0/1 unit 1 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 2 vlan-id 2
set interfaces ge-0/0/1 unit 2 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 1 vlan-id 4
set interfaces ge-0/0/3 unit 1 family inet address 192.168.4.1/24
set interfaces ge-0/0/3 unit 2 vlan-id 5
set interfaces ge-0/0/3 unit 2 family inet address 192.168.5.1/24
set interfaces ge-0/0/0 unit 0 family inet address 113.106.95.115/28
1.2 Creating the security zones
As required, the internal network is divided into three zones: trust is the zone for internal staff (192.168.100.0/24), server is the zone for the servers (192.168.1.0/24), and guest is the zone for visitors (172.16.1.0/24).
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone server host-inbound-traffic system-services all
set security zones security-zone server host-inbound-traffic protocols all
set security zones security-zone guest host-inbound-traffic system-services all
set security zones security-zone guest host-inbound-traffic protocols all
1.3 Assigning the interfaces to their zones and configuring the management services allowed on each interface
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services dhcp
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services ping
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services http
set security zones security-zone guest interfaces ge-0/0/1.3 host-inbound-traffic system-services dhcp
2. Security policy configuration
Each security zone contains an address book. Before creating policies between two zones, the addresses in the zone's address book must be defined; the policies then reference that address book.
2.1 Configuring the address book
set security zones security-zone server address-book address server250 192.168.1.250/32
set security zones security-zone server address-book address server249 192.168.1.249/32
set security zones security-zone server address-book address server248 192.168.1.248/32
2.2 Configuring applications
No new applications need to be created in this deployment; the system's predefined SSH application (junos-ssh) is used.
2.3 Security policies
The rules currently defined are as follows:
The internal user zone (trust), the server zone (server) and the visitor zone (guest) are allowed to access the external zone (untrust);
The internal user zone (trust) and the server zone (server) are allowed to access each other;
The external zone (untrust) is allowed SSH access to the three servers (192.168.1.248 – 250) in the server zone (server).
In addition, the firewall has a default policy that permits trust-to-trust traffic.
Everything else is denied by the firewall's default policy, that is, all other traffic is blocked.
Allow the internal user zone (trust) to access the external zone (untrust):
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
Allow the server zone (server) to access the external zone (untrust):
set security policies from-zone server to-zone untrust policy server-to-untrust match source-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match destination-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match application any
set security policies from-zone server to-zone untrust policy server-to-untrust then permit
Allow the visitor zone (guest) to access the external zone (untrust):
set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any
set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit
Allow the internal user zone (trust) and the server zone (server) to access each other:
set security policies from-zone trust to-zone server policy trust-to-server match source-address any
set security policies from-zone trust to-zone server policy trust-to-server match destination-address any
set security policies from-zone trust to-zone server policy trust-to-server match application any
set security policies from-zone trust to-zone server policy trust-to-server then permit
set security policies from-zone server to-zone trust policy server-to-trust match source-address any
set security policies from-zone server to-zone trust policy server-to-trust match destination-address any
set security policies from-zone server to-zone trust policy server-to-trust match application any
set security policies from-zone server to-zone trust policy server-to-trust then permit
Allow the external zone (untrust) SSH access to the three servers (192.168.1.248 – 250) in the server zone (server):
set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server249
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server248
set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh
set security policies from-zone untrust to-zone server policy untrust-to-server then permit
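As an added example (not part of the original page), the following Python models the policy lookup the firewall performs for the untrust-to-server rule above: the address book and the policy are parsed from their set lines, a flow is matched on source, destination and application in configured order within the zone pair, and anything unmatched falls to the default deny described above. The definition of the predefined junos-ssh application as TCP port 22 is an assumption.

```python
import ipaddress
# Constructed excerpt of the page's configuration: the server zone address book
# and the untrust-to-server policy (the other policies are omitted).
CONFIG = """
set security zones security-zone server address-book address server250 192.168.1.250/32
set security zones security-zone server address-book address server249 192.168.1.249/32
set security zones security-zone server address-book address server248 192.168.1.248/32
set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server249
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server248
set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh
set security policies from-zone untrust to-zone server policy untrust-to-server then permit
"""
APPS = {"junos-ssh": ("tcp", 22)}  # assumed definition of the predefined application

def parse(config):
    """Build the address book and an ordered policy table from 'set' lines."""
    book, policies = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[2] == "zones":
            book[t[7]] = ipaddress.ip_network(t[8])
        else:
            p = policies.setdefault((t[4], t[6], t[8]),  # (from-zone, to-zone, policy name)
                                    {"source-address": [], "destination-address": [], "application": []})
            if t[9] == "match":
                p[t[10]].append(t[11])
            else:
                p["action"] = t[10]
    return book, policies

def addr_match(names, ip, book):
    return "any" in names or any(ip in book[n] for n in names if n in book)

def app_match(names, proto, port):
    return "any" in names or any(APPS.get(n) == (proto, port) for n in names)

def evaluate(book, policies, from_zone, to_zone, src, dst, proto, port):
    """First matching policy of the zone pair wins; no match is the SRX default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (fz, tz, name), p in policies.items():
        if (fz, tz) == (from_zone, to_zone) and addr_match(p["source-address"], src, book) \
                and addr_match(p["destination-address"], dst, book) \
                and app_match(p["application"], proto, port):
            return p["action"], name
    return "deny", "default-deny"

BOOK, POLICIES = parse(CONFIG)
```

Calling evaluate with a destination outside the address book, a non-SSH port, or a zone pair with no policy returns the default deny, which is the behaviour the policy design above relies on.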
3. NAT configuration
3.1 Source NAT
When internal hosts access the external network, their source address must be translated. To conserve public addresses, the translated address is usually the external interface address, which is why this is also called interface NAT.
For the trust zone (internal staff) we define the source NAT rule set trust-to-untrust, so that all packets from the trust zone (192.168.100.0/24) to the untrust zone (external network) are source-NATed, mapping their source address to the public interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.100.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
For the server zone we define the source NAT rule set server-to-untrust, so that all packets from the server zone to the untrust zone (external network) are source-NATed, mapping their source address to the public interface address.
set security nat source rule-set server-to-untrust from zone server
set security nat source rule-set server-to-untrust to zone untrust
set security nat source rule-set server-to-untrust rule server-source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set server-to-untrust rule server-source-nat-rule then source-nat interface
For the guest zone (visitors) we define the source NAT rule set guest-to-untrust, so that all packets from the guest zone to the untrust zone (external network) are source-NATed, mapping their source address to the public interface address.
set security nat source rule-set guest-to-untrust from zone guest
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 172.16.1.0/24
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface
3.2 Destination NAT
In this project the SSH service on the internal servers must be reachable from the external network, so destination NAT, that is, port mapping, is used. Port 22 of 113.106.95.114 is mapped to port 22 of the internal host 192.168.1.250; port 202 of 113.106.95.114 is mapped to port 22 of 192.168.1.249; and port 221 of 113.106.95.114 is mapped to port 22 of 192.168.1.248.
Defining the address pools
Configure the address pools, i.e. the internal server IP address and port that traffic is mapped to. Three pools are currently defined in this project, named 250, 249 and 248.
set security nat destination pool 250 address 192.168.1.250/32
set security nat destination pool 250 address port 22
set security nat destination pool 249 address 192.168.1.249/32
set security nat destination pool 249 address port 22
set security nat destination pool 248 address 192.168.1.248/32
set security nat destination pool 248 address port 22
Defining the rules
Configure the destination NAT rules; three rules are defined, named 250, 249 and 248:
set security nat destination rule-set 1 from zone untrust
(defines which zone the traffic comes from)
set security nat destination rule-set 1 rule 250 match source-address 0.0.0.0/0
(matches the source address range; 0.0.0.0/0 means the source address is not restricted)
set security nat destination rule-set 1 rule 250 match destination-address 113.106.95.114/32
(matches the destination address; in this project the address 113.106.95.114 is used)
set security nat destination rule-set 1 rule 250 match destination-port 22
(matches destination port 22)
set security nat destination rule-set 1 rule 250 then destination-nat pool 250
(once the above conditions match, destination NAT is applied: packets to port 22 of 113.106.95.114 are mapped to pool 250, i.e. the destination address becomes 192.168.1.250 and the destination port becomes 22)
The other two rules follow the same pattern as rule 250:
set security nat destination rule-set 1 rule 249 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 249 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 249 match destination-port 220
set security nat destination rule-set 1 rule 249 then destination-nat pool 249
set security nat destination rule-set 1 rule 248 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 248 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 248 match destination-port 221
set security nat destination rule-set 1 rule 248 then destination-nat pool 248
Defining proxy ARP
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32
For external traffic to 113.106.95.114 to reach the firewall at all, proxy ARP must be used to bind 113.106.95.114 to the external interface ge-0/0/0.
Defining the policy from the external zone (untrust) to the server zone (server)
This policy was already configured in section 2.3 and does not need to be configured again.
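As an added example (not from the original page), this Python resolves an incoming external address and port through the destination NAT rules above (rules 250 and 249, with the ports as configured) and checks the proxy-ARP point made in this section: every rule's destination address must be bound to the external interface. It also flags a rule that repeats an earlier rule's match, since the first match in the rule set wins; that shadowing check goes beyond what the page states.

```python
import ipaddress
# Constructed excerpt of the page's destination NAT rule-set 1 (rules 250 and 249, proxy-ARP; 0.0.0.0/0 source lines omitted).
CONFIG = """
set security nat destination pool 250 address 192.168.1.250/32
set security nat destination pool 250 address port 22
set security nat destination pool 249 address 192.168.1.249/32
set security nat destination pool 249 address port 22
set security nat destination rule-set 1 rule 250 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 250 match destination-port 22
set security nat destination rule-set 1 rule 250 then destination-nat pool 250
set security nat destination rule-set 1 rule 249 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 249 match destination-port 220
set security nat destination rule-set 1 rule 249 then destination-nat pool 249
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32
"""
def parse(config):
    """Return pools {name: {ip, port}}, rules in configured order and proxy-ARP networks."""
    pools, rules, proxy = {}, {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[3] == "proxy-arp":
            proxy.append(ipaddress.ip_network(t[7]))
        elif t[4] == "pool" and t[7] == "port":
            pools.setdefault(t[5], {})["port"] = int(t[8])
        elif t[4] == "pool":
            pools.setdefault(t[5], {})["ip"] = str(ipaddress.ip_interface(t[7]).ip)
        elif t[8] == "match":
            r = rules.setdefault(t[7], {})
            r[t[9]] = ipaddress.ip_network(t[10]) if t[9].endswith("address") else int(t[10])
        else:  # 'then destination-nat pool <name>'
            rules.setdefault(t[7], {})["pool"] = t[11]
    return pools, rules, proxy

def resolve(pools, rules, dst_ip, dst_port):  # first matching rule wins; None = not translated
    dst_ip = ipaddress.ip_address(dst_ip)
    for r in rules.values():
        if dst_ip in r["destination-address"] and dst_port == r["destination-port"]:
            return pools[r["pool"]]["ip"], pools[r["pool"]]["port"]
    return None

def lint(rules, proxy):
    """Flag rules whose destination has no proxy-ARP binding or that repeat an earlier match."""
    problems, seen = [], {}
    for name, r in rules.items():
        key = (r["destination-address"], r["destination-port"])
        if not any(key[0].subnet_of(n) for n in proxy):
            problems.append(f"rule {name}: no proxy-arp for {key[0]}")
        if seen.setdefault(key, name) != name:
            problems.append(f"rule {name}: shadowed by rule {seen[key]}")
    return problems
```

A packet to 113.106.95.114 on an unmapped port resolves to None and is not translated, so the only traffic that can reach the servers' SSH ports from outside is what the three rules and the untrust-to-server policy both allow.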