1. Security zones and interfaces
1.1 Interface configuration
Because three VLANs are in use on the internal network and the gateway of each VLAN sits on the firewall, VLAN tagging is enabled on the internal interface. ge-0/0/1 is the internal interface and is split into three logical units: unit 1 carries VLAN 10 (192.168.100.0/24), unit 2 carries VLAN 2 (192.168.1.0/24), and unit 3 carries VLAN 3 (172.16.1.0/24). ge-0/0/0 is the external interface and does not need VLAN tagging.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 1 vlan-id 10
set interfaces ge-0/0/1 unit 1 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 2 vlan-id 2
set interfaces ge-0/0/1 unit 2 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 1 vlan-id 4
set interfaces ge-0/0/3 unit 1 family inet address 192.168.4.1/24
set interfaces ge-0/0/3 unit 2 vlan-id 5
set interfaces ge-0/0/3 unit 2 family inet address 192.168.5.1/24
set interfaces ge-0/0/0 unit 0 family inet address 113.106.95.115/28
1.2 Creating the security zones
As required, the internal network is divided into three zones: trust for internal staff (192.168.100.0/24), server for the servers (192.168.1.0/24), and guest for visitors (172.16.1.0/24).
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone server host-inbound-traffic system-services all
set security zones security-zone server host-inbound-traffic protocols all
set security zones security-zone guest host-inbound-traffic system-services all
set security zones security-zone guest host-inbound-traffic protocols all
1.3 Assigning interfaces to their zones and configuring management access on each interface
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services dhcp
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services ping
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services telnet
set security zones security-zone server interfaces ge-0/0/1.2 host-inbound-traffic system-services http
set security zones security-zone guest interfaces ge-0/0/1.3 host-inbound-traffic system-services dhcp
2. Security policy configuration
Every security zone contains an address book. Before policies can be created between two zones, the addresses must be defined in the zone's address book; the policies then reference those address-book entries.
2.1 Address books
set security zones security-zone server address-book address server250 192.168.1.250/32
set security zones security-zone server address-book address server249 192.168.1.249/32
set security zones security-zone server address-book address server248 192.168.1.248/32
2.2 Applications
No new application needs to be created for this deployment; the system's predefined SSH application (junos-ssh) is used.
2.3 Security policies
The rules currently defined are as follows:
The internal user zone (trust), the server zone (server) and the guest zone (guest) are allowed to access the external zone (untrust);
The internal user zone (trust) and the server zone (server) are allowed to access each other;
The external zone (untrust) is allowed to access the SSH application on the three servers (192.168.1.248 – 250) in the server zone (server).
In addition, the firewall has a default policy that permits trust-to-trust access.
Every other flow is denied by the firewall's default policy, that is, all other traffic is blocked.
Allow the internal user zone (trust) to access the external zone (untrust):
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
Allow the server zone (server) to access the external zone (untrust):
set security policies from-zone server to-zone untrust policy server-to-untrust match source-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match destination-address any
set security policies from-zone server to-zone untrust policy server-to-untrust match application any
set security policies from-zone server to-zone untrust policy server-to-untrust then permit
Allow the guest zone (guest) to access the external zone (untrust):
set security policies from-zone guest to-zone untrust policy guest-to-untrust match source-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match destination-address any
set security policies from-zone guest to-zone untrust policy guest-to-untrust match application any
set security policies from-zone guest to-zone untrust policy guest-to-untrust then permit
Allow the internal user zone (trust) and the server zone (server) to access each other:
set security policies from-zone trust to-zone server policy trust-to-server match source-address any
set security policies from-zone trust to-zone server policy trust-to-server match destination-address any
set security policies from-zone trust to-zone server policy trust-to-server match application any
set security policies from-zone trust to-zone server policy trust-to-server then permit
set security policies from-zone server to-zone trust policy server-to-trust match source-address any
set security policies from-zone server to-zone trust policy server-to-trust match destination-address any
set security policies from-zone server to-zone trust policy server-to-trust match application any
set security policies from-zone server to-zone trust policy server-to-trust then permit
Allow the external zone (untrust) to access the SSH application on the three servers (192.168.1.248 – 250) in the server zone (server):
set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server249
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server248
set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh
set security policies from-zone untrust to-zone server policy untrust-to-server then permit
3. NAT configuration
3.1 Source NAT
When internal hosts access the external network, their source address must be translated. To conserve public addresses, the translated address is normally the external interface address, which is why this is also called interface NAT.
For the trust zone (internal staff) we define the source NAT rule set trust-to-untrust, so that every packet from the trust zone (192.168.100.0/24) to the untrust zone (external network) is source-translated to the public interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.100.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
For the server zone we define the source NAT rule set server-to-untrust, so that every packet from the server zone to the untrust zone (external network) is source-translated to the public interface address.
set security nat source rule-set server-to-untrust from zone server
set security nat source rule-set server-to-untrust to zone untrust
set security nat source rule-set server-to-untrust rule server-source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set server-to-untrust rule server-source-nat-rule then source-nat interface
For the guest zone (visitors) we define the source NAT rule set guest-to-untrust, so that every packet from the guest zone to the untrust zone (external network) is source-translated to the public interface address.
set security nat source rule-set guest-to-untrust from zone guest
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule match source-address 172.16.1.0/24
set security nat source rule-set guest-to-untrust rule guest-source-nat-rule then source-nat interface
3.2 Destination NAT
In this project the SSH service on the internal servers must be reachable from the external network, so destination NAT, that is, port mapping, is used. Port 22 of 113.106.95.114 is mapped to port 22 of the internal host 192.168.1.250; port 202 of 113.106.95.114 is mapped to port 22 of 192.168.1.249; and port 221 of 113.106.95.114 is mapped to port 22 of 192.168.1.248.
Define the destination NAT pools
Set up the pools, that is, the internal server IP address and port that traffic is translated to. Three pools are defined in this project, named 250, 249 and 248.
set security nat destination pool 250 address 192.168.1.250/32
set security nat destination pool 250 address port 22
set security nat destination pool 249 address 192.168.1.249/32
set security nat destination pool 249 address port 22
set security nat destination pool 248 address 192.168.1.248/32
set security nat destination pool 248 address port 22
Define the rules
Three destination NAT rules are configured, named 250, 249 and 248:
set security nat destination rule-set 1 from zone untrust
(defines which zone the traffic comes from)
set security nat destination rule-set 1 rule 250 match source-address 0.0.0.0/0
(matches the source address range; 0.0.0.0/0 means the source address is not restricted)
set security nat destination rule-set 1 rule 250 match destination-address 113.106.95.114/32
(matches the destination address; in this project the address 113.106.95.114 is used)
set security nat destination rule-set 1 rule 250 match destination-port 22
(matches destination port 22)
set security nat destination rule-set 1 rule 250 then destination-nat pool 250
(once the conditions above match, destination NAT is applied: packets addressed to port 22 of 113.106.95.114 are translated to pool 250, that is, the destination address becomes 192.168.1.250 and the destination port becomes 22)
The other two rules follow the same pattern as rule 250:
set security nat destination rule-set 1 rule 249 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 249 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 249 match destination-port 220
set security nat destination rule-set 1 rule 249 then destination-nat pool 249
set security nat destination rule-set 1 rule 248 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 248 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 248 match destination-port 221
set security nat destination rule-set 1 rule 248 then destination-nat pool 248
Define proxy ARP
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32
For traffic sent to 113.106.95.114 from the external network to reach the firewall, proxy ARP must be enabled so that 113.106.95.114 is bound to the external interface ge-0/0/0; the interface's own address is 113.106.95.115, so without this entry the firewall would not answer ARP requests for the NAT address.
Define the policy from the external zone (untrust) to the server zone (server)
This policy was already configured in section 2.3 and does not need to be set again.
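The three pieces of this configuration that interact, the per-interface host-inbound services of section 1.3, the untrust-to-server policy of section 2.3 and the destination NAT of section 3.2, are easy to get out of step: a pool whose address no policy permits, a public address with no proxy-ARP entry, or a cleartext management service left open on the untrust interface. The following Python script is an added example written for this document; it is not part of the original write-up and not a Juniper tool. It parses `set` statements of the same form shown above (only the statement types it needs) and reports those three conditions. The embedded configuration is a constructed excerpt of this document's commands plus one deliberately broken rule, named 247, that maps 113.106.95.113:222 to 192.168.1.247 with neither a policy nor a proxy-ARP entry, so that the checks have something to report.

```python
"""Offline audit of Junos SRX 'set' statements (added example, not part of the original write-up).
Reports cleartext management services accepted on untrust, destination NAT rules whose translated
address no permit policy covers, and public NAT addresses with no proxy-ARP entry."""
import ipaddress
from collections import defaultdict

# Constructed excerpt of the document's configuration plus one deliberately broken rule
# ('247': 113.106.95.113:222 -> 192.168.1.247) that has neither a policy nor proxy-ARP.
CONFIG = """
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone server address-book address server250 192.168.1.250/32
set security policies from-zone untrust to-zone server policy untrust-to-server match source-address any
set security policies from-zone untrust to-zone server policy untrust-to-server match destination-address server250
set security policies from-zone untrust to-zone server policy untrust-to-server match application junos-ssh
set security policies from-zone untrust to-zone server policy untrust-to-server then permit
set security nat destination pool 250 address 192.168.1.250/32
set security nat destination pool 250 address port 22
set security nat destination pool 247 address 192.168.1.247/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 250 match destination-address 113.106.95.114/32
set security nat destination rule-set 1 rule 250 match destination-port 22
set security nat destination rule-set 1 rule 250 then destination-nat pool 250
set security nat destination rule-set 1 rule 247 match destination-address 113.106.95.113/32
set security nat destination rule-set 1 rule 247 match destination-port 222
set security nat destination rule-set 1 rule 247 then destination-nat pool 247
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.114/32
"""
CLEARTEXT = {"telnet", "http"}  # management services that carry credentials unencrypted


def parse(text):
    """Build lookup tables from 'set' lines; statement types the checks do not need are ignored."""
    cfg = {"services": defaultdict(set), "book": defaultdict(dict), "pools": {},
           "rules": {}, "ruleset_from": {}, "proxy_arp": []}
    pols = {}
    for line in text.splitlines():
        t = line.split()[1:] if line.startswith("set ") else []
        if t[:3] == ["security", "zones", "security-zone"]:
            zone = t[3]
            if t[4] == "host-inbound-traffic" and t[5] == "system-services":
                cfg["services"][(zone, "*")].add(t[6])            # zone-wide service
            elif t[4] == "interfaces" and "system-services" in t:
                cfg["services"][(zone, t[5])].add(t[-1])           # per-interface service
            elif t[4] == "address-book" and t[5] == "address":
                cfg["book"][zone][t[6]] = ipaddress.ip_network(t[7], strict=False)
        elif t[:2] == ["security", "policies"]:                   # from-zone X to-zone Y policy N
            p = pols.setdefault((t[3], t[5], t[7]), {"from": t[3], "to": t[5], "action": None})
            if t[8] == "match":
                p.setdefault(t[9], set()).add(t[10])
            else:                                                  # then permit / deny / reject
                p["action"] = t[9]
        elif t[:3] == ["security", "nat", "destination"]:
            if t[3] == "pool":                                     # pool N address A | address port P
                cfg["pools"].setdefault(t[4], {})[t[6] if t[6] == "port" else "address"] = t[-1]
            elif t[5] == "from":                                   # rule-set N from zone Z
                cfg["ruleset_from"][t[4]] = t[7]
            elif t[5] == "rule":                                   # rule-set N rule R match ... | then ... pool P
                cfg["rules"].setdefault((t[4], t[6]), {})[t[8] if t[7] == "match" else "pool"] = t[-1]
        elif t[:3] == ["security", "nat", "proxy-arp"]:
            cfg["proxy_arp"].append(ipaddress.ip_network(t[6], strict=False))
    cfg["policies"] = list(pols.values())
    return cfg


def cleartext_findings(cfg, zone="untrust"):
    """(interface, service) pairs where telnet/http are accepted from the zone ('all' counts as both)."""
    out = []
    for (z, iface), svc in sorted(cfg["services"].items()):
        if z == zone:
            out.extend((iface, s) for s in sorted(CLEARTEXT if "all" in svc else svc & CLEARTEXT))
    return out


def dnat_policy_findings(cfg):
    """DNAT rules whose translated address no permit policy from the rule-set's source zone covers.
    Policies are evaluated on the post-NAT destination, so such a rule translates and then drops."""
    out = []
    for (rs, name), r in sorted(cfg["rules"].items()):
        pool = cfg["pools"].get(r.get("pool"), {})
        if "address" not in pool:
            out.append((rs, name, "pool missing or has no address"))
            continue
        ip = ipaddress.ip_network(pool["address"], strict=False).network_address
        covered = any(p["from"] == cfg["ruleset_from"].get(rs) and p["action"] == "permit"
                      and ("any" in p.get("destination-address", ())
                           or any(ip in net for n, net in cfg["book"][p["to"]].items()
                                  if n in p.get("destination-address", ())))
                      for p in cfg["policies"])
        if not covered:
            out.append((rs, name, f"no permit policy covers {ip}"))
    return out


def proxy_arp_findings(cfg):
    """DNAT match addresses with no proxy-ARP entry (assumes, as in this document, that the NAT
    address differs from the interface's own address, which needs no proxy-ARP)."""
    out = []
    for (rs, name), r in sorted(cfg["rules"].items()):
        if "destination-address" in r:
            ip = ipaddress.ip_network(r["destination-address"], strict=False).network_address
            if not any(ip in net for net in cfg["proxy_arp"]):
                out.append((rs, name, str(ip)))
    return out
```

Running `parse(CONFIG)` and the three check functions on the embedded excerpt reports http and telnet on ge-0/0/0.0 in the untrust zone, rule 247 as translating to 192.168.1.247 without any permit policy, and 113.106.95.113 as lacking a proxy-ARP entry; the document's own rules 250, 249 and 248 pass all three checks. The checks deliberately resolve policy destinations through the to-zone address book, because a DNAT pool and a policy address-book entry are separate objects that must agree on the same host address.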