ros中firewall设置（翻译用户手册）

ntjxad

Ip 防火墙应用描述在这个部分，我们讨论防火墙的一些的应用和例子。防火墙设置基本原则假定我们有一个本地网通过路由连接到internet，那么基本的防火墙构建原则由以下几部分组成：1、保护路由避免没有认证的访问必须监控那些到路由的连接。只能允许某些特定的主机到路由某些特定的 tcp端口的访问。这项工作可以在input中设置，以便比较匹配通过路由所有连接界面到路由目的地址的数据包。2、保护本地主机必须监控那些到本地网络地址的连接。只有有权到某些主机和服务的连接才能被允许。这项工作可以在forward中设置，以便比较匹配决定通过路由所有连接界面到本地网路目的地址的数据包。3、利用nat将本地的网络隐藏在一个公网的ip后面。所有本地网络的连接被伪装成来自路由本身的公网地址。这项工作可以通过启用伪装行为来实现源地址转换规则。4、强制本地网络连接到公网的访问原则。必须监控那些来自本地网络地址的连接。这项工作可以通过forward中设置，或者通过伪装哪些被允许的连接来实现。数据的过滤会对router的性能造成一定的影响，为了把这个影响降到最低，这些过滤的规则必须放在各个chain的顶部。这个在传输控制协议选项non- syn -only中.

jacky

这也太少了吧，在多翻译一点就好了。

ntjxad

偷空又翻了一点防火墙过滤实例实现目标：目标1、让路由只允许来自10.5.8.0/24网络地址的访问。目标2、保护本地主机（192.168.0.0/24）远离未授权的访问。目标3、让公网可以访问本地主机192.168.0.17的http 和smtp服务。目标4、只允许本地网络中的主机进行icmp ping 操作。强制使用在192.168.0.17主机上的代理服务。假设我的网络设置如下：公网 ip :10.0.0.217/24  网关 ip ：10.0.0.254内网 ip :192.168.0.254/24 内网服务器地址：192.168.0.17/24step1          为了实现第一个目标，我们必须对所有通过路由的数据包进行过滤，只接受哪些我们允许的数据。因为所有通过路由的数据包都要经过input chain进行处理，所以，我们可以在ip->firewall-> rule input 中加入以下规则。[admin@MikroTik] >ip firewall rule input[admin@MikroTik] ip firewall rule input>add protocol=tcp [admin@MikroTik] ip firewall rule input>tcp-options=non-syn-only connection-state=established[admin@MikroTik] ip firewall rule input>add protocol=udp [admin@MikroTik] ip firewall rule input>add protocol=icmp[admin@MikroTik] ip firewall rule input>add src-addr=10.5.8.0/24[admin@MikroTik] ip firewall rule input>add action=reject log=yes通过上述设置，input chain就可以实现只接受10.5.8.0/24地址段的连接，而把其他连接都拒绝并且记录到日志。

ntjxad

继续再翻了一些Step 2         为了保护本地网络，我们必须对通过路由访问本地网络也就是对192.168.0.0/24一段地址的访问的数据包进行比对筛选，这个功能可以在forward chain 中实现。在forward 中，我们可以依靠ip地址对数据包进行匹配，然后跳转到我们自己创建的chain中，比如这里我们创建一个 customer chain 并加入一些规则。[admin@MikroTik] ip firewall> add name=customer[admin@MikroTik] ip firewall> print# NAME POLICY0 input accept1 forward accept2 output accept3 customer none[admin@MikroTik] ip firewall> rule customer[admin@MikroTik] ip firewall rule customer> protocol=tcp tcp-options=non-syn-only connection-state=established  [admin@MikroTik] ip firewall rule customer> add protocol=udp [admin@MikroTik] ip firewall rule customer> add protocol=icmp  [admin@MikroTik] ip firewall rule customer> add protocol=tcp tcp-options=syn-only  dst-address=192.168.0.17/32:80 [admin@MikroTik] ip firewall rule customer> add protocol=tcp tcp-options=syn-only dst-address=192.168.0.17/32:25 [admin@MikroTik] ip firewall rule customer> add action=reject log=yes通过上述规则，我们在customer chain 中设定了对数据包的过滤规则，那么下面我要做的就是在forward chain 中做一个跳转，将所有进入到本地网的数据跳转到customer chain 中处理。[admin@MikroTik] ip firewall rule forward> add out-interface=Local action=jump  jump-target=customer这样，所有通过路由进入到本地网络的数据包都将通过customer chain中的防火墙规则进行过滤。

ntjxad

Step 3为了强制本地网络的主机通过192.168.0.17这台代理服务器访问internet ,我们应该在forward 链中加入以下规则。（这个设置我觉得好像有点多余，是不是这里192.168.0.17起到了一层防火墙的作用，反正我是没有加这个规则）。[admin@MikroTik] ip firewall rule forward> add protocol=icmp out-interface=Public [admin@MikroTik] ip firewall rule forward> add src-address = 192.168.0.17 / 32  out-interface=Public[admin@MikroTik] ip firewall rule forward> add action=reject out-interface=Public

ntjxad

有些地方可能翻译得不好,请各位指正.

soft_route

好样的兄弟！谢谢！

jacky

好样的兄弟！

roczyl

支持！！！感谢！！！

lisidong

不错

luodahua

我补楼主所翻译的ROUTER OS手户手册的防火墙说明图片

luodahua

对SETUP1的补充. admin@MikroTik] ip firewall rule input> printFlags: X - disabled, I - invalid, D - dynamic  0   ;;; Allow established TCP connections      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp      icmp-options=any:any tcp-options=non-syn-only      connection-state=established flow="" connection="" content=""      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0      limit-time=0s action=accept log=no  1   ;;; Allow UDP connections      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  2   ;;; Allow ICMP messages      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  3   ;;; Allow access from 'trusted' network 10.5.8.0/24 of ours      src-address=10.5.8.0/24:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  4   ;;; Reject and log everything else      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=reject log=yes

luodahua

对setup2的补充:[admin@MikroTik] ip firewall rule customer> printFlags: X - disabled, I - invalid  0   ;;; Allow established TCP connections      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp      icmp-options=any:any tcp-options=non-syn-only      connection-state=established flow="" connection="" content=""      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0      limit-time=0s action=accept log=no  1   ;;; Allow UDP connections      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  2   ;;; Allow ICMP messages      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  3   ;;; Allow http connections to the server at 192.168.0.17      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=192.168.0.17/32:80 out-interface=all protocol=tcp      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  4   ;;; Allow smtp connections to the server at 192.168.0.17      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=192.168.0.17/32:25 out-interface=all protocol=tcp      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  5   ;;; Allow ftp data connections from servers on the Internet      src-address=0.0.0.0/0:20 in-interface=all      dst-address=0.0.0.0/0:1024-65535 out-interface=all protocol=tcp      icmp-options=any:any tcp-options=syn-only connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  6   ;;; Reject and log everything else      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=reject log=yes[admin@MikroTik] ip firewall rule customer>[admin@MikroTik] ip firewall rule forward> add out-interface=Local action=jump \\... jump-target=customer[admin@MikroTik] ip firewall rule forward> printFlags: X - disabled, I - invalid  0   src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=jump jump-target=customer log=no

luodahua

对SETUP3的补充:[admin@MikroTik] ip firewall rule forward> printFlags: X - disabled, I - invalid  0   src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=jump jump-target=customer log=no  1   ;;; Allow ICMP ping packets      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=icmp      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  2   ;;; Allow outgoing connections form the server at 192.168.0.17      src-address=192.168.0.17/32:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=accept log=no  3   ;;; Reject and log everything else      src-address=0.0.0.0/0:0-65535 in-interface=all      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all      icmp-options=any:any tcp-options=any connection-state=any flow=""      connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0      limit-burst=0 limit-time=0s action=reject log=yes

luodahua

强烈支持楼主!!!!!!