Jump to content
Калькуляторы

Ограничения доступа по IP к порту на Juniper SRX Ограничения доступа к порту на Juniper SRX

Приветствую. Подскажите, имеем следующее:

SRX-100.

3 точки подключения в выделенной сети, в общем порядка 100 клиентов

в 1 точке объединили с интернетом и гоним трафик на все компы, сейчас хотелось бы дать доступ к инету (PPoE) хотелось бы ограничить доступ к интернету только разрешенным пользователям по IP.

 

Возможно ли?

## Last changed: 2014-04-14 11:58:33 MSK
version 12.1X46-D10.2;
system {
   host-name jun-pol;
   time-zone Europe/Moscow;
   root-authentication {
       encrypted-password "password";
   }
   services {
       ssh;
       telnet;
       web-management {
           http;
       }
   }
   ntp {
       server 91.226.136.136;
       server 88.147.254.232;
   }
}
interfaces {
   fe-0/0/0 {
       unit 0 {
           family inet {
               address 10.69.130.50/29;
           }
       }
   }
   gr-0/0/0 {
       unit 0 {
           tunnel {
               source 10.69.130.50;
               destination 10.69.130.242;
           }
           family inet {
               address 172.16.0.1/30;
           }
       }
       unit 1 {
           tunnel {
               source 10.69.130.50;
               destination 10.69.130.58;
           }
           family inet {
               address 172.16.1.1/30;
           }
       }
   }
   fe-0/0/1 {
       unit 0 {
           description trust;
           family inet {
               address 10.69.76.1/24;
           }
       }
   }
   fe-0/0/2 {
       disable;
   }
   fe-0/0/3 {
       disable;
   }
   fe-0/0/4 {
       disable;
   }
   fe-0/0/5 {
       disable;
   }
   fe-0/0/6 {
       disable;
   }
   fe-0/0/7 {
       unit 0 {
           encapsulation ppp-over-ether;
       }
   }
   pp0 {
       unit 0 {
           description FTTx;
           ppp-options {
               chap {
                   default-chap-secret "password1";
                   local-name "user_ppoe";
                   no-rfc2486;
                   passive;
               }
           }
           pppoe-options {
               underlying-interface fe-0/0/7.0;
           }
           family inet {
               negotiate-address;
           }
       }
   }
}
routing-options {
   static {
       route 10.62.1.0/24 next-hop 10.69.130.49;
       route 10.62.2.0/24 next-hop 10.69.130.49;
       route 10.62.13.0/24 next-hop 10.69.130.49;
       route 10.62.224.129/32 next-hop 10.69.130.49;
       route 10.63.10.0/24 next-hop 10.69.130.49;
       route 10.69.77.0/24 next-hop gr-0/0/0.1;
       route 10.69.100.0/24 next-hop gr-0/0/0.0;
       route 10.69.129.0/24 next-hop 10.69.130.49;
       route 10.69.130.0/24 next-hop 10.69.130.49;
       route 10.69.131.0/24 next-hop 10.69.130.49;
       route 0.0.0.0/0 next-hop pp0.0;
   }
}
security {
   address-book {
       global {
           address web_server 10.69.76.192/32;
       }
   }
   flow {
       allow-dns-reply;
       route-change-timeout 62;
       syn-flood-protection-mode syn-proxy;
       tcp-mss {
           all-tcp {
               mss 1400;
           }
           ipsec-vpn {
               mss 1400;
           }
           gre-in {
               mss 1364;
           }
           gre-out {
               mss 1364;
           }
       }
   }
   nat {
       source {
           rule-set nat {
               from zone trust;
               to zone untrust;
               rule all {
                   match {
                       source-address 0.0.0.0/0;
                       destination-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
       }
       destination {
           pool web-server {
               address ip_ppoe/32 port 80;
           }
           rule-set DNAT {
               from zone untrust;
               rule dnat_for_web {
                   match {
                       destination-address ip_ppoe/32;
                       destination-port 80;
                   }
                   then {
                       destination-nat {
                           pool {
                               web-server;
                           }
                       }
                   }
               }
           }
       }
   }
   policies {
       from-zone trust to-zone untrust {
           policy any {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone trust to-zone trust {
           policy trust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone untrust to-zone trust {
           policy untrust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
           policy web_access {
               match {
                   source-address any;
                   destination-address web_server;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
   }
   zones {
       security-zone trust {
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               gr-0/0/0.0;
               gr-0/0/0.1;
               fe-0/0/1.0;
           }
       }
       security-zone untrust {
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               fe-0/0/0.0;
               pp0.0;
           }
       }
       security-zone junos-host;
   }
}

Share this post


Link to post
Share on other sites

Возможно ли?

 

Естественно возможно.

 

Очень порадовало.

 

  security-zone untrust {
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               fe-0/0/0.0;
               pp0.0;
           }
       }

 

И это тоже.

 

  from-zone untrust to-zone trust {
           policy untrust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }

 

Может начать с http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694 , а не с "мастера установки" ?

Share this post


Link to post
Share on other sites

я понял, что доступ разделять через фильтры, но что с правилами заплутал, что то не до понял.... ткните носом плиз

## Last changed: 2014-04-17 15:06:50 MSK
version 12.1X46-D10.2;
system {
   host-name jun-pol;
   time-zone Europe/Moscow;
   root-authentication {
       encrypted-password "$passwd/";
   }
   name-server {
       10.69.76.2;
   }
   services {
       ssh;
       web-management {
           http {
               port 8080;
           }
       }
   }
   syslog {
       archive size 100k files 3;
       user * {
           any emergency;
       }
       file messages {
           any critical;
           authorization info;
       }
       file interactive-commands {
           interactive-commands error;
       }
   }
   max-configurations-on-flash 5;
   max-configuration-rollbacks 49;
   license {
       autoupdate {
           url https://ae1.juniper.net/junos/key_retrieval;
       }
   }
   ntp {
       server 91.226.136.136;
       server 88.147.254.232;
   }
}
interfaces {
   fe-0/0/0 {
       unit 0 {
           family inet {
               address 10.69.130.50/29;
           }
       }
   }
   gr-0/0/0 {
       unit 0 {
           tunnel {
               source 10.69.130.50;
               destination 10.69.130.242;
           }
           family inet {
               address 172.16.0.1/30;
           }
       }
       unit 1 {
           tunnel {
               source 10.69.130.50;
               destination 10.69.130.58;
           }
           family inet {
               address 172.16.1.1/30;
           }
       }
   }
   fe-0/0/1 {
       unit 0 {
           description trust;
           family inet {
               address 10.69.76.1/24;
           }
       }
   }
   fe-0/0/2 {
       disable;
   }
   fe-0/0/3 {
       disable;
   }
   fe-0/0/4 {
       disable;
   }
   fe-0/0/5 {
       disable;
   }
   fe-0/0/6 {
       disable;
   }
   fe-0/0/7 {
       unit 0 {
           encapsulation ppp-over-ether;
       }
   }
   pp0 {
       unit 0 {
           description FTTx;
           ppp-options {
               chap {
                   default-chap-secret "$password";
                   local-name "login";
                   no-rfc2486;
                   passive;
               }
           }
           pppoe-options {
               underlying-interface fe-0/0/7.0;
               idle-timeout 0;
               auto-reconnect 10;
               client;
           }
           family inet {
               filter {
                   input inet-in;
                   output inet-out;
               }
               mtu 1492;
               negotiate-address;
           }
       }
   }
}
routing-options {
   static {
       route 10.62.1.0/24 next-hop 10.69.130.49;
       route 10.62.2.0/24 next-hop 10.69.130.49;
       route 10.62.13.0/24 next-hop 10.69.130.49;
       route 10.62.224.129/32 next-hop 10.69.130.49;
       route 10.63.10.0/24 next-hop 10.69.130.49;
       route 10.69.77.0/24 next-hop gr-0/0/0.1;
       route 10.69.100.0/24 next-hop gr-0/0/0.0;
       route 10.69.129.0/24 next-hop 10.69.130.49;
       route 10.69.130.0/24 next-hop 10.69.130.49;
       route 10.69.131.0/24 next-hop 10.69.130.49;
       route 0.0.0.0/0 next-hop pp0.0;
   }
}
security {
   address-book {
       global {
           address web_server 10.69.76.192/32;
       }
       inet {
           address test {
               wildcard-address 10.69.76.83/32;
           }
       }
       block {
           address odnoklassniki.ru 217.20.147.94/32;
           attach {
               zone untrust;
           }
       }
   }
   flow {
       allow-dns-reply;
       route-change-timeout 62;
       syn-flood-protection-mode syn-proxy;
       tcp-mss {
           all-tcp {
               mss 1400;
           }
           ipsec-vpn {
               mss 1400;
           }
           gre-in {
               mss 1364;
           }
           gre-out {
               mss 1364;
           }
       }
   }
   nat {
       source {
           rule-set nat {
               from zone trust;
               to zone untrust;
               rule all {
                   match {
                       source-address 0.0.0.0/0;
                       destination-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }
           }
       }
       destination {
           pool web-server {
               address 10.69.76.192/32 port 80;
           }
           rule-set DNAT {
               from zone untrust;
               rule dnat_for_web {
                   match {
                       destination-address 1.1.1.1/32;
                       destination-port 80;
                   }
                   then {
                       destination-nat {
                           pool {
                               web-server;
                           }
                       }
                   }
               }
           }
       }
   }
   policies {
       from-zone trust to-zone untrust {
           inactive: policy block {
               match {
                   source-address any-ipv4;
                   destination-address [ odnoklassniki.ru ];
                   application any;
               }
               then {
                   reject;
               }
           }
           policy all {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone trust to-zone trust {
           policy trust-to-trust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
       from-zone untrust to-zone trust {
           policy web_access {
               match {
                   source-address any;
                   destination-address web_server;
                   application any;
               }
               then {
                   permit;
               }
           }
       }
   }
   zones {
       security-zone trust {
           host-inbound-traffic {
               system-services {
                   all;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               gr-0/0/0.0;
               gr-0/0/0.1;
               fe-0/0/1.0;
           }
       }
       security-zone untrust {
           host-inbound-traffic {
               system-services {
                   ping;
                   http;
                   ssh;
                   traceroute;
                   dns;
               }
           }
           interfaces {
               fe-0/0/0.0;
               pp0.0;
           }
       }
       security-zone junos-host;
   }
}
firewall {
   family inet {
       filter inet-in {
           term pppoe {
               from {
                   source-address {
                       10.69.76.83/32;
                   }
               }
               then accept;
           }
       }
       filter inet-out {
           term pppoe {
               from {
                   destination-address {
                       10.69.76.83/32;
                   }
               }
               then accept;
           }
       }
   }
}

Edited by aDemid

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this