Description of the Implementation of the New Network Topology of the Company KARAS Project (Part II)

Greetings again.

This is the second part of a short series of articles that I will post here on using the VyOS distro as the IOS of a PC-Router. This distro is one of the many that exist for this purpose (Monowall, pfSense, Endian, etc.), but many people may find it very uncomfortable to use because all of the configuration is done from the Command Line Interface (CLI). However, for those who are used to working with Cisco routers and switches through the console it is not a problem: you only have to adapt to the instruction set, and once you master it, making the necessary adjustments is very easy.

In the first part I gave an overview of the company network in which we are going to configure our PC-Router in Router-On-Stick mode, making the best use of the few resources the administrator has available. As stated earlier, this design is not 100% secure, but it gets the most out of the little hardware available; constant monitoring of the whole system is therefore essential.

Well, let's continue with the command sequence for configuring the PC-Router.

Complete set of commands to run on the PC-Router

From here on, the commands to be run in the VyOS CLI are shown. Many of these commands are common to both PC-Routers; those that differ are given for the specific PC-Router.

 

Network interfaces

set interfaces ethernet eth0 vif 1 address 10.0.1.1/28
set interfaces ethernet eth0 vif 1 description "VLAN de los Equipos de Internetworking"

set interfaces ethernet eth0 vif 2 address 10.0.1.17/28
set interfaces ethernet eth0 vif 2 description "VLAN de Gestion de los Hipervisores"

set interfaces ethernet eth0 vif 10 address 10.0.1.33/28
set interfaces ethernet eth0 vif 10 description "VLAN de los Administradores de Red de KARAS Project"

set interfaces ethernet eth0 vif 11 address 10.0.1.65/27
set interfaces ethernet eth0 vif 11 description "VLAN de los Servidores de Red Internos de KARAS Project"

set interfaces ethernet eth0 vif 12 address 10.0.1.97/28
set interfaces ethernet eth0 vif 12 description "VLAN de los Servidores de Red Externos (DMZ) de KARAS Project"

set interfaces ethernet eth0 vif 13 address 10.0.1.129/25
set interfaces ethernet eth0 vif 13 description "VLAN de la Red LAN de KARAS Project"

set interfaces ethernet eth0 vif 14 address 190.6.YYY.122/29
set interfaces ethernet eth0 vif 14 address 190.6.YYY.123/29
set interfaces ethernet eth0 vif 14 address 190.6.YYY.124/29
set interfaces ethernet eth0 vif 14 address 190.6.YYY.125/29
set interfaces ethernet eth0 vif 14 address 190.6.YYY.126/29
set interfaces ethernet eth0 vif 14 description "VLAN de la Red WAN – Internet/Red-CUBA (ETECSA)"

set interfaces ethernet eth0 vif 15 address 10.0.3.2/30
set interfaces ethernet eth0 vif 15 description "VLAN de las Sucursales de KARAS Project (VPN Local IP/MPLS contratada a ETECSA)"
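As an added example (my own illustration, not code from the original post or from VyOS), the following Python script parses the `vif` address lines above and checks the addressing plan of the Router-On-Stick: no two VLAN subnets overlap, every configured address is a usable host address of its prefix (not the network or broadcast address), and the ISP gateway (190.6.YYY.121 in the post) lies inside the WAN /29. The public octet YYY is not known, so the WAN block and gateway are written with the documentation prefix 192.0.2.0/24 as a placeholder; all other addresses are the post's own.

```python
# Added example, not part of the original post: consistency checks on the
# sub-interface addressing plan of eth0. Sample configuration lines are the
# post's own "set interfaces" commands; 192.0.2.x is a placeholder for 190.6.YYY.x.
import ipaddress
from collections import defaultdict

INTERFACE_CONFIG = """
set interfaces ethernet eth0 vif 1 address 10.0.1.1/28
set interfaces ethernet eth0 vif 2 address 10.0.1.17/28
set interfaces ethernet eth0 vif 10 address 10.0.1.33/28
set interfaces ethernet eth0 vif 11 address 10.0.1.65/27
set interfaces ethernet eth0 vif 12 address 10.0.1.97/28
set interfaces ethernet eth0 vif 13 address 10.0.1.129/25
set interfaces ethernet eth0 vif 14 address 192.0.2.122/29
set interfaces ethernet eth0 vif 14 address 192.0.2.123/29
set interfaces ethernet eth0 vif 14 address 192.0.2.124/29
set interfaces ethernet eth0 vif 14 address 192.0.2.125/29
set interfaces ethernet eth0 vif 14 address 192.0.2.126/29
set interfaces ethernet eth0 vif 15 address 10.0.3.2/30
"""

WAN_VIF = 14
WAN_GATEWAY = "192.0.2.121"  # placeholder for the post's 190.6.YYY.121


def parse_vif_addresses(config_text):
    """Return {vif_id: [IPv4Interface, ...]} from 'set interfaces ethernet eth0 vif N address A/P' lines."""
    vifs = defaultdict(list)
    for line in config_text.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "interfaces", "ethernet", "eth0"] and "vif" in tok and "address" in tok:
            vif_id = int(tok[tok.index("vif") + 1])
            vifs[vif_id].append(ipaddress.ip_interface(tok[tok.index("address") + 1]))
    return dict(vifs)


def check_plan(vifs, wan_vif=WAN_VIF, wan_gateway=WAN_GATEWAY):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    # 1. every configured address must be a usable host address of its prefix
    for vif_id, addrs in vifs.items():
        for a in addrs:
            if a.ip in (a.network.network_address, a.network.broadcast_address):
                problems.append(f"vif {vif_id}: {a} is the network/broadcast address")
    # 2. one subnet per VLAN, and subnets of different VLANs must not overlap
    subnets = {vif_id: {a.network for a in addrs} for vif_id, addrs in vifs.items()}
    for vif_id, nets in subnets.items():
        if len(nets) != 1:
            problems.append(f"vif {vif_id}: more than one subnet configured: {sorted(map(str, nets))}")
    ids = sorted(subnets)
    for i, x in enumerate(ids):
        for y in ids[i + 1:]:
            for nx in subnets[x]:
                for ny in subnets[y]:
                    if nx.overlaps(ny):
                        problems.append(f"vif {x} ({nx}) overlaps vif {y} ({ny})")
    # 3. the default gateway must be on-link in the WAN VLAN
    gw = ipaddress.ip_address(wan_gateway)
    if not any(gw in a.network for a in vifs.get(wan_vif, [])):
        problems.append(f"gateway {gw} is not inside any subnet on vif {wan_vif}")
    return problems


def usable_hosts(vifs):
    """Return {vif_id: number of usable host addresses in that VLAN's subnet}."""
    return {vif_id: next(iter(addrs)).network.num_addresses - 2 for vif_id, addrs in vifs.items()}


if __name__ == "__main__":
    plan = parse_vif_addresses(INTERFACE_CONFIG)
    for vif_id, n in sorted(usable_hosts(plan).items()):
        print(f"vif {vif_id:>2}: {next(iter(plan[vif_id])).network}  usable hosts: {n}")
    issues = check_plan(plan)
    print("OK: addressing plan is consistent" if not issues else "\n".join(issues))
```

Running it prints the usable host count per VLAN and either "OK" or the list of problems. It is worth re-running after every addressing change, because on a single router two overlapping subnets are resolved by longest prefix match rather than by the VLAN the administrator had in mind.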

 

General system settings

set system domain-name karas.co.cu
set system gateway-address 190.6.YYY.121
set system host-name n-c-rt-1.red.karas.co.cu

set system login user vyos authentication plaintext-password "<Contraseña>"
set system login user vyos level admin

set system login user admin authentication plaintext-password "<Contraseña>"
set system login user admin level admin

set system login user oper authentication plaintext-password "<Contraseña>"
set system login user oper level operator

set system name-server 10.0.0.67
set system name-server 200.55.128.10
set system name-server 200.55.128.11
set system name-server 8.8.8.8
set system name-server 8.8.4.4

set system package auto-sync 1

set system package repository community components "main"
set system package repository community description "Repositorio Local de VyOS"
set system package repository community distribution stable
set system package repository community url http://ftp.karas.co.cu/linux/distros/vyos/

set system syslog global facility all level notice
set system syslog global facility protocols level debug

set system time-zone EST

 

Flow export

set system flow-accounting interface eth0.1
set system flow-accounting interface eth0.2
set system flow-accounting interface eth0.10
set system flow-accounting interface eth0.11
set system flow-accounting interface eth0.12
set system flow-accounting interface eth0.13
set system flow-accounting interface eth0.14
set system flow-accounting interface eth0.15
set system flow-accounting netflow sampling-rate 1
set system flow-accounting netflow server 10.0.1.71 port 9996
set system flow-accounting netflow timeout expiry-interval 60
set system flow-accounting netflow timeout flow-generic 3600
set system flow-accounting netflow timeout icmp 300
set system flow-accounting netflow timeout max-active-life 604800
set system flow-accounting netflow timeout tcp-fin 300
set system flow-accounting netflow timeout tcp-generic 3600
set system flow-accounting netflow timeout tcp-rst 120
set system flow-accounting netflow timeout udp 300
set system flow-accounting netflow version 9
set system flow-accounting syslog-facility all

 

System services

set service ssh port 40497
set service snmp community PRVaT.kARas.cO.Cu authorization ro
set service snmp community PRVaT.kARas.cO.Cu client 10.0.1.71
set service snmp contact "Sr. Administrador de Red"
set service snmp listen-address 10.0.1.65 port 161

 

NAT configuration

set nat source rule 10 description "Enmascaramiento del Servidor de Correo Externo de Trafico Entrante 1 – MX 1 (SNAT)"
set nat source rule 10 outbound-interface eth0.14
set nat source rule 10 source address 10.0.1.98
set nat source rule 10 translation address 190.6.YYY.122

set nat source rule 11 description "Enmascaramiento del Servidor de Correo Externo de Trafico Entrante 2 – MX 2 (SNAT)"
set nat source rule 11 outbound-interface eth0.14
set nat source rule 11 source address 10.0.1.99
set nat source rule 11 translation address 190.6.YYY.123

set nat source rule 12 description "Enmascaramiento del Servidor de Correo Externo de Trafico Saliente – SMTP Saliente (SNAT)"
set nat source rule 12 outbound-interface eth0.14
set nat source rule 12 source address 10.0.1.100
set nat source rule 12 translation address 190.6.YYY.124

set nat source rule 13 description "Enmascaramiento del Servidor WEB Externo (SNAT)"
set nat source rule 13 outbound-interface eth0.14
set nat source rule 13 source address 10.0.1.101
set nat source rule 13 translation address 190.6.YYY.125

set nat source rule 14 description "Enmascaramiento del Servidor Proxy de Internet/Intranet-CUBA (SNAT)"
set nat source rule 14 outbound-interface eth0.14
set nat source rule 14 source address 10.0.1.102
set nat source rule 14 translation address 190.6.YYY.126

set nat destination rule 30 description "Enmascaramiento del Servidor DNS 1 (DNAT/PAT)"
set nat destination rule 30 destination address 190.6.YYY.122
set nat destination rule 30 destination port domain
set nat destination rule 30 inbound-interface eth0.14
set nat destination rule 30 protocol tcp_udp
set nat destination rule 30 translation address 10.0.1.98

set nat destination rule 31 description "Enmascaramiento del Servidor DNS 2 (DNAT/PAT)"
set nat destination rule 31 destination address 190.6.YYY.123
set nat destination rule 31 destination port domain
set nat destination rule 31 inbound-interface eth0.14
set nat destination rule 31 protocol tcp_udp
set nat destination rule 31 translation address 10.0.1.99

set nat destination rule 32 description "Enmascaramiento del Servidor de Correo de trafico entrante 1 – MX 1 (DNAT/PAT)"
set nat destination rule 32 destination address 190.6.YYY.122
set nat destination rule 32 destination port smtp
set nat destination rule 32 inbound-interface eth0.14
set nat destination rule 32 protocol tcp
set nat destination rule 32 translation address 10.0.1.98

set nat destination rule 33 description "Enmascaramiento del Servidor de Correo de trafico entrante 2 – MX 2 (DNAT/PAT)"
set nat destination rule 33 destination address 190.6.YYY.123
set nat destination rule 33 destination port smtp
set nat destination rule 33 inbound-interface eth0.14
set nat destination rule 33 protocol tcp
set nat destination rule 33 translation address 10.0.1.99

set nat destination rule 34 description "Enmascaramiento del Servidor WEB Externo (DNAT/PAT)"
set nat destination rule 34 destination address 190.6.YYY.125
set nat destination rule 34 destination port http,https
set nat destination rule 34 inbound-interface eth0.14
set nat destination rule 34 protocol tcp
set nat destination rule 34 translation address 10.0.1.101
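As an added example (not part of the post and not VyOS code), here is a small Python inventory of what the SNAT/DNAT rules above expose. It parses the `set nat` lines, lists every public address, protocol and port that reaches a DMZ host, and checks two things a reviewer of this configuration would want to confirm: that every DNAT target really sits in the DMZ network 10.0.1.96/28, and that the same host leaves through a SNAT rule with the same public address. The second point matters for the MX servers, whose reverse DNS and sender reputation are tied to the address their traffic actually originates from. The `inbound-interface`/`outbound-interface` and `description` lines are left out of the embedded sample because the checks do not need them (the parser would accept them anyway), and 192.0.2.x stands in for the post's 190.6.YYY.x.

```python
# Added example, not part of the original post: Internet-exposure inventory and
# SNAT/DNAT symmetry check built from the post's "set nat" commands.
# 192.0.2.x is a placeholder for the real 190.6.YYY.x public block.
import ipaddress
import shlex

NAT_CONFIG = """
set nat source rule 10 source address 10.0.1.98
set nat source rule 10 translation address 192.0.2.122
set nat source rule 11 source address 10.0.1.99
set nat source rule 11 translation address 192.0.2.123
set nat source rule 12 source address 10.0.1.100
set nat source rule 12 translation address 192.0.2.124
set nat source rule 13 source address 10.0.1.101
set nat source rule 13 translation address 192.0.2.125
set nat source rule 14 source address 10.0.1.102
set nat source rule 14 translation address 192.0.2.126
set nat destination rule 30 destination address 192.0.2.122
set nat destination rule 30 destination port domain
set nat destination rule 30 protocol tcp_udp
set nat destination rule 30 translation address 10.0.1.98
set nat destination rule 31 destination address 192.0.2.123
set nat destination rule 31 destination port domain
set nat destination rule 31 protocol tcp_udp
set nat destination rule 31 translation address 10.0.1.99
set nat destination rule 32 destination address 192.0.2.122
set nat destination rule 32 destination port smtp
set nat destination rule 32 protocol tcp
set nat destination rule 32 translation address 10.0.1.98
set nat destination rule 33 destination address 192.0.2.123
set nat destination rule 33 destination port smtp
set nat destination rule 33 protocol tcp
set nat destination rule 33 translation address 10.0.1.99
set nat destination rule 34 destination address 192.0.2.125
set nat destination rule 34 destination port http,https
set nat destination rule 34 protocol tcp
set nat destination rule 34 translation address 10.0.1.101
"""

DMZ = ipaddress.ip_network("10.0.1.96/28")  # the post's "Servidores de Red Externos (DMZ)" VLAN


def parse_nat(config_text):
    """Return {"source": {rule: {key: value}}, "destination": {...}} from 'set nat ...' lines."""
    rules = {"source": {}, "destination": {}}
    for line in config_text.strip().splitlines():
        tok = shlex.split(line)  # shlex keeps quoted descriptions as one value
        if tok[:2] != ["set", "nat"] or tok[3] != "rule":
            continue
        rules[tok[2]].setdefault(int(tok[4]), {})[" ".join(tok[5:-1])] = tok[-1]
    return rules


def exposure_inventory(rules):
    """One (public address, protocol, port, internal host, rule) row per exposed service."""
    rows = []
    for num, r in sorted(rules["destination"].items()):
        for port in r.get("destination port", "any").split(","):
            rows.append((r["destination address"], r.get("protocol", "all"), port,
                         r["translation address"], num))
    return rows


def nat_problems(rules):
    """Report DNAT targets outside the DMZ and hosts whose SNAT address differs from their DNAT address."""
    snat = {r["source address"]: r["translation address"]
            for r in rules["source"].values() if "source address" in r}
    problems = []
    for num, r in sorted(rules["destination"].items()):
        inside, public = r["translation address"], r["destination address"]
        if ipaddress.ip_address(inside) not in DMZ:
            problems.append(f"DNAT rule {num}: {inside} is outside the DMZ {DMZ}")
        if inside not in snat:
            problems.append(f"DNAT rule {num}: {inside} has no SNAT rule of its own")
        elif snat[inside] != public:
            problems.append(f"DNAT rule {num}: reached via {public} but sources traffic from {snat[inside]}")
    return problems


if __name__ == "__main__":
    nat = parse_nat(NAT_CONFIG)
    for public, proto, port, inside, num in exposure_inventory(nat):
        print(f"rule {num}: {public} {proto}/{port} -> {inside}")
    issues = nat_problems(nat)
    print("OK: every exposed host is in the DMZ with a matching SNAT" if not issues else "\n".join(issues))
```

The inventory is the list to compare against the rule sets in the next part: anything that appears here but is not explicitly allowed (or not expected to be public at all) is a finding.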

 

Firewall configuration

Initial values

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

 

IP address groups

set firewall group address-group equipos_admines address 10.0.1.34
set firewall group address-group equipos_admines address 10.0.1.35

set firewall group address-group equipos_gestion_routers address 10.0.1.34
set firewall group address-group equipos_gestion_routers address 10.0.1.35

set firewall group address-group equipos_gestion_internos address 10.0.1.34
set firewall group address-group equipos_gestion_internos address 10.0.1.35

set firewall group address-group equipos_gestion_hiperv address 10.0.1.34
set firewall group address-group equipos_gestion_hiperv address 10.0.1.35

set firewall group address-group svrs_internos_karas address 10.0.1.66
set firewall group address-group svrs_internos_karas address 10.0.1.67
set firewall group address-group svrs_internos_karas address 10.0.1.68
set firewall group address-group svrs_internos_karas address 10.0.1.69
set firewall group address-group svrs_internos_karas address 10.0.1.71

set firewall group address-group svrs_externos_karas address 10.0.1.98
set firewall group address-group svrs_externos_karas address 10.0.1.99
set firewall group address-group svrs_externos_karas address 10.0.1.100
set firewall group address-group svrs_externos_karas address 10.0.1.101
set firewall group address-group svrs_externos_karas address 10.0.1.102

set firewall group address-group svrs_dns_internos address 10.0.1.66
set firewall group address-group svrs_dns_internos address 10.0.1.67

set firewall group address-group svrs_pdc_internos address 10.0.1.66

set firewall group address-group svrs_pdc_lan address 10.0.1.130

set firewall group address-group svrs_correo_internos address 10.0.1.67
set firewall group address-group svrs_hora_internos address 10.0.1.67
set firewall group address-group svr_jabber_interno address 10.0.1.67
set firewall group address-group svr_web_interno address 10.0.1.68
set firewall group address-group svr_ftp_interno address 10.0.1.68
set firewall group address-group svr_proxy_interno address 10.0.1.69
set firewall group address-group svrs_monitoreo_internos address 10.0.1.71

set firewall group address-group svr_correo_smtp_in address 10.0.1.98
set firewall group address-group svr_correo_smtp_in address 10.0.1.99
set firewall group address-group svr_correo_mx1 address 10.0.1.98
set firewall group address-group svr_correo_mx2 address 10.0.1.99
set firewall group address-group svr_correo_smtp_out address 10.0.1.100
set firewall group address-group svr_web_externo address 10.0.1.101
set firewall group address-group svr_proxy_externo address 10.0.1.102

set firewall group network-group redes_internas_karas network 10.0.1.0/28
set firewall group network-group redes_internas_karas network 10.0.1.16/28
set firewall group network-group redes_internas_karas network 10.0.1.32/28
set firewall group network-group redes_internas_karas network 10.0.1.64/27
set firewall group network-group redes_internas_karas network 10.0.1.96/28
set firewall group network-group redes_internas_karas network 10.0.1.128/25
set firewall group network-group redes_internas_karas network 10.0.3.0/30

set firewall group address-group red_externa_karas address 190.6.YYY.122
set firewall group address-group red_externa_karas address 190.6.YYY.123
set firewall group address-group red_externa_karas address 190.6.YYY.124
set firewall group address-group red_externa_karas address 190.6.YYY.125
set firewall group address-group red_externa_karas address 190.6.YYY.126

set firewall group network-group red_equiposred network 10.0.1.0/28
set firewall group network-group red_hipervisores network 10.0.1.16/28
set firewall group network-group red_admines network 10.0.1.32/28
set firewall group network-group red_servidores_internos network 10.0.1.64/27
set firewall group network-group red_servidores_externos network 10.0.1.96/28
set firewall group network-group red_lan network 10.0.1.128/25
set firewall group network-group redes_sucursales_karas network 10.0.2.128/29
set firewall group network-group redes_sucursales_karas network 10.0.2.136/29
set firewall group network-group redes_sucursales_karas network 10.0.2.144/29
set firewall group network-group redes_sucursales_karas network 10.0.2.152/29
set firewall group network-group redes_sucursales_karas network 10.0.2.160/29
set firewall group network-group redes_sucursales_karas network 10.0.2.168/29
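Because the rule sets in the next part will be written entirely in terms of these groups, it pays to be able to answer "which groups does this host fall into?" and "does every member of a group actually live in the VLAN the group is named after?" before a single rule exists. The following Python script is an added example (mine, not the post's and not VyOS code) that parses a subset of the `set firewall group` lines above, resolves group membership for a given address, lists groups that currently have identical members (for instance `equipos_admines` and `equipos_gestion_routers`, which is fine as long as it is deliberate), and flags address-group members that fall outside their VLAN's network group. The mapping `VLAN_OF_GROUP` of which network group each address group is meant to belong to is my own assumption, chosen from the group names in the post.

```python
# Added example, not part of the original post: membership and drift checks on
# the firewall address/network groups. The embedded lines are a subset of the
# post's own groups; VLAN_OF_GROUP is an assumption about the intended VLAN of each group.
import ipaddress
import shlex
from collections import defaultdict

GROUP_CONFIG = """
set firewall group address-group equipos_admines address 10.0.1.34
set firewall group address-group equipos_admines address 10.0.1.35
set firewall group address-group equipos_gestion_routers address 10.0.1.34
set firewall group address-group equipos_gestion_routers address 10.0.1.35
set firewall group address-group svrs_internos_karas address 10.0.1.66
set firewall group address-group svrs_internos_karas address 10.0.1.67
set firewall group address-group svrs_internos_karas address 10.0.1.68
set firewall group address-group svrs_internos_karas address 10.0.1.69
set firewall group address-group svrs_internos_karas address 10.0.1.71
set firewall group address-group svrs_dns_internos address 10.0.1.66
set firewall group address-group svrs_dns_internos address 10.0.1.67
set firewall group address-group svrs_pdc_lan address 10.0.1.130
set firewall group address-group svr_web_externo address 10.0.1.101
set firewall group address-group svr_proxy_externo address 10.0.1.102
set firewall group network-group red_admines network 10.0.1.32/28
set firewall group network-group red_servidores_internos network 10.0.1.64/27
set firewall group network-group red_servidores_externos network 10.0.1.96/28
set firewall group network-group red_lan network 10.0.1.128/25
"""

# Assumed intent (not stated in the post): which VLAN network group each address group belongs to.
VLAN_OF_GROUP = {
    "equipos_admines": "red_admines",
    "equipos_gestion_routers": "red_admines",
    "svrs_internos_karas": "red_servidores_internos",
    "svrs_dns_internos": "red_servidores_internos",
    "svr_web_externo": "red_servidores_externos",
    "svr_proxy_externo": "red_servidores_externos",
    "svrs_pdc_lan": "red_lan",
}


def parse_groups(config_text):
    """Return ({address_group: set(IPv4Address)}, {network_group: set(IPv4Network)})."""
    addr_groups, net_groups = defaultdict(set), defaultdict(set)
    for line in config_text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["set", "firewall", "group"]:
            continue
        kind, name, key, value = tok[3], tok[4], tok[5], tok[6]
        if kind == "address-group" and key == "address":
            addr_groups[name].add(ipaddress.ip_address(value))
        elif kind == "network-group" and key == "network":
            net_groups[name].add(ipaddress.ip_network(value))
    return dict(addr_groups), dict(net_groups)


def groups_containing(ip, addr_groups, net_groups):
    """Sorted names of every address group and network group that matches the given host."""
    ip = ipaddress.ip_address(ip)
    names = [n for n, members in addr_groups.items() if ip in members]
    names += [n for n, nets in net_groups.items() if any(ip in net for net in nets)]
    return sorted(names)


def identical_address_groups(addr_groups):
    """Groups that currently have exactly the same members: keep them apart only if that is intended."""
    by_members = defaultdict(list)
    for name, members in addr_groups.items():
        by_members[frozenset(members)].append(name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


def members_outside_vlan(addr_groups, net_groups, vlan_of_group):
    """{address_group: [stray members]} for members that are not inside the group's intended VLAN."""
    out = {}
    for agroup, ngroup in vlan_of_group.items():
        stray = {ip for ip in addr_groups.get(agroup, ()) if not any(ip in n for n in net_groups[ngroup])}
        if stray:
            out[agroup] = sorted(map(str, stray))
    return out


if __name__ == "__main__":
    ag, ng = parse_groups(GROUP_CONFIG)
    print("10.0.1.66 belongs to:", groups_containing("10.0.1.66", ag, ng))
    print("groups with identical membership:", identical_address_groups(ag))
    print("members outside their VLAN:", members_outside_vlan(ag, ng, VLAN_OF_GROUP))
```

Feeding the router's full `show configuration commands` output into `parse_groups` instead of the embedded sample turns this into a quick regression check to run whenever a server is moved between VLANs and its group memberships are supposed to follow.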

 

That concludes the definition of the values that will later be used in the firewall rule sets, a topic we will cover in the third part.

Before wrapping up this part, I want to say that I will not post all of the rule sets, but most of them, to encourage anyone who is interested to add the missing ones. It is not hard; you just have to "cogerle la vuelta" (get the hang of it), as we say in good Cuban Spanish.

😀

About Hector Suarez Planas

He holds a degree in Computer Science (3 July 2002). He has been a Network Administrator in several organizations, as well as a Programmer and Systems Analyst. He currently works as Network Administrator of the Telecentro Tele Turquino in Santiago de Cuba. He has experience with Windows and GNU/Linux systems, network infrastructure (Cisco, AlliedTelesis, Netgear and HP ProCurve, Vyatta/VyOS), physical and virtual servers (VMware, Proxmox VE and Xen platforms), information security systems (Snort/Suricata IDS, AlienVault OSSIM appliances), programming (Delphi, C++ Builder, a little Perl, some Python), among other things. I am currently getting into everything related to Cloud Computing (OpenStack) and data centers. :-)

This entry was posted in Firewalls, Debian, Firewall, IOS, Routing, Security, VLAN, Vyatta/VyOS/EdgeOS.
