Настроим интернет и dmz
Настройки провайдера
1. ext_ip - 82.200.66.186/29
2. ext_gw - 82.200.66.185
3. ext_dns_1 - 80.89.128.5
4. dmz - 81.1.197.195/27
5. zone trust - dmz; zone untrust - internet
Загрузим настройки по умолчанию и зададим пароль
#sbros
# Start from factory defaults. plain-text-password without a value prompts for
# the root password at entry time, so no secret is stored in this script.
# The commit activates the reset before the cleanup in #delete is applied.
load factory-default
set system root-authentication plain-text-password
commit
Удалим ненужные правила, которые прилетели по умолчанию
#delete
# Strip factory-default pieces that an Internet-facing box does not need:
# the default resolvers (replaced in #network_inet), the DHCP server on
# ge-0/0/0.0 with its 192.168.1.0/24 pool, and the cleartext telnet and
# web-management services, leaving SSH (#raznoe) as the management service.
delete system name-server 208.67.222.222
delete system name-server 208.67.220.220
delete system services dhcp router 192.168.1.1
delete system services dhcp propagate-settings ge-0/0/0.0
delete system services dhcp pool 192.168.1.0/24
delete system services telnet
delete system services web-management
# The untrust interface itself no longer accepts dhcp or tftp.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
# No source NAT: the DMZ uses public addresses (81.1.197.195/27, see #vlan),
# so DMZ hosts are directly reachable once a policy permits them.
delete security nat source
# The default 192.168.1.1/24 on vlan.0 is replaced by the DMZ address in #vlan.
delete interfaces vlan unit 0 family inet address 192.168.1.1/24
Добавим разное
#raznoe
# Host identity, clock and management access.
set system host-name rejik
set system time-zone GMT+7
# NTP from a public pool (unauthenticated). The clock feeds every log
# timestamp, so a provider or local time source is preferable where log
# integrity matters.
set system ntp server ru.pool.ntp.org
# SSH: protocol v2 only, at most 5 concurrent connections. Which interfaces
# accept SSH is decided per zone via host-inbound-traffic; #security removes
# ssh from the untrust interface. Consider `root-login deny` and a dedicated
# non-root admin account in addition.
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh
Добавим vlan для dmz, займем порты 1 - 7
#vlan
# DMZ switch side: ge-0/0/1 .. ge-0/0/7 are grouped into interface-range
# interfaces-trust and placed in vlan-trust (VLAN ID 3). The routed gateway for
# the DMZ is vlan.0 carrying the provider's 81.1.197.195/27. ge-0/0/0 remains
# the untrust uplink (#network_inet).
set interfaces interface-range interfaces-trust member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 81.1.197.195/27
Настроим сеть
#network_inet
# Uplink ge-0/0/0.0 gets ext_ip; the default route points at ext_gw.
set interfaces ge-0/0/0 unit 0 family inet address 82.200.66.186/29
set routing-options static route 0/0 next-hop 82.200.66.185
# Resolvers used by the box itself. Only 80.89.128.5 (ext_dns_1) appears in the
# provider notes above; the origin of 81.1.192.5 is not documented here — confirm.
set system name-server 80.89.128.5
set system name-server 81.1.192.5
Откроем пинг, закроем ssh. Разрешим трафик из trust в trust и из trust в untrust
#security
# The untrust interface answers ICMP echo addressed to the box but no longer
# accepts SSH, so management is not reachable from the Internet side.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
# DMZ -> Internet: any source, any destination, any application. A compromised
# DMZ host can therefore reach anything outbound. Narrowing this to the services
# the DMZ actually needs and adding `then log session-init` would give
# containment and an audit trail.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# DMZ -> DMZ (intra-zone) is likewise fully open; hosts in the DMZ are not
# isolated from each other.
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
Можно использовать для теста, если надо разрешить из untrust в trust
# Deliberately commented out: enabling these four lines permits any Internet
# source to reach any DMZ host on any port, regardless of the per-host
# policies in the last #policy block. If used for a test, remove them again
# before leaving the configuration in place.
#set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
#set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
#set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
#set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
Добавим правила от flood, которые рекомендовал производитель
#flood
# Screen (IDS option) profile bound to the untrust zone only. It drops
# ping-of-death, IP source-route option, teardrop and LAND packets and applies
# SYN-flood thresholds (alarm 1024, attack 200, per-source 1024, per-destination
# 2048, timeout 20). Per the note above these are the vendor-recommended values;
# tune them against real traffic and watch the counters with
# `show security screen statistics zone untrust`.
set security zones security-zone untrust screen untrust-screen
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
Добавим в зону trust IP-адреса из dmz
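#policy
# Trust-zone address book for the DMZ hosts that the untrust->trust policies
# refer to by name. mx_srv is the whole DMZ prefix; every exposed host gets its
# own /32 entry so that a policy naming e.g. 81.1.197.200 matches only that host.
# (Address-sets that merely contain mx_srv would make each policy match the
# entire /27.)
set security zones security-zone trust address-book address mx_srv 81.1.197.192/27
set security zones security-zone trust address-book address 81.1.197.200 81.1.197.200/32
set security zones security-zone trust address-book address 81.1.197.201 81.1.197.201/32
set security zones security-zone trust address-book address 81.1.197.202 81.1.197.202/32
set security zones security-zone trust address-book address 81.1.197.203 81.1.197.203/32
set security zones security-zone trust address-book address 81.1.197.211 81.1.197.211/32
set security zones security-zone trust address-book address 81.1.197.198 81.1.197.198/32
set security zones security-zone trust address-book address 81.1.197.199 81.1.197.199/32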
Добавим в applications наши порты, до которых будет разрешён доступ
#policy
# Custom applications (protocol + destination port) referenced by the
# untrust->trust policies below. Each one is an opening into the DMZ, so the
# purpose of every port belongs in a comment here.
set applications application nodports protocol tcp
set applications application nodports destination-port 8095
# sshports (TCP/27) and sshports_2 (TCP/2727): presumably SSH on non-standard
# ports — confirm. A moved port reduces noise but is not an access control.
set applications application sshports protocol tcp
set applications application sshports destination-port 27
set applications application sshports_2 protocol tcp
set applications application sshports_2 destination-port 2727
# ftpports_1 already covers 50000-51000, so ftpports_2 adds nothing where both
# are referenced (policy_ftp).
set applications application ftpports_1 protocol tcp
set applications application ftpports_1 destination-port 7777,50000-51000
set applications application ftpports_2 protocol tcp
set applications application ftpports_2 destination-port 50000-51000
# GRE plus TCP/1723 looks like PPTP — confirm; if so, keep in mind PPTP's
# well-known authentication weaknesses when deciding to expose it.
set applications application vpn_1 protocol gre
set applications application vpn_2 protocol tcp
set applications application vpn_2 destination-port 1723
# voice_1 opens TCP/23 (the telnet port) towards the voice hosts; confirm the
# gateway really needs this reachable from the Internet.
set applications application voice_1 protocol tcp
set applications application voice_1 destination-port 23
set applications application voice_2 protocol tcp
set applications application voice_2 destination-port 1720
set applications application voice_3 protocol udp
set applications application voice_3 destination-port 23000-23003
set applications application probros protocol tcp
set applications application probros destination-port 6001-6010
set applications application miranda_1 protocol tcp
set applications application miranda_1 destination-port 5393
Дадим доступ из зоны untrust до dmz по нашим портам
#policy
# Internet -> DMZ. Every policy matches any source address; exposure is bounded
# only by destination and application. The destination-address names resolve
# to the trust-zone address book defined in the earlier #policy block; as
# written there they are address-sets containing mx_srv (the whole
# 81.1.197.192/27), so each policy in fact matches every DMZ host rather than
# the single host it is named for — the address book should define /32 host
# entries. None of the policies logs; `then log session-init` (and/or
# session-close) on each would give an audit trail for these exposed services.
#
# Mail server: SMTP, POP3 (cleartext — prefer the TLS variant if the server
# supports it), ping, SSH on 2727 and TCP 6001-6010.
set security policies from-zone untrust to-zone trust policy policy_mailsrv match source-address any
set security policies from-zone untrust to-zone trust policy policy_mailsrv match destination-address 81.1.197.200
set security policies from-zone untrust to-zone trust policy policy_mailsrv match application junos-smtp
set security policies from-zone untrust to-zone trust policy policy_mailsrv match application junos-pop3
set security policies from-zone untrust to-zone trust policy policy_mailsrv match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_mailsrv match application sshports_2
set security policies from-zone untrust to-zone trust policy policy_mailsrv match application probros
set security policies from-zone untrust to-zone trust policy policy_mailsrv then permit
# TCP/8095 and ping.
set security policies from-zone untrust to-zone trust policy policy_nodsrv match source-address any
set security policies from-zone untrust to-zone trust policy policy_nodsrv match destination-address 81.1.197.203
set security policies from-zone untrust to-zone trust policy policy_nodsrv match application nodports
set security policies from-zone untrust to-zone trust policy policy_nodsrv match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_nodsrv then permit
# HTTP, ping and SSH on 27.
set security policies from-zone untrust to-zone trust policy policy_cloud match source-address any
set security policies from-zone untrust to-zone trust policy policy_cloud match destination-address 81.1.197.202
set security policies from-zone untrust to-zone trust policy policy_cloud match application junos-http
set security policies from-zone untrust to-zone trust policy policy_cloud match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_cloud match application sshports
set security policies from-zone untrust to-zone trust policy policy_cloud then permit
# TCP 7777 and 50000-51000 (ftpports_2 is a subset of ftpports_1), SSH on 27,
# ping and TCP/5393.
set security policies from-zone untrust to-zone trust policy policy_ftp match source-address any
set security policies from-zone untrust to-zone trust policy policy_ftp match destination-address 81.1.197.211
set security policies from-zone untrust to-zone trust policy policy_ftp match application ftpports_1
set security policies from-zone untrust to-zone trust policy policy_ftp match application ftpports_2
set security policies from-zone untrust to-zone trust policy policy_ftp match application sshports
set security policies from-zone untrust to-zone trust policy policy_ftp match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_ftp match application miranda_1
set security policies from-zone untrust to-zone trust policy policy_ftp then permit
# GRE, TCP/1723 and ping.
set security policies from-zone untrust to-zone trust policy policy_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_vpn match destination-address 81.1.197.201
set security policies from-zone untrust to-zone trust policy policy_vpn match application vpn_1
set security policies from-zone untrust to-zone trust policy policy_vpn match application vpn_2
set security policies from-zone untrust to-zone trust policy policy_vpn match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_vpn then permit
# Two voice hosts: TCP/23, TCP/1720, UDP 23000-23003 and ping.
set security policies from-zone untrust to-zone trust policy policy_voice match source-address any
set security policies from-zone untrust to-zone trust policy policy_voice match destination-address 81.1.197.198
set security policies from-zone untrust to-zone trust policy policy_voice match destination-address 81.1.197.199
set security policies from-zone untrust to-zone trust policy policy_voice match application voice_1
set security policies from-zone untrust to-zone trust policy policy_voice match application voice_2
set security policies from-zone untrust to-zone trust policy policy_voice match application voice_3
set security policies from-zone untrust to-zone trust policy policy_voice match application junos-ping
set security policies from-zone untrust to-zone trust policy policy_voice then permit