Configuration de base VyOS
Brouillon
VyOS est un OS de routeur virtuel à placer dans une VM ou sur une petite machine 1U.
Le lien de téléchargement de VyOS : https://downloads.vyos.io/?dir=rolling/current/amd64
Configuration minimale
conf
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth1 address 192.168.2.1/24
set service dhcp-server shared-network-name dhcpproc authoritative
set service dhcp-server shared-network-name dhcpproc subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name dhcpproc subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name dhcpproc subnet 192.168.2.0/24 range 0 start 192.168.2.10
set service dhcp-server shared-network-name dhcpproc subnet 192.168.2.0/24 range 0 stop 192.168.2.200
set nat source rule 99 description LAN2WAN
set nat source rule 99 outbound-interface eth0
set nat source rule 99 source address 192.168.2.0/24
set nat source rule 99 translation address masquerade
commit
save
Configuration simple
sudo dpkg-reconfigure keyboard-configuration # Tant qu'à faire, autant mettre le clavier en français...
conf
set interfaces ethernet eth0 address '192.168.1.253/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '192.168.2.1/24'
set interfaces ethernet eth1 description 'LAN'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.2.0/24'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN authoritative 'disable'
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router '192.168.2.1'
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server '192.168.2.1'
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 domain-name 'lan-interne'
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease '86400'
# Attention : 192.168.2.255 est l'adresse de broadcast du /24, elle ne devrait pas terminer la plage (préférer .254).
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.128 stop '192.168.2.255'
set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '9.9.9.9'
set service dns forwarding name-server '1.1.1.1'
set service snmp community public authorization 'ro'
set service snmp community public network '192.168.2.0/24'
set service snmp community public network '192.168.1.0/24'
set service snmp contact 'Somebody '
set service snmp listen-address 0.0.0.0 port '161'
set service snmp location 'Some hypervisor'
set service ssh port '22'
set system gateway-address '192.168.1.1'
set system host-name 'routeur-NAT'
set system login user vyos authentication plaintext-password 'un mot de passe, pour changer...'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system time-zone 'Europe/Paris'
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
# On crée une règle pour autoriser les connexions http, https et ssh à arriver depuis le WAN.
# Cette chaîne (« firewall in ») ne concerne que le trafic traversant le routeur : sans règle « nat destination » correspondante (absente ici), rien n'est redirigé vers le LAN.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 destination port '80'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'
set firewall name OUTSIDE-IN rule 21 action 'accept'
set firewall name OUTSIDE-IN rule 21 destination port '443'
set firewall name OUTSIDE-IN rule 21 protocol 'tcp'
set firewall name OUTSIDE-IN rule 21 state new 'enable'
set firewall name OUTSIDE-IN rule 22 action 'accept'
set firewall name OUTSIDE-IN rule 22 destination port '22'
set firewall name OUTSIDE-IN rule 22 protocol 'tcp'
set firewall name OUTSIDE-IN rule 22 state new 'enable'
# On crée une règle pour autoriser les connexions déjà établies ainsi que ping, ntp et ssh à se connecter au routeur.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
# Attention : la règle 40 accepte l'UDP 161 depuis n'importe quelle source WAN alors que snmp écoute sur 0.0.0.0 ; seule la liste « community public network » limite alors l'accès. Restreindre ici l'adresse source (ou faire écouter snmp uniquement sur eth1).
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 destination port '161'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 state new 'enable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
commit
save
Script de sauvegarde de configuration
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
# Le fichier produit contient les secrets de la configuration (hash du mot de passe, community SNMP) : en restreindre les droits d'accès.
run show configuration commands > $HOME/$(date +%Y%m%d)-$(hostname)-vyos.conf.txt