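#!/bin/vbash
# VyOS/Vyatta one-shot provisioning script: hostname, NTP, interfaces, an
# OpenVPN server, SSH, source NAT, DHCP, DNS forwarding, IPv4 firewall
# rulesets, egress QoS and dynamic DNS. It enters configure mode, applies
# every `set`, then commits and saves. Replace every <placeholder> first.
#
# Security summary (details inline):
#  * eth0 (WAN) is default-drop for transit and router-local traffic; only
#    established/related flows, ICMP echo and OpenVPN UDP/1194 get in.
#  * Only IPv4 rulesets (`firewall name`) exist; vtun0 has no ruleset, so
#    VPN clients are trusted exactly like LAN hosts.
#  * OpenVPN compression is left off (compression-oracle attacks); the
#    original enabled comp-lzo -- see the OpenVPN section.
#  * The DuckDNS token and the OpenVPN private key end up in /config, which
#    is what VyOS backups contain; treat those backups as secrets.

# CONFIG
wan=dhcp
lan=192.168.1.1
lan_segment=192.168.1.0
vpn_segment=192.168.5.0
domain=apertoire.org
lease_start=192.168.1.200
lease_stop=192.168.1.245

# Load the Vyatta CLI helpers so `configure`/`set`/`commit`/`save` work
# from a script; must come before any `set`.
source /opt/vyatta/etc/functions/script-template
configure

# Fix for error "INIT: Id "TO" respawning too fast: disabled for 5 minutes"
delete system console device ttyS0

# System Configuration
## Hostname
set system host-name <hostname>
## Timezone
set system time-zone <timezone>

# NTP servers
set system ntp server <zone>.pool.ntp.org
set system ntp server 1.<zone>.pool.ntp.org
set system ntp server 2.pool.ntp.org

# Basic firewall (kernel-level sysctl knobs)
# all-ping enable + TO-ROUTER rule 20 below means the router answers echo
# requests from the WAN as well as the LAN.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
# Reverse-path filtering is OFF here, so packets with a spoofed source are
# only caught by the FROM-EXTERNAL/TO-ROUTER rulesets. With one WAN and
# symmetric routing (which this layout has), `loose` or `strict` is the
# safer setting; left as the author had it in case their routing differs.
set firewall source-validation disable
set firewall syn-cookies enable

# Configure network interfaces
set interfaces ethernet eth0 address $wan
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address $lan/24
set interfaces ethernet eth1 description LAN

# OpenVPN
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet $vpn_segment/24
set interfaces openvpn vtun0 server name-server $lan
set interfaces openvpn vtun0 server domain-name $domain
set interfaces openvpn vtun0 server push-route $lan_segment/24
# Clients authenticate by certificate: anything signed under the chain in
# ca-cert-file is accepted, so keep the CA key offline and revoke lost
# client keys with a CRL (`tls crl-file`) -- there is no other per-client
# control here.
set interfaces openvpn vtun0 tls cert-file /config/auth/<router>.cert.pem
set interfaces openvpn vtun0 tls key-file /config/auth/<router>.key.pem
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca-chain.cert.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
# Compression is deliberately NOT enabled. Compressing plaintext before
# encryption lets an attacker who can inject data into the tunnel recover
# secrets byte by byte (VORACLE), and OpenVPN itself deprecates comp-lzo.
# Client profiles must match: drop `comp-lzo` from them as well.
# Previously: set interfaces openvpn vtun0 openvpn-option 'comp-lzo'
# Further hardening to consider (node names differ between VyOS releases;
# check `set interfaces openvpn vtun0 tls ?` on the box): a tls-auth /
# tls-crypt HMAC key so unauthenticated hosts cannot even begin a TLS
# handshake on UDP/1194, and an explicit encryption/hash pair instead of
# OpenVPN's version-dependent defaults.

# Enable SSH for remote management.
# TO-ROUTER (applied to eth0 below) has no rule for port 22, so SSH is only
# reachable from the LAN and from VPN clients -- but it still accepts
# passwords. See the disable-password-authentication line near the end.
set service ssh port 22

# Configure Source NAT for our "LAN" network.
# Only $lan_segment is masqueraded; $vpn_segment is not, so VPN clients can
# reach the LAN (pushed route above) but are not routed out to the Internet.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address $lan_segment/24
set nat source rule 100 translation address masquerade

# Configure a DHCP Server:
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 default-router $lan
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 dns-server $lan
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 domain-name $domain
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 lease 604800
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 start $lease_start stop $lease_stop
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 static-mapping <some-workstation> ip-address 192.168.1.10
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 static-mapping <some-workstation> mac-address <some-workstation mac address>

# set up system name servers (the router's own resolver)
set system name-server '8.8.4.4'
set system name-server '8.8.8.8'

# And a DNS forwarder for LAN and VPN clients. It listens on eth1 and vtun0
# only -- never on eth0 -- so it cannot be used as an open resolver from
# the WAN. Upstream queries to Google go out in cleartext.
set service dns forwarding cache-size '2048'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '8.8.8.8'
# listen on vtun0 to provide dns resolution to openvpn clients
set service dns forwarding listen-on vtun0

# Static DNS mappings
set system static-host-mapping host-name <some-workstation.local>
set system static-host-mapping host-name <some-workstation.local> alias some-workstation
set system static-host-mapping host-name <some-workstation.local> inet 192.168.1.10

# Firewall rulesets
# From the web (inbound, transit through the router): drop everything that
# is not a reply to a connection opened from inside.
set firewall name FROM-EXTERNAL default-action drop
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable

# Traffic destined to the router itself from the WAN: replies, ping, and
# OpenVPN. Note there is deliberately no SSH rule here.
set firewall name TO-ROUTER default-action drop
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 icmp type-name 'echo-request'
set firewall name TO-ROUTER rule 20 protocol 'icmp'
set firewall name TO-ROUTER rule 20 state new 'enable'
# open firewall for openvpn (UDP/1194 from anywhere; only cert holders get
# past the TLS handshake -- see the tls-auth note in the OpenVPN section)
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 destination port 1194
set firewall name TO-ROUTER rule 30 protocol udp
# set firewall name TO-ROUTER rule 30 log enable

# Traffic within the LAN: fully trusted.
set firewall name LAN-TO-LAN default-action 'accept'

# Apply the firewall rulesets
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
# Caveats:
#  * These are IPv4 rulesets. Nothing here configures IPv6 on eth0, but if
#    the upstream ever provides it, matching `firewall ipv6-name` rulesets
#    would be needed or v6 traffic goes unfiltered.
#  * vtun0 carries no `firewall in`/`local` ruleset, so VPN clients get the
#    same access as LAN hosts, including SSH and DNS on the router.

# # QOS
set traffic-policy shaper EGRESS_QOS bandwidth '20Mbit'
# default download priority
set traffic-policy shaper EGRESS_QOS default bandwidth '70%'
set traffic-policy shaper EGRESS_QOS default burst '2kb'
set traffic-policy shaper EGRESS_QOS default ceiling '100%'
set traffic-policy shaper EGRESS_QOS default priority 3
set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'
# megasuper priority dns and ssh and icmp
set traffic-policy shaper EGRESS_QOS class 10 bandwidth 10%
set traffic-policy shaper EGRESS_QOS class 10 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 10 ceiling 100%
set traffic-policy shaper EGRESS_QOS class 10 priority 5
set traffic-policy shaper EGRESS_QOS class 10 queue-type 'fq-codel'
set traffic-policy shaper EGRESS_QOS class 10 match icmp ip protocol icmp
# set traffic-policy shaper EGRESS_QOS class 10 match ssh ip source port 22
set traffic-policy shaper EGRESS_QOS class 10 match dns ip source port 53
# usenet traffic
set traffic-policy shaper EGRESS_QOS class 20 bandwidth '20%'
set traffic-policy shaper EGRESS_QOS class 20 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 20 ceiling '100%'
set traffic-policy shaper EGRESS_QOS class 20 priority 1
# these rules restrict the policy to a given ip/port destination. change cidr notation as appropriate
# note that 22.22.22.22 is just an example
set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source address 22.22.22.22/32
set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source port 443
set traffic-policy shaper EGRESS_QOS class 20 queue-type 'fq-codel'
# The policy shapes eth1 egress, i.e. traffic flowing towards the LAN.
set interfaces ethernet eth1 traffic-policy out EGRESS_QOS

# Once an SSH public key is installed for the admin user, uncomment this to
# stop password logins (the LAN and VPN can still reach sshd). The original
# gist wrote this line with typographic, non-ASCII hyphens, which VyOS would
# reject if uncommented; it is spelled with plain ASCII hyphens here.
# set service ssh disable-password-authentication

# Dynamic DNS
# DuckDNS authenticates with the token alone, so the login is a placeholder.
# The token is stored in cleartext in config.boot and is visible in
# `show configuration`; anyone with that file can repoint the hostname.
set service dns dynamic interface eth0 service duckdns protocol dyndns2
set service dns dynamic interface eth0 service duckdns server www.duckdns.org
set service dns dynamic interface eth0 service duckdns login dummy
set service dns dynamic interface eth0 service duckdns password <duckdns api code>
set service dns dynamic interface eth0 service duckdns host-name <registered hostname>

commit
save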
This is a sample VyOS router configuration script: IPv4 firewall rulesets, source NAT, DHCP, DNS forwarding, an OpenVPN server, egress QoS and dynamic DNS.
Features
ping <your-workstation>