juniper配置dnat规则并配置安全策略

2023-08-24 发表者 Venus

# 添加pool用于dnat时匹配要转发到的目的地址及端口
root@juniper1# set security nat destination pool kibana address 10.1.2.5 port 5601    
root@juniper1# set security nat destination pool es description "elasticsearch port" address 10.1.2.5 port 9200    

# 查看pool（用问号?提示时会显示出来所有的pool）
root@juniper1# show security nat destination pool kibana 
address 10.1.2.5/32 port 5601;

# 查看dnat规则集，ssh为规则集名
root@juniper1# show security nat destination rule-set ssh    

# 添加具体的规则到某个规则集，es为规则名
root@juniper1# set security nat destination rule-set ssh rule es description "elasticsearch" match destination-address 174.71.214.155     
root@juniper1# set security nat destination rule-set ssh rule es description "elasticsearch" match protocol tcp destination-port 9200    
root@juniper1# set security nat destination rule-set ssh rule es then destination-nat pool es    
root@juniper1# commit 


# 查看所有服务，也就是安全策略中的 services
root@juniper1# show applications 

# 通过问号可以显示所有的服务名
root@juniper1# show applications application ? 

# 通过指定服务名，可以查看此服务的协议端口信息
root@juniper1# show applications application es 

# 创建用户自定义应用服务，服务名叫es
root@juniper1# set applications application es protocol tcp destination-port 9200 description elasticsearch 

# 删除一条自定义服务
root@juniper1# delete applications application es    

# 查看安全策略
root@juniper1# show security policies from-zone untrust to-zone trust 

# 安全策略，往一个已有的策略中添加一个新服务，已有的策略名为 ping，服务名为 es
root@juniper1# set security policies from-zone untrust to-zone trust policy ping match application es

# 或者创建一个新策略
root@juniper1# set security policies from-zone untrust to-zone trust policy es then permit 
root@juniper1# set security policies from-zone untrust to-zone trust policy es match application es

root@juniper1# commit

原创文章，转载请注明。本文链接地址: https://www.rootop.org/pages/5308.html

作者：Venus

服务器运维与性能优化

一	二	三	四	五	六	日
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31