
juniper配置dnat规则并配置安全策略

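# Destination-NAT pools: the internal address/port a matching flow is forwarded to.
# Both pools land on the same host, so 10.1.2.5 is the only thing these rules expose;
# keep the pool list in step with what the security policies actually permit.
root@juniper1# set security nat destination pool kibana address 10.1.2.5 port 5601
root@juniper1# set security nat destination pool es description "elasticsearch port" address 10.1.2.5 port 9200

# Inspect one pool (typing ? after "pool" lists every defined pool).
root@juniper1# show security nat destination pool kibana
address 10.1.2.5/32 port 5601;

# Inspect the DNAT rule-set; "ssh" is the rule-set name.
# NOTE(review): a destination rule-set needs a "from zone" (or interface/routing-instance)
# clause; it is not shown here, so presumably it was set when the rule-set was created.
root@juniper1# show security nat destination rule-set ssh

# Add rule "es" to the rule-set. The match is the public address *and* TCP/9200 only,
# so other ports on 174.71.214.155 are not translated by this rule.
# "description" and "match" are sibling statements; giving each its own set line
# avoids relying on the parser accepting both in one command, and the description
# only needs to be given once.
root@juniper1# set security nat destination rule-set ssh rule es description "elasticsearch"
root@juniper1# set security nat destination rule-set ssh rule es match destination-address 174.71.214.155
root@juniper1# set security nat destination rule-set ssh rule es match protocol tcp destination-port 9200
root@juniper1# set security nat destination rule-set ssh rule es then destination-nat pool es

# DNAT only translates; the flow is still dropped unless an untrust->trust security
# policy permits it (see the policy section). Validate first, then use a confirmed
# commit so a mistake on a remotely managed box rolls back instead of locking you out.
root@juniper1# commit check
root@juniper1# commit confirmed 5
root@juniper1# commit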


# List every application (the "services" that security policies match on),
# including the built-in junos-* definitions.
root@juniper1# show applications 

# Typing ? after "application" lists all application names.
root@juniper1# show applications application ? 

# Show the protocol/port definition of one application by name.
root@juniper1# show applications application es 

# Define a custom application "es": TCP with destination port 9200 only.
# Keep it to the single port the service needs -- a wider port range here
# widens every policy that references "es".
root@juniper1# set applications application es protocol tcp destination-port 9200 description elasticsearch 

# How to delete a custom application. Shown as an example only -- do not run it in
# sequence with the policy commands below: an application still referenced by a
# security policy cannot simply be removed, and the commit fails with an
# undefined-reference error until that policy reference is dropped as well.
root@juniper1# delete applications application es    

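# Show the policies currently applied from untrust to trust. Policies are evaluated
# top-down, first match wins, so note where a new one will land.
root@juniper1# show security policies from-zone untrust to-zone trust

# Option A: add the "es" application to an existing policy (here "ping").
# This widens that policy to every source/destination pair it already matches, so
# only do it when "ping" is already scoped to the same hosts. A service-specific
# policy (option B) is usually the safer choice.
root@juniper1# set security policies from-zone untrust to-zone trust policy ping match application es

# Option B: a dedicated policy. A Junos policy needs all three match terms
# (source-address, destination-address, application); leaving out the first two
# makes the commit fail with a missing-mandatory-statement error.
# Policy lookup runs after destination NAT, so destination-address is the
# translated host 10.1.2.5, not the public 174.71.214.155.
# Restrict source-address to the real client range -- 203.0.113.0/24 below is a
# placeholder. Elasticsearch on 9200 is published to untrust here; unless the
# service itself enforces authentication/TLS, this policy is the only gate.
# NOTE(review): the global address book exists on Junos 11.2+; on older releases
# use the zone-attached address book under "security zones security-zone trust".
root@juniper1# set security address-book global address es-host 10.1.2.5/32
root@juniper1# set security address-book global address es-clients 203.0.113.0/24
root@juniper1# set security policies from-zone untrust to-zone trust policy es description "elasticsearch from untrust"
root@juniper1# set security policies from-zone untrust to-zone trust policy es match source-address es-clients
root@juniper1# set security policies from-zone untrust to-zone trust policy es match destination-address es-host
root@juniper1# set security policies from-zone untrust to-zone trust policy es match application es
root@juniper1# set security policies from-zone untrust to-zone trust policy es then permit
root@juniper1# set security policies from-zone untrust to-zone trust policy es then log session-close

# A new policy is appended at the end of the from/to-zone list; if a catch-all deny
# precedes it, move it up, e.g.:
# root@juniper1# insert security policies from-zone untrust to-zone trust policy es before policy <deny-policy>

# Validate, then commit confirmed so a policy mistake rolls back on its own.
root@juniper1# commit check
root@juniper1# commit confirmed 5
root@juniper1# commit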

原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/5308.html

作者:Venus

