# Junos SRX configuration-mode transcript (prompt `root@juniper1#`):
#   1. define destination-NAT pools (internal host 10.1.2.5, ports 5601 and 9200),
#   2. add a DNAT rule that maps public 174.71.214.155 tcp/9200 to pool `es`,
#   3. define a custom application `es` (tcp/9200) and reference it in an
#      untrust->trust security policy.
# Lines starting with `# ` are the author's notes; `set`/`show`/`delete`/`commit`
# are CLI commands, and the line without a prompt is command output.

# Add pools; a pool holds the destination address and port that DNAT translates to.
root@juniper1# set security nat destination pool kibana address 10.1.2.5 port 5601
root@juniper1# set security nat destination pool es description "elasticsearch port" address 10.1.2.5 port 9200
# Show a pool (typing ? at the prompt lists all pools).
# NOTE: the address was entered without a mask; the stored form is /32.
root@juniper1# show security nat destination pool kibana
address 10.1.2.5/32 port 5601;
# Show a DNAT rule set; `ssh` is the rule-set name.
# NOTE(review): the rule-set named `ssh` is reused here for an Elasticsearch rule —
# a rule-set name that reflects its contents (e.g. one per service) reads better.
root@juniper1# show security nat destination rule-set ssh
# Add a rule to a rule set; `es` is the rule name.
# Match: packets to 174.71.214.155 tcp/9200 -> translate to pool `es`.
# NOTE(review): no `match source-address` is shown for this rule, so as written
# any source reaching the public address on tcp/9200 is translated; scoping the
# rule (or the security policy below) to the peers that need access limits the
# exposure of port 9200. Pool `kibana` is defined above but no rule referencing
# it appears on this page.
root@juniper1# set security nat destination rule-set ssh rule es description "elasticsearch" match destination-address 174.71.214.155
root@juniper1# set security nat destination rule-set ssh rule es description "elasticsearch" match protocol tcp destination-port 9200
root@juniper1# set security nat destination rule-set ssh rule es then destination-nat pool es
root@juniper1# commit
# Show all applications (these are the "services" referenced by security policies).
root@juniper1# show applications
# Typing ? lists all application names.
root@juniper1# show applications application ?
# Naming an application shows its protocol/port definition.
root@juniper1# show applications application es
# Create a user-defined application named `es`.
root@juniper1# set applications application es protocol tcp destination-port 9200 description elasticsearch
# Delete a user-defined application.
# NOTE: shown as an independent example — if run in sequence, the policies below
# would reference an application that no longer exists and the commit would fail.
root@juniper1# delete applications application es
# Show the untrust->trust security policies.
root@juniper1# show security policies from-zone untrust to-zone trust
# Add a new application to an existing policy; `ping` is the existing policy, `es` the application.
root@juniper1# set security policies from-zone untrust to-zone trust policy ping match application es
# Or create a new policy.
# NOTE(review): only the `application` match term is shown; the policy's
# source-address / destination-address match terms are presumably configured
# elsewhere — confirm, and prefer specific source addresses over `any` for a
# policy that permits untrust->trust access to tcp/9200.
root@juniper1# set security policies from-zone untrust to-zone trust policy es then permit
root@juniper1# set security policies from-zone untrust to-zone trust policy es match application es
root@juniper1# commit
原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/5308.html