@xdev-asia/xdev-knowledge-mcp 1.0.54 → 1.0.56
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/01-bai-1-gioi-thieu-vyos-va-cai-dat.md +333 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/02-bai-2-cau-hinh-interface-va-ip-co-ban.md +325 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/03-bai-3-nat-source-nat-destination-nat-va-masquerade.md +322 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/04-bai-4-firewall-co-ban-rules-chains-va-groups.md +386 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/05-bai-5-zone-based-firewall.md +451 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/06-bai-6-dhcp-server-dns-forwarding-va-ntp.md +108 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/07-bai-7-vlans-bonding-va-bridge.md +96 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/08-bai-8-static-routing-va-policy-based-routing.md +85 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/09-bai-9-dynamic-routing-ospf.md +81 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/10-bai-10-dynamic-routing-bgp.md +84 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/11-bai-11-vpn-wireguard-va-openvpn.md +87 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/12-bai-12-vpn-ipsec-site-to-site.md +89 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/13-bai-13-high-availability-vrrp-va-conntrack-sync.md +63 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/14-bai-14-wan-load-balancing-qos-va-monitoring.md +64 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/chapters/01-vyos-tu-co-ban-den-nang-cao/lessons/15-bai-15-containers-automation-va-production-best-practices.md +82 -0
- package/content/series/devsecops/vyos-tu-co-ban-den-nang-cao/index.md +410 -0
- package/package.json +1 -1
|
@@ -0,0 +1,386 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: 019d65ef-d36f-773e-bf0a-9e3277a273b3
|
|
3
|
+
title: 'Bài 4: Firewall cơ bản — Rules, Chains và Groups'
|
|
4
|
+
slug: bai-4-firewall-co-ban-rules-chains-va-groups
|
|
5
|
+
description: >-
|
|
6
|
+
Kiến trúc firewall VyOS (nftables), input/output/forward chains, rules
|
|
7
|
+
accept/drop/reject, address/network/port groups, state policy và troubleshooting.
|
|
8
|
+
duration_minutes: 180
|
|
9
|
+
is_free: true
|
|
10
|
+
video_url: null
|
|
11
|
+
sort_order: 4
|
|
12
|
+
section_title: "VyOS từ Cơ bản đến Nâng cao"
|
|
13
|
+
course:
|
|
14
|
+
id: 019d65ef-d36f-773e-bf0a-9e2efc5e19df
|
|
15
|
+
title: VyOS từ Cơ bản đến Nâng cao
|
|
16
|
+
slug: vyos-tu-co-ban-den-nang-cao
|
|
17
|
+
---
|
|
18
|
+
<img src="/storage/uploads/2026/04/vyos-04-firewall.png" alt="Firewall cơ bản — Rules, Chains và Groups" style="display:block;margin:24px auto 32px auto;max-width:700px;width:100%;border-radius:18px;box-shadow:0 4px 32px #0002" loading="lazy" />
|
|
19
|
+
<h2>Kiến trúc Firewall trên VyOS</h2>
|
|
20
|
+
|
|
21
|
+
<p>VyOS sử dụng <strong>nftables</strong> làm backend firewall (thay thế iptables từ phiên bản 1.4+). Tuy nhiên, bạn không cần viết nftables rules trực tiếp — VyOS CLI trừu tượng hóa toàn bộ qua configuration tree.</p>
|
|
22
|
+
|
|
23
|
+
<p>Firewall trên VyOS hoạt động dựa trên 3 loại traffic flow:</p>
|
|
24
|
+
|
|
25
|
+
<pre><code class="language-bash"> ┌─────────────────┐
|
|
26
|
+
Incoming ──────→ │ INPUT chain │ ──→ VyOS Router (local processes)
|
|
27
|
+
Traffic └─────────────────┘
|
|
28
|
+
┌─────────────────┐
|
|
29
|
+
Through ──────→ │ FORWARD chain │ ──→ Out another interface
|
|
30
|
+
Traffic └─────────────────┘
|
|
31
|
+
┌─────────────────┐
|
|
32
|
+
From VyOS ─────→ │ OUTPUT chain │ ──→ Outgoing Traffic
|
|
33
|
+
Router └─────────────────┘</code></pre>
|
|
34
|
+
|
|
35
|
+
<ul>
|
|
36
|
+
<li><strong>input</strong>: Traffic đến chính VyOS router (SSH, DNS queries đến router, etc.)</li>
|
|
37
|
+
<li><strong>forward</strong>: Traffic đi qua router từ interface này sang interface khác</li>
|
|
38
|
+
<li><strong>output</strong>: Traffic xuất phát từ chính router (router ping ra ngoài, NTP sync, etc.)</li>
|
|
39
|
+
</ul>
|
|
40
|
+
|
|
41
|
+
<h2>Tạo Firewall Rules cơ bản</h2>
|
|
42
|
+
|
|
43
|
+
<h3>Cấu trúc firewall rule</h3>
|
|
44
|
+
|
|
45
|
+
<p>Trong VyOS 1.4+, firewall được cấu hình theo cấu trúc:</p>
|
|
46
|
+
|
|
47
|
+
<pre><code class="language-bash">set firewall ipv4 <chain> filter rule <number> ...
|
|
48
|
+
|
|
49
|
+
# chain: input, forward, output
|
|
50
|
+
# number: 1-999999 (xử lý từ nhỏ đến lớn)</code></pre>
|
|
51
|
+
|
|
52
|
+
<h3>Default Action</h3>
|
|
53
|
+
|
|
54
|
+
<p>Luôn đặt <strong>default-action</strong> cho mỗi chain. Best practice: <code>drop</code> (deny by default).</p>
|
|
55
|
+
|
|
56
|
+
<pre><code class="language-bash">configure
|
|
57
|
+
|
|
58
|
+
# Default drop cho input — chỉ cho phép traffic được khai báo rõ
|
|
59
|
+
set firewall ipv4 input filter default-action 'drop'
|
|
60
|
+
|
|
61
|
+
# Default drop cho forward
|
|
62
|
+
set firewall ipv4 forward filter default-action 'drop'
|
|
63
|
+
|
|
64
|
+
# Output thường để accept (router cần giao tiếp với bên ngoài)
|
|
65
|
+
set firewall ipv4 output filter default-action 'accept'</code></pre>
|
|
66
|
+
|
|
67
|
+
<h3>Rule Actions</h3>
|
|
68
|
+
|
|
69
|
+
<ul>
|
|
70
|
+
<li><code>accept</code>: Cho phép packet đi qua</li>
|
|
71
|
+
<li><code>drop</code>: Loại bỏ packet không thông báo (silent drop)</li>
|
|
72
|
+
<li><code>reject</code>: Loại bỏ và gửi ICMP error về nguồn</li>
|
|
73
|
+
<li><code>jump</code>: Nhảy sang chain khác để xử lý</li>
|
|
74
|
+
</ul>
|
|
75
|
+
|
|
76
|
+
<h2>State Policy — Established / Related</h2>
|
|
77
|
+
|
|
78
|
+
<p>Đây là rule <strong>quan trọng nhất</strong> trong mọi firewall configuration. Cho phép return traffic của các kết nối đã được thiết lập:</p>
|
|
79
|
+
|
|
80
|
+
<pre><code class="language-bash">configure
|
|
81
|
+
|
|
82
|
+
# Cho phép established/related traffic (INPUT)
|
|
83
|
+
set firewall ipv4 input filter rule 10 action 'accept'
|
|
84
|
+
set firewall ipv4 input filter rule 10 state 'established'
|
|
85
|
+
set firewall ipv4 input filter rule 10 state 'related'
|
|
86
|
+
set firewall ipv4 input filter rule 10 description 'Allow established/related input'
|
|
87
|
+
|
|
88
|
+
# Drop invalid state
|
|
89
|
+
set firewall ipv4 input filter rule 20 action 'drop'
|
|
90
|
+
set firewall ipv4 input filter rule 20 state 'invalid'
|
|
91
|
+
set firewall ipv4 input filter rule 20 description 'Drop invalid input'
|
|
92
|
+
|
|
93
|
+
# Tương tự cho FORWARD chain
|
|
94
|
+
set firewall ipv4 forward filter rule 10 action 'accept'
|
|
95
|
+
set firewall ipv4 forward filter rule 10 state 'established'
|
|
96
|
+
set firewall ipv4 forward filter rule 10 state 'related'
|
|
97
|
+
set firewall ipv4 forward filter rule 10 description 'Allow established/related forward'
|
|
98
|
+
|
|
99
|
+
set firewall ipv4 forward filter rule 20 action 'drop'
|
|
100
|
+
set firewall ipv4 forward filter rule 20 state 'invalid'
|
|
101
|
+
set firewall ipv4 forward filter rule 20 description 'Drop invalid forward'
|
|
102
|
+
|
|
103
|
+
commit</code></pre>
|
|
104
|
+
|
|
105
|
+
<blockquote>
|
|
106
|
+
<p><strong>Tại sao cần state policy?</strong> Khi default-action là drop, nếu không có rule established/related, response traffic (ví dụ: reply từ web server khi bạn browse) sẽ bị drop. State policy cho phép return traffic mà không cần tạo rule riêng cho mỗi kết nối.</p>
|
|
107
|
+
</blockquote>
|
|
108
|
+
|
|
109
|
+
<h2>Firewall Rules theo Interface</h2>
|
|
110
|
+
|
|
111
|
+
<h3>Cho phép SSH đến router từ LAN</h3>
|
|
112
|
+
|
|
113
|
+
<pre><code class="language-bash"># Cho phép SSH (port 22) vào router chỉ từ LAN
|
|
114
|
+
set firewall ipv4 input filter rule 100 action 'accept'
|
|
115
|
+
set firewall ipv4 input filter rule 100 protocol 'tcp'
|
|
116
|
+
set firewall ipv4 input filter rule 100 destination port '22'
|
|
117
|
+
set firewall ipv4 input filter rule 100 inbound-interface name 'eth1'
|
|
118
|
+
set firewall ipv4 input filter rule 100 description 'Allow SSH from LAN'
|
|
119
|
+
|
|
120
|
+
commit</code></pre>
|
|
121
|
+
|
|
122
|
+
<h3>Cho phép ICMP (ping) đến router</h3>
|
|
123
|
+
|
|
124
|
+
<pre><code class="language-bash">set firewall ipv4 input filter rule 110 action 'accept'
|
|
125
|
+
set firewall ipv4 input filter rule 110 protocol 'icmp'
|
|
126
|
+
set firewall ipv4 input filter rule 110 description 'Allow ICMP to router'
|
|
127
|
+
|
|
128
|
+
commit</code></pre>
|
|
129
|
+
|
|
130
|
+
<h3>Cho phép LAN forward ra Internet</h3>
|
|
131
|
+
|
|
132
|
+
<pre><code class="language-bash"># LAN (eth1) → WAN (eth0): cho phép tất cả
|
|
133
|
+
set firewall ipv4 forward filter rule 100 action 'accept'
|
|
134
|
+
set firewall ipv4 forward filter rule 100 inbound-interface name 'eth1'
|
|
135
|
+
set firewall ipv4 forward filter rule 100 outbound-interface name 'eth0'
|
|
136
|
+
set firewall ipv4 forward filter rule 100 description 'Allow LAN to WAN'
|
|
137
|
+
|
|
138
|
+
commit</code></pre>
|
|
139
|
+
|
|
140
|
+
<h3>Cho phép port forwarding traffic</h3>
|
|
141
|
+
|
|
142
|
+
<pre><code class="language-bash"># WAN → LAN: chỉ cho phép HTTP/HTTPS đến web server
|
|
143
|
+
set firewall ipv4 forward filter rule 200 action 'accept'
|
|
144
|
+
set firewall ipv4 forward filter rule 200 inbound-interface name 'eth0'
|
|
145
|
+
set firewall ipv4 forward filter rule 200 protocol 'tcp'
|
|
146
|
+
set firewall ipv4 forward filter rule 200 destination port '80,443'
|
|
147
|
+
set firewall ipv4 forward filter rule 200 destination address '192.168.100.100'
|
|
148
|
+
set firewall ipv4 forward filter rule 200 description 'Allow HTTP/HTTPS to web server'
|
|
149
|
+
|
|
150
|
+
commit</code></pre>
|
|
151
|
+
|
|
152
|
+
<h2>Firewall Groups</h2>
|
|
153
|
+
|
|
154
|
+
<p>Firewall groups giúp tổ chức và tái sử dụng các tập hợp addresses, networks, ports trong nhiều rules:</p>
|
|
155
|
+
|
|
156
|
+
<h3>Address Group</h3>
|
|
157
|
+
|
|
158
|
+
<pre><code class="language-bash"># Tạo group chứa các IP của admin
|
|
159
|
+
set firewall group address-group ADMIN-IPS address '192.168.100.10'
|
|
160
|
+
set firewall group address-group ADMIN-IPS address '192.168.100.11'
|
|
161
|
+
set firewall group address-group ADMIN-IPS description 'Administrator IPs'
|
|
162
|
+
|
|
163
|
+
# Sử dụng trong rule
|
|
164
|
+
set firewall ipv4 input filter rule 100 source group address-group 'ADMIN-IPS'</code></pre>
|
|
165
|
+
|
|
166
|
+
<h3>Network Group</h3>
|
|
167
|
+
|
|
168
|
+
<pre><code class="language-bash"># Group các mạng nội bộ
|
|
169
|
+
set firewall group network-group INTERNAL-NETS network '192.168.1.0/24'
|
|
170
|
+
set firewall group network-group INTERNAL-NETS network '192.168.2.0/24'
|
|
171
|
+
set firewall group network-group INTERNAL-NETS network '10.0.0.0/8'
|
|
172
|
+
set firewall group network-group INTERNAL-NETS description 'Internal Networks'
|
|
173
|
+
|
|
174
|
+
# Sử dụng trong rule
|
|
175
|
+
set firewall ipv4 forward filter rule 100 source group network-group 'INTERNAL-NETS'</code></pre>
|
|
176
|
+
|
|
177
|
+
<h3>Port Group</h3>
|
|
178
|
+
|
|
179
|
+
<pre><code class="language-bash"># Group các ports web
|
|
180
|
+
set firewall group port-group WEB-PORTS port '80'
|
|
181
|
+
set firewall group port-group WEB-PORTS port '443'
|
|
182
|
+
set firewall group port-group WEB-PORTS port '8080'
|
|
183
|
+
set firewall group port-group WEB-PORTS description 'Web Service Ports'
|
|
184
|
+
|
|
185
|
+
# Sử dụng trong rule
|
|
186
|
+
set firewall ipv4 forward filter rule 200 destination group port-group 'WEB-PORTS'</code></pre>
|
|
187
|
+
|
|
188
|
+
<h2>Logging Firewall</h2>
|
|
189
|
+
|
|
190
|
+
<p>Bật logging để theo dõi traffic bị drop hoặc accept:</p>
|
|
191
|
+
|
|
192
|
+
<pre><code class="language-bash"># Log tất cả traffic bị drop bởi default-action
|
|
193
|
+
set firewall ipv4 input filter default-log
|
|
194
|
+
|
|
195
|
+
# Log cho rule cụ thể
|
|
196
|
+
set firewall ipv4 input filter rule 999 action 'drop'
|
|
197
|
+
set firewall ipv4 input filter rule 999 log
|
|
198
|
+
set firewall ipv4 input filter rule 999 description 'Log and drop all other input'
|
|
199
|
+
|
|
200
|
+
commit
|
|
201
|
+
save</code></pre>
|
|
202
|
+
|
|
203
|
+
<p>Xem logs:</p>
|
|
204
|
+
|
|
205
|
+
<pre><code class="language-bash"># Xem firewall logs real-time
|
|
206
|
+
monitor log | match firewall
|
|
207
|
+
|
|
208
|
+
# Hoặc xem từ syslog
|
|
209
|
+
show log | match firewall</code></pre>
|
|
210
|
+
|
|
211
|
+
<h2>Xem và quản lý Firewall Rules</h2>
|
|
212
|
+
|
|
213
|
+
<pre><code class="language-bash"># Xem tất cả firewall rules
|
|
214
|
+
show firewall
|
|
215
|
+
|
|
216
|
+
# Xem rules cho chain cụ thể
|
|
217
|
+
show firewall ipv4 input filter
|
|
218
|
+
|
|
219
|
+
# Xem firewall statistics (packet/byte counters)
|
|
220
|
+
show firewall ipv4 input filter rule 100
|
|
221
|
+
|
|
222
|
+
# Xem firewall groups
|
|
223
|
+
show firewall group</code></pre>
|
|
224
|
+
|
|
225
|
+
<h2>Troubleshooting Firewall</h2>
|
|
226
|
+
|
|
227
|
+
<h3>Các lỗi thường gặp</h3>
|
|
228
|
+
|
|
229
|
+
<ul>
|
|
230
|
+
<li><strong>Bị lock khỏi SSH</strong>: Quên tạo rule cho phép SSH trước khi set default-action drop</li>
|
|
231
|
+
<li><strong>LAN không ra Internet</strong>: Thiếu forward rule từ LAN sang WAN, hoặc thiếu state established/related</li>
|
|
232
|
+
<li><strong>Port forward không hoạt động</strong>: Có DNAT nhưng thiếu firewall forward rule cho traffic đó</li>
|
|
233
|
+
</ul>
|
|
234
|
+
|
|
235
|
+
<blockquote>
|
|
236
|
+
<p><strong>Mẹo an toàn</strong>: Khi thay đổi firewall rules qua SSH, luôn dùng <code>commit-confirm</code> thay vì <code>commit</code>. Lệnh này sẽ tự rollback sau 10 phút nếu bạn không confirm — tránh bị lock out.</p>
|
|
237
|
+
</blockquote>
|
|
238
|
+
|
|
239
|
+
<pre><code class="language-bash"># Commit với auto-rollback sau 10 phút
|
|
240
|
+
commit-confirm
|
|
241
|
+
|
|
242
|
+
# Nếu mọi thứ OK, confirm để giữ changes
|
|
243
|
+
confirm</code></pre>
|
|
244
|
+
|
|
245
|
+
<h3>Debug checklist</h3>
|
|
246
|
+
|
|
247
|
+
<pre><code class="language-bash"># 1. Kiểm tra interfaces
|
|
248
|
+
show interfaces
|
|
249
|
+
|
|
250
|
+
# 2. Kiểm tra routing table
|
|
251
|
+
show ip route
|
|
252
|
+
|
|
253
|
+
# 3. Kiểm tra NAT
|
|
254
|
+
show nat source rules
|
|
255
|
+
show nat destination rules
|
|
256
|
+
|
|
257
|
+
# 4. Kiểm tra firewall rules
|
|
258
|
+
show firewall ipv4 input filter
|
|
259
|
+
show firewall ipv4 forward filter
|
|
260
|
+
|
|
261
|
+
# 5. Kiểm tra conntrack
|
|
262
|
+
show conntrack table ipv4
|
|
263
|
+
|
|
264
|
+
# 6. Xem logs
|
|
265
|
+
show log | tail 50</code></pre>
|
|
266
|
+
|
|
267
|
+
<h2>Lab thực hành: Firewall hoàn chỉnh cho Home Router</h2>
|
|
268
|
+
|
|
269
|
+
<p>Tiếp tục từ lab NAT bài trước, thêm firewall rules:</p>
|
|
270
|
+
|
|
271
|
+
<pre><code class="language-bash">Internet
|
|
272
|
+
|
|
|
273
|
+
[eth0: DHCP] VyOS Router [eth1: 192.168.100.1/24]
|
|
274
|
+
| |
|
|
275
|
+
| +-----------+-----------+
|
|
276
|
+
| | |
|
|
277
|
+
| PC Client Web Server
|
|
278
|
+
| 192.168.100.10 192.168.100.100</code></pre>
|
|
279
|
+
|
|
280
|
+
<h3>Bước 1: Firewall groups</h3>
|
|
281
|
+
|
|
282
|
+
<pre><code class="language-bash">configure
|
|
283
|
+
|
|
284
|
+
# Tạo groups
|
|
285
|
+
set firewall group address-group WEB-SERVER address '192.168.100.100'
|
|
286
|
+
set firewall group port-group WEB-PORTS port '80'
|
|
287
|
+
set firewall group port-group WEB-PORTS port '443'
|
|
288
|
+
|
|
289
|
+
commit</code></pre>
|
|
290
|
+
|
|
291
|
+
<h3>Bước 2: Input chain (traffic đến router)</h3>
|
|
292
|
+
|
|
293
|
+
<pre><code class="language-bash"># Default drop
|
|
294
|
+
set firewall ipv4 input filter default-action 'drop'
|
|
295
|
+
|
|
296
|
+
# State policy
|
|
297
|
+
set firewall ipv4 input filter rule 10 action 'accept'
|
|
298
|
+
set firewall ipv4 input filter rule 10 state 'established'
|
|
299
|
+
set firewall ipv4 input filter rule 10 state 'related'
|
|
300
|
+
|
|
301
|
+
set firewall ipv4 input filter rule 20 action 'drop'
|
|
302
|
+
set firewall ipv4 input filter rule 20 state 'invalid'
|
|
303
|
+
|
|
304
|
+
# Allow ICMP
|
|
305
|
+
set firewall ipv4 input filter rule 30 action 'accept'
|
|
306
|
+
set firewall ipv4 input filter rule 30 protocol 'icmp'
|
|
307
|
+
|
|
308
|
+
# Allow SSH from LAN only
|
|
309
|
+
set firewall ipv4 input filter rule 100 action 'accept'
|
|
310
|
+
set firewall ipv4 input filter rule 100 protocol 'tcp'
|
|
311
|
+
set firewall ipv4 input filter rule 100 destination port '22'
|
|
312
|
+
set firewall ipv4 input filter rule 100 inbound-interface name 'eth1'
|
|
313
|
+
|
|
314
|
+
# Allow DHCP (nếu VyOS làm DHCP server)
|
|
315
|
+
set firewall ipv4 input filter rule 110 action 'accept'
|
|
316
|
+
set firewall ipv4 input filter rule 110 protocol 'udp'
|
|
317
|
+
set firewall ipv4 input filter rule 110 destination port '67,68'
|
|
318
|
+
set firewall ipv4 input filter rule 110 inbound-interface name 'eth1'
|
|
319
|
+
|
|
320
|
+
# Allow DNS (nếu VyOS làm DNS forwarder)
|
|
321
|
+
set firewall ipv4 input filter rule 120 action 'accept'
|
|
322
|
+
set firewall ipv4 input filter rule 120 protocol 'tcp_udp'
|
|
323
|
+
set firewall ipv4 input filter rule 120 destination port '53'
|
|
324
|
+
set firewall ipv4 input filter rule 120 inbound-interface name 'eth1'
|
|
325
|
+
|
|
326
|
+
commit</code></pre>
|
|
327
|
+
|
|
328
|
+
<h3>Bước 3: Forward chain</h3>
|
|
329
|
+
|
|
330
|
+
<pre><code class="language-bash"># Default drop
|
|
331
|
+
set firewall ipv4 forward filter default-action 'drop'
|
|
332
|
+
|
|
333
|
+
# State policy
|
|
334
|
+
set firewall ipv4 forward filter rule 10 action 'accept'
|
|
335
|
+
set firewall ipv4 forward filter rule 10 state 'established'
|
|
336
|
+
set firewall ipv4 forward filter rule 10 state 'related'
|
|
337
|
+
|
|
338
|
+
set firewall ipv4 forward filter rule 20 action 'drop'
|
|
339
|
+
set firewall ipv4 forward filter rule 20 state 'invalid'
|
|
340
|
+
|
|
341
|
+
# LAN → WAN: allow all
|
|
342
|
+
set firewall ipv4 forward filter rule 100 action 'accept'
|
|
343
|
+
set firewall ipv4 forward filter rule 100 inbound-interface name 'eth1'
|
|
344
|
+
set firewall ipv4 forward filter rule 100 outbound-interface name 'eth0'
|
|
345
|
+
|
|
346
|
+
# WAN → LAN: only allow web traffic to web server (port forward)
|
|
347
|
+
set firewall ipv4 forward filter rule 200 action 'accept'
|
|
348
|
+
set firewall ipv4 forward filter rule 200 inbound-interface name 'eth0'
|
|
349
|
+
set firewall ipv4 forward filter rule 200 protocol 'tcp'
|
|
350
|
+
set firewall ipv4 forward filter rule 200 destination group address-group 'WEB-SERVER'
|
|
351
|
+
set firewall ipv4 forward filter rule 200 destination group port-group 'WEB-PORTS'
|
|
352
|
+
|
|
353
|
+
commit
|
|
354
|
+
save</code></pre>
|
|
355
|
+
|
|
356
|
+
<h3>Bước 4: Kiểm tra</h3>
|
|
357
|
+
|
|
358
|
+
<pre><code class="language-bash">exit
|
|
359
|
+
|
|
360
|
+
# Xem firewall rules
|
|
361
|
+
show firewall ipv4 input filter
|
|
362
|
+
show firewall ipv4 forward filter
|
|
363
|
+
|
|
364
|
+
# Xem groups
|
|
365
|
+
show firewall group
|
|
366
|
+
|
|
367
|
+
# Test: SSH vào router từ LAN → OK
|
|
368
|
+
# Test: Ping 8.8.8.8 từ LAN client → OK
|
|
369
|
+
# Test: Truy cập web server từ Internet → OK
|
|
370
|
+
# Test: SSH vào router từ WAN → Blocked</code></pre>
|
|
371
|
+
|
|
372
|
+
<h2>Tổng kết</h2>
|
|
373
|
+
|
|
374
|
+
<p>Trong bài này, bạn đã nắm được:</p>
|
|
375
|
+
|
|
376
|
+
<ul>
|
|
377
|
+
<li>Kiến trúc firewall VyOS với nftables backend và 3 chains: input, forward, output</li>
|
|
378
|
+
<li>State policy (established/related) — rule quan trọng nhất</li>
|
|
379
|
+
<li>Tạo firewall rules: action, protocol, port, interface, address matching</li>
|
|
380
|
+
<li>Firewall groups: address-group, network-group, port-group — giúp quản lý dễ dàng</li>
|
|
381
|
+
<li>Logging firewall events để monitoring</li>
|
|
382
|
+
<li>Sử dụng <code>commit-confirm</code> để tránh bị lock out</li>
|
|
383
|
+
<li>Troubleshooting checklist cho firewall</li>
|
|
384
|
+
</ul>
|
|
385
|
+
|
|
386
|
+
<p>Bài tiếp theo sẽ nâng cấp lên <strong>Zone-based Firewall</strong> — phương pháp quản lý firewall chuyên nghiệp hơn cho mạng nhiều zones.</p>
|