VyOS configuration
# VyOS configuration of the router under test, one 'set' command per line (entered in configure mode).
# Stateful policy: packets belonging to established or related connections are accepted.
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
# eth0: address redacted on this page (/22); presumably the management/uplink interface — confirm.
set interfaces ethernet eth0 address 'XXX.XXX.XXX.XXX/22'
# Default route via the (partially redacted) upstream gateway.
set protocols static route 0.0.0.0/0 next-hop 147.156.XXX.1
# SSH: only the 'vyos' account may log in. No listen-address is set here, so presumably the
# SSH service answers on every interface address, eth0 included — verify and restrict if that is not intended.
set service ssh access-control allow user 'vyos'
# eth2 and eth3 VLAN 4001: the two benchmark-side interfaces
# (198.18.0.0/15 is the RFC 2544 benchmarking address range).
set interfaces ethernet eth2 address '198.18.0.22/24'
set interfaces ethernet eth3 vif 4001 description 'receiver'
set interfaces ethernet eth3 vif 4001 address '198.19.0.22/24'
# Static ARP entries pin the MAC address of each next-hop used by the routes below,
# presumably so the next-hop MACs do not depend on ARP resolution during the test.
set protocols static arp 198.18.0.110 hwaddr '90:1b:0e:43:c6:3b'
set protocols static arp 198.19.0.110 hwaddr '90:1b:0e:43:c6:3c'
# Route each benchmark /16 towards the pinned-ARP host on its side.
set protocols static route 198.18.0.0/16 next-hop 198.18.0.110
set protocols static route 198.19.0.0/16 next-hop 198.19.0.110
# Enlarged conntrack table — presumably sized for the number of flows in the benchmark; confirm.
set system conntrack hash-size '1000000'
set system conntrack table-size '10000000'
# ethtool -l eth2 Channel parameters for eth2:/eth3 Pre-set maximums: RX: 0 TX: 0 Other: 0 Combined: 24 Current hardware settings: RX: 0 TX: 0 Other: 0 Combined: 24 # ethtool --show-priv-flags eth2 / eth3 Private flags for eth2: rx_cqe_moder : on tx_cqe_moder : off rx_cqe_compress : off rx_striding_rq : off rx_no_csum_complete: off
SMP affinity for i in `cat /proc/interrupts | grep mlx | cut -d ":" -f 1` do cat /proc/irq/$i/smp_affinity done ffffff ffffff ffffff 000001 000002 000004 000008 000010 000020 000040 000080 000100 000200 000400 000800 001000 002000 004000 008000 010000 020000 040000 080000 100000 200000 400000 800000 ffffff ffffff ffffff 000001 000002 000004 000008 000010 000020 000040 000080 000100 000200 000400 000800 001000 002000 004000 008000 010000 020000 040000 080000 100000 200000 400000 800000
RULES
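#!/bin/sh
# Clean all iptables rules: reset every built-in policy to ACCEPT and empty every table, so that
# the nftables ruleset loaded afterwards is the only packet filter on the box.
# After this runs the host has NO iptables filtering at all — for the benchmark router only.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush the built-in chains of every table. The raw table is included so that leftover
# notrack rules cannot skew the conntrack-based measurements (hedge: only matters if any exist).
iptables -t raw -F
iptables -t nat -F
iptables -t mangle -F
iptables -F
# -X only deletes user-defined chains of the table it is given (filter by default), so the
# other tables need their own -X to be fully cleaned.
iptables -t raw -X
iptables -t nat -X
iptables -t mangle -X
iptables -X
# ip6tables is not touched here; if IPv6 traffic is part of the test, repeat the same for it.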
# nftables ruleset: header, the generated body and the tail are concatenated by the rule
# generator on this page and loaded with 'nft -f'.
# 'flush ruleset' removes EVERY table in the kernel, not only lume_filter — including any table
# maintained by another tool (presumably the VyOS firewall itself, if it is nftables-backed on
# this build). Confirm nothing else on the router relies on nftables before loading this.
flush ruleset
table ip lume_filter {
	chain forward {
		# Base chain on the forward hook at priority -10, i.e. ahead of any chain at the default
		# priority 0. Unmatched traffic is dropped; a drop verdict is final for the packet, while
		# an accept only ends processing in this chain.
		type filter hook forward priority -10; policy drop;
		# NOTE(review): this rule only COUNTS established packets — it carries no 'accept' verdict,
		# so established traffic still has to match one of the generated rules below or is dropped.
		# Reply packets (198.19.x -> 198.18.x) match none of the generated rules. Presumably
		# deliberate so that every packet traverses the whole rule list in the benchmark; if not,
		# append 'accept' (and consider 'ct state established,related').
		ct state established counter packets 0 bytes 0
		# HERE comes the XXX rules /tmp/ruleset_body.nft
		# Presumably the tail file: catch-all accept between the two /24 prefixes, last rule before the policy.
		ip saddr 198.18.10.0/24 ip daddr 198.19.10.0/24 counter accept
	}
}
RULE GENERATOR
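#!/bin/sh
# RULE GENERATOR: emit accept rules (250 host pairs x {tcp,udp} x 2 port forms = 1000 rules)
# into the body file, splice it between the header and tail files, and load the result with nft.
#
# The files live under fixed, predictable names in the world-writable /tmp and are then fed to
# 'nft -f' by root. Another local user could pre-create or replace them; on a shared host keep
# these files in a root-owned directory instead (the paths are kept here to match the header file).
BODY=/tmp/ruleset_body.nft
# -f: no error on the first run, when the body file does not exist yet.
rm -f "$BODY"
# Only j=30 is generated (seq 30 30); widen the range here to scale the ruleset.
for j in $(seq 30 30); do
    for i in $(seq 1 250); do
        for proto in tcp udp; do
            # Ports are the digit strings "$j$i" and "$i$j" (string concatenation, not arithmetic),
            # e.g. 301 and 130 for i=1. For i=30 both forms are 3030 and a duplicate rule is emitted.
            printf 'ip saddr 198.18.%s.%s ip daddr 198.19.%s.%s %s dport %s%s accept\n' \
                "$j" "$i" "$j" "$i" "$proto" "$j" "$i" >> "$BODY"
            printf 'ip saddr 198.18.%s.%s ip daddr 198.19.%s.%s %s dport %s%s accept\n' \
                "$j" "$i" "$j" "$i" "$proto" "$i" "$j" >> "$BODY"
        done
    done
done
# header: 'flush ruleset' and the table/chain preamble; tail: closing rule and braces.
# The ruleset is loaded twice, as on the original page; because the header starts with
# 'flush ruleset' the second load replaces the first (presumably to time a reload — confirm).
cat /tmp/ruleset_header.nft "$BODY" /tmp/ruleset_tail.nft > /tmp/ruleset_500.nft \
    && nft -f /tmp/ruleset_500.nft \
    && nft -f /tmp/ruleset_500.nft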