Skip to content

Instantly share code, notes, and snippets.

@akira345

akira345/RTX1200.cfg

Created August 11, 2016 04:59
Show Gist options
  • Save akira345/65371946fb9f4147459f418ac42116b5 to your computer and use it in GitHub Desktop.
Save akira345/65371946fb9f4147459f418ac42116b5 to your computer and use it in GitHub Desktop.
Download ZIP
RTX1200でNAT2つ作る設定サンプルです。
Raw
RTX1200.cfg
# RTX1200 Rev.10.01.65 (Tue Oct 13 12:23:48 2015)
# Memory 128Mbytes, 3LAN, 1BRI
# main: RTX1200 ver=b0 serial=XXXXXXXX MAC-Address=XX:XX:XX:XX:XX:XX MAC-Address=XX:XX:XX:XX:XX:XX MAC-Address=XX:XX:XX:XX:XX:XX
# Reporting Date: Aug 7 17:18:23 2016
# セキュリティクラス 3(シリアルからのみログイン許可)
# Telnet SSHコマンド使用不可
security class 3 on off off
# タイムゾーンはJST
timezone +09:00
# コンソールはASCII
console character ascii
# タイムアウト
login timer 300
# デフォルトゲートウエイアドレス
ip route default gateway xxx.xxx.xxx.xxx
# すべてのNICでステルス機能をONにし、PINGに応答しない
ip stealth all
# 各NICにIPを割り当て
ip lan1 address 192.168.0.1/24
ip lan2 address 192.168.10.1/24
ip lan3 address xxx.xxx.xx.xx/xx # wan
# LAN3にフィルタ定義
ip lan3 secure filter in 10000 10010 10020 10030 10080 10090 10100 10110 10120 10130 10140 10150 19970 19980 19990 19999
ip lan3 secure filter out 20000 20010 20020 20030 20040 20050 20060 20070 20080 20090 20100 20110 20120 20130 30000 dynamic 200 210 220 230 240 250 260 270
# 侵入検知を有効化
ip lan3 intrusion detection in on
ip lan3 intrusion detection in ip on reject=off
ip lan3 intrusion detection in ip-option on reject=off
ip lan3 intrusion detection in fragment on reject=off
ip lan3 intrusion detection in icmp on reject=off
ip lan3 intrusion detection in udp on reject=off
ip lan3 intrusion detection in tcp on reject=off
ip lan3 intrusion detection in default off
ip lan3 intrusion detection out on
ip lan3 intrusion detection out winny on reject=off
ip lan3 intrusion detection out share on reject=off
ip lan3 intrusion detection out default off
# 有効化するNATをセット
ip lan3 nat descriptor 1 2
# IPフィルター
# ip filter フィルタ番号 タイプ 始点IPアドレス[/マスク] [終点IPアドレス[/マスク] [プロトコル [始点ポートリスト [終点ポートリスト]]]]
ip filter 10000 reject 10.0.0.0/8 * * * *
ip filter 10010 reject 172.16.0.0/12 * * * *
ip filter 10020 reject 192.168.0.0/24 * * * *
ip filter 10030 reject 192.168.10.0/24 * * * *
ip filter 10080 reject * * udp,tcp 135 *
ip filter 10090 reject * * udp,tcp * 135
ip filter 10100 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 10110 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 10120 reject * * udp,tcp 445 *
ip filter 10130 reject * * udp,tcp * 445
ip filter 10140 reject * * tcp ident *
ip filter 10150 reject * * tcp * ident
ip filter 19970 pass-log * 192.168.10.0/24 established * *
ip filter 19980 pass-log * 192.168.0.0/24 established * *
ip filter 19990 pass-log xxx.xxx.xxx.xx/xx * * * * # WAN側ネットワークからの通信を許可
ip filter 19999 reject * * * * *
ip filter 20000 reject * 10.0.0.0/8 * * *
ip filter 20010 reject * 172.16.0.0/12 * * *
ip filter 20020 reject * 192.168.0.0/24 * * *
ip filter 20030 reject * 192.168.10.0/24 * * *
ip filter 20040 reject * * udp,tcp 135 *
ip filter 20050 reject * * udp,tcp * 135
ip filter 20060 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 20070 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 20080 reject * * udp,tcp 445 *
ip filter 20090 reject * * udp,tcp * 445
ip filter 20100 reject * * tcp ident *
ip filter 20110 reject * * tcp * ident
ip filter 20120 restrict * * tcpfin * www,21,nntp
ip filter 20130 restrict * * tcprst * www,21,nntp
ip filter 30000 pass * * * * # 中から外は許可
ip filter dynamic 200 * * ftp
ip filter dynamic 210 * * domain
ip filter dynamic 220 * * www
ip filter dynamic 230 * * smtp
ip filter dynamic 240 * * pop3
ip filter dynamic 250 * * submission
ip filter dynamic 260 * * tcp syslog=on
ip filter dynamic 270 * * udp syslog=on
# IPマスカレード
nat descriptor type 1 masquerade
# NATテーブル節約のためNATタイマー有効化
nat descriptor timer 1 tcpfin 10
nat descriptor timer 1 protocol=udp port=domain 30
nat descriptor address outer 1 xxx.xxx.xxx.xx #wan側のIP
# NAT変換対象アドレス
nat descriptor address inner 1 192.168.0.1-192.168.0.254
# NATテーブル節約のため、1ホストで占有できるセッション数に制限をかける
nat descriptor masquerade session limit 1 1 300
nat descriptor type 2 masquerade
# NATテーブル節約のためNATタイマー有効化
nat descriptor timer 2 tcpfin 10
nat descriptor timer 2 protocol=udp port=domain 30
nat descriptor address outer 2 xxx.xxx.xxx.xx #wan側のIP
# NAT変換対象アドレス
nat descriptor address inner 2 192.168.10.1-192.168.10.254
# NATテーブル節約のため、1ホストで占有できるセッション数に制限をかける
nat descriptor masquerade session limit 2 1 300
# syslogは有効化、tftpは無効化
syslog notice on
tftp host none
telnetd service off
# DHCP設定
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.0.100-192.168.0.200/24 gateway 192.168.0.1
dhcp scope 2 192.168.10.100-192.168.10.200/24 gateway 192.168.10.1
# DNS関連設定
dns host lan
dns service recursive
# DNSキャッシュを使用する
dns cache use on
dns cache max entry 256
#dns server 8.8.8.8
# 内部向けドメインは専用のDNSに解決させる
dns server select 1 xxx.xxx.xxx.xx any local 192.168.0.0-192.168.0.255
dns server select 2 xxx.xxx.xxx.xx any local 192.168.10.0-192.168.10.255
dns server select 3 8.8.8.8 any . # それ以外はgoogle DNS
# プライベートアドレスの上位逆引きはしない
dns private address spoof on
# ブラックリストの例
ip host example.com 127.0.0.1
# NTP設定
schedule at 1 */* 01:40 * ntpdate ntp.nicp.jp
# Web設定画面。一通り確認ができたら無効化する
httpd service on
httpd host lan1
# 使わない機能の停止
http revision-up permit off
http upload permit off
operation http revision-up permit off
operation external-memory download permit off
sshd service off
external-memory config filename off
external-memory exec filename off
external-memory boot permit off
usbhost use off
sd use off
statistics cpu on
statistics memory on
statistics traffic on
statistics flow on
statistics route on
statistics nat on
statistics filter on
diagnosis config port max-detect 4000
sntpd service off
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment