[Vyatta-users] Routing policy based on ports

2008-02-14 Thread Christopher Johnson
For the last few years I've used a FreeBSD box as my house net gateway.  It
has two NICs.  The inside NIC has access to the Class-C house network and a
DSL router (no firewall).  The outside NIC is attached to a cable modem and
uses a static IP from the cable company.

Using the ipfw tool, I've added a rule that says that anything from the
inside net that is destined for port 80 or 443 (http and https) shall be
forwarded to the NAT daemon and from there routed out the cable modem.

This moves most of the household traffic off the DSL and onto the Cable
modem.

I'm attempting to figure out how to do the same thing with Vyatta.

The goal is to have two inside nets.  192.1.1.0/25  with vyatta as the
router at 192.1.1.3 which then forwards firewall approved traffic to
192.1.1.1, the DSL router.  This is for my DMZ machines.

The second inside net would be 192.1.1.128/25 with vyatta as the router at
192.1.1.129.  Here any traffic destined for port 80 or 443 will be
NATted and sent out the cable modem and all other traffic sent to 192.1.1.1,
with firewall approval.

Any suggestions or pointers will be appreciated

Thank you,
Chris Johnson
PS I'm testing VC4 right now but if somebody can show me how VC3 is fine.
Just trying to avoid an upgrade in the near future..
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Routing policy based on ports

2008-02-15 Thread Christopher Johnson
Thanks, this was the path I was going to explore next but decided to ask the
list first to check if I was just missing something in the documentation.

Best,
-Chris

On Fri, Feb 15, 2008 at 2:00 AM, Robert Bays <[EMAIL PROTECTED]> wrote:

> Chris,
>
> If I correctly understand what you are trying to do, you can probably
> accomplish this using a combination of iptables and policy routing.
> Vyatta doesn't support the necessary parameters in the Vyatta CLI yet,
> but you should be able to configure it from the Linux shell.
>
> The basic idea would be to do something like this...
>
> # setup two routing tables each with their own default like so...
> # DSL router
> ip route add default via 192.1.1.1 table 1
> # cable modem
> ip route add default via CABLE-MODEM-IP table 2
> # Then route all traffic from your DMZ machines to the DSL router
> ip rule add from 192.1.1.0/25 table 1
> # Setup iptables rules to mark web traffic from your other interface
> iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 443 -j MARK --set-mark 2
> # route that marked web traffic out the cable modem
> ip rule add fwmark 2 table 2
> # route other traffic from that subnet out DSL modem
> ip rule add from 192.1.1.128/25 table 1
>
> I haven't verified this exact config, so your mileage may vary.  But
> that's general idea.  You will need to setup any NAT rules separately
> and may need to adjust your ip rules above to match the new source
> addresses depending on where you NAT.  Let us know if you get it to work.
>
> Cheers,
> Robert.
>
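The recipe in Robert's reply, worked through as an added example; this is not code from the thread or from Vyatta. The interface names and the cable-side addresses are assumptions, since the thread does not give them: eth0 faces the DSL router, eth1 faces the cable modem with the static address 203.0.113.10 and next hop 203.0.113.1. Three things matter when typing the rules in by hand. First, `ip rule add` without a priority number places each new rule ahead of the ones added before it, so entering the three rules in the order shown would put the catch-all `from 192.1.1.128/25` rule in front of the fwmark rule and the web traffic would still leave via the DSL; explicit priorities fix that, and the script refuses to apply a set in which the mark rule is not consulted first. Second, the mark is set in mangle PREROUTING, before the routing decision, and the SNAT that Robert says must be added separately happens in nat POSTROUTING, after it, so the rules see the original LAN source address and nothing needs adjusting for NAT. Third, replies to the NATed flows come back on the cable interface addressed to its static IP; strict reverse-path filtering looks up the route back towards the packet's source and drops the packet if that route does not leave via the interface it arrived on, and the `from 203.0.113.10 lookup 2` rule is what makes that lookup land in table 2 and pass.

```sh
#!/bin/sh
# Added example for this thread; not code from the list or from Vyatta.
# Assumed, since the thread does not say: eth0 faces the DSL router, eth1
# faces the cable modem with static address 203.0.113.10, next hop 203.0.113.1.
DSL_GW=192.1.1.1
CABLE_IF=eth1
CABLE_IP=203.0.113.10
CABLE_GW=203.0.113.1
DMZ_NET=192.1.1.0/25
LAN_NET=192.1.1.128/25
WEB_MARK=2

# Emit the commands in apply order. Priorities are explicit: "ip rule add"
# with none given puts each new rule in front of the earlier ones, so the
# catch-all LAN rule entered last would shadow the fwmark rule.
# The "from CABLE_IP" rule is for return traffic: replies to the NATed flows
# arrive on eth1 addressed to CABLE_IP, and strict rp_filter drops them
# unless a route lookup for CABLE_IP also leaves via eth1.
policy_routing_cmds() {
    cat <<EOF
ip route replace default via $DSL_GW table 1
ip route replace default via $CABLE_GW dev $CABLE_IF table 2
ip rule add from $DMZ_NET lookup 1 priority 100
ip rule add from $CABLE_IP lookup 2 priority 150
ip rule add fwmark $WEB_MARK lookup 2 priority 200
ip rule add from $LAN_NET lookup 1 priority 300
iptables -t mangle -A PREROUTING -s $LAN_NET -p tcp -m multiport --dports 80,443 -j MARK --set-mark $WEB_MARK
iptables -t nat -A POSTROUTING -o $CABLE_IF -s $LAN_NET -j SNAT --to-source $CABLE_IP
EOF
}

# Refuse a set in which the fwmark rule would never be consulted, i.e. its
# priority number is not lower than the LAN catch-all's.
check_rule_order() {
    fw=$(policy_routing_cmds | awk '/^ip rule add fwmark/ { print $NF }')
    lan=$(policy_routing_cmds | awk -v net="$LAN_NET" '/^ip rule add from/ && $5 == net { print $NF }')
    if [ -n "$fw" ] && [ -n "$lan" ] && [ "$fw" -lt "$lan" ]; then
        echo ok
    else
        echo bad
    fi
}

# Run the commands one by one (as root), stopping at the first failure.
apply_policy_routing() {
    [ "$(check_rule_order)" = ok ] || { echo "rule order wrong, not applying" >&2; return 1; }
    policy_routing_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Dry run by default; APPLY=1 runs the commands.
if [ "${APPLY:-0}" = 1 ]; then
    apply_policy_routing
else
    policy_routing_cmds
fi
```

Run it without arguments to see the commands, and with `APPLY=1` as root to apply them. Afterwards `ip rule show` should list the four rules in priority order, and the packet counters on `iptables -t mangle -vnL PREROUTING` should move when a host on 192.1.1.128/25 browses.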


Re: [Vyatta-users] Graphing bandwidth: how do you do it?

2008-02-22 Thread Christopher Johnson
I've got zenoss set up to monitor lots of systems in my network.  It
includes network graphing capabilities as well.

You might want to give it a try.  (I've even managed to set up a graphing
function of the amount of toner left in a network printer).

Best,
-Chris

On Wed, Feb 20, 2008 at 6:07 PM, Alain Kelder <[EMAIL PROTECTED]> wrote:

> Hi Aaron,
>
> In addition to snmp, there are some linux tools you could use also. I
> like vnstat (http://humdi.net/vnstat/) to monitor at the interface
> level. It's very easy to install/configure and I haven't had any issues
> with it. There's also a very nice PHP front end for it should you like
> to be able to view the stats via a web browser
> (http://www.sqweek.com/sqweek/index.php?p=1).
>
> If you want to know which IPs on your network are hogging up the
> bandwidth, take a look at nacctd
> (http://www.penguin-soft.com/penguin/man/8/nacctd.html). Its variant
> netacct-mysql is the one I use as it writes stats to a mysql db which
> you can query to your heart's content or even write up some php to
> display the info on a web page for you.
>
> Best Regards, -Alain.
>
> [EMAIL PROTECTED] wrote:
> > All,
> >
> > I have been trying to get a bandwidth monitoring / graphing utility to
> > work now and have hit a hard road. I have tried to install the 'real'
> > webmin because they have a nice easy way to show traffic in / out, but to
> > no avail. I have started the snmp way via MRTG, but it will take me a
> > while to set up and configure. Can anyone recommend the easiest way to
> > watch the traffic on my vyatta box interface(s)?
> >
> > I'm sure I'll eventually get MRTG to work -- but maybe there is a cleaner
> > way?
> >
> > Thanks in advance,
> >
> > Aaron
> >
> > p.s. Out of curiosity, has anyone gotten 'Webmin' (the official package)
> > to install on a vyatta machine? I resolved various dependencies, but still
> > cannot connect to it.


[Vyatta-users] Adding Firewall rules remotely

2008-02-22 Thread Christopher Johnson
I have my systems set up to monitor authentication failures.  I want one
system to be able to automatically add a firewall rule to deny a particular
IP address.  In the best of all worlds, that firewall rule would then expire
at some time in the future.

I.e. "Failed password for root from 35.8.1.1 port 38876 ssh2" is the logged
message.  (And no, nobody from MSU tried this,  just one of my test IPs from
a very long time ago).

What I'd like to do is an SSH to the OFR which would then add a firewall
rule that would expire in two weeks.

ssh vyatta.example.com /usr/local/bin/blockip 35.8.1.1 14

Any suggestions on what "blockip" might look like would be very nice.

Thanks,
-Chris


Re: [Vyatta-users] Adding Firewall rules remotely

2008-02-22 Thread Christopher Johnson
Wow, lots of good responses in a hurry.

Thank you.

First, I have many systems and when somebody attacks, I want to close the
network off to that IP, not just a single machine.  That implies that I
cannot use iptables directly.  Though I did give thought to adding that type of
rule to all systems.  It turns out that is not a good choice because some of
my systems are not Linux.

Using Zenoss command, I have no problem parsing the actual syslog message
and converting that to a source IP address.

So, I'm now in the position that a script is running under vbash on the
OFR.  I guess what I was looking for was more in line with the CLI commands
within the script to actually effect the firewalling.

I.e.
configure
set firewall 
commit
exit

Under the webgui of VC3 I remember that there was a way to make a list of
addresses to add to a firewall rule, I've not found that under VC4.

Sorry if this is a bit disjointed.

Best,
-Chris


Re: [Vyatta-users] Missing the sysServices.0 OID from the MIB

2008-02-22 Thread Christopher Johnson
I'm not sure that is the correct sysServices value.  I've always used
snmpconf to calculate the sysServices value.

I believe a better value is 76
1 = physical (e.g. repeater)
2 = datalink/subnetwork (e.g. bridges)
3 = internet (e.g., supports IP)
4 = end-to-end (e.g., supports TCP)
7 = applications (e.g., supports SMTP)

This is from /usr/share/snmp/mibs/SNMPv2-MIB.txt

best,
-Chris

On Fri, Feb 22, 2008 at 6:47 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:

> Yes, it's not in the SNMP configuration file, but it's easy to fix.
>
> As root, add to /etc/snmp/snmpd.conf:
>
> sysServices 4
>
> which shows that up to and including the internet layer is supported.
>
> Then run
>
> /opt/vyatta/sbin/snmpd.init restart
>
> These are the commands for Glendale, but it'll either be the same or
> very similar for previous releases.
>
> I'll file a bug on it for you as well.
>
> Justin
>
> On Fri, Feb 22, 2008 at 3:11 PM, Philip McDonald
> <[EMAIL PROTECTED]> wrote:
> > My OSS app is trying to discover a Vyatta NE and is being tripped up by
> > the lack of a sysServices OID (.1.3.6.1.2.1.1.7.0) in the mib.
> > Why does vyatta lack this OID while all other commercial NEs have this
> > included in their system mib?
> >
> > As a work-around I've tried using snmpset to set the sysServices OID but
> > it tells me that the OID doesn't exist and it won't add the OID by default.
> >
> > Should I try snmpconfig?  If so, how would I solve this problem?
> >
> > Thanks,
> > P
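To see what the two proposed values actually say, here is an added example (not code from the thread or from Vyatta) implementing the sysServices definition from the SNMPv2-MIB file Chris refers to: for each layer L from 1 to 7 that the node performs transactions for, 2^(L-1) is added to the sum. Decoding 4 gives layer 3 alone, and decoding 76 gives layers 3, 4 and 7. The third function writes the directive into an snmpd.conf without leaving a second copy behind when it is run again; the file path is whatever you pass in, /etc/snmp/snmpd.conf on the box in the thread. The last one asks the running agent, for checking after the restart Justin describes.

```sh
#!/bin/sh
# Added example, not code from the thread or from Vyatta. Implements the
# sysServices definition in SNMPv2-MIB: for each layer L (1..7) that the
# node performs transactions for, add 2^(L-1).

# Layers -> value, e.g. "sys_services 3 4 7" prints 76.
sys_services() {
    v=0
    for l in "$@"; do
        case $l in [1-7]) ;; *) echo "sys_services: bad layer '$l'" >&2; return 2 ;; esac
        v=$(( v | (1 << (l - 1)) ))
    done
    echo "$v"
}

# Value -> layers, e.g. "sys_services_layers 4" prints 3 (layer 3 only).
sys_services_layers() {
    v=$1 out=
    for l in 1 2 3 4 5 6 7; do
        if [ $(( (v >> (l - 1)) & 1 )) -eq 1 ]; then
            out="$out $l"
        fi
    done
    echo "${out# }"
}

# Set sysServices in an snmpd.conf, replacing any existing directive so
# that running this twice does not leave two of them in the file.
snmpd_set_sysservices() {
    conf=$1 value=$2
    [ -f "$conf" ] || : > "$conf"
    tmp=$conf.tmp
    grep -v '^[[:space:]]*sysServices[[:space:]]' "$conf" > "$tmp" || true
    printf 'sysServices %s\n' "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Ask a running agent what it reports (host, read community).
snmpd_get_sysservices() {
    snmpget -v2c -c "$2" "$1" SNMPv2-MIB::sysServices.0
}
```

For example, `snmpd_set_sysservices /etc/snmp/snmpd.conf "$(sys_services 3 4 7)"` followed by the `/opt/vyatta/sbin/snmpd.init restart` from Justin's reply, then `snmpd_get_sysservices 192.1.1.3 public` to confirm the agent now answers for .1.3.6.1.2.1.1.7.0.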


Re: [Vyatta-users] Adding Firewall rules remotely

2008-02-23 Thread Christopher Johnson
Well, I don't like following up on my own postings.

What I found was something in "iptables".  The "recent" module.

Used the CLI to generate a new firewall rule set named "crackers."  I added
a single source IP to that table just to have something there.

Then I used "iptables -I crackers -m recent --name badguys --rcheck -j DROP"
to add the extra rule.

Now, to add a bad guy to the list, all I do, as root, is
echo xx.xx.xx.xx >/proc/net/ipt_recent/badguys

and they are blocked.  I've not made all the things work the way I want,
such as having --seconds work so that the table automatically clears after
a certain amount of time.  Still a work in progress though.

Best,
-Chris
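A `blockip` built on the recent match above, as an added example that is not code from the thread or from Vyatta. It assumes the list name badguys and the DROP rule quoted above (`iptables -I crackers -m recent --name badguys --rcheck -j DROP`), the newer proc path /proc/net/xt_recent/badguys (older kernels use /proc/net/ipt_recent/badguys, which takes a bare address rather than `+address` to add), and a state file of the script's own for the expiry deadlines. Two points a practitioner will care about: the address comes in over ssh from the monitoring host, so it is checked to be a dotted quad before it goes anywhere near the proc file or a command line, and the script is meant to be installed as a forced command in authorized_keys so that the monitoring host's key can block addresses and nothing else. Expiry here is a cron run of `blockip expire`, which writes `-address` to the list once the deadline has passed. The built-in alternative is `--rcheck --seconds 1209600` on the DROP rule: with `--rcheck` (unlike `--update`) later hits do not refresh the entry's timestamp, so the match lapses two weeks after the address was added, although the entry itself stays in the list. Also note that the list holds 100 addresses by default (the module's ip_list_tot parameter), after which the oldest entry is silently pushed out, and that a rule inserted by hand into a chain the Vyatta CLI owns may not survive the next firewall commit, so `iptables -nL crackers` after each commit is worth a look.

```sh
#!/bin/sh
# Added example for this thread, not code from the list or from Vyatta.
# Assumed: the recent list is named badguys and is matched by the rule
#   iptables -I crackers -m recent --name badguys --rcheck -j DROP
# its proc file is /proc/net/xt_recent/badguys (older kernels use
# /proc/net/ipt_recent/badguys and take a bare address instead of "+addr"),
# and expiry deadlines live in a state file of this script's own.
RECENT_FILE=${RECENT_FILE:-/proc/net/xt_recent/badguys}
STATE_FILE=${STATE_FILE:-/var/lib/blockip/expiry}

# Accept only a dotted quad. The address arrives over ssh from the
# monitoring host; anything else must not reach the proc file or a command.
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# xt_recent takes "+addr" to add and "-addr" to remove, one per write.
recent_add() { printf '+%s\n' "$1" > "$RECENT_FILE"; }
recent_del() { printf '%s%s\n' - "$1" > "$RECENT_FILE"; }

# blockip <addr> [days]: record the deadline, then put the address on the list.
blockip() {
    addr=$1 days=${2:-14}
    valid_ipv4 "$addr" || { echo "blockip: bad address: $addr" >&2; return 2; }
    case $days in ''|*[!0-9]*) echo "blockip: bad day count: $days" >&2; return 2 ;; esac
    now=${NOW:-$(date +%s)}
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s %s\n' "$addr" $(( now + days * 86400 )) >> "$STATE_FILE"
    recent_add "$addr"
}

# expire: take every entry whose deadline has passed off the list (run from cron).
expire_blocks() {
    now=${NOW:-$(date +%s)}
    [ -f "$STATE_FILE" ] || return 0
    tmp=$STATE_FILE.tmp
    : > "$tmp"
    while read -r addr deadline; do
        if [ "$deadline" -le "$now" ]; then
            recent_del "$addr"
        else
            printf '%s %s\n' "$addr" "$deadline" >> "$tmp"
        fi
    done < "$STATE_FILE"
    mv "$tmp" "$STATE_FILE"
}

# Forced-command entry point. In the router's ~/.ssh/authorized_keys:
#   command="/usr/local/bin/blockip ssh",no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAA... zenoss@monitor
# sshd runs that command whatever the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND, so this key can block addresses
# and do nothing else. Both "block A.B.C.D 14" and the thread's
# "/usr/local/bin/blockip A.B.C.D 14" forms are accepted; the words are only
# split, never evaluated, so "$(...)" or ";" in the request cannot run anything.
ssh_dispatch() {
    set -f
    set -- ${SSH_ORIGINAL_COMMAND:-}
    set +f
    case ${1:-} in */blockip|blockip) shift ;; esac
    case ${1:-} in
        block)  shift ;;
        expire) expire_blocks; return ;;
    esac
    blockip "${1:-}" "${2:-14}"
}

case ${1:-} in
    block)  blockip "${2:-}" "${3:-14}" ;;
    expire) expire_blocks ;;
    ssh)    ssh_dispatch ;;
esac
```

Install it as /usr/local/bin/blockip, add `blockip expire` to root's crontab, and point the monitoring host at `ssh vyatta.example.com block 35.8.1.1 14`. The DROP rule sits in front of the rest of the crackers chain, so an expired or never-added address falls through to the normal rules.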


[Vyatta-users] Booting from Live-CD

2008-02-26 Thread Christopher Johnson
Is there any way, other than floppy disk, to have the OFR get a configuration
file on boot from CDROM?  I'd love for it to be able to read from a USB
thumb drive, load it from a TFTP site (use the standard boot methods to do
so) or in any way to get a configuration file into the system without me
being at the console.

This is glendale VC4, Alpha 1, soon to be Alpha 2.

Best,
-Chris
P.S. I did try load of a URL, and it died.


[Vyatta-users] Glendale Alpha 1 ERROR!!!

2008-02-28 Thread Christopher Johnson
In the course of my normal, hack first, read documentation later, mode of
operation, I managed to hang the netopia DSL router.  Having done this
before I know that the outside access is still good, just the inside network
interface is scrod.

So I reconfigured vyatta (A1) to route traffic to the Netopia via the
outside link
set protocols static route 192.1.1.1/32 next-hop 12.1.1.1
Where 192.1.1.1 is the inside IP of the DSL router (fully routable class C
address)
and 12.1.1.1 is the next hop out the cable modem.

Everything seems to work fine.  Traceroute works correctly.  I'm happy.

Then I try the required magic

telnet 192.1.1.1.
Command not found.

What do you mean "command not found"!!! What operating system does not
include "telnet?"

Either the name changed or a tool is missing.

Please make sure that telnet is included in future releases.

(The hack I had to put into place required me to set up a NAT rule so that I
could telnet from one of the inside machines)

Best,
-Chris (tongue in cheek)


Re: [Vyatta-users] Glendale Alpha 1 ERROR!!!

2008-02-28 Thread Christopher Johnson
You are absolutely correct.  Therefore the bug is:  telnet is not properly
mapped.  *GRIN*

Thanks for your help Stig.

Best,
-Chris


On Thu, Feb 28, 2008 at 11:30 AM, Stig Thormodsrud <[EMAIL PROTECTED]> wrote:

>  I'm pretty sure the vyatta cli in alpha 2 has telnet mapped, but even in
> alpha 1 you can still get to telnet via linux (by using full path) even if
> the vyatta cli hasn't been mapped for it.  Try:
>
>
>
> /bin/busybox telnet 192.1.1.1
>
>
>
> stig
>


Re: [Vyatta-users] Booting from Live-CD

2008-02-29 Thread Christopher Johnson
Thanks for the pointer to /etc/init.d/vyatta-ofr and /etc/default/vyatta.

What I would likely do is have a config file that has the equivalent of a
"#include" which tries a sequence of locations.

/mnt/usb/config/config.boot, /mnt/flash/config/config.boot,
/mnt/floppy/config/config.boot,/opt/vyatta/etc/config/config.boot

By adding a simple "Done" or just having the config files overwrite each
other in reasonable ways, we end up with a live CDROM that can boot on any
machine yet find a configuration file.

I'm actually going to have to look into a diskless version of Vyatta at some
point.

Thanks again for the pointers.

Best, -Chris

On Fri, Feb 29, 2008 at 6:33 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:

> That's actually a harder problem - you can do it by changing where the
> system looks for configuration on boot, install to disk and then modify the
> files to change what's mounted and where the system looks for the
> configuration, or build from scratch and create your own LiveCD with the
> changes in it.
>
> In VC4, look in /etc/init.d/vyatta-ofr, /etc/default/vyatta, and
> /etc/default/vyatta-cfg.
>
> If you make the changes that let the system find the configuration on
> a flash drive, be sure to submit them back to the hackers list (or should
> that be forum??) for inclusion for others as well :-)
>
> Best,
> Justin
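Chris's sequence-of-locations idea as an added example, not code from the thread or from Vyatta. The candidate paths are the ones listed in his reply, the hash-pinning convention is an assumption of the example, and hooking it into /etc/init.d/vyatta-ofr is left to the reader. The security-relevant part is the pin: a live CD that takes its config.boot from whatever USB stick happens to be present hands the router to whoever plugs one in, and config.boot carries password hashes and tunnel secrets, so here a removable-media config is accepted without complaint only when its SHA-256 matches a value supplied from the image (CONFIG_SHA256), and the on-disk copy is the only candidate trusted without a check. With no pin set it still works the way Chris describes, with a warning on stderr.

```sh
#!/bin/sh
# Added example for this thread, not code from the list or from Vyatta.
# Assumed: the candidate locations below (from the reply above), that the
# last one is the on-disk copy, and that a pinned SHA-256 of the removable
# config, if any, is supplied in CONFIG_SHA256 (e.g. from a file baked into
# the live image).
CONFIG_CANDIDATES=${CONFIG_CANDIDATES:-"/mnt/usb/config/config.boot /mnt/flash/config/config.boot /mnt/floppy/config/config.boot /opt/vyatta/etc/config/config.boot"}
FALLBACK_CONFIG=${FALLBACK_CONFIG:-/opt/vyatta/etc/config/config.boot}

# Print the first candidate that exists. Anything not on the local disk is
# accepted silently only when CONFIG_SHA256 is set and matches: a config.boot
# holds password hashes and VPN secrets, and loading one from whatever stick
# is plugged in hands the box to whoever plugged it in.
find_boot_config() {
    for f in $CONFIG_CANDIDATES; do
        [ -f "$f" ] || continue
        if [ "$f" != "$FALLBACK_CONFIG" ]; then
            if [ -z "${CONFIG_SHA256:-}" ]; then
                echo "$f: removable config accepted without a pinned hash" >&2
            else
                sum=$(sha256sum "$f" | cut -d' ' -f1)
                if [ "$sum" != "$CONFIG_SHA256" ]; then
                    echo "skipping $f: sha256 $sum does not match pinned value" >&2
                    continue
                fi
            fi
        fi
        echo "$f"
        return 0
    done
    return 1
}

# Put the chosen file where the Vyatta loader reads it, owner-only, and
# print which one was used so the boot log records it.
install_boot_config() {
    src=$(find_boot_config) || { echo "no config.boot found in: $CONFIG_CANDIDATES" >&2; return 1; }
    if [ "$src" != "$FALLBACK_CONFIG" ]; then
        cp "$src" "$FALLBACK_CONFIG"
    fi
    chmod 600 "$FALLBACK_CONFIG"
    echo "$src"
}

case ${1:-} in
    install) install_boot_config ;;
    find)    find_boot_config ;;
esac
```

Called as `install` from the boot sequence, after the USB and flash mounts and before the config loader. Pinning the hash ties the image to one exact config; if the config changes often, the next step would be a detached signature checked against a public key kept on the image rather than a fixed hash.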