[Vyatta-users] Packets Wrongly forwarding
Hi,

My vyatta architecture is

Now my eth0 is forwarding packets from eth0 to the vlans by masquerading for internet access. Now some of the packets are getting wrongly forwarded to other vlans; for example, look at this log:

Mar 6 23:59:47 localhost kernel: [vLAN20_Inbound 20 accept] IN=eth1.20 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29130 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353
Mar 6 23:59:47 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20 SRC=69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9007 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=36353
Mar 6 23:59:48 localhost kernel: [vLAN30_Inbound 100 drop] IN=eth1.30 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29132 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36609
Mar 6 23:59:53 localhost kernel: [vLAN40_InBound 100 drop] IN=eth1.40 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29138 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36865
Mar 6 23:59:58 localhost kernel: [vLAN20_Inbound 20 accept] IN=eth1.20 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29183 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=37121
Mar 6 23:59:59 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20 SRC=69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9069 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=37121

and again here:

Mar 7 00:00:20 localhost kernel: [vLAN20_Inbound 20 accept] IN=eth1.20 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29318 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=42753
Mar 7 00:00:21 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20 SRC=69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9207 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=42753
Mar 7 00:00:21 localhost kernel: [vLAN30_Inbound 100 drop] IN=eth1.30 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29322 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43009
Mar 7 00:00:27 localhost kernel: [vLAN20_Inbound 20 accept] IN=eth1.20 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29325 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43265
Mar 7 00:00:27 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20 SRC=69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9240 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43265

The packets are arriving at vLAN40 and vLAN30 which indeed should have arrived at vLAN20. So I think there is some sort of forwarding problem from eth0 to the vLANs. Can someone tell me how to debug more into vyatta to find why it is happening, or give me some pointers please?

A new find: when I issued arp -a from the vyatta system bash prompt it gave me this output:

vyatta:~# arp -a
? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.20
? (192.168.20.47) at 00:13:20:22:6A:43 [ether] on eth1.20
? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.30
? (202.xxx.yyy.zzz) at 00:A0:12:17:8F:00 [ether] on eth0
? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.40

where 202.xxx.yyy.zzz is my public IP. Now I went to the vyatta webgui and typed show arp; it gave me this output:

MAC Address         IP Address      State   Interface
-----------------   -------------   -----   ---------
00:13:20:22:6A:43   192.168.20.47   reach   eth1.20
00:A0:12:17:8F:00   202.53.13.73    reach   eth0
00:13:20:26:0B:C3   192.168.40.41   reach   eth1.40

Now again I went back to the vyatta bash prompt to check arp -a and this was the output:

vyatta:~# arp -a
? (192.168.20.47) at 00:13:20:22:6A:43 [ether] on eth1.20
? (202.xxx.yyy.zzz) at 00:A0:12:17:8F:00 [ether] on eth0
? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.40

So it's kind of clear that a routing problem exists, isn't it? And there is no /etc/ethers file.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
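As an added example, not part of the original post, here is a small Python check over the two kinds of output quoted above. It parses the kernel firewall log lines and flags every packet whose source address does not belong to the subnet expected behind its ingress VLAN sub-interface, and it parses the arp -a output to flag a MAC address that the router has learned on more than one VLAN interface. The interface-to-subnet map is an assumption (the post never lists the VLAN subnets; 192.168.20/30/40.0/24 follows the addressing visible in the log and ARP output); the sample lines are the ones from the post, including their run-together spacing.

```python
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: subnet expected behind each VLAN sub-interface. The post does not list
# them; 192.168.20/30/40.0/24 follows the addressing seen in its log and ARP output.
INTERFACE_SUBNETS = {
    "eth1.20": ipaddress.ip_network("192.168.20.0/24"),
    "eth1.30": ipaddress.ip_network("192.168.30.0/24"),
    "eth1.40": ipaddress.ip_network("192.168.40.0/24"),
}

# Netfilter LOG target fields. Lazy quantifiers and optional whitespace let it accept
# the run-together forms in the post ("IN=eth1.30OUT=eth0 SRC= 192.168.20.47").
LOG_RE = re.compile(
    r"\[(?P<rule>[^\]]+)\]\s*IN=\s*(?P<in_if>[\w.]*?)\s*OUT=\s*(?P<out_if>[\w.]*?)"
    r"\s*SRC=\s*(?P<src>[\d.]+)\s*DST=\s*(?P<dst>[\d.]+)"
)

# arp -a line: "? (192.168.20.47) at 00:13:20:22:6A:43 [ether] on eth1.20"
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \[ether\] on (?P<iface>\S+)"
)


def wrong_vlan_sources(log_lines):
    """Return (rule tag, ingress interface, source IP) for each logged packet whose
    source address is not in the subnet configured behind its ingress interface."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        subnet = INTERFACE_SUBNETS.get(m["in_if"])
        if subnet is None:  # eth0 or an unknown interface: nothing to compare against
            continue
        if ipaddress.ip_address(m["src"]) not in subnet:
            findings.append((m["rule"], m["in_if"], m["src"]))
    return findings


def macs_on_multiple_interfaces(arp_lines):
    """Return {mac: sorted interfaces} for every MAC learned on more than one
    interface; a single host should only ever be reachable on one VLAN."""
    seen = defaultdict(set)
    for line in arp_lines:
        m = ARP_RE.search(line)
        if m:
            seen[m["mac"]].add(m["iface"])
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}


# Sample input: the first log block and the first arp -a output quoted in the post.
FIREWALL_LOG = [
    "Mar 6 23:59:47 localhost kernel: [vLAN20_Inbound 20 accept] IN= eth1.20 OUT=eth0 SRC=192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29130 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36353",
    "Mar 6 23:59:47 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20SRC= 69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9007 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=36353",
    "Mar 6 23:59:48 localhost kernel: [vLAN30_Inbound 100 drop] IN=eth1.30OUT=eth0 SRC= 192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29132 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36609",
    "Mar 6 23:59:53 localhost kernel: [vLAN40_InBound 100 drop] IN=eth1.40OUT=eth0 SRC= 192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29138 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36865",
    "Mar 6 23:59:58 localhost kernel: [vLAN20_Inbound 20 accept] IN=eth1.20OUT=eth0 SRC= 192.168.20.47 DST=69.67.52.37 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29183 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=37121",
    "Mar 6 23:59:59 localhost kernel: [OUTBOUND 1 accept] IN=eth0 OUT=eth1.20SRC= 69.67.52.37 DST=192.168.20.47 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9069 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=37121",
]

ARP_TABLE = [
    "? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.20",
    "? (192.168.20.47) at 00:13:20:22:6A:43 [ether] on eth1.20",
    "? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.30",
    "? (202.xxx.yyy.zzz) at 00:A0:12:17:8F:00 [ether] on eth0",
    "? (192.168.40.41) at 00:13:20:26:0B:C3 [ether] on eth1.40",
]

if __name__ == "__main__":
    for rule, iface, src in wrong_vlan_sources(FIREWALL_LOG):
        print(f"{src} seen entering {iface} (rule '{rule}') but is not in {INTERFACE_SUBNETS[iface]}")
    for mac, ifaces in macs_on_multiple_interfaces(ARP_TABLE).items():
        print(f"{mac} learned on several interfaces: {', '.join(ifaces)}")
```

Run against the post's data this reports 192.168.20.47 entering eth1.30 and eth1.40, and 00:13:20:26:0B:C3 learned on eth1.20, eth1.30 and eth1.40. Both are the same symptom: frames from one VLAN's hosts are reaching the router on other VLAN sub-interfaces, which points at the switch-side VLAN membership (VID/PVID on the trunk port) rather than at the router's own forwarding. The drop rules on eth1.30 and eth1.40 are doing the right thing; this check simply surfaces how often they fire and for which source.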
Re: [Vyatta-users] vLAN Switch
Can someone help me with this? I have a switch with vLAN enabled from D-Link, a DES-1226. I have my eth0 as 192.168.10.45, eth1 192.168.1.1, eth1.20 192.168.20.1, eth1.30 192.168.30.1. Now I want to access these 2 vLANs; what settings do I need to make in my switch? Should I assign the gateway of my switch as 192.168.1.1 (eth1), or doesn't it matter? What should the VID and PVID be?
Re: [Vyatta-users] help: how to configure ssh login only one ip
Enable ssh from the command line for the webgui, and then add firewall settings to allow ssh from only the one IP that you desire; all the rest will be blocked automatically.
[Vyatta-users] vLAN Switch
Hey, I have configured vlan in vyatta and bought a vlan-enabled switch, a D-Link DES-1226. I want to know, when configuring the switch, whether I need to give the VID in the switch the same as the vLAN ID that is created in vyatta?
[Vyatta-users] Problem with vyatta installation
Hi, I have just installed vyatta from the livecd using the command install-system and everything went fine; I got the message Done. But now when I remove my livecd and boot from the HDD it doesn't read the partition table. It's a brand new computer with an Intel Dual Core, 1 GB RAM, 80 GB SATA and an Intel motherboard. Can someone tell me what I may be doing wrong, or what the problem is?
Re: [Vyatta-users] Firewall: block internal telnet
Okay, thanks for the replies. People, help with this please: how can I block ssh on the router, i.e. 192.168.10.45, using the firewall? I want to give ssh access to, say, only the IP xxx.xxx.xxx.xxx.

On 30/01/2008, Beau Walker [EMAIL PROTECTED] wrote:
> You'll want to ask the List that. I could only answer your last question because the answer wasn't specific to Vyatta.
>
> Beau Walker - CCNA, Linux+
>
> From: Go Wow [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2008 3:10 PM
> To: Beau Walker
> Subject: Re: [Vyatta-users] Firewall: block internal telnet
>
> Okay, how can I block ssh on the router, i.e. 192.168.10.45, using the firewall? I want to give ssh access to, say, only the IP xxx.xxx.xxx.xxx

--
Those that make the rule don't play the game!!
[Vyatta-users] NAT:Almost Done
Yeah, I can view my inside internal webserver through my router using NAT; what I can't do is view the same webserver from the internal LAN. If I want to view it I have to use its internal IP, and I can't go through the router.

My eth0 192.168.10.45 (acting as WAN)
My eth1 192.168.1.1 (My Internal Network)
My Webserver 192.168.1.244

From any system which is not a part of my vyatta router, if I put in the address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80, which is my webserver; so far so good. But when I type in the address 192.168.10.45:81 from one of my internal LAN systems it throws back the "unable to connect" error. How do I get it fixed?
[Vyatta-users] Firewall: block internal telnet
Hi, I want to configure my firewall so that it blocks the internal systems from telnet'ing each other. My config is:

eth0 192.168.10.45 (acting as WAN)
eth1 192.168.1.1 (Internal LAN)
Re: [Vyatta-users] Firewall: block internal telnet
This is my firewall config; look in rule 2, 192.168.10.2 is my gateway. I added it thinking that my internal LAN users would still have access to the internet, but they aren't having it. Can someone tell me why, or give me some pointers please?

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name Rule-1 {
        rule 1 {
            protocol: tcp
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name ssh
            }
        }
        rule 2 {
            protocol: all
            action: accept
            log: disable
            source {
                address: 192.168.10.2
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-number 81
                port-name http
                port-name https
            }
        }
    }
}

On 30/01/2008, Go Wow [EMAIL PROTECTED] wrote:
> How do I do this? My eth0 is WAN and eth1 is Internal LAN. I want to unblock the Internet for internal users, and also I should have the ssh and webgui interfaces; the rest all should be blocked. How do I do this?

--
Those that make the rule don't play the game!!
Re: [Vyatta-users] Firewall: block internal telnet
And I have added it to eth0 for in and local traffic only.

On 30/01/2008, Go Wow [EMAIL PROTECTED] wrote:
> This is my firewall config; look in rule 2, 192.168.10.2 is my gateway. I added it thinking that my internal LAN users would still have access to the internet, but they aren't having it. Can someone tell me why, or give me some pointers please?
>
> firewall {
>     log-martians: enable
>     send-redirects: disable
>     receive-redirects: disable
>     ip-src-route: disable
>     broadcast-ping: disable
>     syn-cookies: enable
>     name Rule-1 {
>         rule 1 {
>             protocol: tcp
>             action: accept
>             log: disable
>             source {
>                 network: 0.0.0.0/0
>             }
>             destination {
>                 port-name ssh
>             }
>         }
>         rule 2 {
>             protocol: all
>             action: accept
>             log: disable
>             source {
>                 address: 192.168.10.2
>             }
>         }
>         rule 3 {
>             protocol: tcp
>             action: accept
>             log: disable
>             source {
>                 network: 0.0.0.0/0
>             }
>             destination {
>                 port-number 81
>                 port-name http
>                 port-name https
>             }
>         }
>     }
> }
>
> On 30/01/2008, Go Wow [EMAIL PROTECTED] wrote:
> > How do I do this? My eth0 is WAN and eth1 is Internal LAN. I want to unblock the Internet for internal users, and also I should have the ssh and webgui interfaces; the rest all should be blocked. How do I do this?
>
> --
> Those that make the rule don't play the game!!

--
Those that make the rule don't play the game!!
[Vyatta-users] Squid Vyatta
I was searching the internet and found this script which can be used to get a complete URL log using squid.

http://www.benking.me.uk/2007/10/24/vyatta-forwarding-traffic-to-squid/

#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#

IPTABLES=/sbin/iptables
IP=/sbin/ip
SQUID="10.1.1.1"   # Internal address of our squid box

# Webcache jump to cache
echo "Setting up jump to webcache"

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don't mark webcache traffic
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID

# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8   # Don't cache internal

# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4   # IP address of site you want to exclude from going to the cache

# Now mark our traffic; we have a number of subnets on virtual interfaces we want to grab.
# If you aren't using vifs simply use eth1 or whatever you are using.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80

# Send the marked traffic to table 2 (you can actually use whatever table you want;
# I used 2 because we are using eth2 for the subnet squid is on).
$IP rule add fwmark 3 table 2

# Set the default route for table 2; change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0

I just wanted someone to explain this to me a little more. Ben did explain it on his site, but still I would like someone to explain this please.
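As an added example (not Ben King's code and not Vyatta's), here is a Python model of the mangle PREROUTING chain the script above builds, evaluated over constructed packets. It shows what the rule order buys you: ACCEPT is a terminating target, so squid's own fetches, destinations inside 10.0.0.0/8 and the excluded site never reach the MARK rules and follow the main routing table; only port 80 arriving on eth3.102 or eth3.103 gets fwmark 3 and is therefore routed by table 2's default route towards the squid box. The packet addresses (10.102.0.5, 198.51.100.10 and so on) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every set field must match, unset fields match anything."""
    target: str                     # "ACCEPT" or "MARK"
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    src: Optional[str] = None       # -s host or network
    dst: Optional[str] = None       # -d host or network
    in_if: Optional[str] = None     # -i interface
    mark: Optional[int] = None      # --set-mark value

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


SQUID = "10.1.1.1"   # value from the script

# The mangle PREROUTING chain exactly as the script appends it, in order.
MANGLE_PREROUTING = [
    Rule("ACCEPT", proto="tcp", dport=80, src=SQUID),           # squid's own fetches: never loop them back
    Rule("ACCEPT", proto="tcp", dport=80, dst="10.0.0.0/8"),    # internal web servers bypass the cache
    Rule("ACCEPT", proto="tcp", dport=80, dst="1.2.3.4"),       # explicitly excluded external site
    Rule("MARK", proto="tcp", dport=80, in_if="eth3.102", mark=3),
    Rule("MARK", proto="tcp", dport=80, in_if="eth3.103", mark=3),
]

# "ip rule add fwmark 3 table 2" plus "ip route add default via $SQUID dev eth2 table 2"
POLICY_ROUTING = {3: f"table 2 (default via {SQUID} dev eth2)"}


def fwmark_for(p: Packet) -> int:
    """Walk the chain the way netfilter does: first-match semantics for terminating
    targets, while MARK sets the mark and lets traversal continue."""
    mark = 0
    for rule in MANGLE_PREROUTING:
        if not rule.matches(p):
            continue
        if rule.target == "ACCEPT":
            return mark        # terminating: chain ends, packet keeps whatever mark it has (none)
        if rule.target == "MARK":
            mark = rule.mark   # non-terminating: later rules are still evaluated
    return mark


def route_for(p: Packet) -> str:
    """Which routing table the policy rule sends this packet to."""
    return POLICY_ROUTING.get(fwmark_for(p), "main table")


if __name__ == "__main__":
    # Constructed sample packets (not from the post).
    samples = [
        Packet("eth3.102", "tcp", "10.102.0.5", "198.51.100.10", 80),   # LAN client, external web: cached
        Packet("eth3.102", "tcp", "10.102.0.5", "198.51.100.10", 443),  # HTTPS: untouched
        Packet("eth3.102", "tcp", "10.102.0.5", "10.50.0.7", 80),       # internal web server: bypass
        Packet("eth3.102", "tcp", "10.102.0.5", "1.2.3.4", 80),         # excluded site: bypass
        Packet("eth2", "tcp", SQUID, "198.51.100.10", 80),              # squid fetching upstream: bypass
        Packet("eth3.200", "tcp", "10.200.0.9", "198.51.100.10", 80),   # VLAN not listed: not marked
    ]
    for pkt in samples:
        print(f"{pkt.in_if:9} {pkt.src:>12} -> {pkt.dst}:{pkt.dport:<4} fwmark={fwmark_for(pkt)} -> {route_for(pkt)}")
```

Two things the model makes visible: the router only changes the next hop of marked packets, so the squid host itself still has to intercept port 80 (the destination address is not rewritten here), and nothing on port 443 is touched, so HTTPS never reaches the cache or its URL log. The first ACCEPT rule is what prevents a loop once squid fetches the page upstream through the same router.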
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Nathan, I can even view it; from inside the LAN you cannot view it. If I remember correctly, someone said that when you try to enter the NAT'ted IP from the inside network the router doesn't know the address where it needs to forward your request. Now look, I'm not a networking guru and not even an iptables guru, so I don't know why it happens, but if you would like to visit it from inside the LAN as well then you need to add a couple more NAT rules, I guess. Someone may help you with the additional rules.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Yeah, I was about to say the same thing as Aubrey said. I had the same issue when I was trying to access the NAT'ted IP from inside the LAN; try to access it from outside, from any IP.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Another way would be to have these kinds of servers (which need to be accessed from the LAN) on another subnet. Looks feasible to me.
[Vyatta-users] help me with firewall
This is my complete configuration. I want to add a firewall such that all the internal LAN should be able to access the internet, as they are having access now without the firewall; I want only ports 80 and 443 to be open to all (yes, it should be accessible from anywhere); and lastly I have a webserver NAT'ted on port 81 of eth0, and I want to access that too. The rest all should be blocked. Can someone please define the rules for this?

protocols {
    rip {
        interface eth0 {
            address 192.168.10.45 {
                metric: 1
                horizon: split-horizon-poison-reverse
                disable: false
                passive: false
                accept-non-rip-requests: true
                accept-default-route: true
                advertise-default-route: true
                route-timeout: 180
                deletion-delay: 120
                triggered-delay: 3
                triggered-jitter: 66
                update-interval: 30
                update-jitter: 16
                request-interval: 30
                interpacket-delay: 50
            }
        }
        interface eth1 {
            address 192.168.1.1 {
                metric: 1
                horizon: split-horizon-poison-reverse
                disable: false
                passive: false
                accept-non-rip-requests: true
                accept-default-route: true
                advertise-default-route: true
                route-timeout: 180
                deletion-delay: 120
                triggered-delay: 3
                triggered-jitter: 66
                update-interval: 30
                update-jitter: 16
                request-interval: 30
                interpacket-delay: 50
            }
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description:
        address 192.168.2.1 {
            prefix-length: 32
            disable: false
        }
    }
    ethernet eth0 {
        disable: false
        discard: false
        description:
        hw-id: 00:1c:c0:0d:0c:85
        duplex: auto
        speed: auto
        address 192.168.10.45 {
            prefix-length: 24
            disable: false
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description:
        hw-id: 00:08:a1:83:b7:1e
        duplex: auto
        speed: auto
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
    }
}
service {
    nat {
        rule 10 {
            type: destination
            inbound-interface: eth0
            protocols: tcp
            source {
                network: 0.0.0.0/0
            }
            destination {
                address: 192.168.10.45
                port-number 81
            }
            inside-address {
                address: 192.168.1.244
                port-number: 80
            }
        }
        rule 1000 {
            type: masquerade
            outbound-interface: eth0
            source {
                network: 192.168.1.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }
    ssh {
        port: 22
        protocol-version: v2
    }
    webgui {
        http-port: 80
        https-port: 443
    }
}
system {
    host-name: vyatta
    domain-name:
    name-server 202.56.250.6
    time-zone: GMT
    ntp-server 69.59.150.135
    gateway-address: 192.168.10.2
    login {
        user root {
            full-name:
            authentication {
                encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh.
            }
        }
        user vyatta {
            full-name:
            authentication {
                encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh.
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: main
            url: http://archive.vyatta.com/vyatta;
        }
    }
}
[Vyatta-users] NAT: Website Access
Hi, I have set up a website in my internal LAN, which is 192.168.1.0/24 (192.168.1.1 - 192.168.1.255), and my website is hosted on the system 192.168.1.77 on port 80. My eth0 is 192.168.10.45 and eth1 is 192.168.1.1. I want to access the website whenever I visit 192.168.1.1 on the default port 80, and this is what I have added in the NAT rule:

service {
    nat {
        rule 20 {
            destination {
                address: 192.168.1.1
                port-number {
                    80
                }
            }
            inbound-interface: eth1
            inside-address {
                address: 192.168.1.77
                port-number: 80
            }
            protocols: tcp
            type: destination
        }
    }
}

But I'm not able to access the website. The firewall is turned off on the local machine, and in vyatta I didn't configure the firewall yet, and I can access the website from other machines using the local IP. What changes do I need to make in the NAT rule? It would be kind of you if you provide some pointers.
Re: [Vyatta-users] NAT: Website Access
I forgot to mention, it throws the error "Connection has timed out" in Mozilla; the system is up and running, I can ping 192.168.1.77 from the vyatta router.

On 29/01/2008, Go Wow [EMAIL PROTECTED] wrote:
> Hi, I have set up a website in my internal LAN, which is 192.168.1.0/24 (192.168.1.1 - 192.168.1.255), and my website is hosted on the system 192.168.1.77 on port 80. My eth0 is 192.168.10.45 and eth1 is 192.168.1.1. I want to access the website whenever I visit 192.168.1.1 on the default port 80, and this is what I have added in the NAT rule:
>
> service {
>     nat {
>         rule 20 {
>             destination {
>                 address: 192.168.1.1
>                 port-number {
>                     80
>                 }
>             }
>             inbound-interface: eth1
>             inside-address {
>                 address: 192.168.1.77
>                 port-number: 80
>             }
>             protocols: tcp
>             type: destination
>         }
>     }
> }
>
> But I'm not able to access the website. The firewall is turned off on the local machine, and in vyatta I didn't configure the firewall yet, and I can access the website from other machines using the local IP. What changes do I need to make in the NAT rule? It would be kind of you if you provide some pointers.
>
> --
> Those that make the rule don't play the game!!
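The two destination-NAT threads on this page ("NAT:Almost Done", where 192.168.10.45:81 works from outside but not from the internal LAN, and "NAT: Website Access", where 192.168.1.1:80 on eth1 times out) share one failure mode: the DNATed request reaches the server, but the server's reply is addressed to a client on its own subnet and so is delivered directly without passing back through the router, leaving the client with a reply from a source it never connected to. The Python model below is an added example, not code from the posts or from Vyatta, and it walks a connection through DNAT, the server's routing decision and the router's reverse translation, with and without the extra source-NAT step ("hairpin" or NAT-reflection) that forces the reply back through the router. Router and server addresses are the ones from the posts; the client addresses 192.168.10.200 and 192.168.1.50 and the source port 40000 are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self) -> "Flow":
        """The 4-tuple the other end uses when it answers."""
        return Flow(self.dst, self.dport, self.src, self.sport)


# Addresses from the posts. The client addresses used in the tests are constructed.
ROUTER_WAN = "192.168.10.45"                      # eth0, the published address
ROUTER_LAN = "192.168.1.1"                        # eth1, the LAN clients' default gateway
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLISHED_PORT = 81                               # what clients connect to on the router
WEB_SERVER, WEB_PORT = "192.168.1.244", 80        # inside-address of the NAT rule


def dnat(flow: Flow) -> Flow:
    """nat PREROUTING: rewrite the published address/port to the inside server."""
    if flow.dst == ROUTER_WAN and flow.dport == PUBLISHED_PORT:
        return replace(flow, dst=WEB_SERVER, dport=WEB_PORT)
    return flow


def hairpin_snat(flow: Flow, enabled: bool) -> Flow:
    """nat POSTROUTING (the extra rule): when a LAN client has just been DNATed back
    into its own LAN, also rewrite the source to the router's LAN address so that the
    server's reply has to come back through the router."""
    src_in_lan = ipaddress.ip_address(flow.src) in LAN
    dst_in_lan = ipaddress.ip_address(flow.dst) in LAN
    if enabled and src_in_lan and dst_in_lan:
        return replace(flow, src=ROUTER_LAN)
    return flow


def reply_as_seen_by_client(client_ip: str, hairpin: bool) -> tuple:
    """Return (source IP, source port, destination IP) of the reply that finally
    arrives at the client, after the server's routing decision and any un-NAT."""
    request = Flow(client_ip, 40000, ROUTER_WAN, PUBLISHED_PORT)
    forwarded = hairpin_snat(dnat(request), hairpin)
    reply = forwarded.reversed()          # the server answers whoever it saw as the source

    # Server-side routing: a destination inside its own /24 is reached directly via ARP,
    # bypassing the router; anything else goes to its default gateway, the router.
    if ipaddress.ip_address(reply.dst) in LAN and reply.dst != ROUTER_LAN:
        return (reply.src, reply.sport, reply.dst)   # untranslated, the router never saw it

    # The reply hit the router, whose connection-tracking entry undoes both translations.
    restored = request.reversed()
    return (restored.src, restored.sport, restored.dst)


def connection_succeeds(client_ip: str, hairpin: bool) -> bool:
    """A TCP client only accepts a reply from the exact tuple it connected to."""
    return reply_as_seen_by_client(client_ip, hairpin) == (ROUTER_WAN, PUBLISHED_PORT, client_ip)


if __name__ == "__main__":
    for client, where in (("192.168.10.200", "outside"), ("192.168.1.50", "inside LAN")):
        for hairpin in (False, True):
            seen = reply_as_seen_by_client(client, hairpin)
            print(f"{where:10} hairpin={hairpin!s:5} reply from {seen[0]}:{seen[1]} -> "
                  f"{'OK' if connection_succeeds(client, hairpin) else 'client discards it'}")
```

The inside client's reply without the hairpin rule comes from 192.168.1.244:80, not from 192.168.10.45:81, so its TCP stack discards it and the browser eventually reports a timeout or "unable to connect", exactly the behaviour both posts describe. The same applies to the eth1 rule in the later post, where the published address is 192.168.1.1:80 and the server is 192.168.1.77. The trade-off of the hairpin source-NAT is that the web server then logs every LAN visitor as coming from the router's address; moving such servers to a separate subnet, as one reply on this page suggests, or pointing internal clients at the server directly (split DNS) avoids both the problem and that loss of source information.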