Re: [Vyatta-users] firewall help

2008-02-11 Thread John Gong
I also would change rules 20 and 21 such that it's SOURCE port 22, and 
not destination port 22. This would apply if you are trying to permit 
inbound ssh requests from those specific hosts.

John


Robyn Orosz wrote:
 Hi Alain,

 Take a look at this post:

 http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

 It looks like you're running into bug 2502, which has been fixed in our 
 most recent set of updates and will no longer be an issue in the next 
 release.

 The link above has more information on the bug and an easy workaround so 
 you can specify all in rule 10.

 Thank you,

 Robyn

 Alain Kelder wrote:
 Wondering if someone could help me with my firewall rules. At this 
 point, I'm just firewalling local traffic. My objective is to drop 
 everything other than SSH, and even then only allow SSH from a 
 handful of hosts.

 So for eth0 (my WAN interface), I added:

 firewall {
     local {
         name: WAN-to-LOCAL
     }
 }

 And then the following firewall rules:

 firewall {
     log-martians: enable
     send-redirects: disable
     receive-redirects: disable
     ip-src-route: disable
     broadcast-ping: disable
     syn-cookies: enable
     name WAN-to-LOCAL {
         description: Inbound traffic to router
         rule 10 {
             description: Accept established and related
             protocol: tcp
             state {
                 established: enable
                 related: enable
             }
             action: accept
             log: disable
         }
         rule 20 {
             description: Accept SSH
             protocol: tcp
             state {
                 established: enable
                 related: enable
                 new: enable
                 invalid: disable
             }
             action: accept
             log: enable
             source {
                 address: XXX.XXX.XXX.XXX
             }
             destination {
                 port-number 22
             }
         }
         rule 21 {
             description: Accept SSH
             protocol: tcp
             state {
                 established: enable
                 related: enable
                 new: enable
                 invalid: disable
             }
             action: accept
             log: enable
             source {
                 network: XXX.XXX.XXX.XXX/28
             }
             destination {
                 port-number 22
             }
         }
     }
 }

 I'm pretty sure something isn't right with my rule 10 (established and 
 related). For one thing, Vyatta complains if I set protocol to all. 
 Says only tcp is allowed when packet state is defined. So what should 
 I do about UDP? I do need to allow related and established, right?

 I don't need to limit outgoing traffic, but is it a good idea to have 
 rules for inbound traffic if I'm doing NAT?

 ___
 Vyatta-users mailing list
 Vyatta-users@mailman.vyatta.com
 http://mailman.vyatta.com/mailman/listinfo/vyatta-users

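An added example, not code from the thread, that evaluates the WAN-to-LOCAL rule set Alain quoted over constructed packets, to show what falls through when rule 10 matches only tcp versus the "protocol: all" workaround Robyn points to. RFC 5737 documentation addresses stand in for the masked XXX values; the conntrack states are assumed to be the four Vyatta exposes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the WAN-to-LOCAL rule set quoted in the thread.
# Documentation-range addresses stand in for the masked XXX values.
ALL = {"tcp", "udp", "icmp"}          # what "protocol: all" would cover
RULES = [
    {"id": 10, "proto": {"tcp"}, "states": {"established", "related"}},
    {"id": 20, "proto": {"tcp"}, "states": {"established", "related", "new"},
     "src": ip_network("203.0.113.10/32"), "dport": 22},
    {"id": 21, "proto": {"tcp"}, "states": {"established", "related", "new"},
     "src": ip_network("198.51.100.0/28"), "dport": 22},
]
# Robyn's workaround: rule 10 written with "protocol: all" instead of tcp.
RULES_ALL = [dict(RULES[0], proto=ALL)] + RULES[1:]

@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    state: str   # conntrack state: new, established, related or invalid

def matches(rule, pkt):
    """Every field present on the rule must match; absent fields match anything."""
    if pkt.proto not in rule["proto"] or pkt.state not in rule["states"]:
        return False
    if "src" in rule and ip_address(pkt.src) not in rule["src"]:
        return False
    return rule.get("dport", pkt.dport) == pkt.dport

def evaluate(pkt, rules=RULES):
    """First matching rule accepts; anything unmatched hits the implicit drop."""
    for rule in rules:
        if matches(rule, pkt):
            return "accept", rule["id"]
    return "drop", None

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.5", 22, "new"),           # inside the /28: rule 21
        Packet("tcp", "198.51.100.20", 22, "new"),          # outside the /28: dropped
        Packet("tcp", "203.0.113.10", 22, "invalid"),       # invalid is never accepted
        Packet("udp", "192.0.2.53", 33000, "established"),  # DNS reply to the router
    ]
    for p in samples:
        print(p, "tcp-only:", evaluate(p), "all:", evaluate(p, RULES_ALL))
```

The last sample is the UDP case Alain asks about: with rule 10 limited to tcp, the router's own DNS and NTP replies are dropped, which the "all" form of rule 10 fixes without opening any new inbound service.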


Re: [Vyatta-users] (no subject)

2008-01-31 Thread John Gong
Greg,

From your description, the router appears to be performing its job 
properly. You shouldn't need to perform any additional configuration 
changes.

I suggest focusing on the host's configuration. What does route -an 
appear like? Also, arp -a should yield a MAC address for 10.3.231.1 that 
matches the router's MAC address.

Cheers,

John

Greg Richardson wrote:

 Hello,

 I’ve been using vyatta successfully for about a year on several 
 machines (all having basically the same configuration). Here’s a 
 simplified diagram:

                   [vyatta router]
                    |          |
                  (eth0)     (eth1)---[switch]---[10.11.0.0/255.255.0.0 -- workstations]
                    |
                 [switch]---[10.3.1.1 - router]---[INTERNET]
                    |
         [10.3.0.0/255.255.0.0 -- workstations]

 eth0: 10.3.231.1/255.255.0.0
 eth1: 10.11.230.1/255.255.0.0
 default gateway: 10.3.1.1

 Traffic originating from workstations connected to the switch serving 
 eth1 can connect to the internet as well as other devices existing on 
 other subnets. For example workstation with IP 10.11.230.10 can ping, 
 telnet, etc. to a server with IP 10.3.1.5.

 However, using the same example, traffic originating from server with 
 IP 10.3.1.5 cannot even ping workstations and devices existing on 
 subnet 10.11.0.0/255.255.0.0.

 NAT is not turned on with only simple routing running (only static 
 routes, no routing protocols).

 Is there something obvious I’m missing?

 Thanks,

 GregR




Re: [Vyatta-users] NAT:Almost Done

2008-01-29 Thread John Gong
GW,

If you're trying to access the web server from the 192.168.1.x network, 
your client's browser should simply point to http://192.168.1.244.  It 
should not point to the 192.168.10.45:81 location because the traffic 
never reaches the router.

John

Go Wow wrote:
 Yeah, I can view my inside internal webserver through my router using 
 NAT; what I can't do is view the same webserver from the internal LAN. 
 If I want to view it I have to use its internal IP, and I can't go 
 through the router.

 My eth0: 192.168.10.45 (acting as WAN)
 My eth1: 192.168.1.1 (my internal network)
 My webserver: 192.168.1.244

 From any system which is not a part of my vyatta router, if I put in 
 the address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80, 
 which is my webserver, so far so good. But when I type in the address 
 192.168.10.45:81 from one of my internal LAN systems it throws back an 
 "unable to connect" error. How do I get it fixed?



Re: [Vyatta-users] Firewall question.

2008-01-28 Thread John Gong
Nathan,

The keyword is all instead of any.

Cheers,

John


- Original Message -
From: Nathan McBride [EMAIL PROTECTED]
To: Vyatta-users@mailman.vyatta.com
Sent: Monday, January 28, 2008 9:12:41 AM (GMT-0800) America/Los_Angeles
Subject: Re: [Vyatta-users] Firewall question.

Also, when I try any it doesn't work...

[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol any
[EMAIL PROTECTED] set firewall name eth0-in rule 1 protocol ANY
[edit]
[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol ANY

What am I doing wrong?
Nate

On Mon, 2008-01-28 at 08:05 -0800, Justin Fletcher wrote:
 You shouldn't need the out rule; until a firewall is applied,
 everything is accepted.
 However, the simple rule is protocol any action accept.  That should
 do it if you
 want to be thorough :-)
 
 Justin
 
 On Jan 28, 2008 7:28 AM, Nathan McBride [EMAIL PROTECTED] wrote:
  Hey guys,
 
  I just installed Vyatta and have it working. (big step for me)
  But I'm having some trouble.  I first wanted to know if I should
  make the firewall using Vyatta's commands or just iptables?
  I tried iptables and it didn't seem to work. I added a rule to allow ssh
  but ssh couldn't go through.  So then I made one in Vyatta.  Denied
  ping, enabled ssh, then applied it to the wan interface.  Well that
  killed all network traffic so looking through the manual I saw that when
  I applied the IN rule for the interface I guess the out rule
  automatically got a deny everything since I didn't apply a rule to it.
  So, I needed to add a related and established rule to the in for the wan
  interface.  I did (this is from memory):
 
  set firewall name eth0-in rule 1 action accept
  set firewall name eth0-in rule 1 state established enable
  set firewall name eth0-in rule 1 state related enable
 
  Then I was going to commit this but commit gave an error saying that
  protocol needed to be icmp.  Once I had set that it errored saying
  protocol needed to be tcp...  I'm really confused but I need to get a
  firewall up.
 
  Once this is done I was going to make a rule for out on the wan interface
  to allow everything to go out.  Is there a simple rule for this?
 
  Thanks,
  Nate


-- 
John Gong, Systems Engineer
(650) 350-3147
www.vyatta.com
Welcome To the Dawn of Open Source Networking



Re: [Vyatta-users] NAT: Website Access

2008-01-28 Thread John Gong
Nathan,

You're halfway there.  With NAT, you need to build a second rule so that 
the reply packets get NAT'ed as well.  At this time, the web server is 
likely sending replies to your client, but the client doesn't know why 
packets from 192.168.1.77 are hitting it :-).

You'll want to make a NAT rule 30 such that the type is masquerade, 
source is address 192.168.1.77, destination is network 0.0.0.0/0, 
outbound-interface is eth0.

The Configuration Guide at: 
http://www.vyatta.com/documentation/index.php will provide a good 
reference for you.

Best Regards,

John

Go Wow wrote:
 Hi

 I have set up a website in my internal LAN, which is 192.168.1.0/24 
 (192.168.1.1 - 192.168.1.255). My website is hosted on the system 
 192.168.1.77 on port 80. My eth0 is 192.168.10.45 and eth1 is 
 192.168.1.1. I want to access the website whenever I visit 192.168.1.1 
 on the default port 80, and this is what I have added in the NAT rule:

 service {
     nat {
         rule 20 {
             destination {
                 address: 192.168.1.1
                 port-number {
                     80
                 }
             }
             inbound-interface: eth1
             inside-address {
                 address: 192.168.1.77
                 port-number: 80
             }
             protocols: tcp
             type: destination
         }
     }
 }

 But I'm not able to access the website. The firewall is turned off on 
 the local machine, and in vyatta I didn't configure the firewall yet, and I 
 can access the website from other machines using the local IP. What changes 
 do I need to make in the NAT rule? It would be kind of you if you could provide 
 some pointers.

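An added example, not code from either NAT thread, that traces the packet flow behind John's two answers: a LAN client connecting to 192.168.1.1:80 with rule 20's destination NAT alone, and again with the masquerade rule 30 he proposes. The client address 192.168.1.50 is constructed, and the model keeps the client's source port through masquerade, which a real router may also rewrite.

```python
from dataclasses import dataclass, replace

# Constructed topology from the two NAT threads: router eth1, web server, a LAN client.
ROUTER_LAN = "192.168.1.1"
WEB_SERVER = "192.168.1.77"
CLIENT = "192.168.1.50"   # constructed LAN client address

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def reverse(p):
    """The 4-tuple a reply to p carries."""
    return Pkt(p.dst, p.dport, p.src, p.sport)

def dnat(p):
    """Rule 20 from the post: destination NAT 192.168.1.1:80 -> 192.168.1.77:80."""
    return replace(p, dst=WEB_SERVER, dport=80) if (p.dst, p.dport) == (ROUTER_LAN, 80) else p

def masquerade(p, enabled):
    """Rule 30 John proposes: hide the LAN client behind the router's own address."""
    return replace(p, src=ROUTER_LAN) if enabled and p.dst == WEB_SERVER else p

def simulate(hairpin_masquerade):
    """Return True if the client's TCP stack can match the server's reply to its request."""
    conntrack = {}
    req = Pkt(CLIENT, 40000, ROUTER_LAN, 80)
    fwd = masquerade(dnat(req), hairpin_masquerade)
    conntrack[reverse(fwd)] = req          # what the router must undo on the way back
    reply = reverse(fwd)                    # the server answers whatever source it saw
    if reply.dst == ROUTER_LAN:             # only then does the reply pass the router
        reply = reverse(conntrack[reply])   # restore the client's original src/dst
    # Without masquerade the reply goes straight to the client on the same LAN,
    # arriving from 192.168.1.77 instead of the 192.168.1.1 the client connected to,
    # so the client's connection table has no entry for it.
    return reply == reverse(req)

if __name__ == "__main__":
    print("DNAT only:", simulate(False))          # False
    print("DNAT + masquerade:", simulate(True))   # True
```

The cost of the masquerade fix is visible in the model: the web server now sees every hairpinned connection as coming from 192.168.1.1, so its access logs no longer identify LAN clients, which is why John's other answer (point LAN clients at 192.168.1.244 directly) is the simpler option when no hairpin is actually needed.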


Re: [Vyatta-users] Possible to use Vyatta in Virtualize environment?

2007-08-28 Thread John Gong
Daren,

In the case of VMWare ESX, it is the foundation (host) operating system 
as well as the hypervisor. It's installed before any client operating 
systems and applications, such as Vyatta.

In the case of VMWare Server (the free version), a host operating system 
is installed first, such as Linux or MS Windows. The VMWare Server is 
installed as a hypervisor application.  After that, you build the 
virtual machines using the VMWare Server application and load Vyatta or 
other applications above it.

In both instances, Vyatta and other virtual machines sit above the kernel.


Regards,

John Gong, Systems Engineer
Vyatta



Daren Tay wrote:
 Hi guys,

 Pardon me for this continuous stew of questions...

 But for a virtualized environment, the idea is to install the virtualizer
 (VMware, XEN) first, then the Linux/Vyatta OS itself?
 It sits below the kernel?

 Or do I need to install a distro first, then the virtualization software, then
 the vyatta (and whatever I want to virtualize)?

 Thanks
 Daren

 -Original Message-
 From: Dave Roberts [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 28 August 2007 02:41
 To: 'Daren Tay'; 'Allan Leinwand'
 Cc: vyatta-users@mailman.vyatta.com
 Subject: RE: [Vyatta-users] Possible to use Vyatta in Virtualize
 environment?


   
 so in a nutshell, I will need application like VMWare to do
 virtualization?
 

 Yes, but I would point out that there are free versions of VMware Server
 which work quite well with Vyatta. See the VMware website for details
 (http://www.vmware.com/products/server/). XenSource also makes XenExpress,
 which is free and supports up to 4 VMs per machine
 (http://www.xensource.com/products/Pages/XenExpress.aspx).

 We use VMware Server here at Vyatta for some of our QA testing. We do
 things like connect virtual adapters from multiple VMs together to form
 virtual topologies to test routing protocols, etc. It works quite well,
 though it can be memory intensive if your routing tables are large.

 -- Dave

