THIS IS A WORK IN PROGRESS and was written for Vyatta VC3.
Vyatta OFR Highlights
The Vyatta Linux-based router provides a flexible, high-performance alternative to Cisco routers. It is free, professional, open-source software.
Vyatta OFR runs on standard x86 hardware and supports many types of interfaces. It has a comprehensive command line interface (CLI) implemented as a Linux shell. The Vyatta OFR also has a comprehensive graphical user interface (GUI) accessed via a web browser.
Support
One of the best things about the Vyatta OFR is professional support. Purchasing support from Vyatta helps you and the Vyatta community.
There is also a mailing list and a wiki for free support. Don't expect professional support on the mailing list, but it is fairly active and Vyatta representatives do participate.
Searching List Archives
The mailing list archives are not searchable; however, on Google you can use the "site:" operator:
Internet Access Application
Fix a Bug First (VC3)
There is a bug when configuring state match rules on protocols other than TCP that complicates building a NAT firewall.
Here is a workaround for the VC3 release. It removes the error check that only allows state rules to be configured together with TCP (the sample configuration below uses state rules with protocol "all", which that check would otherwise refuse):
Log in as root and edit: /opt/vyatta/share/perl5/VyattaIpTablesRule.pm and change the following line from:
if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) {
to:
if (1) {
Sample Internet Access Configuration

The diagram shows our example network. Your application will no doubt be different. Hopefully, you can use this example to save some time in designing your own application. Note that in this subnetted example the Internet access router needs a route to the subnetted network pointing to the Vyatta router.
We'll be implementing the following features:
- 4-Port Ethernet Router
- Internet
- Two Private Internal Networks
- Another Internal Router with Its Own Static IP Address
- Internet Access
- NAT
- Private Networks Using 192.168.x.x Addresses
- Firewall
- Stateful - Allows Only Established/Related Traffic In
- Private Networks Protected From Each Other
- Allows Forwarded Port Traffic
- Port Forwarding (Destination NAT)
- SMTP, HTTP, HTTPS and RDP
- Forwarded to Internal Servers on Private Network
- DHCP Server
- Private Networks
- NTP Time Synchronization
- Using Free Public Time Servers (ntp.org)
- Remote Management
- SSH, HTTP and HTTPS
- Using Non-Standard Ports for HTTP and HTTPS
- Allows Standard HTTP and HTTPS to Be Forwarded to Internal Servers
- Subnetting
- Optional
- For Certain Applications
The NTP time server and the DNS servers are free public servers and you can leave them as they are if you wish. There is no need to change them.
The following configuration file can be copied and then edited in place for your configuration.
/opt/vyatta/etc/config/config.boot
/*XORP Configuration File, v1.0*/
/* Routing: a single static default route; everything not on a directly connected network leaves via the upstream router at 123.123.123.1. */
protocols {
static {
disable: false
route 0.0.0.0/0 {
next-hop: 123.123.123.1
metric: 1
}
}
}
/* No routing policy is configured in this example. */
policy {
}
/* Interface addressing. The "firewall" stanzas here only attach named rule sets; the rules themselves are defined under "firewall" further down. */
interfaces {
restore: false
loopback lo {
description: "Loopback"
}
/* eth0 faces the Internet. "from-external" is attached as "in" and "to-router" as "local"; per their descriptions below, the first filters traffic passing through the router and the second filters traffic addressed to the router itself. */
ethernet eth0 {
disable: false
discard: false
description: "Internet"
duplex: "auto"
speed: "auto"
address 123.123.123.2 {
prefix-length: 30
disable: false
}
firewall {
in {
name: "from-external"
}
local {
name: "to-router"
}
}
}
/* NOTE(review): eth1-eth3 attach only an "in" rule set and no "local" rule set, so traffic from the internal networks to the router's own SSH and web GUI ports is not filtered by this configuration. */
ethernet eth1 {
disable: false
discard: false
description: "Internal Network #1"
duplex: "auto"
speed: "auto"
address 192.168.1.1 {
prefix-length: 24
disable: false
}
firewall {
in {
name: "lan-to-lan"
}
}
}
ethernet eth2 {
disable: false
discard: false
description: "Internal Network #2"
duplex: "auto"
speed: "auto"
address 192.168.2.1 {
prefix-length: 24
disable: false
}
firewall {
in {
name: "lan-to-lan"
}
}
}
/* eth3 is the /30 link to the internal router that has its own public address. The 123.123.123.4/30 subnet is reachable from the Internet through "from-external" rule 20, which passes all traffic to it. */
ethernet eth3 {
disable: false
discard: false
description: "Internal Subnetted Network"
duplex: "auto"
speed: "auto"
address 123.123.123.5 {
prefix-length: 30
disable: false
}
firewall {
in {
name: "lan-to-lan"
}
}
}
}
/* Services: DHCP for the two private networks, NAT (port forwarding and masquerade), SSH and the web GUI. */
service {
/* DHCP pools hand out the public DNS servers listed here; note that this list differs from the router's own "name-server" entries under "system". */
dhcp-server {
shared-network-name "eth1_pool" {
subnet 192.168.1.0/24 {
start 192.168.1.65 {
stop: 192.168.1.199
}
client-prefix-length: 24
dns-server 209.218.76.2
dns-server 208.67.220.220
default-router: 192.168.1.1
lease: 86400
authoritative: "disable"
}
}
shared-network-name "eth2_pool" {
subnet 192.168.2.0/24 {
start 192.168.2.65 {
stop: 192.168.2.199
}
client-prefix-length: 24
dns-server 209.218.76.2
dns-server 208.67.220.220
default-router: 192.168.2.1
lease: 86400
authoritative: "disable"
}
}
}
/* Destination NAT (port forwarding) rules 2-8 send SMTP, HTTP, HTTPS and RDP arriving on 123.123.123.2 to the server at 192.168.1.2; each one depends on the matching accept rule in "from-external" (rules 30-60). */
nat {
rule 2 {
type: "destination"
protocols: "tcp"
destination {
address: "123.123.123.2"
port-name smtp
}
inside-address {
address: 192.168.1.2
}
}
rule 4 {
type: "destination"
protocols: "tcp"
destination {
address: "123.123.123.2"
port-name http
}
inside-address {
address: 192.168.1.2
}
}
rule 6 {
type: "destination"
protocols: "tcp"
destination {
address: "123.123.123.2"
port-name https
}
inside-address {
address: 192.168.1.2
}
}
/* NOTE(review): rule 8 exposes RDP (3389) on 192.168.1.2 to every Internet source, because "from-external" rule 60 accepts from 0.0.0.0/0; restricting the source range there, or reaching RDP only from the management network, limits the exposure. */
rule 8 {
type: "destination"
protocols: "tcp"
destination {
address: "123.123.123.2"
port-number 3389
}
inside-address {
address: 192.168.1.2
}
}
/* Source NAT: both private networks are masqueraded behind eth0's address on the way out. */
rule 10 {
type: "masquerade"
outbound-interface: "eth0"
source {
network: "192.168.1.0/24"
}
}
rule 20 {
type: "masquerade"
outbound-interface: "eth0"
source {
network: "192.168.2.0/24"
}
}
}
/* SSH on the default port, protocol version 2 only; from the eth0 side it is reachable only from the range allowed by "to-router" rule 20. */
ssh {
port: 22
protocol-version: "v2"
}
/* Web GUI moved to 81/444 so that 80/443 can be forwarded by NAT rules 4 and 6. The non-standard ports are not an access control; "to-router" rules 30 and 40 are what limit the source. */
webgui {
http-port: 81
https-port: 444
}
}
/* Global hardening: log packets with impossible (martian) source addresses, neither send nor accept ICMP redirects, drop source-routed packets and broadcast pings, enable SYN cookies. */
firewall {
log-martians: "enable"
send-redirects: "disable"
receive-redirects: "disable"
ip-src-route: "disable"
broadcast-ping: "disable"
syn-cookies: "enable"
/* Attached "in" on eth1-eth3. Rules 10-30 reject traffic sourced from 192.168.0.0/16 toward any RFC1918 range; rule 40 then forwards everything else. Traffic entering eth3 from 123.123.123.4/30 matches none of rules 10-30 and is forwarded to the private networks by rule 40. */
name "lan-to-lan" {
description: "Block Internal LAN Interaction"
/* NOTE(review): every rule has log: "disable". Enabling logging on the reject rules 10-30 would make cross-LAN probing visible without changing what is allowed. */
rule 10 {
description: "Block 192.168.x.x Networks"
protocol: "all"
action: "reject"
log: "disable"
source {
network: "192.168.0.0/16"
}
destination {
network: "192.168.0.0/16"
}
}
rule 20 {
description: "Block 172.16.x.x Networks"
protocol: "all"
action: "reject"
log: "disable"
source {
network: "192.168.0.0/16"
}
destination {
network: "172.16.0.0/12"
}
}
rule 30 {
description: "Block 10.x.x.x Networks"
protocol: "all"
action: "reject"
log: "disable"
source {
network: "192.168.0.0/16"
}
destination {
network: "10.0.0.0/8"
}
}
rule 40 {
description: "Allow All Traffic Not Previously Blocked"
protocol: "all"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
network: "0.0.0.0/0"
}
}
}
/* Attached "in" on eth0: what the Internet may send through the router. */
name "from-external" {
description: "Block Unwanted Internet Traffic"
/* Stateful rule: only packets belonging to, or related to, connections already established from inside are accepted; new and invalid are not. With protocol "all" this is the rule the VC3 workaround at the top of the page exists for. */
rule 10 {
description: "Accept Established-Related Connections"
protocol: "all"
state {
established: "enable"
new: "disable"
related: "enable"
invalid: "disable"
}
action: "accept"
log: "disable"
}
/* Passes every protocol from any source to the subnetted network; hosts behind the internal router receive no stateful protection from this router and must filter for themselves. */
rule 20 {
description: "Pass Subnet Traffic"
protocol: "all"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
network: "123.123.123.4/30"
}
}
/* Rules 30-60 open the ports forwarded by NAT rules 2-8 to any Internet source. NOTE(review): rule 30 writes its source as address: while rules 40-60 use network:; verify both spellings are accepted by VC3. */
rule 30 {
description: "Pass SMTP"
protocol: "tcp"
action: "accept"
log: "disable"
source {
address: "0.0.0.0/0"
}
destination {
address: "123.123.123.2"
port-name smtp
}
}
rule 40 {
description: "Pass HTTP"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
address: "123.123.123.2"
port-name http
}
}
rule 50 {
description: "Pass HTTPS"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
address: "123.123.123.2"
port-name https
}
}
/* NOTE(review): RDP accepted from 0.0.0.0/0; narrowing the source to the networks that actually need it is the single most valuable tightening in this rule set. */
rule 60 {
description: "Pass RDP"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
address: "123.123.123.2"
port-number 3389
}
}
/* Traffic matching none of the rules above falls through to the rule set's default action (an implicit drop in Vyatta named rule sets; confirm on VC3). */
}
/* Attached "local" on eth0: what the Internet may send to the router itself. Management (SSH, GUI on 81/444) is limited to the 200.200.200.0/29 range. */
name "to-router" {
description: "Traffic Destined for Router"
rule 10 {
description: "Accept Established-Related Connections"
protocol: "all"
state {
established: "enable"
new: "disable"
related: "enable"
invalid: "disable"
}
action: "accept"
log: "disable"
}
rule 20 {
description: "SSH Access"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "200.200.200.0/29"
}
destination {
port-name ssh
}
}
rule 30 {
description: "WebGUI Access"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "200.200.200.0/29"
}
destination {
port-number 81
}
}
rule 40 {
description: "Secure WebGUI Access"
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "200.200.200.0/29"
}
destination {
port-number 444
}
}
/* ICMP types 3 (destination unreachable), 8 (echo request) and 11 (time exceeded) are accepted from any source; rule 70 therefore makes the router answer ping from the whole Internet. */
rule 60 {
description: "Accept ICMP Unreachable"
protocol: "icmp"
icmp {
type: "3"
}
action: "accept"
log: "disable"
}
rule 70 {
description: "Accept ICMP Echo Request"
protocol: "icmp"
icmp {
type: "8"
}
action: "accept"
log: "disable"
}
rule 80 {
description: "Accept ICMP Time-Exceeded"
protocol: "icmp"
icmp {
type: "11"
}
action: "accept"
log: "disable"
}
}
}
/* Host identity, resolver, time and accounts. "yourdomain.com" is a placeholder to replace. */
system {
host-name: "router"
domain-name: "yourdomain.com"
name-server 208.67.222.222
name-server 208.67.220.220
time-zone: "GMT"
ntp-server "pool.ntp.org"
/* NOTE(review): both accounts are configured with the default password "vyatta", and the plaintext-password key stores it in the clear in this file. Change both before eth0 is connected, and keep this file readable by root only. */
login {
user root {
full-name: ""
authentication {
plaintext-password: "vyatta"
}
}
user vyatta {
full-name: ""
authentication {
plaintext-password: "vyatta"
}
}
}
/* Automatic package sync from the community repository over plain http; whether downloaded packages are signature-checked is not visible in this file. */
package {
auto-sync: 1
repository community {
component: "main"
url: "http://archive.vyatta.com/vyatta"
}
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "firewall@1:webgui@1:serial@1:nat@2:dhcp-server@2:dhcp-relay@1:cluster@1" === */





