
Vyatta Internet Gateway Router Sample Configuration

Written by Gene Cooper Saturday, 24 November 2007 04:24 - Last Updated Tuesday, 15 December 2009 18:11

THIS IS A WORK IN PROGRESS and was written for Vyatta VC3.

Vyatta OFR Highlights

The Vyatta Linux-based router provides a flexible, high-performance alternative to Cisco routers. It is free, professional, open-source software.

Vyatta OFR runs on standard x86 hardware and supports many types of interfaces. It has a comprehensive command line interface (CLI) implemented as a Linux shell. The Vyatta OFR also has a comprehensive graphical user interface (GUI) accessed via a web browser.

Support

One of the best things about the Vyatta OFR is professional support. Purchasing support from Vyatta helps you and the Vyatta community.

There is also a mailing list and a wiki for free support. Don't expect professional support on the mailing list, but it is fairly active and Vyatta representatives do participate.

Searching List Archives

The mailing list archives are not directly searchable; on Google, however, you can use the "site:" operator:

<search terms> site:mailman.vyatta.com

Other Resources

Internet Access Application

Fix a Bug First (VC3)

There is a bug when configuring state match rules on protocols other than TCP that complicates building a NAT firewall.


Here is a workaround for the VC3 release that removes the error checking that only allows state rules to be configured in conjunction with TCP:

Log in as root, edit /opt/vyatta/share/perl5/VyattaIpTablesRule.pm, and change the following line from:

    if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) {

to:

    if (1) {

Sample Internet Access Configuration


The network diagram shows the Vyatta router implementing the following features:

- Internet Access Router with Its Own Static IP Address
- 4-Port Ethernet Router
- Two Private Internal Networks
- Another Internal Network Using Subnetting
- Private Networks Using 192.168.x.x Addresses
- NAT
- Port Forwarding (Destination NAT) - Allows SMTP, HTTP, HTTPS and RDP Traffic Forwarded to Internal Servers on Private Network
- Stateful Firewall - Allows Only Established/Related Traffic In
- Private Networks Protected From Each Other
- DHCP Server for Private Networks
- NTP Time Synchronization Using Free Public Time Servers (ntp.org)
- Remote Management Using SSH, HTTP and HTTPS
- Using Non-Standard Ports for HTTP and HTTPS Management Allows Standard HTTP and HTTPS to Be Forwarded to Internal Servers

Hopefully, this example can save you some time in designing your own application. Your application will no doubt be different. Note that in this example we'll be pointing the subnetted network to the Internet access router, since the subnetted network needs a route to use our example.

The following configuration file can be copied and then edited in place for your configuration. The NTP time server and the DNS servers are free public servers, and you can leave them as they are if you wish. There is no need to change them.

/opt/vyatta/etc/config/config.boot (some parts are optional for certain applications):
/* XORP Configuration File, v1.0 */
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 123.123.123.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: "Loopback"
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: "Internet"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: "Internal Network #1"
        duplex: "auto"
        speed: "auto"
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth2 {
        disable: false
        discard: false
        description: "Internal Network #2"
        duplex: "auto"
        speed: "auto"
        address 192.168.2.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth3 {
        disable: false
        discard: false
        description: "Internal Subnetted Network"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.5 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
                client-prefix-length: 24
            }
        }
        shared-network-name "eth2_pool" {
            subnet 192.168.2.0/24 {
                start 192.168.2.65 {
                    stop: 192.168.2.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.2.1
                lease: 86400
                authoritative: "disable"
                client-prefix-length: 24
            }
        }
    }
    nat {
        rule 2 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 4 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name http
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 6 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name https
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 8 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 10 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.1.0/24"
            }
        }
        rule 20 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.2.0/24"
            }
        }
    }
    ssh {
        port: 22
        protocol-version: "v2"
    }
    webgui {
        http-port: 81
        https-port: 444
    }
}
firewall {
    log-martians: "disable"
    send-redirects: "enable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name "lan-to-lan" {
        description: "Block Internal LAN Interaction"
        rule 10 {
            description: "Block 192.168.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "192.168.0.0/16"
            }
        }
        rule 20 {
            description: "Block 172.16.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "172.16.0.0/12"
            }
        }
        rule 30 {
            description: "Block 10.x.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "10.0.0.0/8"
            }
        }
        rule 40 {
            description: "Allow All Traffic Not Previously Blocked"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
    }
    name "from-external" {
        description: "Block Unwanted Internet Traffic"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
        rule 20 {
            description: "Pass Subnet Traffic"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "123.123.123.4/30"
            }
        }
        rule 30 {
            description: "Pass SMTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
        }
        rule 40 {
            description: "Pass HTTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name http
            }
        }
        rule 50 {
            description: "Pass HTTPS"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name https
            }
        }
        rule 60 {
            description: "Pass RDP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
        }
    }
    name "to-router" {
        description: "Traffic Destined for Router"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "disable"
        }
        rule 20 {
            description: "SSH Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-name ssh
            }
        }
        rule 30 {
            description: "WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 81
            }
        }
        rule 40 {
            description: "Secure WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 444
            }
        }
        rule 60 {
            description: "Accept ICMP Unreachable"
            protocol: "icmp"
            icmp {
                type: "3"
            }
            action: "accept"
            log: "disable"
        }
        rule 70 {
            description: "Accept ICMP Echo Request"
            protocol: "icmp"
            icmp {
                type: "8"
            }
            action: "accept"
            log: "disable"
        }
        rule 80 {
            description: "Accept ICMP Time-Exceeded"
            protocol: "icmp"
            icmp {
                type: "11"
            }
            action: "accept"
            log: "disable"
        }
    }
}
system {
    host-name: "router"
    domain-name: "yourdomain.com"
    name-server 208.67.222.222
    name-server 208.67.220.220
    time-zone: "GMT"
    ntp-server "pool.ntp.org"
    login {
        user root {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
        user vyatta {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: "main"
            url: "http://archive.vyatta.com/vyatta"
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "firewall@1:webgui@1:serial@1:nat@2:dhcp-server@2:dhcp-relay@1:cluster@1" === */
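As an added example that is not part of the original article, here is a small Python parser for the brace-delimited config.boot format above, plus a check that flags non-stateful to-router accept rules with no source network or address (the sample configuration limits SSH and WebGUI access to 200.200.200.0/29). The sample text and the function names are my own.

```python
import re

# Constructed sample (VC3 syntax as on this page); rule 30 has no source limit.
SAMPLE = '''\
firewall {
    name "to-router" {
        rule 20 {
            protocol: "tcp"
            action: "accept"
            source {
                network: "200.200.200.0/29"
            }
        }
        rule 30 {
            protocol: "tcp"
            action: "accept"
        }
    }
}
'''

def parse_config(text):
    """Headers ('rule 20') -> dict keys, 'key: value' -> str, 'key value' -> list."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = re.sub(r'/\*.*?\*/', '', raw).strip()  # drop /* comments */
        if line.endswith('{'):                         # open a nested block
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == '}':
            cur = stack.pop()
        elif ':' in line:
            key, _, val = line.partition(':')
            cur[key.strip()] = val.strip().strip('"')
        elif line:                                     # e.g. port-name ssh
            key, _, val = line.partition(' ')
            cur.setdefault(key, []).append(val.strip().strip('"'))
    if stack:
        raise ValueError('unbalanced braces in config')
    return root

def unrestricted_router_accepts(cfg):
    """Non-stateful 'to-router' accept rules with no source network/address."""
    rules = cfg.get('firewall', {}).get('name "to-router"', {})
    return [h for h, r in rules.items()
            if h.startswith('rule ') and r.get('action') == 'accept'
            and 'state' not in r and not r.get('source', {}).get('network')
            and not r.get('source', {}).get('address')]
```

Feeding the full config.boot above through parse_config() and the check reports nothing, because every management rule carries the 200.200.200.0/29 source restriction.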