Thursday 24 December 2009

Vyatta as an Internet Gateway

Here is the lab:

In this video we use Vyatta to set up an Internet gateway.
We set it up with the following features:
Firewall
DHCP Server
DNS forwarding+Cache
NAT
Web Cache
Web Filtering
Reverse NAT (Port Forwarding)

Vyatta Internet Gateway from Richard Vimeo on Vimeo.


As requested, here is the config for the router in the video:

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 192.168.10.10
                port 80
            }
            log enable
            protocol tcp
        }
        rule 20 {
            action accept
            destination {
                address 192.168.10.10
                port 3389
            }
            log enable
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                address 192.168.10.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name ALLOW_ESTABLISHED
            }
        }
        hw-id 00:0c:29:7b:1a:29
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description Inside
        duplex auto
        hw-id 00:0c:29:7b:1a:33
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:0c:29:7b:1a:3d
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 20 {
            destination {
                address 192.168.0.84
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 80
            }
            protocol tcp
            type destination
        }
        rule 30 {
            destination {
                address 192.168.0.84
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 3389
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
    webproxy {
        cache-size 200
        default-port 3128
        listen-address 192.168.10.1 {
        }
        url-filtering {
            squidguard {
                auto-update daily
                block-category malware
                block-category porn
                block-category warez
                block-category proxy
                default-action allow
                local-block facebook.com
                redirect-url http://www.google.com
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */

15 comments:

Unknown said...

Hey, thanks for the tutorial. It was great! I also watched your load balancing tutorial which helped me a lot. I'm having problems doing a lab at work to test Vyatta. My scenario is to load balance three internet connections, but I want to exclude my mail server from load balancing and make it available only through one ISP. Do you think you can create a tutorial with a scenario similar to this? I know that many people over at the Vyatta forum will take much advantage of this. It has been asked many times without a clear demonstration on how to do it correctly. I will link to these Vyatta tutorials wherever I go...much appreciated!!

Roggy said...

No problem Jose, if I have time I'll do it next week for you.

eusys said...

Very good tutorial, keep it up, with more advanced configurations of the Vyatta router and everything about networking.

Emena

Roggy said...

I don't speak Spanish, but thanks to Google Translate. What I can say is: thank you for the comments.

hamuod said...

Hi,
your videos are great.
1 question.

I am running ver 6.0. When I block FTP or any other protocol in the firewall rules it gets blocked.

But when I go through the Vyatta web proxy the rules don't work.
Please can you guide me on what's happening.

Thanks

Roggy said...

The proxy within Vyatta is designed to pick up traffic on port 80; I'm not sure that FTP traffic will hit the proxy (Squid).

I would use the firewall to block the traffic to port 21, or reconfigure the hosts to use the Vyatta as a proxy, or redirect the traffic.
Have a Google for documentation on Squid and FTP for more info.

greeendatacentre said...

My Internet Gateway is 192.168.12.1 and I need to offer DHCP to 192.168.0.0/16 segment. Currently Vyatta only offers me an IP if I'm plugged into the same LAN switch. Any ideas?

Conversation said...

What a nice tutorial, very informative.

Conversation said...

Very nice tutorial, very informative.

Unknown said...

Have you ever tried this type of setup with multiple WAN (red) interfaces on one Vyatta box? I just cannot seem to get it to work. Everything seems to be in the right place but traffic just will not flow either in or out.

Ninguno said...

Hello!
First of all I want to congratulate you on all this work you do.
One question: What kind of connections does the host, and the Vyatta PC, work with?

I did the first commands for DHCP the same way, but I can't get it to give me the IP.
Thanks!
---------------------
Hello!
First of all I congratulate you all this work you do.
One question: In what kind of work the host connections, and the pc-Vyatta?

I like the first commands for DHCP, but I can not give me the IP.
Thanks!

eslavedroid said...

If you don't mind, may I have your email address so I can share my different scenarios with Vyatta.

Short intro:
- I can do NAT with a 2-legged firewall
- I can do load-balancing with multiple interfaces;
but... if I mix these 2 features in one, then the problem starts.

Basic problem that I can't sort out:
1. Load-balancing + DNAT

I know you're not an entity with Vyatta but your examples are way better compared with theirs.

Hope to hear from you soon.
eslavedroid@gmail.com

Jansson said...

Hi!
Great post about basic Vyatta configuration!

I think you have made a mistake in your firewall rule "WAN_IN":

rule 30 {
    action accept
    destination {
        address 192.168.10.0/24
    }
}

You have missed out the "ESTABLISHED ENABLE":

state {
    established enable
}

leaving a big hole in the firewall.

Best Regards
Jansson
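The hole Jansson points out can be checked by hand. The script below is an added example (not code from the post or from Vyatta): it parses a compacted copy of the post's WAN_IN rule set, in the same brace syntax, into nested dicts and evaluates it in first-match order against two constructed packets, once as posted and once with rule 30 limited to established flows. The packet fields and the simplified matching are assumptions of the script, not Vyatta's own firewall engine, and rule 20 (3389) is omitted for brevity.

```python
import ipaddress
import re

# Constructed: compacted copy of the post's WAN_IN rule set (rule 20 omitted).
WAN_IN_TEXT = """name WAN_IN {
  default-action drop
  rule 10 { action accept
    destination { address 192.168.10.10
      port 80 }
    protocol tcp }
  rule 30 { action accept
    destination { address 192.168.10.0/24 } } }"""

def parse(text):
    """Parse Vyatta-style 'key [value] { ... }' text into nested dicts."""
    toks = [t.strip() for t in re.findall(r"\{|\}|[^{}\n]+", text) if t.strip()]
    stack, i = [{}], 0
    while i < len(toks):
        if toks[i] == "}":
            stack.pop()
        elif i + 1 < len(toks) and toks[i + 1] == "{":  # 'key value {' opens a node
            stack.append(stack[-1].setdefault(toks[i], {}))
            i += 1
        else:
            key, _, val = toks[i].partition(" ")
            stack[-1][key] = val
        i += 1
    return stack[0]

def matches(rule, pkt):
    """True if pkt satisfies every condition the rule sets (unset conditions match all)."""
    dst = rule.get("destination", {})
    needs_established = rule.get("state", {}).get("established") == "enable"
    return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst.get("address", "0.0.0.0/0"))
            and pkt["dport"] == int(dst.get("port", pkt["dport"]))
            and pkt["proto"] == rule.get("protocol", pkt["proto"])
            and (pkt["established"] or not needs_established))

def evaluate(ruleset, pkt):
    """Action of the first matching rule in numeric order, else the default-action."""
    for num in sorted(int(k.split()[1]) for k in ruleset if k.startswith("rule ")):
        if matches(ruleset[f"rule {num}"], pkt):
            return ruleset[f"rule {num}"]["action"]
    return ruleset["default-action"]

ORIGINAL = parse(WAN_IN_TEXT)["name WAN_IN"]
# Jansson's fix: the same rule set with rule 30 restricted to established flows.
FIXED = {**ORIGINAL, "rule 30": {**ORIGINAL["rule 30"], "state": {"established": "enable"}}}
# Constructed packets: a new inbound SMB connection to an unpublished inside host
# (rule 30 as posted accepts it), and the reply leg of a flow the inside host opened.
UNSOLICITED = dict(dst="192.168.10.50", dport=445, proto="tcp", established=False)
REPLY = dict(dst="192.168.10.50", dport=52000, proto="tcp", established=True)
```

Run `evaluate(ORIGINAL, UNSOLICITED)` and `evaluate(FIXED, UNSOLICITED)` to see the difference: the posted rule set returns accept, the fixed one drop, while both still accept the reply packet and the published port 80 on 192.168.10.10.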

iamadigitaljanitor said...

Jansson, I don't see that as a big hole. Could you elaborate on this further?

Hamzain said...

Can anyone help to watch these videos because it's giving a warning " Private videos Sorry u don't have permission to watch". How can I get permission? Please help me.