
In this video we use Vyatta to set up an Internet gateway.
We set it up with the following features:
Firewall
DHCP server
DNS forwarding + cache
NAT (masquerade)
Web cache
Web filtering
Reverse NAT (destination NAT / port forwarding)
Vyatta Internet Gateway from Richard Vimeo on Vimeo.
As requested, here is the config for the router in the video:
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 192.168.10.10
                port 80
            }
            log enable
            protocol tcp
        }
        rule 20 {
            action accept
            destination {
                address 192.168.10.10
                port 3389
            }
            log enable
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                address 192.168.10.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name ALLOW_ESTABLISHED
            }
        }
        hw-id 00:0c:29:7b:1a:29
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description Inside
        duplex auto
        hw-id 00:0c:29:7b:1a:33
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:0c:29:7b:1a:3d
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 20 {
            destination {
                address 192.168.0.84
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 80
            }
            protocol tcp
            type destination
        }
        rule 30 {
            destination {
                address 192.168.0.84
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 3389
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
    webproxy {
        cache-size 200
        default-port 3128
        listen-address 192.168.10.1 {
        }
        url-filtering {
            squidguard {
                auto-update daily
                block-category malware
                block-category porn
                block-category warez
                block-category proxy
                default-action allow
                local-block facebook.com
                redirect-url http://www.google.com
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */
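The point raised in the comments below is worth checking mechanically: WAN_IN rule 30 is evidently meant to admit return traffic for outbound connections, but it matches only on a destination address, so it also admits any new inbound flow that reaches eth0 with a 192.168.10.0/24 destination (Vyatta applies destination NAT before the interface `in` firewall, which is why rules 10 and 20 match on the inside address). The following is an added example for this post, not the author's or Vyatta's code: a minimal parser for the brace-delimited config.boot format shown above and a lint that flags accept rules with neither a state match nor a protocol+port match, plus two host-hardening settings from the posted config (`ssh allow-root true`, `source-validation disable`). The two config samples are constructed from the posted firewall block; the hardened form is what the fix looks like.

```python
"""Lint a Vyatta config.boot for accept rules not limited by connection state.
Added example for this post, not the author's or Vyatta's own code. The parser is
a minimal reader of the brace format above; the samples below are constructed."""
from typing import Any, Dict, List, Tuple

Node = Dict[str, Any]


def parse_config(text: str) -> Node:
    """Nested dicts from Vyatta's brace format: `name WAN_IN {` becomes the key
    "name WAN_IN"; `action accept` becomes "action" -> "accept" (a list when a
    key repeats, e.g. several name-server lines). /* ... */ lines are skipped."""
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: Node = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            cur = stack[-1]
            if key in cur:
                prev = cur[key] if isinstance(cur[key], list) else [cur[key]]
                cur[key] = prev + [value]
            else:
                cur[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def unrestricted_accepts(cfg: Node) -> List[Tuple[str, str]]:
    """(ruleset, rule) pairs for accept rules with neither a `state` match nor a
    protocol + destination-port match: they admit any NEW flow to the addresses
    they name, which is what WAN_IN rule 30 in the post does."""
    findings: List[Tuple[str, str]] = []
    for header, ruleset in cfg.get("firewall", {}).items():
        if not header.startswith("name ") or not isinstance(ruleset, dict):
            continue
        for rule_header, rule in ruleset.items():
            if not rule_header.startswith("rule ") or rule.get("action") != "accept":
                continue
            stateful = any(v == "enable" for v in rule.get("state", {}).values())
            port_limited = "port" in rule.get("destination", {}) and "protocol" in rule
            if not stateful and not port_limited:
                findings.append((header.split()[1], rule_header.split()[1]))
    return findings


def host_hardening_findings(cfg: Node) -> List[str]:
    """Two settings from the posted config that a reviewer would raise."""
    out: List[str] = []
    if cfg.get("service", {}).get("ssh", {}).get("allow-root") == "true":
        out.append("service ssh allow-root true: direct root login over SSH")
    if cfg.get("firewall", {}).get("source-validation") == "disable":
        out.append("firewall source-validation disable: no reverse-path anti-spoof check")
    return out


# Constructed sample: the relevant parts of the posted config. Rule 10 is limited
# to tcp/80; rule 30 matches only a destination subnet, with no state match.
POSTED = """\
firewall {
    source-validation disable
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 192.168.10.10
                port 80
            }
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                address 192.168.10.0/24
            }
        }
    }
}
service {
    ssh {
        allow-root true
    }
}
"""

# Constructed hardened form, derived from POSTED: rule 30 admits only
# established/related traffic (so the NAT rules alone decide which new inbound
# flows exist), root SSH is off, and strict reverse-path validation is on.
HARDENED = POSTED.replace(
    "            destination {\n                address 192.168.10.0/24\n            }\n",
    "            state {\n                established enable\n                related enable\n            }\n",
).replace("allow-root true", "allow-root false").replace(
    "source-validation disable", "source-validation strict")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        cfg = parse_config(text)
        print(label, unrestricted_accepts(cfg), host_hardening_findings(cfg))
```

Run against the posted sample it reports WAN_IN rule 30 and the two host settings; against the hardened sample it reports nothing. The same `state { established enable related enable }` block belongs in ALLOW_ESTABLISHED on the `local` chain too, so that ICMP errors and other related packets for the router's own connections are not dropped.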
15 comments:
Hey, thanks for the tutorial. It was great! I also watched your load balancing tutorial, which helped me a lot. I'm having problems doing a lab at work to test Vyatta. My scenario is to load balance three internet connections, but I want to exclude my mail server from load balancing and make it available only through one ISP. Do you think you can create a tutorial with a scenario similar to this? I know that many people over at the Vyatta forum will take much advantage of this. It has been asked many times without a clear demonstration on how to do it correctly. I will link to these Vyatta tutorials wherever I go... much appreciated!!
No problem Jose, if I have time I'll do it next week for you.
Very good tutorial, keep it up, with more advanced Vyatta router configurations and everything about networking.
Emena
I don't speak Spanish, but thanks to Google Translate. What I can say is, thanks for the comments.
Hi,
your videos are great.
One question.
I am running version 6.0. When I block FTP or any other protocol in the firewall rules it gets blocked,
but when I go through the Vyatta web proxy the rules don't work.
Please can you guide me on what's happening.
Thanks
The proxy within Vyatta is designed to pick up traffic on port 80; I'm not sure that FTP traffic will hit the proxy (Squid).
I would use the firewall to block the traffic to port 21, or reconfigure the hosts to use the Vyatta as a proxy, or redirect the traffic.
Have a Google for documentation on Squid and FTP for more info.
My Internet Gateway is 192.168.12.1 and I need to offer DHCP to 192.168.0.0/16 segment. Currently Vyatta only offers me an IP if I'm plugged into the same LAN switch. Any ideas?
What a nice tutorial, very informative.
Very nice tutorial, very informative.
Have you ever tried this type of setup with multiple WAN (red) interfaces on one Vyatta box? I just cannot seem to get it to work. Everything seems to be in the right place, but traffic just will not flow either in or out.
Hello!
First of all I want to congratulate you on all this work you do.
One question: what type of connections do the host and the pc-vyatta run on?
I entered the first commands for DHCP the same way, but I can't get it to give me the IP.
Thanks!
If you don't mind, may I have your email address so I can share my different scenarios with Vyatta?
Short intro:
- I can do NAT with a 2-legged firewall
- I can do load-balancing with multiple interfaces;
but... if I mix these 2 features in one, then the problem starts.
Basic problem that I can't sort out:
1. Load-balancing + DNAT
I know you're not an entity with Vyatta, but your examples are way better compared with them.
Hope to hear from you soon.
eslavedroid@gmail.com
Hi!
Great post about basic Vyatta configuration!
I think you have made a mistake in your firewall rule "WAN_IN":
rule 30 {
action accept
destination {
address 192.168.10.0/24
}
}
You have missed out the "ESTABLISHED ENABLE":
state {
established enable
}
leaving a big hole in the firewall.
Best Regards
Jansson
Jansson, I don't see that as a big hole. Could you elaborate on this further?
Can anyone help me watch these videos? It's giving a warning "Private videos. Sorry, you don't have permission to watch." How can I get permission? Please help me.