
Thursday, 24 December 2009

Vyatta as an Internet Gateway

Here is the lab:






In this video we use Vyatta to set up an Internet Gateway.
We configure it with the following features:
Firewall
DHCP Server
DNS forwarding+Cache
NAT
Web Cache
Web Filtering
Reverse NAT (Port Forwarding)


Vyatta Internet Gateway from Richard Vimeo on Vimeo.




As requested, here is the config for the router shown in the video:

/* Host-level packet handling plus two named rule sets; a rule set only filters where it is attached under interfaces (see eth0 below). */
firewall {
/* Answers ICMP echo on every interface, including the WAN side. */
all-ping enable
broadcast-ping disable
conntrack-table-size 32768
/* Lets conntrack adopt TCP flows whose handshake it never saw, which widens what "established" matches in ALLOW_ESTABLISHED. */
conntrack-tcp-loose enable
ip-src-route disable
ipv6-receive-redirects disable
ipv6-src-route disable
/* Logs packets with impossible source addresses. */
log-martians enable
/* Default-drop set admitting only packets of already established connections; attached as eth0 "local", so new connections to the router itself from the WAN (including SSH from service ssh) are dropped, as far as this config shows. */
name ALLOW_ESTABLISHED {
default-action drop
rule 10 {
action accept
state {
established enable
}
}
}
/* Default-drop set for traffic entering on eth0 and being forwarded inside. */
name WAN_IN {
default-action drop
/* Admits and logs TCP/80 to the forwarded host 192.168.10.10 (nat rule 20). */
rule 10 {
action accept
destination {
address 192.168.10.10
port 80
}
log enable
protocol tcp
}
/* Admits and logs TCP/3389 (RDP) to the same host (nat rule 30); RDP open to the WAN is a high-value target, so restrict by source or put it behind a VPN if this leaves the lab. */
rule 20 {
action accept
destination {
address 192.168.10.10
port 3389
}
log enable
protocol tcp
}
/* Catch-all: any protocol and port to the whole inside subnet, unlogged. It is far broader than rules 10 and 20 and silently admits anything else that reaches eth0 addressed to 192.168.10.0/24 - confirm this is intended. */
rule 30 {
action accept
destination {
address 192.168.10.0/24
}
}
}
receive-redirects disable
send-redirects enable
/* Reverse-path (source address) validation is off, so spoofed sources are not rejected on ingress. */
source-validation disable
syn-cookies enable
}
/* Three NICs: WAN (eth0), LAN (eth1) and a DMZ NIC that is only named here. The hw-id values pin each node to a NIC by MAC; the 00:0c:29 prefix is a VMware range, consistent with a lab VM. */
interfaces {
/* WAN side, address from upstream DHCP. nat rules 20/30 match 192.168.0.84 as the outside address, presumably the lease this NIC currently holds - confirm it is stable, or the port forwards stop matching. */
ethernet eth0 {
address dhcp
description Outside
duplex auto
/* WAN_IN filters traffic forwarded from eth0; ALLOW_ESTABLISHED filters traffic addressed to the router itself. */
firewall {
in {
name WAN_IN
}
local {
name ALLOW_ESTABLISHED
}
}
hw-id 00:0c:29:7b:1a:29
smp_affinity auto
speed auto
}
/* LAN side and the gateway, DNS forwarder, proxy and DHCP address for the inside subnet. No firewall is attached, so LAN hosts reach the router (including SSH) and the WAN unfiltered. */
ethernet eth1 {
address 192.168.10.1/24
description Inside
duplex auto
hw-id 00:0c:29:7b:1a:33
smp_affinity auto
speed auto
}
/* Described as DMZ but has no address and no firewall in this config, so it does not serve a DMZ segment here. */
ethernet eth2 {
description DMZ
duplex auto
hw-id 00:0c:29:7b:1a:3d
smp_affinity auto
speed auto
}
loopback lo {
}
}
/* DHCP, DNS forwarding, NAT, SSH and the filtering web proxy for the inside subnet. */
service {
/* Leases 192.168.10.10-.200 with the router as default gateway and DNS server. */
dhcp-server {
disabled false
shared-network-name POOL1 {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.1
domain-name Vyatta.local
lease 86400
/* NOTE(review): the pool starts at .10, which is also the port-forwarding target in WAN_IN and nat rules 20/30, and no static-mapping is shown - reserve or exclude that address so the pool cannot hand it to another host. */
start 192.168.10.10 {
stop 192.168.10.200
}
}
}
}
/* Caching forwarder bound to the LAN interface only, so it is not offered on the WAN side; upstreams are the OpenDNS resolvers. */
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 208.67.222.222
name-server 208.67.220.220
}
}
nat {
/* Outbound: hide the inside subnet behind eth0's address. */
rule 10 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
/* Inbound: forward TCP/80 arriving for 192.168.0.84 (a private, i.e. lab, WAN address) to 192.168.10.10; WAN_IN rule 10 admits the translated packets. */
rule 20 {
destination {
address 192.168.0.84
port 80
}
inbound-interface eth0
inside-address {
address 192.168.10.10
port 80
}
protocol tcp
type destination
}
/* Inbound: same for TCP/3389 (RDP); admitted by WAN_IN rule 20. */
rule 30 {
destination {
address 192.168.0.84
port 3389
}
inbound-interface eth0
inside-address {
address 192.168.10.10
port 3389
}
protocol tcp
type destination
}
}
/* Root login over SSH is permitted; no listen-address is set, so it is reachable from the unfiltered LAN and blocked from the WAN only by ALLOW_ESTABLISHED. Prefer allow-root false and the vyatta admin user. */
ssh {
allow-root true
port 22
protocol-version v2
}
/* Squid on the LAN address, port 3128, with squidGuard URL filtering. Whether clients are intercepted or must be pointed at the proxy is not shown here; filtering only applies to traffic that actually passes through it. */
webproxy {
cache-size 200
default-port 3128
listen-address 192.168.10.1 {
}
url-filtering {
squidguard {
/* Blocklists are refreshed daily; default-action allow means anything outside the four categories and the local block passes. */
auto-update daily
block-category malware
block-category porn
block-category warez
block-category proxy
default-action allow
local-block facebook.com
redirect-url http://www.google.com
}
}
}
}
/* Host identity, local accounts, package sources, syslog and time. */
system {
host-name vyatta
login {
/* Both accounts use MD5-crypt ($1$) hashes, which is weak by current standards, and both hashes are published on this page - treat these lab credentials as exposed and change them before reusing the config. */
user root {
authentication {
encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
/* Empty node, presumably left behind after the CLI hashed the password - verify nothing reads it. */
plaintext-password ""
}
level admin
}
user vyatta {
authentication {
encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
/* Package repositories fetched over plain http; integrity then rests on the package manager's signature checks, which this config does not show. */
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
/* Development/unstable branch enabled alongside stable. */
repository kenwood {
components main
distribution kenwood
password ""
url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
username ""
}
repository lenny {
components main
distribution lenny
password ""
url http://packages.vyatta.com/debian/
username ""
}
}
/* Local logging only: notice and above for everything, debug for the protocols facility; no remote syslog host is configured, so the firewall "log enable" entries stay on the box. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */