
Vyatta Internet Gateway Router Sample Configuration

Written by Gene Cooper Saturday, 24 November 2007 04:24 - Last Updated Tuesday, 15 December 2009 18:11

THIS IS A WORK IN PROGRESS and was written for Vyatta VC3.

Vyatta OFR Highlights


The Vyatta Linux-based router provides a flexible, high-performance alternative to Cisco routers. It is free, professional, open-source software.

Vyatta OFR runs on standard x86 hardware and supports many types of interfaces. It has a comprehensive command line interface (CLI) implemented as a Linux shell. The Vyatta OFR also has a comprehensive graphical user interface (GUI) accessed via a web browser.

Support
One of the best things about the Vyatta OFR is professional support. Purchasing support from Vyatta helps you and the Vyatta community.

There is also a mailing list and a wiki for free support. Don't expect professional support on the mailing list, but it is fairly active and Vyatta representatives do participate.

Searching List Archives

The mailing list archives are not searchable; however, on Google you can use the "site:" operator:

<search terms> site:mailman.vyatta.com

Other Resources

IP Subnet Calculator
Fix a Bug First (VC3)

Internet Access Application

There is a bug when configuring state match rules on protocols other than TCP that complicates building a NAT firewall.


Here is a workaround for the VC3 release that removes the error check which only allows state rules to be configured in conjunction with TCP:

Log in as root and edit /opt/vyatta/share/perl5/VyattaIpTablesRule.pm, changing the following line from:

    if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) {

to:

    if (1) {

With the condition replaced by a constant true, the state block is passed through to iptables for every protocol, not just TCP.

Sample Internet Access Configuration


Hopefully, you can use the example in this application to save time in designing your own Internet access router. Your application will no doubt be different. Note that in this example some router on the Internal Private subnetted network needs a route pointing to our Vyatta router.

The following diagram shows the example network.

We'll be implementing the following features:

- 4-Port Ethernet Router
- Static Internet IP Address
- Two Internal Private Networks Using 192.168.x.x Addresses
- Another Internal Subnetted Private Network
- Internal Private Networks Protected From the Internet and From Each Other
- Stateful Firewall - Only Established-Related Traffic Allowed In
- NAT Port Forwarding (Destination NAT) - Allows SMTP, HTTP, HTTPS and RDP to Be Forwarded to Internal Private Servers
- Remote Management Using SSH, HTTP and HTTPS on Non-Standard Ports
- DHCP Server for the Private Networks
- Time Synchronization Using Free Public NTP Servers (ntp.org)
- Free Public DNS Servers

The following is the /opt/vyatta/etc/config/config.boot file for this configuration. The file can be copied and then edited in place for your configuration. The DNS and NTP servers are optional; you can leave them as they are or change them if you wish.

/*XORP Configuration File, v1.0*/
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop: 123.123.123.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: "Loopback"
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: "Internet"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: "Internal Network #1"
        duplex: "auto"
        speed: "auto"
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth2 {
        disable: false
        discard: false
        description: "Internal Network #2"
        duplex: "auto"
        speed: "auto"
        address 192.168.2.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth3 {
        disable: false
        discard: false
        description: "Internal Subnetted Network"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.5 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                authoritative: "disable"
                client-prefix-length: 24
                lease: 86400
            }
        }
        shared-network-name "eth2_pool" {
            subnet 192.168.2.0/24 {
                start 192.168.2.65 {
                    stop: 192.168.2.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.2.1
                authoritative: "disable"
                client-prefix-length: 24
                lease: 86400
            }
        }
    }
    nat {
        rule 2 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 4 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name http
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 6 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name https
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 8 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 10 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.1.0/24"
            }
        }
        rule 20 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.2.0/24"
            }
        }
    }
    ssh {
        port: 22
        protocol-version: "v2"
    }
    webgui {
        http-port: 81
        https-port: 444
    }
}
firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name "lan-to-lan" {
        description: "LAN Interaction"
        rule 10 {
            description: "Block 192.168.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "192.168.0.0/16"
            }
        }
        rule 20 {
            description: "Block 172.16.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "172.16.0.0/12"
            }
        }
        rule 30 {
            description: "Block 10.x.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "10.0.0.0/8"
            }
        }
        rule 40 {
            description: "Allow All Traffic Not Previously Blocked"
            protocol: "all"
            action: "accept"
            log: "disable"
        }
    }
    name "from-external" {
        description: "Block Unwanted Internet Traffic"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            action: "accept"
            log: "disable"
            state {
                established: "enable"
                related: "enable"
                new: "disable"
                invalid: "disable"
            }
        }
        rule 20 {
            description: "Accept Subnet Traffic"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "123.123.123.4/30"
            }
        }
        rule 30 {
            description: "Pass SMTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
        }
        rule 40 {
            description: "Pass HTTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name http
            }
        }
        rule 50 {
            description: "Pass HTTPS"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name https
            }
        }
        rule 60 {
            description: "Pass RDP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
        }
    }
    name "to-router" {
        description: "Traffic Destined for Router"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            action: "accept"
            log: "disable"
            state {
                established: "enable"
                related: "enable"
                new: "disable"
                invalid: "disable"
            }
        }
        rule 20 {
            description: "SSH Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-name ssh
            }
        }
        rule 30 {
            description: "WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 81
            }
        }
        rule 40 {
            description: "Secure WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 444
            }
        }
        rule 60 {
            description: "Accept ICMP Unreachable"
            protocol: "icmp"
            action: "accept"
            log: "disable"
            icmp {
                type: "3"
            }
        }
        rule 70 {
            description: "Accept ICMP Echo Request"
            protocol: "icmp"
            action: "accept"
            log: "disable"
            icmp {
                type: "8"
            }
        }
        rule 80 {
            description: "Accept ICMP Time-Exceeded"
            protocol: "icmp"
            action: "accept"
            log: "disable"
            icmp {
                type: "11"
            }
        }
    }
}
system {
    host-name: "router"
    domain-name: "yourdomain.com"
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp-server "pool.ntp.org"
    time-zone: "GMT"
    login {
        user root {
            authentication {
                plaintext-password: "vyatta"
            }
            full-name: ""
        }
        user vyatta {
            authentication {
                plaintext-password: "vyatta"
            }
            full-name: ""
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: "main"
            url: "http://archive.vyatta.com/vyatta"
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "firewall@1:webgui@1:serial@1:nat@2:dhcp-server@2:dhcp-relay@1:cluster@1" === */
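Before copying a config.boot like this one onto your own router, it is worth checking the few settings that decide how exposed the gateway is: which accept rules in the external ruleset admit new connections (the deliberate holes in the stateful default), which accounts still carry the factory plaintext password, and which interfaces have no inbound ruleset attached. The script below is an added example, not code from this page or from Vyatta. It assumes only the brace syntax visible in the sample configuration (a `node [key] {` line opens a block, `}` closes it, `leaf: value` is single-valued, `leaf value` is repeatable) and that a rule with no state block matches every connection state. SAMPLE is a constructed excerpt in that syntax, not the page's file.

```python
"""Parse and audit a Vyatta VC3 (XORP-style) config.boot excerpt.
Added example, not the page's or Vyatta's code; it assumes only the brace
syntax visible in the sample configuration. SAMPLE is a constructed
excerpt, not the page's file."""

SAMPLE = """\
/*XORP Configuration File, v1.0*/
interfaces {
    ethernet eth0 {
        firewall {
            in {
                name: "from-external"
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1 {
            prefix-length: 24
        }
    }
}
firewall {
    name "from-external" {
        rule 10 {
            action: "accept"
            state {
                established: "enable"
                related: "enable"
                new: "disable"
                invalid: "disable"
            }
        }
        rule 30 {
            description: "Pass SMTP"
            action: "accept"
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
        }
    }
}
system {
    login {
        user root {
            authentication {
                plaintext-password: "vyatta"
            }
        }
    }
}
"""


def parse(text):
    """Nested dicts: block headers ('rule 10') become keys, 'k: v' leaves map
    k -> v (quotes stripped), repeatable 'k v' leaves map k -> [v, ...]."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):   # blank or comment line
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):                # open a block
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line.split()[0].endswith(":"):     # single-valued leaf
            key, value = line.split(":", 1)
            cur[key] = value.strip().strip('"')
        else:                                   # repeatable leaf
            key, _, value = line.partition(" ")
            cur.setdefault(key, []).append(value.strip().strip('"'))
    return root


def rules_admitting_new(tree, ruleset):
    """Accept rules in `ruleset` not limited to established/related state:
    the deliberate holes in the stateful default (port-forwards etc.).
    Assumption: a rule with no state block matches every state."""
    body = tree.get("firewall", {}).get('name "%s"' % ruleset, {})
    return [int(k.split()[1]) for k, r in body.items()
            if k.startswith("rule ") and r.get("action") == "accept"
            and r.get("state", {}).get("new", "enable") != "disable"]


def default_password_users(tree):
    """Accounts still using the factory plaintext password 'vyatta'."""
    login = tree.get("system", {}).get("login", {})
    return sorted(k.split()[1] for k, u in login.items() if k.startswith("user ")
                  and u.get("authentication", {}).get("plaintext-password") == "vyatta")


def unfiltered_interfaces(tree):
    """Ethernet interfaces with no inbound ('in') firewall ruleset attached."""
    return [k.split()[1] for k, i in tree.get("interfaces", {}).items()
            if k.startswith("ethernet ")
            and "name" not in i.get("firewall", {}).get("in", {})]


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("from-external rules admitting new connections:", rules_admitting_new(cfg, "from-external"))
    print("accounts with default password:", default_password_users(cfg))
    print("interfaces with no inbound firewall:", unfiltered_interfaces(cfg))
```

Run against the real file with `parse(open("/opt/vyatta/etc/config/config.boot").read())`; on the sample above it reports rule 30 as the only hole in "from-external", root as still carrying the default password, and eth1 as carrying no inbound ruleset.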
