Vyatta
Vyatta is a Unix-based open source firewall/router that positions itself as a competitor to Cisco. The firewall module is off by default, so once interfaces are defined the router passes traffic freely. All configuration is done via the CLI [1].
Set-up
Installation (ISO Install)
- Download the LiveOS ISO
- Create a Red Hat RHEL5 (32 bit) VM with
  - 2GB hard drive
  - 2x E1000 NIC
  - 128MB RAM
- Connect the ISO and allow it to boot fully
- Login as root / vyatta
- To install to the local disk, run the install script with the following command
install-system
- Accept all defaults
- Reboot and disconnect the ISO
Installation (OVF Deployment)
- Get the URL or download the OVF from http://www.vyatta.com/downloads/
- Import into vCentre
- Reconfigure the network that the 2nd NIC is connected to as required
- Start the VM
- Login via the console using vyatta / vyatta
Basic Set-up
- Login and run the following commands to set the IP address and default gateway
configure
set system host-name router-name
set interfaces ethernet eth0 address 192.168.1.10/24
(repeat for other interfaces)
set system gateway-address 192.168.10.1
- Enable remote SSH access
set service ssh
- Enable/configure NTP (optional; out of the box the router syncs to Vyatta's NTP server pool)
set system time-zone Europe/London
set system ntp server 192.168.1.50
delete system ntp server 0.vyatta.pool.ntp.org
delete system ntp server 1.vyatta.pool.ntp.org
delete system ntp server 2.vyatta.pool.ntp.org
- Commit the changes and save
commit
save
exit
DNS Client
- To set DNS servers, use the following command (repeat for more servers)
set system name-server 172.16.0.34
- To set the DNS suffix search order, in order of preference (1st entered is 1st used)
set system domain-search domain mydomain.com
- To review the config
show system name-server
show system domain-search
Configuration
Basic Commands
In a similar fashion to Cisco IOS, configuration has to be entered in configuration mode, and the configuration can only be viewed in operator mode.
| Command | Description |
|---|---|
| configure | Enter configuration mode |
| commit | Apply changes made since last commit |
| save | Save changes since last save (otherwise lost at reboot) |
| discard | Discard changes made since last commit |
User Accounts
| Command | Description |
|---|---|
| set system login user <user> | Create user |
| set system login user <user> authentication plaintext-password <password> | Change user's password |
| set system login user <user> level admin | Change user's authorisation level |
| delete system login user <user> | Delete user |
Firewall
If an interface has no firewall config, it passes all traffic. Once any firewall config is applied to it, that interface acts as a firewall.
- http://www.carbonwind.net/VyattaOFR/Firewall/Firewall.htm - A bit old, but a useful page to learn from
| Command | Description |
|---|---|
| delete firewall name home_in rule 5 | Delete firewall rule no 5 |
vyatta@vyatta:~$ configure
vyatta@vyatta# set firewall name home_out rule 10 action accept
vyatta@vyatta# set firewall name home_out rule 10 description "VC client access"
vyatta@vyatta# set firewall name home_out rule 10 destination address 10.1.1.5
vyatta@vyatta# set firewall name home_out rule 10 destination port 80,443,8084,8443,9084
vyatta@vyatta# set firewall name home_out rule 10 protocol tcp
vyatta@vyatta# set interfaces ethernet eth0 firewall in name home_out
vyatta@vyatta# commit
vyatta@vyatta# exit
vyatta@vyatta:~$ show firewall home_out
Active on (eth0,IN)
State Codes: E - Established, I - Invalid, N - New, R - Related
rule  action  source     destination  proto  state
----  ------  ------     -----------  -----  -----
10    ACCEPT  0.0.0.0/0  10.1.1.5     tcp    any
  dst ports: 80,443,8084,8443,9084
1025  DROP    0.0.0.0/0  0.0.0.0/0    all    any
The firewall filters in both directions, in and out of the interface, and the rules above match state "any" rather than tracking connections, so traffic has to be permitted in both directions for a session to work. It is therefore necessary to configure the two rule sets as shown...
vyatta@vyatta:~$ show firewall home_in
Active on (eth0,OUT)
State Codes: E - Established, I - Invalid, N - New, R - Related
rule  action  source     destination   proto  state
----  ------  ------     -----------   -----  -----
5     ACCEPT  0.0.0.0/0  0.0.0.0/0     icmp   any
10    ACCEPT  0.0.0.0/0  88.221.188.7  tcp    any
  dst ports: 443
11    ACCEPT  0.0.0.0/0  92.123.36.7   tcp    any
  dst ports: 443
1025  DROP    0.0.0.0/0  0.0.0.0/0     all    any
vyatta@vyatta:~$ show firewall home_out
Active on (eth0,IN)
State Codes: E - Established, I - Invalid, N - New, R - Related
rule  action  source           destination  proto  state
----  ------  ------           -----------  -----  -----
5     ACCEPT  0.0.0.0/0        0.0.0.0/0    icmp   any
110   ACCEPT  88.221.188.7/32  0.0.0.0/0    tcp    any
  src ports: 443
111   ACCEPT  92.123.36.7      0.0.0.0/0    tcp    any
  src ports: 443
1025  DROP    0.0.0.0/0        0.0.0.0/0    all    any
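An added example to check the "both directions" point above (this is not code from the page or from Vyatta): a Python script that parses `show firewall` output for the rule sets active in the two directions of an interface and reports every outbound tcp/udp accept rule that has no inbound rule accepting the reply. The sample output is constructed from the page's rules plus a deliberately unmatched rule 12 to 203.0.113.9; reading the direction from the `Active on (...)` line and the column layout shown above are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the page's `show firewall` output (column
# headers omitted); rule 12 is added here as a deliberately unmatched flow.
SHOW_FIREWALL = """\
Active on (eth0,OUT)
10    ACCEPT  0.0.0.0/0  88.221.188.7  tcp    any
  dst ports: 443
12    ACCEPT  0.0.0.0/0  203.0.113.9   tcp    any
  dst ports: 443
1025  DROP    0.0.0.0/0  0.0.0.0/0     all    any
Active on (eth0,IN)
110   ACCEPT  88.221.188.7/32  0.0.0.0/0  tcp  any
  src ports: 443
1025  DROP    0.0.0.0/0        0.0.0.0/0  all  any
"""

ACTIVE_RE = re.compile(r"Active on \(\w+,(IN|OUT)\)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(ACCEPT|DROP|REJECT)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
PORTS_RE = re.compile(r"^\s*(src|dst) ports:\s*(\S+)\s*$")

def parse_show_firewall(text):
    """Return {'IN': [...], 'OUT': [...]} of rule dicts; port lines attach to the preceding rule."""
    sets, cur = {}, None
    for line in text.splitlines():
        if m := ACTIVE_RE.search(line):
            cur = sets.setdefault(m.group(1), [])
        elif (m := RULE_RE.match(line)) and cur is not None:
            num, action, src, dst, proto, _state = m.groups()
            cur.append({"rule": int(num), "action": action, "src": src, "dst": dst,
                        "proto": proto, "src_ports": set(), "dst_ports": set()})
        elif (m := PORTS_RE.match(line)) and cur:
            cur[-1][m.group(1) + "_ports"] = set(m.group(2).split(","))
    return sets

def unmatched_return_rules(sets):
    """Numbers of OUT-bound tcp/udp ACCEPT rules with no IN-bound rule accepting the reply."""
    def same(a, b):  # compare peer addresses, treating 1.2.3.4 and 1.2.3.4/32 as equal
        return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)
    missing = []
    for o in sets.get("OUT", []):
        if o["action"] != "ACCEPT" or o["proto"] not in ("tcp", "udp") or not o["dst_ports"]:
            continue
        if not any(i["action"] == "ACCEPT" and i["proto"] == o["proto"]
                   and o["dst_ports"] <= i["src_ports"] and same(o["dst"], i["src"])
                   for i in sets.get("IN", [])):
            missing.append(o["rule"])
    return missing
```

Run `unmatched_return_rules(parse_show_firewall(SHOW_FIREWALL))` to get the list of outbound rule numbers whose replies the inbound set would drop.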
NAT
For full details see http://www.vyatta.com/sites/vyatta.com/files/pdfs/Vyatta_NATRef_R6.2_v01.pdf
To configure masquerade NAT, so that multiple inside addresses go out through eth0 using the router's outside interface address:
set service nat rule 10 type masquerade
set service nat rule 10 source address 10.1.1.0/24
set service nat rule 10 outbound-interface eth0
commit
To configure destination NAT into the router, presenting machines on the inside to the outside world:
set interfaces ethernet eth0 address 192.168.1.20/24
set service nat
set service nat rule 20 description InsideServerName
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
set service nat rule 20 destination address 192.168.1.20
set service nat rule 20 inside-address address 10.1.1.20
set service nat rule 20 protocol all
To configure source NAT going out from the router, so that machines on the inside pick up external addresses as they communicate with the outside world (a source rule is bound to the outbound interface, as with the masquerade rule above):
set service nat
set service nat rule 1020 description InsideServerName
set service nat rule 1020 type source
set service nat rule 1020 outbound-interface eth0
set service nat rule 1020 source address 10.1.1.20
set service nat rule 1020 outside-address address 192.168.1.20
set service nat rule 1020 protocol all
To configure bidirectional NAT, whereby a machine on the inside appears to the outside world under the same address whether the traffic is initiated from outside or inside the router, simply combine the source and destination NAT configuration above.
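As an added example (not from the page or from Vyatta's own tooling), a Python generator that emits the combined destination and source NAT rules the paragraph describes for a list of inside/outside address pairs, following the 20/1020 rule-number scheme used above, with the source rule bound to the outbound interface as in the masquerade example. The host names and addresses in MAPPINGS are constructed.

```python
import ipaddress

def bidirectional_nat(mappings, iface="eth0", dst_base=20, src_base=1020):
    """Emit 'set service nat' lines for 1:1 bidirectional NAT.
    mappings: [(description, inside_address, outside_address), ...]
    Pair n gets destination rule dst_base+n and source rule src_base+n."""
    lines = ["set service nat"]
    seen = set()
    for n, (name, inside, outside) in enumerate(mappings):
        ipaddress.ip_address(inside)   # raises ValueError on a malformed address
        ipaddress.ip_address(outside)
        if outside in seen:
            raise ValueError(f"outside address {outside} mapped twice")
        seen.add(outside)
        d, s = dst_base + n, src_base + n
        if d >= src_base:
            raise ValueError("destination rule numbers would collide with source rules")
        # Destination NAT: outside -> inside, matched inbound on the outside interface
        lines += [f"set service nat rule {d} description {name}",
                  f"set service nat rule {d} type destination",
                  f"set service nat rule {d} inbound-interface {iface}",
                  f"set service nat rule {d} destination address {outside}",
                  f"set service nat rule {d} inside-address address {inside}",
                  f"set service nat rule {d} protocol all"]
        # Source NAT: inside -> outside, matched outbound on the outside interface
        lines += [f"set service nat rule {s} description {name}",
                  f"set service nat rule {s} type source",
                  f"set service nat rule {s} outbound-interface {iface}",
                  f"set service nat rule {s} source address {inside}",
                  f"set service nat rule {s} outside-address address {outside}",
                  f"set service nat rule {s} protocol all"]
    return lines

# Constructed example hosts: private inside addresses, page-style outside addresses
MAPPINGS = [("web", "10.1.1.20", "192.168.1.20"), ("mail", "10.1.1.21", "192.168.1.21")]

if __name__ == "__main__":
    print("\n".join(bidirectional_nat(MAPPINGS)))
```

Paste the printed lines into configuration mode and finish with commit and save.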
To delete a NAT rule, use syntax similar to the following...
delete service nat rule 42
Troubleshooting and General Commands
| Command | Comments |
|---|---|
| reboot | Reboot the router |
| shutdown | Shut down the router |
| show arp | Show the ARP table |
| show interfaces | Show interface status and addresses |
| show ip route | Show the routing table |
| show nat rules | Show the configured NAT rules |
| show configuration | Show the running configuration |
| set system flow-accounting interface eth0 | Enable flow accounting |
| delete system flow-accounting | Disable flow accounting |
| show flow-accounting interface eth0 | Show flow accounting for eth0 |
| show flow-accounting interface eth0 host 10.1.1.1 | Show flow accounting for a specific IP through eth0 |
TCPdump
TCPdump can only be run as root, so you may need to set the root password first...
sudo passwd root
...then elevate to the superuser, from where you can run TCPdump...
su -
Some basic TCPdump examples...
| Command | Comments |
|---|---|
| tcpdump -i eth0 port 80 | Anything on port 80 through eth0 |
| tcpdump -i eth0 dst 10.10.0.10 and port 80 | Anything going to 10.10.0.10:80 through eth0 |
| tcpdump -w capture.pcap -i eth0 port 80 | Write the capture to capture.pcap |
For more info see the TCPdump man page - http://www.tcpdump.org/tcpdump_man.html