Vyatta

From vwiki

Debian-based open-source firewall/router that positions itself as a competitor to Cisco. The firewall is not enabled by default: once interfaces have addresses the box routes between them freely with no filtering, so it should not sit on a network boundary until firewall rule sets have been attached to its interfaces. All configuration is done via the CLI [1].

Set-up

Vyatta Download

Installation (ISO Install)

  1. Download the Live ISO
  2. Create a VM (guest OS type Red Hat Enterprise Linux 5, 32-bit) with
    • 2GB hard drive
    • 2x E1000 NIC
    • 128MB RAM
  3. Connect the ISO and allow the VM to boot fully
  4. Log in as root, password vyatta
  5. To install to the local disk, run the install script
    • install-system
    • Accept all defaults
  6. Reboot and disconnect the ISO

Installation (OVF Deployment)

  1. Get the URL of, or download, the OVF from http://www.vyatta.com/downloads/
  2. Import into vCenter
  3. Reconfigure the network the 2nd NIC is connected to, as required
  4. Start the VM
  5. Log in via the console as vyatta, password vyatta (these are the default credentials; change them before the router is reachable from the network)

Basic Set-up

  1. Login and run the following commands to set the host name, IP addresses and default gateway
    • configure
    • set system host-name router-name
    • set interfaces ethernet eth0 address 192.168.1.10/24 (repeat for other interfaces)
    • set system gateway-address 192.168.1.1 (the gateway must be on a directly connected subnet; 192.168.1.1 is on eth0's subnet above)
  2. Enable remote ssh access (change the default vyatta password first, see User Accounts, since ssh exposes that account to the network)
    • set service ssh
  3. Enable/configure NTP (optional; out of the box the router syncs to Vyatta's NTP server pool)
    • set system time-zone Europe/London
    • set system ntp server 192.168.1.50
    • delete system ntp server 0.vyatta.pool.ntp.org
    • delete system ntp server 1.vyatta.pool.ntp.org
    • delete system ntp server 2.vyatta.pool.ntp.org
  4. Commit changes and save (commit applies them to the running system; save writes them to disk so they survive a reboot)
    • commit
    • save
    • exit

DNS Client

  1. To set DNS servers, use the following command (repeat for more servers)
    • set system name-server 172.16.0.34
  2. To set the domain search list, in order of preference (1st entered is 1st used)
    • set system domain-search domain mydomain.com
  3. To review the config (from configuration mode)
    • show system name-server
    • show system domain-search
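The Basic Set-up and DNS Client steps collected into a single first-boot session, as an added example rather than the page's own configuration. It assumes eth0 faces the outside network and eth1 (10.1.1.1/24) the inside, matching the 10.1.1.0/24 addresses used in the NAT section later on; the passphrase is a placeholder. The order matters: the default vyatta password is changed before ssh is enabled.

```vyatta
configure

# The vyatta account ships with password "vyatta": change it before anything
# reachable over the network (ssh) is switched on.  Placeholder passphrase.
set system login user vyatta authentication plaintext-password 'Replace-Me-With-A-Long-Passphrase'

set system host-name router-name
set interfaces ethernet eth0 description 'outside'
set interfaces ethernet eth0 address 192.168.1.10/24
set interfaces ethernet eth1 description 'inside (assumed)'
set interfaces ethernet eth1 address 10.1.1.1/24
# The gateway must be on a directly connected subnet; here it is on eth0's.
set system gateway-address 192.168.1.1

set system name-server 172.16.0.34
set system domain-search domain mydomain.com
set system time-zone Europe/London
set system ntp server 192.168.1.50
delete system ntp server 0.vyatta.pool.ntp.org
delete system ntp server 1.vyatta.pool.ntp.org
delete system ntp server 2.vyatta.pool.ntp.org

# Only now enable remote access.
set service ssh

# commit applies the candidate configuration; save writes it to disk.
commit
save
exit

# Verify from operational mode: addresses, default route, saved config.
show interfaces
show ip route
show configuration
```

Once key-based logins are in place (see the User Accounts section), VC6.x releases also accept `set service ssh disable-password-authentication`; that option is not on this page and should be confirmed with tab completion on your release before relying on it.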

SNMP Server

To set up the SNMP service so that a polling server can interact with the router (perform SNMP Gets, etc.). Communities are SNMP v1/v2c credentials sent in cleartext, so use a non-default name and restrict which hosts may use it.

  1. Go into configuration mode
    • configure
  2. Create an SNMP community (don't use public!)
    • set service snmp community community-name
  3. Restrict the community to the SNMP client(s) allowed to make requests with it (repeat for further clients)
    • set service snmp community community-name client 192.168.1.25
  4. Apply changes
    • commit

To set up SNMP trapping (assumes you're already in config mode)

  1. Configure a trap destination (repeat for further destinations)
    • set service snmp trap-target 192.168.10.199
  2. Apply changes
    • commit

If you have a firewall rule set attached for traffic to the router itself (the local direction on the interface), you'll need to allow SNMP in from the polling server only, eg

set firewall name eth0-local rule 70 description 'VYATTA SNMP'
set firewall name eth0-local rule 70 action 'accept'
set firewall name eth0-local rule 70 destination port '161'
set firewall name eth0-local rule 70 protocol 'udp'
set firewall name eth0-local rule 70 source address '192.168.1.25'
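The SNMP set-up and the firewall fragment above combined into one hardened configuration, as an added example that is not the page's own. The community name, contact and location strings, and the 192.168.1.0/24 management subnet used for the ssh rule are assumptions. The authorization ro option and the trap-target community sub-option are the VC6 SNMP reference forms; confirm them with tab completion on your release.

```vyatta
configure

# v2c community: not "public", read-only, and only answered for the poller.
set service snmp community router-poll-ro authorization ro
set service snmp community router-poll-ro client 192.168.1.25
set service snmp contact 'netops@mydomain.com'
set service snmp location 'rack 3 (placeholder)'
# Traps carry a community string too; give the collector the same read-only one.
set service snmp trap-target 192.168.10.199 community router-poll-ro

# Rule set for traffic addressed to the router itself.  Anything not accepted
# below is dropped, so management access (ssh) must be allowed here as well,
# or the commit locks you out of the box.
set firewall name eth0-local default-action drop
set firewall name eth0-local rule 10 description 'replies to connections the router opened (DNS, NTP)'
set firewall name eth0-local rule 10 action accept
set firewall name eth0-local rule 10 state established enable
set firewall name eth0-local rule 10 state related enable
set firewall name eth0-local rule 20 description 'ssh from the management subnet (assumed)'
set firewall name eth0-local rule 20 action accept
set firewall name eth0-local rule 20 protocol tcp
set firewall name eth0-local rule 20 destination port 22
set firewall name eth0-local rule 20 source address 192.168.1.0/24
set firewall name eth0-local rule 70 description 'VYATTA SNMP'
set firewall name eth0-local rule 70 action accept
set firewall name eth0-local rule 70 protocol udp
set firewall name eth0-local rule 70 destination port 161
set firewall name eth0-local rule 70 source address 192.168.1.25

# The rule set does nothing until it is attached to an interface and direction.
set interfaces ethernet eth0 firewall local name eth0-local

commit
save
exit
```

Traps are sent from the router to the collector, so no inbound rule is needed for them; the established/related rule covers any replies. Test the rule set from a second ssh session before closing the one you committed from.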

Configuration

Basic Commands

In similar fashion to Cisco IOS, configuration changes are entered in configuration mode (the prompt changes from $ to #). Changes are staged until committed, and committed changes are lost at reboot unless saved. In configuration mode show displays the candidate configuration; in operational mode show configuration displays the running (committed) configuration.

Command Description
configure Enter configuration mode
commit Apply changes made since last commit
save Save the committed configuration to disk (otherwise lost at reboot)
discard Discard uncommitted changes
exit Leave configuration mode

User Accounts

Command Description
set system login user <user> Create user
set system login user <user> authentication plaintext-password <password> Set the user's password (hashed on commit and stored as encrypted-password in the configuration)
set system login user <user> level admin Set the user's authorisation level (admin has full configuration access and sudo; operator can run operational commands but cannot enter configuration mode)
delete system login user <user> Delete user
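An added example, not from the page: a named admin account with key-based ssh login, a read-only operator account, and removal of the default vyatta account once the new admin login has been verified. The user names, key-id and key body are placeholders; the public-keys syntax is the VC6.x form, check it with tab completion on other releases.

```vyatta
configure

# Administrator: full configuration access plus sudo.
# The password is only there until key login is confirmed.
set system login user alice level admin
set system login user alice full-name 'Alice Example'
set system login user alice authentication plaintext-password 'Temporary-Until-Key-Login-Works'
set system login user alice authentication public-keys alice-laptop type ssh-rsa
set system login user alice authentication public-keys alice-laptop key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQ-PLACEHOLDER-KEY-BODY'

# Operator: can run show/ping/traceroute etc. but cannot enter configure.
set system login user monitor level operator
set system login user monitor authentication plaintext-password 'Another-Placeholder-Passphrase'

commit
save

# The clear-text password is hashed on commit; what is stored is encrypted-password.
show system login user alice authentication

# From a second session, confirm "ssh alice@<router>" works with the key and that
# "configure" succeeds.  Only then remove the default account.
delete system login user vyatta
commit
save
exit
```

Keep at least one admin-level account you have actually logged in with before deleting vyatta; the console login from the OVF steps is the fallback if ssh is misconfigured.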

Firewall

If an interface has no rule set attached, it passes all traffic. Once a rule set is attached to an interface in a direction, every packet in that direction is checked against the rules in ascending rule-number order, and anything not explicitly accepted hits the default action (drop, shown as the final rule 1025 in the listings below). Rules are created with set firewall name <name> rule <n> ... and the set is attached with set interfaces ethernet <intf> firewall in|out name <name>.

Command Description
delete firewall name home_in rule 5 Delete firewall rule no 5


vyatta@vyatta:~$ configure
vyatta@vyatta# set firewall name home_out rule 10 action accept
vyatta@vyatta# set firewall name home_out rule 10 description "VC client access"
vyatta@vyatta# set firewall name home_out rule 10 destination address 10.1.1.5
vyatta@vyatta# set firewall name home_out rule 10 destination port 80,443,8084,8443,9084
vyatta@vyatta# set firewall name home_out rule 10 protocol tcp
vyatta@vyatta# set interfaces ethernet eth0 firewall in name home_out
vyatta@vyatta# commit
vyatta@vyatta# exit
vyatta@vyatta:~$ show firewall home_out

Active on (eth0,IN)

State Codes: E - Established, I - Invalid, N - New, R - Related

rule  action  source              destination         proto  state
----  ------  ------              -----------         -----  -----
10    ACCEPT  0.0.0.0/0           10.1.1.5            tcp    any
                                  dst ports: 80,443,8084,8443,9084
1025  DROP    0.0.0.0/0           0.0.0.0/0           all    any

Each rule set is attached in one direction on one interface: in matches packets arriving on the interface, out matches packets leaving it. The rule sets shown here are stateless (state any), so a connection must be permitted in both directions: the request in one rule set and the replies in the other. That is why home_in and home_out below mirror each other, with the return traffic allowed on source port 443. Matching return traffic on source port is weak: any remote host can send from source port 443 and pass rules 110/111 to any inside address. Vyatta rules can instead match on connection state (established/related), which is the better way to allow replies; the stateless form is kept here as configured.

vyatta@vyatta:~$ show firewall home_in

Active on (eth0,OUT)

State Codes: E - Established, I - Invalid, N - New, R - Related

rule  action  source              destination         proto  state
----  ------  ------              -----------         -----  -----
5     ACCEPT  0.0.0.0/0           0.0.0.0/0           icmp   any
10    ACCEPT  0.0.0.0/0           88.221.188.7        tcp    any
                                  dst ports: 443
11    ACCEPT  0.0.0.0/0           92.123.36.7         tcp    any
                                  dst ports: 443
1025  DROP    0.0.0.0/0           0.0.0.0/0           all    any

vyatta@vyatta:~$ show firewall home_out

Active on (eth0,IN)

State Codes: E - Established, I - Invalid, N - New, R - Related

rule  action  source              destination         proto  state
----  ------  ------              -----------         -----  -----
5     ACCEPT  0.0.0.0/0           0.0.0.0/0           icmp   any
110   ACCEPT  88.221.188.7/32     0.0.0.0/0           tcp    any
              src ports: 443
111   ACCEPT  92.123.36.7         0.0.0.0/0           tcp    any
              src ports: 443
1025  DROP    0.0.0.0/0           0.0.0.0/0           all    any
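The same two rule sets rewritten to match on connection state, as an added example that is not the page's own configuration. Interfaces, addresses and ports are those from the listings above; the default-action lines, the invalid-state drop and the removal of the source-port rules are the changes.

```vyatta
configure

# Leaving eth0 (attached as "out"): what the LAN may open to the outside.
set firewall name home_in default-action drop
set firewall name home_in rule 5 action accept
set firewall name home_in rule 5 protocol icmp
set firewall name home_in rule 10 description 'HTTPS to 88.221.188.7'
set firewall name home_in rule 10 action accept
set firewall name home_in rule 10 protocol tcp
set firewall name home_in rule 10 destination address 88.221.188.7
set firewall name home_in rule 10 destination port 443
set firewall name home_in rule 11 description 'HTTPS to 92.123.36.7'
set firewall name home_in rule 11 action accept
set firewall name home_in rule 11 protocol tcp
set firewall name home_in rule 11 destination address 92.123.36.7
set firewall name home_in rule 11 destination port 443

# Arriving on eth0 (attached as "in"): replies are matched on connection
# state, not on source port, so rules 110/111 are no longer needed.
set firewall name home_out default-action drop
set firewall name home_out rule 1 description 'replies to connections opened from inside'
set firewall name home_out rule 1 action accept
set firewall name home_out rule 1 state established enable
set firewall name home_out rule 1 state related enable
set firewall name home_out rule 2 description 'packets that belong to no known connection'
set firewall name home_out rule 2 action drop
set firewall name home_out rule 2 state invalid enable
set firewall name home_out rule 5 action accept
set firewall name home_out rule 5 protocol icmp
set firewall name home_out rule 10 description 'VC client access'
set firewall name home_out rule 10 action accept
set firewall name home_out rule 10 protocol tcp
set firewall name home_out rule 10 destination address 10.1.1.5
set firewall name home_out rule 10 destination port 80,443,8084,8443,9084
set firewall name home_out rule 10 state new enable
# Remove the source-port holes if they are present from the earlier config.
delete firewall name home_out rule 110
delete firewall name home_out rule 111

set interfaces ethernet eth0 firewall in name home_out
set interfaces ethernet eth0 firewall out name home_in
commit
save
exit
show firewall home_out
```

With this in place, home_in only ever has to describe what the LAN may initiate, and home_out only what the outside may initiate; each side's replies ride on rule 1. The two delete lines print "Nothing to delete" if the rules do not exist, which is harmless.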

NAT

For full details see http://www.vyatta.com/sites/vyatta.com/files/pdfs/Vyatta_NATRef_R6.2_v01.pdf

To configure masquerade NAT out through eth0, so that multiple inside addresses share the address of the router's outside interface:

set service nat rule 10 type masquerade
set service nat rule 10 source address 10.1.1.0/24
set service nat rule 10 outbound-interface eth0
commit

To configure destination NAT into the router, presenting an inside machine to the outside world on an address held by eth0 (here 192.168.1.20 is added to eth0 as a second address). With protocol all and no destination port, every port on 10.1.1.20 becomes reachable from outside, so pair this with a firewall rule set on eth0 that only accepts the ports actually being published. That rule set sees the translated destination (10.1.1.20), because destination NAT is applied before the in firewall on the interface.

set interfaces ethernet eth0 address 192.168.1.20/24
set service nat
set service nat rule 20 description InsideServerName
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
set service nat rule 20 destination address 192.168.1.20
set service nat rule 20 inside-address address 10.1.1.20
set service nat rule 20 protocol all
commit

To configure source NAT out of the router, so that a particular inside machine appears to the outside world with a fixed external address rather than the masqueraded interface address. Source NAT rules are selected by outbound interface. NAT rules are matched first-match in ascending rule number, so a specific source rule must be numbered below any masquerade rule whose source range covers the same host: as numbered here, rule 1020 is never reached while rule 10 above masquerades all of 10.1.1.0/24.

set service nat
set service nat rule 1020 description InsideServerName
set service nat rule 1020 type source
set service nat rule 1020 outbound-interface eth0
set service nat rule 1020 source address 10.1.1.20
set service nat rule 1020 outside-address address 192.168.1.20
set service nat rule 1020 protocol all
commit

To configure bidirectional NAT, whereby a machine on the inside appears to the outside world with the same address whether the traffic is initiated from outside or inside, combine the destination and source NAT rules above for that host.

To delete a NAT rule, use syntax similar to the following...

delete service nat rule 42
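The three NAT forms above combined for one published server, as an added example rather than the page's own configuration: the destination NAT is restricted to one TCP port, the fixed source NAT is numbered below the masquerade rule so it is actually matched, and the firewall rule on eth0 filters on the post-translation address. Addresses and the home_out rule set name are those used elsewhere on this page; rule numbers 5 and 20 and the inside-address port are assumptions.

```vyatta
configure

# 1. Publish only HTTPS on 192.168.1.20 (second address on eth0) to 10.1.1.20:443.
set interfaces ethernet eth0 address 192.168.1.20/24
set service nat rule 20 description 'InsideServerName https only'
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
set service nat rule 20 protocol tcp
set service nat rule 20 destination address 192.168.1.20
set service nat rule 20 destination port 443
set service nat rule 20 inside-address address 10.1.1.20
set service nat rule 20 inside-address port 443

# 2. Fixed source address for the same server.  Numbered below the masquerade
#    rule because NAT rules are first-match in ascending order.
set service nat rule 5 description 'InsideServerName fixed source address'
set service nat rule 5 type source
set service nat rule 5 outbound-interface eth0
set service nat rule 5 source address 10.1.1.20
set service nat rule 5 outside-address address 192.168.1.20

# 3. Everything else on the LAN hides behind eth0's primary address.
set service nat rule 10 type masquerade
set service nat rule 10 outbound-interface eth0
set service nat rule 10 source address 10.1.1.0/24

# 4. The "in" rule set on eth0 is evaluated after destination NAT, so it must
#    match the inside address, not 192.168.1.20.
set firewall name home_out rule 20 description 'published https on InsideServerName'
set firewall name home_out rule 20 action accept
set firewall name home_out rule 20 protocol tcp
set firewall name home_out rule 20 destination address 10.1.1.20
set firewall name home_out rule 20 destination port 443
set firewall name home_out rule 20 state new enable
set interfaces ethernet eth0 firewall in name home_out

commit
save
exit
show nat rules
```

This assumes home_out and home_in both carry an accept rule for established/related state (the stateful form shown in the Firewall section); with the page's stateless rule sets the server's replies leaving eth0 would be dropped by home_in.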

Troubleshooting and General Commands

Command Comments
reboot Restart the router
shutdown Power the router off
show arp Display the ARP table
show interfaces Display interfaces, their addresses and link state
show ip route Display the routing table
show nat rules Display the configured NAT rules
show configuration Display the running (committed) configuration
set system flow-accounting interface eth0 Enable flow accounting on eth0 (configuration mode)
delete system flow-accounting Disable flow accounting (configuration mode)
show flow-accounting interface eth0 Show flow accounting for eth0
show flow-accounting interface eth0 host 10.1.1.1 Show flow accounting for a specific IP through eth0

Unable to Commit Interface Change (RTNETLINK)

When trying to commit interface changes you receive an error like...

admin@router# commit
[ interfaces ethernet eth1 address ]
RTNETLINK answers: File exists

Commit failed

RTNETLINK answers: File exists is the kernel refusing to add an address it already holds on the interface. So show interfaces shows the address as present, while show configuration shows it missing from the committed configuration, meaning it will not survive a reboot.

To resolve - restart the router (reboot).

On restart the conflicting address is gone from the kernel (it no longer appears in show interfaces). It can then be reapplied with set and commit, which shouldn't generate the error this time around.
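An added diagnostic, not from the page, for confirming what the error means before reaching for a reboot. The interface and address are constructed for illustration.

```vyatta
# Operational mode.  Compare what the kernel holds on eth1 with what is committed.
show interfaces ethernet eth1
sudo ip -4 addr show dev eth1
show configuration | match eth1

# If the kernel lists the address but the committed configuration does not,
# that is the "File exists" conflict.  Reboot is the known fix above.
# Assumption, not verified on Vyatta: removing the stray address from the
# kernel first should let the commit succeed without a reboot.
sudo ip addr del 10.2.2.1/24 dev eth1
configure
set interfaces ethernet eth1 address 10.2.2.1/24
commit
save
exit
```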

TCPdump

tcpdump needs root privileges. Admin-level Vyatta users have sudo, so run it as sudo tcpdump ... This is preferable to the approach of setting a root password with

sudo passwd root

...and then switching to the superuser with

su -

...which works, but is unnecessary and leaves a second password-protected superuser account on the box.

Some basic tcpdump examples...

Command Comments
sudo tcpdump -i eth0 port 80 Anything on port 80 through eth0
sudo tcpdump -i eth0 dst 10.10.0.10 and port 80 Anything going to 10.10.0.10:80 through eth0
sudo tcpdump -w capture.pcap -i eth0 port 80 Write the capture to capture.pcap (readable offline in Wireshark)

For more info see the TCPdump man page - http://www.tcpdump.org/tcpdump_man.html
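Added examples, not from the page, applying tcpdump to the checks that matter on a firewall: who is probing SNMP, whether destination NAT is actually translating, and what new connections the firewall is being asked to pass. Addresses are those used elsewhere on this page; eth1 as the inside interface is an assumption.

```vyatta
# Operational-mode shell on the router; admin users can sudo.
# -nn: no name or port lookups (faster, and no DNS traffic from the router).

# Is anything other than the permitted poller (192.168.1.25) probing SNMP on eth0?
sudo tcpdump -nn -i eth0 -c 50 'udp dst port 161 and not src host 192.168.1.25'

# Confirm a published service is really being translated.  On eth0 the inbound
# packets still carry the public address (tcpdump sees frames before DNAT)...
sudo tcpdump -nn -i eth0 -c 20 'tcp dst port 443 and dst host 192.168.1.20'
# ...while on the inside interface (assumed eth1) the same flows show the inside address.
sudo tcpdump -nn -i eth1 -c 20 'tcp dst port 443 and dst host 10.1.1.20'

# New connection attempts only (SYN set, ACK clear): what the "in" rule set has to decide on.
sudo tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Full-packet capture of the published server's traffic for offline analysis.
# -s 0 makes the snaplen explicit so payloads are not truncated.
sudo tcpdump -nn -i eth0 -s 0 -w /tmp/eth0-443.pcap 'tcp port 443 and host 192.168.1.20'
```

Copy captures off the router rather than analysing them there; the write goes to /tmp, which is cleared on reboot.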

Notes

  1. There was a web interface available with the free version (which was just a front end for the same CLI commands), but this is now only available in the paid-for version because it uses the REST API, which is a premium feature.