Vyatta VC5 - Simple Firewall and NAT Rules

Since I've noticed that configuring Vyatta's firewall is a popular topic, I've decided to write this article.
I was not sure if to put it in a blog post, or on the main site, as it is my current understanding that in the future the firewall on Vyatta and the way firewall rules are configured might get some updates, making the bellow lines to need some updates. I actually hope that will be so and the firewall on Vyatta would be more user friendly.

Personal I'm not a big fan on how the firewall can be currently configured on Vyatta VC 5.0.2. Simple put, it's just too easy to get it wrong, or to not obtain the most secure configuration due to some details. And the underlying iptables are currently underused.

I will try to cover some common scenarios(but there are many possible common scenarios), firewalling Vyatta itself or traffic through Vyatta. Over the time I hope to add more configuration examples.

I will not use the Web GUI, as in its current form I don't feel it brings too much in configuring Vyatta's firewall, and it would be difficult for me to picture every step needed to configure a firewall rule. Rather, the Web GUI would be more suited for some videos tutorials.

What I currently added in this article:

- 1. Introduction
- 2. Overview
- 3. Firewalling Vyatta itself
   - 3.1 Allow DNS name resolution for Vyatta itself
   - 3.2 Allow NTP for Vyatta itself
   - 3.3 Allow HTTP and HTTPS for Vyatta itself
   - 3.4 Dynamic IP address from DHCP on an interface
   - 3.5 Allow SSH to Vyatta Itself
   - 3.6 Allow ping from Vyatta itself
   - 3.7 Allow TFTP from Vyatta itself to an internal TFTP server
   - 3.8 Allow FTP from Vyatta itself to an internal FTP server
   - 3.9 Allow SCP from Vyatta itself to an internal SCP server and from an internal SCP client to
     Vyatta itself
   - 3.10 Allow Radius traffic from Vyatta itself to an internal Radius server
   - 3.11 Vyatta as PPTP VPN Server: VPN traffic destined to Vyatta itself
   - 3.12 Vyatta as L2TP/IPsec VPN Server: VPN traffic destined to Vyatta itself
   - 3.13 Vyatta as an IPsec tunnel mode VPN gateway: s2s traffic destined to Vyatta itself
   - 3.14 GRE over IPsec: Traffic destined to Vyatta itself
   - 3.15 Allow OSPF traffic to Vyatta itself
   - 3.16 Allow RIP traffic to Vyatta itself
   - 3.17 Vyatta as DHCP server
   - 3.18 Vyatta as DHCP relay server
   - 3.19 DNS Forwarding on Vyatta
   - 3.20 Vyatta as a web proxy
- 4. Traffic through Vyatta
   - 4.1 Allow FTP through Vyatta
   - 4.2 Allow TFTP through Vyatta
   - 4.3 Allow web traffic through Vyatta
   - 4.4 Allow DNS through Vyatta
   - 4.5 Allow Ping through Vyatta
   - 4.6 Allow PPTP through Vyatta
   - 4.7 Allow L2TP/IPsec through Vyatta
   - 4.8 Vyatta as L2TP/IPsec or PPTP VPN Server: Filter VPN clients' traffic
   - 4.9 Vyatta as an IPsec tunnel mode VPN gateway: s2s traffic between the local and remote subnets
     and vice-versa
   - 4.10 Vyatta as an IPsec tunnel mode VPN gateway: Excluding from the NAT process traffic destined
     to the remote subnet(s)
   - 4.11 Vyatta as web proxy + Vyatta as VPN gateway
   - 4.12 GRE over IPsec: Traffic between local and remote subnets on the tunnel interface(tun1)
   - 4.13 GRE over IPsec: Traffic between local and remote subnets on the internal interface(eth1)
   - 4.14 GRE over IPsec: In and out firewall instances on the Internet facing interface(eth0)
- 5. Publish servers with Vyatta
   - 5.1 Publish a web(HTTP) server
   - 5.2 Publish a web(HTTP) server on an alternate port
   - 5.3 Publish a FTP server
   - 5.4 Publish a FTP server on an alternate port
   - 5.5 Publish a SMTP server
   - 5.6 Publish a PPTP VPN server
   - 5.7 Publish a L2TP/IPsec or "pure" IPsec VPN server behind Vyatta
- 6. Small home router behavior
- 7. Quickly display firewall rules and view firewall statistics

Read more…

Comments (4) -

  • stig

    7/14/2009 11:21:25 PM |

    Wow, lot of good info.  Thanks!

    • adimcev

      7/15/2009 8:29:41 AM |

      Hi Stig,

      And I have more scenarios on my mind, just haven't had time to add them.

      Thanks,
      Adrian

  • terry

    7/23/2009 3:05:17 PM |

    God bless you,  this is what i have been looking for.  thank you very much

  • piotxa

    1/15/2010 12:19:29 PM |

    Ei Adrian, good job!!

    Really helpful tutorials.
    Add more when you can, please.

    Regards!

Comments are closed