Getting started with the Vyatta firewall image

This page covers the Vyatta firewall image provided as a courtesy with the Claranet Cloud.

Configuring the IP addresses

Once you have created a Virtual Appliance and added a Public IP address for the Appliance to use:

reserve-ip-thumb.png

and added the Vyatta image from your Apps Library, click the Configuration icon on the image.

Choose the Network tab, click the Public tab, select the public IP address you want to assign and click accept.

To have the Vyatta use NIC 1 for the Private VLAN (instead of NIC 0, which is the default), so that NIC 1 can take the default gateway address of the Private VLAN, perform the following steps:

  1. Select the Default Network tab
  2. Delete the IP address (thus releasing NIC 0)
  3. Add a new address with the Add icon button
  4. Choose the default gateway address (usually 192.168.1.1)

If you have created a Private VLAN, choose the default gateway address you've configured in that VLAN. You can also change the default gateway address in the Private VLAN configuration pane for any network except the default network.

Deploy the Virtual Appliance to start the Virtual Machine.

Configuring the Firewall

Open a web browser to https://<your_public_IP> with the credentials from the login details page

and you will now be logged into the Vyatta firewall Virtual Machine.

Logging in

Suggested Quickstart

Change your password:

1.  expand: system → login → user → authentication
2.  Enter your password (accepts plaintext or encrypted) and click “set”
3.  Click the green “commit” button in the top right hand corner.
4.  Click “Save” to save your changes

or you can use the command line:

1. set system login user vyatta authentication plaintext-password <your_password_here>
2. commit

Change password

Create a generic address translation so machines can access the internet

1.  expand: service → nat → rule
2.  type rule # 100 and press “set”
3.  expand: rule 100
4.  set as follows:
    1.  outbound interface: eth0
    2.  Description: Generic PAT
    3.  type: masquerade
5.  click “set”
6.  click “Commit” green button in the top right hand corner
7.  Click “Save” to save your changes

or you can use the command line:

1. edit service nat rule 100
2. set description "Generic PAT"
3. set outbound-interface eth0
4. set type masquerade
5. commit

Set up NAT

Create a Port Address Translation to map common services to hosts inside the network

We'll use the example of a Linux server on the default network with IP address 192.168.1.3, and an address translation from the public address of the firewall to the SSH service on that server.

1.  Expand: service → nat → rule
2.  type rule # 10 and press “set”

Set the rule as follows:
3.  description: PAT to SSH onto 192.168.1.3
4.  protocol: tcp
5.  Inbound-Interface: eth0
6.  type: destination
7.  Click “set”

Then:
8.  expand “inside address” and create:
9.  Address: 192.168.1.3
10. port: 22
11. expand “destination address” and create:
12. Address: <your_public_ip>
13. port: 9022
14. Click “Commit” green button in the top right hand corner
15. Click “Save” to save your changes
16. Test this by trying an ssh session to port 9022

or you can use the command line:

edit service nat rule 10
set description "PAT to SSH onto 192.168.1.3"
set destination address 195.157.12.15
set destination port 9022
set inbound-interface eth0
set inside-address address 192.168.1.3
set inside-address port 22
set protocol tcp
set type destination
commit

and test with:

ssh sysadmin@195.157.12.15 -p 9022
sysadmin@195.157.12.15's password: <enter the password>

You should see:

Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-server x86_64)

Set up PAT

Create a zone based firewall

Consider the situation where you would like to allow all traffic from the Trusted (LAN) side of the network out to the rest of the world, but only allow specific traffic in from the Untrusted (WAN) side to your trusted network.

1. Expand Firewall → name and type “LAN2WAN” and click set.

Name Firewall Rule

2. Change “default-action” to accept and type description “LAN to WAN traffic”. Click Set.

Default action

3.  Expand Firewall → name and type “WAN2LAN” and click set
4. Change “default-action” to drop and type description “WAN to LAN traffic”. Click Set 
5.  Expand Firewall → name → WAN2LAN → rule, type “1” in the rule box and click Set. 
6.  In rule 1, change action to “accept”, protocol to “icmp” and description to “Sample rule to allow ping replies” and click Set.

ICMP rule

7.  Expand Firewall → name → WAN2LAN → rule → 1 → icmp and click the create button.
8.  Change type-name to “echo-reply” and click Set.
9. Expand Firewall → name → WAN2LAN → rule, type 5 in the rule box and click Set 
10. In rule 5, change action to “accept”, protocol to “tcp” and description to “Allow PAT'd SSH” and click Set

SSH rule

11. Expand Firewall → name → WAN2LAN → rule → 5 → destination and click the create button
12. In the port box type 9022 and click Set 
13. Expand Firewall → name → WAN2LAN → rule, type 100 in the rule box and click Set 
14. In rule 100, change action to “accept” and description to “Allow established traffic” and click Set
15. Expand Firewall → name → WAN2LAN → rule → 100 → state and tick the box saying “Established” and click Set

Allow established rule

16. Expand zone-policy → Zone and type “WAN” and click create
17. Give it a description such as “WAN zone” and click the tick box next to “eth0” and click Set
18. Expand zone-policy → Zone and type “LAN” and click create
19. Give it a description such as “LAN zone” and click the tick box next to “eth1” and click Set

Zones

20. Expand zone-policy → zone → LAN → from and type “WAN” and click set
21. Expand zone-policy → zone → LAN → from → WAN → firewall and click “create”
22. In the drop down box select WAN2LAN and click set
23. Expand zone-policy → zone → WAN → from and type “LAN” and click set
24. Expand zone-policy → zone → WAN → from → LAN → firewall and click “create”
25. In the drop down box select LAN2WAN and click set.

Policies

26. Click commit
27. Click save

or you can use the command line:

edit firewall name LAN2WAN
set default-action accept
set description "LAN to WAN traffic"
exit
edit firewall name WAN2LAN
set default-action drop
set description "WAN to LAN traffic"
edit rule 1
set description "Sample rule to allow ping replies"
set action accept
set protocol icmp
set icmp type-name echo-reply
exit
edit firewall name WAN2LAN rule 5
set description "Allow PAT'd SSH"
set action accept
set protocol tcp
set destination port 9022
exit
edit firewall name WAN2LAN rule 100
set description "Allow established traffic"
set action accept
set state established enable
exit
edit zone-policy zone LAN
set description LAN
set interface eth1
exit
edit zone-policy zone WAN
set description WAN
set interface eth0
exit
set zone-policy zone LAN from WAN firewall name WAN2LAN
set zone-policy zone WAN from LAN firewall name LAN2WAN
commit
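The NAT section and the zone-based firewall section above are typed in by hand, and the two have to agree with each other: the port-forward on 9022 is useless without the WAN2LAN rule that allows it, every rule needs an action before commit will accept it, and each zone policy must name a firewall rule set that actually exists. The following script, added here as an example and not Claranet's or Vyatta's own code, generates the complete list of `set` commands for both sections from one declarative description and refuses to emit anything when one of those mistakes is present. The rule data is constructed to mirror the page, and the public address is the one used in the page's CLI example.

```python
"""Generate the Vyatta `set` commands for the NAT rules and zone-based
firewall described above, checking the hand-typed pitfalls first: a rule
with no action, a zone policy naming a firewall that was never defined,
or an interface placed in two zones.  Added example, not Claranet's or
Vyatta's own code; the rule data is constructed to mirror the page.
"""


def quoted(value):
    """Double-quote a value for the Vyatta (bash-based) CLI when it contains spaces."""
    value = str(value)
    if any(ch.isspace() for ch in value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def nat_commands(rules):
    """rules: {rule number: {option path: value}}; one `set` line per option."""
    out = []
    for num in sorted(rules):
        for path, value in rules[num].items():
            out.append(f"set service nat rule {num} {path} {quoted(value)}")
    return out


def firewall_commands(firewalls):
    """firewalls: {name: {'default-action': ..., 'description': ..., 'rules': {num: {path: value}}}}."""
    out = []
    for name, fw in firewalls.items():
        out.append(f"set firewall name {name} default-action {fw['default-action']}")
        if "description" in fw:
            out.append(f"set firewall name {name} description {quoted(fw['description'])}")
        for num in sorted(fw.get("rules", {})):
            rule = fw["rules"][num]
            if "action" not in rule:
                # A rule without an action is rejected at commit time, so fail early.
                raise ValueError(f"firewall {name} rule {num} has no action")
            for path, value in rule.items():
                out.append(f"set firewall name {name} rule {num} {path} {quoted(value)}")
    return out


def zone_commands(zones, firewalls):
    """zones: {zone: {'description': ..., 'interfaces': [...], 'from': {other zone: firewall name}}}."""
    out, seen_ifaces = [], {}
    for zone, z in zones.items():
        out.append(f"set zone-policy zone {zone} description {quoted(z['description'])}")
        for iface in z["interfaces"]:
            if iface in seen_ifaces:
                raise ValueError(f"{iface} is in both zone {seen_ifaces[iface]} and zone {zone}")
            seen_ifaces[iface] = zone
            out.append(f"set zone-policy zone {zone} interface {iface}")
        for src, fw_name in z.get("from", {}).items():
            if src not in zones:
                raise ValueError(f"zone {zone} references unknown zone {src}")
            if fw_name not in firewalls:
                raise ValueError(f"zone {zone} from {src} uses undefined firewall {fw_name}")
            out.append(f"set zone-policy zone {zone} from {src} firewall name {fw_name}")
    return out


# Constructed data mirroring the page: generic masquerade, the SSH port-forward,
# the LAN2WAN/WAN2LAN rule sets and the two zones.
PUBLIC_IP = "195.157.12.15"  # the public address used in the page's CLI example
NAT = {
    100: {"description": "Generic PAT", "outbound-interface": "eth0", "type": "masquerade"},
    10: {"description": "PAT to SSH onto 192.168.1.3", "protocol": "tcp",
         "inbound-interface": "eth0", "type": "destination",
         "destination address": PUBLIC_IP, "destination port": 9022,
         "inside-address address": "192.168.1.3", "inside-address port": 22},
}
FIREWALLS = {
    "LAN2WAN": {"default-action": "accept", "description": "LAN to WAN traffic"},
    "WAN2LAN": {"default-action": "drop", "description": "WAN to LAN traffic", "rules": {
        1: {"description": "Sample rule to allow ping replies", "action": "accept",
            "protocol": "icmp", "icmp type-name": "echo-reply"},
        5: {"description": "Allow PAT'd SSH", "action": "accept",
            "protocol": "tcp", "destination port": 9022},
        100: {"description": "Allow established traffic", "action": "accept",
              "state established": "enable"},
    }},
}
ZONES = {
    "WAN": {"description": "WAN zone", "interfaces": ["eth0"], "from": {"LAN": "LAN2WAN"}},
    "LAN": {"description": "LAN zone", "interfaces": ["eth1"], "from": {"WAN": "WAN2LAN"}},
}


def build_config(nat=NAT, firewalls=FIREWALLS, zones=ZONES):
    """Full command list, ending with commit and save as the page's procedure does."""
    return (nat_commands(nat) + firewall_commands(firewalls)
            + zone_commands(zones, firewalls) + ["commit", "save"])


if __name__ == "__main__":
    print("\n".join(build_config()))
```

Running the script prints the commands in absolute form (every line starts at the top level with `set ...`), so they can be pasted into configure mode in one go without tracking `edit`/`exit` levels. To add another port-forward, add a NAT rule and the matching WAN2LAN rule to the two dictionaries; if the firewall rule is forgotten or its action is left out, the generator stops before anything reaches the appliance.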