Getting started with a Vyatta firewall image

This page covers the Vyatta firewall image supplied with the Claranet Cloud.

Configuring the IP addresses

Once you have created a virtual appliance and added a public IP address:


and added the Vyatta image from your Application Library, click the image's 'Configuration' icon.

Choose the Network tab, click the Public tab, select the public IP address you want to assign and click 'Accept'.

To put the private VLAN on NIC1 (instead of the default NIC0), so that NIC1 can take the private VLAN's default gateway address, follow these steps:

  1. Select the 'Default network' tab
  2. Delete the IP address (which releases NIC0)
  3. Add a new address with the Add icon button
  4. Choose the default gateway (usually 192.168.1.1)

If you have created a private VLAN, choose the default gateway you configured for that network. You can change the gateway for every VLAN except the default VLAN.

Deploy the appliance to start the virtual machine.

Configuring the firewall

Open a browser and go to the URL https:// with the credentials found on the credentials page.

You are now logged in to the Vyatta virtual machine.

Logging in

Recommended first steps

Change your password:

1.  expand: system → login → user → authentication
2.  Enter your password (accepts plaintext or encrypted) and click “set”
3.  Click the green “commit” button in the top right hand corner.
4.  Click “Save” to save your changes

or you can use the command line:

1. set system login user vyatta authentication plaintext-password <your_password_here>
2. commit

Change password

Create a generic address translation so machines can access the internet

1.  expand: service → nat → rule
2.  type rule # 100 and press “set”
3.  expand: rule 100
4.  set as follows:
    1.  outbound interface: eth0
    2.  Description: Generic PAT
    3.  type: masquerade
5.  click “set”
6.  click “Commit” green button in the top right hand corner
7.  Click “Save” to save your changes

or you can use the command line:

1. edit service nat rule 100
2. set description "Generic PAT"
3. set outbound-interface eth0
4. set type masquerade
5. commit

Set up NAT

Create a Port Address Translation to map common services to hosts inside the network

We'll use the example of a Linux server on the default network with IP address 192.168.1.3, and an address translation from the firewall's public address to the SSH service.

1.  Expand: service → nat → rule
2.  type rule # 10 and press “set”

Set the rule as follows:
3.  description: PAT to SSH onto 192.168.1.3
4.  protocol: tcp
5.  Inbound-Interface: eth0
6.  type: destination
7.  Click “set”

Then:
8.  expand “inside address” and create:
9.  Address: 192.168.1.3
10. port: 22
11. expand “destination address” and create:
12. Address: <your_public_ip>
13. port: 9022
14. Click “Commit” green button in the top right hand corner
15. Click “Save” to save your changes
16. Test this by trying an ssh session to port 9022

or you can use the command line:

edit service nat rule 10
set description "PAT to SSH onto 192.168.1.3"
set destination address 195.157.12.15
set destination port 9022
set inbound-interface eth0
set inside-address address 192.168.1.3
set inside-address port 22
set protocol tcp
set type destination
commit

and test with:

ssh sysadmin@195.157.12.15 -p 9022
sysadmin@195.157.12.15's password: <enter the password>

You should see:

Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-server x86_64)

Set up PAT

Create a zone based firewall

Consider the situation where you would like to allow all traffic from the Trusted (LAN) side of the network out to the rest of the world, but only allow specific traffic in from the Untrusted (WAN) side to your trusted network.

1. Expand Firewall → name and type “LAN2WAN” and click set.

Name Firewall Rule

2. Change “default-action” to accept and type description “LAN to WAN traffic”. Click Set.

Default action

3.  Expand Firewall → name and type “WAN2LAN” and click set
4. Change “default-action” to drop and type description “WAN to LAN traffic”. Click Set 
5.  Expand Firewall → name → WAN2LAN → rule, type “1” in the rule box and click Set. 
6.  In rule 1, change action to “accept”, protocol to “icmp” and description to “Sample rule to allow ping replies” and click Set.

ICMP rule

7.  Expand Firewall → name → WAN2LAN → rule → 1 → icmp and click the create button.
8.  Change type-name to “echo-reply” and click Set.
9. Expand Firewall → name → WAN2LAN → rule, type 5 in the rule box and click Set 
10. In rule 5, change action to “accept”, protocol to “tcp” and description to “Allow PAT'd SSH” and click Set

SSH rule

11. Expand Firewall → name → WAN2LAN → rule → 5 → destination and click the create button
12. In the port box type 9022 and click Set 
13. Expand Firewall → name → WAN2LAN → rule, type 100 in the rule box and click Set 
14. In rule 100, change action to “accept” and description to “Allow established traffic” and click Set
15. Expand Firewall → name → WAN2LAN → rule → 100 → state and tick the box saying “Established” and click Set

Allow established rule

16. Expand zone-policy → Zone and type “WAN” and click create
17. Give it a description such as “WAN zone” and click the tick box next to “eth0” and click Set
18. Expand zone-policy → Zone and type “LAN” and click create
19. Give it a description such as “LAN zone” and click the tick box next to “eth1” and click Set

Zones

20. Expand zone-policy → zone → LAN → from and type “WAN” and click set
21. Expand zone-policy → zone → LAN → from → WAN → firewall and click “create”
22. In the drop down box select WAN2LAN and click set
23. Expand zone-policy → zone → WAN → from and type “LAN” and click set
24. Expand zone-policy → zone → WAN → from → LAN → firewall and click “create”
25. In the drop down box select LAN2WAN and click set.

Policies

26. Click commit
27. Click save

or you can use the command line:

edit firewall name LAN2WAN
set default-action accept
set description "LAN to WAN traffic"
exit
edit firewall name WAN2LAN
set default-action drop
set description "WAN to LAN traffic"
edit rule 1
set description "Sample rule to allow ping replies"
set action accept
set protocol icmp
set icmp type-name echo-reply
exit
exit
edit firewall name WAN2LAN rule 5
set description "Allow PAT'd SSH"
set action accept
set protocol tcp
set destination port 9022
exit
edit firewall name WAN2LAN rule 100
set description "Allow established traffic"
set action accept
set state established enable
exit
edit zone-policy zone LAN
set description LAN
set interface eth1
exit
edit zone-policy zone WAN
set description WAN
set interface eth0
exit
set zone-policy zone LAN from WAN firewall name WAN2LAN
set zone-policy zone WAN from LAN firewall name LAN2WAN
commit
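As an added example that is not part of the Claranet page or of Vyatta itself, here is a small Python audit of the zone-based firewall built above (the GUI steps and the command line produce the same configuration): it replays configure-mode edit/set/exit commands into a nested dict and then checks that WAN2LAN defaults to drop, that every zone pair has a policy, and that the PAT'd port 9022 is accepted explicitly. The PAGE_COMMANDS text is constructed from the page (descriptions and the ICMP rule are left out), and the replay and audit functions are this example's own.

```python
import shlex

PAGE_COMMANDS = """edit firewall name LAN2WAN
set default-action accept
exit
edit firewall name WAN2LAN
set default-action drop
edit rule 5
set action accept
set protocol tcp
set destination port 9022
exit
exit
edit zone-policy zone LAN
set interface eth1
exit
edit zone-policy zone WAN
set interface eth0
exit
set zone-policy zone LAN from WAN firewall name WAN2LAN
set zone-policy zone WAN from LAN firewall name LAN2WAN"""  # constructed from the page

def replay(text):
    """Replay configure-mode edit/set/exit commands into a nested dict of paths."""
    tree, levels = {}, []  # levels: the path pushed by each open 'edit'
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] == "edit":
            levels.append(words[1:])
        elif words[0] == "exit":
            levels.pop()  # one 'exit' drops one whole 'edit' path
        elif words[0] == "set":
            node = tree
            for word in [w for lvl in levels for w in lvl] + words[1:]:
                node = node.setdefault(word, {})
    return tree

def audit(tree, pat_port="9022"):
    """Return findings about the policy above; an empty list means it is sound."""
    fw, zones, findings = tree["firewall"]["name"], tree["zone-policy"]["zone"], []
    if "drop" not in fw["WAN2LAN"].get("default-action", {}):
        findings.append("WAN2LAN does not default to drop")
    findings += [f"no policy for traffic {src} -> {dst}" for dst in zones for src in zones
                 if src != dst and src not in zones[dst].get("from", {})]
    accepted = {port for rule in fw["WAN2LAN"].get("rule", {}).values()
                if "accept" in rule.get("action", {})
                for port in rule.get("destination", {}).get("port", {})}
    if pat_port not in accepted:  # the PAT'd port must be opened explicitly
        findings.append(f"PAT'd port {pat_port} has no accept rule in WAN2LAN")
    return findings
```

Running audit(replay(PAGE_COMMANDS)) on the configuration as written returns no findings; removing one of the two zone-policy lines or changing the default action reports the gap.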