[Vyatta-users] VPN

2008-02-13 Thread Nathan McBride

I see example everywhere on how to setup a site-site vpn.  Are there any
docs on setting up a vpn that users can connect into using a client?
Is Vyatta capable?

Thanks,
Nate

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VPN

2008-02-13 Thread Nathan McBride

Alrighty,

If I choose to test the alpha, will the config file be compatible?

Nate

Steven Kath wrote:


 Nate,

 Client/Server VPN functionality is not present in the current stable
releases, but it is a feature being developed in the Glendale Alpha 1
release.
 If you're interested in trying the Alpha release, you should review the
release announcement:
 http://mailman.vyatta.com/pipermail/vyatta-users/2008-January/002966.html

 The documentation is still under development as well, but you can see a
recent revision of the chapter on Remote Access VPN linked from the
Community wiki:
 http://www.vyatta.com/twiki/bin/view/Community/GlendaleAlpha1


 - Steve


 Nathan McBride wrote:
 I see example everywhere on how to setup a site-site vpn.  Are there any
 docs on setting up a vpn that users can connect into using a client?
 Is Vyatta capable?

 Thanks,
 Nate



Re: [Vyatta-users] ps3

2008-02-05 Thread Nathan McBride
I actually couldn't figure how to get the firewall made in vyatta...
I ended up just making an rc script to build iptables on startup. :D

Nate

I'll give this a try and let you know.  If I can get it working I'll
write up a howto.

On Tue, 2008-02-05 at 08:05 -0800, Justin Fletcher wrote:
 Sure - you can give it a try.  Just remember that your iptables will
 be overwritten by the Vyatta configuration, so you'll need to set up a
 mechanism to ensure that this runs after the Vyatta configuration files
 set up iptables, through an appropriate rc script.
 
 Justin
 
 On Feb 5, 2008 4:40 AM, Nathan McBride [EMAIL PROTECTED] wrote:
  Sorry, but no - Debian Linux under the hood :-)
 
  Ok, and?
 
  http://packages.debian.org/etch/linux-igd
 
  Nate
 
 
 
  On Mon, 2008-02-04 at 22:14 -0800, Justin Fletcher wrote:
   Sorry, but no - Debian Linux under the hood :-)
  
   Justin
  
   On Feb 4, 2008 10:02 PM, Nathan McBride [EMAIL PROTECTED] wrote:
Ok, I'll create a nat rule for each... I was hoping there was uPnP
support.
   
Nate
   
   
On Mon, 2008-02-04 at 21:55 -0800, Justin Fletcher wrote:
 Port forwarding should be straight-forward with the Vyatta CLI; look
 for recent ssh examples on this list.

 Personally, I'd create a rule for each protocol and port/port range.

 Best,
 Justin

 On Feb 4, 2008 8:31 PM, Nathan McBride [EMAIL PROTECTED] wrote:
  Hey guys, I finally got my old comp which is running vyatta to now be a
  wireless vyatta router.  So I can connect my Playstation 3 to the router
  and it goes on the network and most things work.  However it only has
  what playstation calls nat3.  This is because it isn't getting all the
  ports it needs.  The playstation 3 needs:
 
  • TCP Ports: 80, 443, 5223, and 10070 - 10080
  • UDP Ports: 3478, 3479, 3658, and 10070
 
  I don't care about 80 and 443.  However I really want to get nat2
  working because I'm having issues with Unreal III.  What would be the
  best way to do this?  Can / should I create an iptables rule to make a
  DMZ zone?  I had to make the firewall with iptables not vyatta cause I
  couldn't figure it out... :'(  Should I just create a nat rule for each
  port and forward it to my playstation's ip after setting it as static?
 
  Thanks,
  Nate
 
 
   
   
 
 




Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup you can have a key for each user.  Take a look at:
http://suso.org/docs/shell/ssh.sdf

Nate

On Mon, 2008-02-04 at 20:00 +0100, Jostein Martinsen-Jones wrote:
 Yes, I did change the root password asap!
 
 I would much like to see a configuration snippet on how to use
 rsa-keys.
 Can I use several rsa-keys so I can login as different users?
 
 2008/2/4, Nathan McBride [EMAIL PROTECTED]:
 Yup sure is.  I have setup my vyatta router to only allow rsa
 keys.
 Did you change your root password from 'vyatta'?
 
 Nate
 
 On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones
 wrote:
  Hi
  I am only using ssh. Is it possible to have rsa-keys for all users,
  including vyatta?
  Maybe the attackers managed to brute force my password?
  This is very annoying since I have to reinstall the machine tomorrow
  and don't know what went wrong. Haven't had time to check the logs
  either.
 
  How does the user configuration look for you other guys and
 girls?
 
 
  2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:
  Hi Jostein,
 
 
 
  Are you using telnet or ssh to access the box?  Using telnet
  is not secure from a public network as the username/password
  is in clear text.
 
 
 
  stig
 
 
 
 
 
 __
  From:[EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On
 Behalf Of
  Jostein Martinsen-Jones
  Sent: Monday, February 04, 2008 2:43 AM
  To: Dave Strydom
  Cc: vyatta-users@mailman.vyatta.com
  Subject: Re: [Vyatta-users] Vyatta box hacked?
 
 
 
 
  Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
  known to me at all.
  I am the only one knowing the root password, and I have not
  logged in those times that last are showing.
 
  root  pts/0  202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
  root  pts/0  202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
  root  pts/0  202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
  root  pts/0  202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
 
  How did this happen?
  I changed all the passwords on install to 8 characters long,
  using numbers and letters.
  This is from my old config, are plaintext-password supposed to
  be blank?
 
  # show system login
  user root {
  authentication {
  encrypted-password: $1$nZxxsgXC/
  plaintext-password: 
  }
  }
  user vyatta {
  authentication {
  encrypted-password: $1$yyyt0/
  plaintext-password: 
  }
  }
 
  2008/2/4, Dave Strydom [EMAIL PROTECTED]:
 
  Login to your router as root and run:
 
  # last | more
 
  and see if there are any logins to your machine which you do
  not recognize.
 
 
 
  On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
  [EMAIL PROTECTED] wrote:
   I got mail from another linux user today. He complained about login
   attempts to his boxes, from my vyatta router!
   Am I haxored or what? This is from his log and the ip 12.34.56.78 is my
   router.
  
   Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
   Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
   Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup sure is.  I have setup my vyatta router to only allow rsa keys.
Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
 Hi
 I am only using ssh. Is it possible to have rsa-keys for all users,
 including vyatta?
 Maybe the attackers managed to brute force my password?
 This is very annoying since I have to reinstall the machine tomorrow
 and don't know what went wrong. Haven't had time to check the logs
 either.
 
 How does the user configuration look for you other guys and girls?
 
 
 2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:
 Hi Jostein,
 
  
 
 Are you using telnet or ssh to access the box?  Using telnet
 is not secure from a public network as the username/password
 is in clear text.
 
  
 
 stig
 
  
 

 __
 From:[EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Jostein Martinsen-Jones
 Sent: Monday, February 04, 2008 2:43 AM
 To: Dave Strydom
 Cc: vyatta-users@mailman.vyatta.com
 Subject: Re: [Vyatta-users] Vyatta box hacked?
 
 
  
 
 Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
 known to me at all.
 I am the only one knowing the root password, and I have not
 logged in those times that last are showing.
 
 root  pts/0  202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
 root  pts/0  202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
 root  pts/0  202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
 root  pts/0  202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
 
 How did this happen?
 I changed all the passwords on install to 8 characters long,
 using numbers and letters.
 This is from my old config, are plaintext-password supposed to
 be blank?
 
 # show system login
 user root {
 authentication {
 encrypted-password: $1$nZxxsgXC/
 plaintext-password: 
 }
 }
 user vyatta {
 authentication {
 encrypted-password: $1$yyyt0/
 plaintext-password: 
 }
 }
 
 2008/2/4, Dave Strydom [EMAIL PROTECTED]:
 
 Login to your router as root and run:
 
 # last | more
 
 and see if there are any logins to your machine which you do
 not recognize.
 
 
 
 On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
 [EMAIL PROTECTED] wrote:
  I got mail from another linux user today. He complained about login
  attempts to his boxes, from my vyatta router!
  Am I haxored or what? This is from his log and the ip 12.34.56.78 is my
  router.
 
  Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
  Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
  Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
 
 
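The neighbour's sshd lines quoted in this thread are exactly the evidence that exposes a compromised router being used to probe other hosts, and Dave's `last | more` check only covers logins that succeeded. As an added example (not code from the thread or from Vyatta), the Python below parses sshd lines in that format, tallies events per remote host and flags a source that produces a burst of failed root logins; the sample log is constructed from the quoted lines, with one benign key-based login appended so there is a host that should not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines carry no year; 2008 is assumed from the thread's date.
ASSUMED_YEAR = 2008

# Constructed sample modelled on the neighbour's log quoted in the thread:
# the router at 12.34.56.78 hammering root logins. The last line (a normal
# key-based login from a constructed host) gives the detector a benign host.
SAMPLE_LOG = """\
Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
Feb  2 18:20:01 88.191.40.120 sshd[30501]: Accepted publickey for jostein from 10.0.0.7 port 50122 ssh2
"""

TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) ")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>[\d.]+) port \d+")
NOT_ALLOWED_RE = re.compile(r"User (?P<user>\S+) from (?P<host>[\d.]+) not allowed")
PAM_RE = re.compile(r"authentication failure;.*rhost=(?P<host>\S+)\s+user=(?P<user>\S+)")
REFUSED_RE = re.compile(r"refused connect from (?P<host>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>[\d.]+)")


def parse_timestamp(line):
    """Return the line's syslog timestamp as a datetime, or None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['hms']}",
                             "%Y %b %d %H:%M:%S")


def _empty():
    return {"failed": [], "pam_failures": 0, "not_allowed": 0,
            "refused": 0, "accepted": [], "users": set()}


def summarize(log_text):
    """Tally sshd events per remote host; unrecognised or truncated lines are skipped."""
    stats = defaultdict(_empty)
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        ts = parse_timestamp(line)
        if ts is None:
            continue
        if (m := FAILED_RE.search(line)):
            stats[m["host"]]["failed"].append(ts)
            stats[m["host"]]["users"].add(m["user"])
        elif (m := NOT_ALLOWED_RE.search(line)):
            stats[m["host"]]["not_allowed"] += 1
            stats[m["host"]]["users"].add(m["user"])
        elif (m := PAM_RE.search(line)):
            stats[m["host"]]["pam_failures"] += 1
            stats[m["host"]]["users"].add(m["user"])
        elif (m := REFUSED_RE.search(line)):
            stats[m["host"]]["refused"] += 1
        elif (m := ACCEPTED_RE.search(line)):
            stats[m["host"]]["accepted"].append((m["user"], m["method"]))
    return dict(stats)


def bruteforce_sources(stats, threshold=3, window_s=60):
    """Hosts with at least `threshold` failed passwords inside some `window_s` span."""
    hits = {}
    for host, s in stats.items():
        times = sorted(s["failed"])
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_s:
                hits[host] = {"failures": len(times), "span_s": span,
                              "users": sorted(s["users"])}
                break
    return hits


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, info in bruteforce_sources(summary).items():
        print(f"{host}: {info['failures']} failed logins in {info['span_s']:.0f}s "
              f"as {info['users']}; {summary[host]['not_allowed']} blocked by AllowUsers")
```

Run against a real auth log the same way; a Vyatta box whose own address shows up in a neighbour's output of this report is the situation Jostein describes.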

Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-29 Thread Nathan McBride
Can someone please help me get this worked out?
Nate

 Ok these are my nat rules now, I didn't see a command to change the rule
 numbers so I just redid them all by hand.  It still doesn't work.
 
  rule 1 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 destination {
 address: 71.62.193.105
 port-name http
 }
 inside-address {
 address: 192.168.0.105
 }
 }
 rule 2 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.0.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 rule 3 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.1.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 
 Nate
 
 On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
  Hi Nate,
  
  The inside-address is the internal (private) IP address of your Web 
  server, which in your case is 192.168.0.105. The destination address 
  should actually be the public IP address that outside clients will use to 
  access your server, so usually this is the public IP address of your router.
  
  An-Cheng
  
  Nathan McBride wrote:
   I went and looked at the old docs.  I thought I set them up correctly
   but apparently I didn't.  All I'm trying to do is to get people on the
   internet to view the website on my comp (192.168.0.105).  The only
   difference that I noticed when I tried to commit the example in the old
   docs was that vc3 requires an 'inside-address'.  Could someone please
   help me correct this to get it working?
   
   rule 3 {
   type: destination
   inbound-interface: eth0
   protocols: tcp
   destination {
   address: 192.168.0.105
   port-name http
   }
   inside-address {
   address: 192.168.0.105 -- didn't know what to put here exactly...
   }
   }
   
 



Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Hmm, gotcha.  I guess that makes sense actually.
I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
 Nathan I can even view it, from inside LAN you cannot view it, if I
 remember correctly someone said when you try to enter on NAT'ted ip
 from inside network the router doesn't know the address where it needs
 to forward your request. Now look I'm not a networking guru and not
 even iptables guru so don't know why it happens but if you would like to
 even visit it from inside LAN then you need to add couple of more nat
 rules I guess. someone may help you with additional rules.



[Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
First off I appreciate help from everyone, this is a nice change to some
mailing lists I'm used to.  Unfortunately, I am still having the same
problem.  I'm giving out real information, probably shouldn't, but
that's how frustrated I am.  I just get an unable to connect error.  The
firewalls are fine I promise.  I can see the page on 192.168.0.105 from
inside the lan, and I can see and use the webgui of the router just
fine.  Although I did disable it of course since I want the port forwarded.
In the ssh example sent to me which is below, I notice that the addresses
are just numbers where mine have quotes around them.  Does this matter?  Can
anyone please give any suggestions?

Thanks a lot,
Nate

My domain is: 
www.nombyte.com

The IP is: 
71.62.193.105

Full Nat is:

nat {
    rule 1 {
        type: destination
        inbound-interface: eth0
        protocols: tcp
        source {
            network: 0.0.0.0/0
        }
        destination {
            address: 71.62.193.105
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.0.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }
    rule 3 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.1.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }
}




On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
 Here's what I use to port-forward ssh; just adjust for address (where
 destination address is the public IP) and change it to http.
 
 rule 2 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 source {
 network: 0.0.0.0/0
 }
 destination {
 address: 1.2.3.4
 port-name ssh
 }
 inside-address {
 address: 10.0.0.30
 }
 }
 
 Best,
 Justin
 
 On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
  Can someone please help me get this worked out?
  Nate
 
 
   Ok these are my nat rules now, I didn't see a command to change the rule
   numbers so I just redid them all by hand.  It still doesn't work.
  
rule 1 {
   type: destination
   inbound-interface: eth0
   protocols: tcp
   destination {
   address: 71.62.193.105
   port-name http
   }
   inside-address {
   address: 192.168.0.105
   }
   }
   rule 2 {
   type: masquerade
   outbound-interface: eth0
   protocols: all
   source {
   network: 192.168.0.0/24
   }
   destination {
   network: 0.0.0.0/0
   }
   }
   rule 3 {
   type: masquerade
   outbound-interface: eth0
   protocols: all
   source {
   network: 192.168.1.0/24
   }
   destination {
   network: 0.0.0.0/0
   }
   }
  
   Nate
  
   On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
Hi Nate,
   
The inside-address is the internal (private) IP address of
your Web server, which in your case is 192.168.0.105. The destination
address should actually be the public IP address that outside clients
will use to access your server, so usually this is the public IP address
of your router.
   
An-Cheng
   
Nathan McBride wrote:
 I went and looked at the old docs.  I thought I set them up correctly
 but apparently I didn't.  All I'm trying to do is to get people on the
 internet to view the website on my comp (192.168.0.105).  The only
 difference that I noticed when I tried to commit the example in the old
 docs was that vc3 requires an 'inside-address'.  Could someone please
 help me correct this to get it working?

 rule 3 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 destination {
 address: 192.168.0.105
 port-name http
 }
 inside-address {
 address: 192.168.0.105 -- didn't know what to put here exactly...
 }
 }

  

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
John just told me he can get to the page too.
From inside the lan I am going to a browser and typing 
www.nombyte.com.  And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
 *shrug* same here
 
 Are you trying to hit the natted address from inside the LAN that is
 being natted to? Hairpin NAT doesn't work in iptables...
 
 --
 Aubrey Wells
 Senior Engineer
 Shelton | Johns Technology Group
 A Vyatta Ready Partner
 www.sheltonjohns.com
 
 
 
 
 
 On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
 
  I just connected and see the Apache 2 test page running on CentOS
 
  John
 
 
 
  Nathan McBride wrote:
  First off I appreciate help from everyone, this is a nice change to
  some mailing lists I'm used to.  Unfortunately, I am still having the same
  problem.  I'm giving out real information, probably shouldn't, but
  that's how frustrated I am.  I just get an unable to connect error.  The
  firewalls are fine I promise.  I can see the page on 192.168.0.105 from
  inside the lan, and I can see and use the webgui of the router just
  fine.  Although I did disable it of course since I want the port forwarded.
  In the ssh example sent to me which is below, I notice that the addresses
  are just numbers where mine have quotes around them.  Does this matter?  Can
  anyone please give any suggestions?

  Thanks a lot,
  Nate
 
  My domain is:
  www.nombyte.com
 
  The IP is:
  71.62.193.105
 
  Full Nat is:
 
  nat {
 rule 1 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 source {
 network: 0.0.0.0/0
 }
 destination {
 address: 71.62.193.105
 port-name http
 }
 inside-address {
 address: 192.168.0.105
 }
 }
 rule 2 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.0.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 rule 3 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.1.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 
 
 
 
  On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
  Here's what I use to port-forward ssh; just adjust for address  
  (where
  destination address is the public IP) and change it to http.
 
 rule 2 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 source {
 network: 0.0.0.0/0
 }
 destination {
 address: 1.2.3.4
 port-name ssh
 }
 inside-address {
 address: 10.0.0.30
 }
 }
 
  Best,
  Justin
 
  On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
  Can someone please help me get this worked out?
  Nate
 
 
  Ok these are my nat rules now, I didn't see a command to change the rule
  numbers so I just redid them all by hand.  It still doesn't work.
 
  rule 1 {
 type: destination
 inbound-interface: eth0
 protocols: tcp
 destination {
 address: 71.62.193.105
 port-name http
 }
 inside-address {
 address: 192.168.0.105
 }
 }
 rule 2 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.0.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 rule 3 {
 type: masquerade
 outbound-interface: eth0
 protocols: all
 source {
 network: 192.168.1.0/24
 }
 destination {
 network: 0.0.0.0/0
 }
 }
 
  Nate
 
  On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
  Hi Nate,
 
  The inside-address is the internal (private) IP address of
  your Web server, which in your case is 192.168.0.105. The  
  destination
  address should actually be the public IP address that outside  
  clients
  will use to access your server, so usually this is the public IP  
  address
  of your router.
  An-Cheng
 
  Nathan McBride wrote:
  I went and looked at the old docs.  I thought I set them up correctly
  but apparently I didn't.  All I'm trying to do is to get people on the
  internet to view the website on my comp (192.168.0.105).  The only
  difference that I noticed when I tried to commit the example in the old
  docs was that vc3 requires

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Can't I do another nat rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
 It sounds like you're a victim of hairpin natting. Very frustrating.
 Iptables doesn't do it (that I know of.) I first encountered this on a
 PIX firewall years ago and thought it was an absurd limitation (then I
 found out my beloved linux couldn't do it either and was crushed).
 Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
 do it.
 
 --
 Aubrey Wells
 Senior Engineer
 Shelton | Johns Technology Group
 A Vyatta Ready Partner
 www.sheltonjohns.com
 
 
 
 
 
 On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
 
  John just told me he can get to the page too.
  From inside the lan I am going to a browser and typing
  www.nombyte.com.  And it doesn't work?
 
  Nate
 
  On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
  *shrug* same here
 
  Are you trying to hit the natted address from inside the LAN that is
  being natted to? Hairpin NAT doesn't work in iptables...
 
  --
  Aubrey Wells
  Senior Engineer
  Shelton | Johns Technology Group
  A Vyatta Ready Partner
  www.sheltonjohns.com
 
 
 
 
 
  On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
 
  I just connected and see the Apache 2 test page running on CentOS
 
  John
 
 
 
  Nathan McBride wrote:
  First off I appreciate help from everyone, this is a nice change to
  some mailing lists I'm used to.  Unfortunately, I am still having the same
  problem.  I'm giving out real information, probably shouldn't, but
  that's how frustrated I am.  I just get an unable to connect error.  The
  firewalls are fine I promise.  I can see the page on 192.168.0.105 from
  inside the lan, and I can see and use the webgui of the router just
  fine.  Although I did disable it of course since I want the port forwarded.
  In the ssh example sent to me which is below, I notice that the addresses
  are just numbers where mine have quotes around them.  Does this matter?  Can
  anyone please give any suggestions?

  Thanks a lot,
  Nate
 
  My domain is:
  www.nombyte.com
 
  The IP is:
  71.62.193.105
 
  Full Nat is:
 
  nat {
rule 1 {
type: destination
inbound-interface: eth0
protocols: tcp
source {
network: 0.0.0.0/0
}
destination {
address: 71.62.193.105
port-name http
}
inside-address {
address: 192.168.0.105
}
}
rule 2 {
type: masquerade
outbound-interface: eth0
protocols: all
source {
network: 192.168.0.0/24
}
destination {
network: 0.0.0.0/0
}
}
rule 3 {
type: masquerade
outbound-interface: eth0
protocols: all
source {
network: 192.168.1.0/24
}
destination {
network: 0.0.0.0/0
}
}
 
 
 
 
  On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
  Here's what I use to port-forward ssh; just adjust for address
  (where
  destination address is the public IP) and change it to http.
 
rule 2 {
type: destination
inbound-interface: eth0
protocols: tcp
source {
network: 0.0.0.0/0
}
destination {
address: 1.2.3.4
port-name ssh
}
inside-address {
address: 10.0.0.30
}
}
 
  Best,
  Justin
 
  On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED]  
  wrote:
  Can someone please help me get this worked out?
  Nate
 
 
  Ok these are my nat rules now, I didn't see a command to change the rule
  numbers so I just redid them all by hand.  It still doesn't work.
 
  rule 1 {
type: destination
inbound-interface: eth0
protocols: tcp
destination {
address: 71.62.193.105
port-name http
}
inside-address {
address: 192.168.0.105
}
}
rule 2 {
type: masquerade
outbound-interface: eth0
protocols: all
source {
network: 192.168.0.0/24
}
destination {
network: 0.0.0.0/0
}
}
rule 3 {
type: masquerade
outbound-interface: eth0
protocols: all
source {
network: 192.168.1.0/24
}
destination {
network: 0.0.0.0/0
}
}
 
  Nate
 
  On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
  Hi Nate,
 
  The inside-address is the internal (private) IP address of
  your Web server, which

Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
You're right it looks exactly like that bug.
When I do a show version all I get is:

Baseline Version: vc3
Booted From: disk

Because of the similarity I would assume I haven't gotten the latest
yet.  How should I go about updating it?

When I do just 'aptitude' it gives me a confusing ncurses thing.

Thanks,
Nate

On Mon, 2008-01-28 at 09:16 -0800, Steven Kath wrote:
 Nate,
 
 Are you using version 2.3?  It seems like you might be experiencing bug 
 2502:
 
 http://bugzilla.vyatta.com/show_bug.cgi?id=2502
 
 This bug was resolved with the 2.3.1 release, so you may want to upgrade 
 if you haven't already.
 
 If you're already using the latest version and still getting errors, it 
 would be useful to have a look at a log of your commands and the exact 
 error message that's coming back.  From what I can tell, the rule 1 you 
 describe below should work properly in version 2.3.1.
 
 - Steve
 
 
 Nathan McBride wrote:
  So then I probably couldn't view a web page or see my pings because
  the response packets I was getting were being blocked?

  What is the correct way to make an established and related rule so you
  don't get the errors I am getting?
 
  Thanks,
  Nate
 
 
  On Mon, 2008-01-28 at 08:05 -0800, Justin Fletcher wrote:

  You shouldn't need the out rule; until a firewall is applied,
  everything is accepted.
  However, the simple rule is protocol any action accept.  That should
  do it if you
  want to be thorough :-)
 
  Justin
 
  On Jan 28, 2008 7:28 AM, Nathan McBride [EMAIL PROTECTED] wrote:
  
  Hey guys,
 
  I just installed Vyatta and have it working. (big step for me)
  But I'm having some trouble.  I first wanted to know if I should
  make the firewall using Vyatta's commands or just iptables?
  I tried iptables and it didn't seem to work. I added a rule to allow ssh
  but ssh couldn't go through.  So then I made one in Vyatta.  Denied
  ping, enabled ssh, then applied it to the wan interface.  Well that
  killed all network traffic so looking through the manual I saw that when
  I applied the IN rule for the interface I guess the out rule
  automatically got a deny everything since I didn't apply a rule to it.
  So, I needed to add a related and established rule to the in for the wan
  interface.  I did (this is from memory):
 
  set firewall name eth0-in rule 1 action accept
  set firewall name eth0-in rule 1 state established enable
  set firewall name eth0-in rule 1 state related enable
 
  Then I was going to commit this but commit gave an error saying that
  protocol needed to be icmp.  Once I had set that it errored saying
  protocol needed to be tcp...  I'm really confused but I need to get a
  firewall up.
 
  Once this is done I was going make a rule for out on the wan interface
  to allow everything to go out.  Is there a simple rule for this?
 
  Thanks,
  Nate





Re: [Vyatta-users] just two more questions for today... :D

2008-01-28 Thread Nathan McBride
...and as far as I know masquerading is done when we want to give
access of internet to internal LAN...

Right so by wanting to give access so the internet can access my
internal webserver doesn't fit this profile?  Are you sure I'd still use
destination?

Nate

 Yeah Nathan it does load from another computer and as far as I know
 masquerading is done when we want to give access of internet to
 internal LAN if this makes sense lol. 
 
 On 29/01/2008, Nathan McBride [EMAIL PROTECTED] wrote:
 Hmm, ok.  When is masquerading used?  I never thought to use
 destination.  And being only my 2nd day with vyatta I'm afraid I
 can't really say much to help you.  But from general admin I know
 you can ping your server, if you do http://192.168.1.77:80 in a browser,
 does the page load from another comp?  I know this sounds like a dumb
 question but you never know. :D
 
 Nate
 
 On Tue, 2008-01-29 at 04:11 +0530, Go Wow wrote:
  For your first question, yes you need to do NAT and that too DNAT I'm
  trying to do it so I know that much lol.
 
  On 29/01/2008, Nathan McBride [EMAIL PROTECTED] wrote:
  I just made a script to load a firewall with iptables.
  I know iptables so until the bug gets fixed I'll just
  do it that way.  I do have two more questions though.

  1). How do I setup 'port-forwarding'.  So when you go
  through port 80 from the wan it sends it to some ip on
  the internal network at port 80?  Do I do this with NAT?

  2). Are there any easy guides on setting up a vpn?  Not a vpn
  like a cisco router to the vyatta router because I found those
  guides, but just a vpn that I can access from work or on any
  computer providing they have an ipsec client?

  Is there a list of things you guys want made for Vyatta or a
  project site somewhere?  I'm always looking for things to do in
  my off time.

  Nate
 
 
 
 
 
 
  --
  Those that make the rule don't play the game!!
 
 
 
 
 -- 
 Those that make the rule don't play the game!!



[Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-28 Thread Nathan McBride
I went and looked at the old docs.  I thought I set them up correctly
but apparently I didn't.  All I'm trying to do is to get people on the
internet to view the website on my comp (192.168.0.105).  The only
difference that I noticed when I tried to commit the example in the old
docs was that vc3 requires an 'inside-address'.  Could someone please
help me correct this to get it working?

rule 3 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 192.168.0.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105 -- didn't know what to put here exactly...
    }
}

What do I need to do?

Thanks,
Nate



Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-28 Thread Nathan McBride
Ok these are my nat rules now, I didn't see a command to change the rule
numbers so I just redid them all by hand.  It still doesn't work.

rule 1 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 71.62.193.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105
    }
}
rule 2 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.0.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}
rule 3 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.1.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}

Nate

On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
 Hi Nate,
 
 The inside-address is the internal (private) IP address of your Web server, 
 which in your case is 192.168.0.105. The destination address should 
 actually be the public IP address that outside clients will use to access 
 your server, so usually this is the public IP address of your router.
 
 An-Cheng
 
 Nathan McBride wrote:
  I went and looked at the old docs.  I thought I set them up correctly
  but apparently I didn't.  All I'm trying to do is to get people on the
  internet to view the website on my comp (192.168.0.105).  The only
  difference that I noticed when I tried to commit the example in the old
  docs was that vc3 requires an 'inside-address'.  Could someone please
  help me correct this to get it working?
  
  rule 3 {
  type: destination
  inbound-interface: eth0
  protocols: tcp
  destination {
  address: 192.168.0.105
  port-name http
  }
  inside-address {
  address: 192.168.0.105 -- didn't know what to put here exactly...
  }
  }
  

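An-Cheng's correction quoted above (destination address = the router's public IP, inside-address = the private server) and Aubrey's hairpin caveat earlier on this page can both be checked mechanically before a commit. The Python below is an added example, not Vyatta code or anything posted in the thread: it parses the brace-delimited show-style nat block quoted here into nested dicts and lints each rule for the mistakes discussed. The sample configs are constructed from the addresses in the thread; the broken variant is Nate's first attempt, reproduced by substituting the server's private address into the destination.

```python
import ipaddress
import re

# Constructed sample in the 'show' syntax quoted in this thread, following
# An-Cheng's advice: destination = the router's public IP,
# inside-address = the private web server.
FIXED = """\
nat {
rule 1 {
type: destination
inbound-interface: eth0
protocols: tcp
source {
network: 0.0.0.0/0
}
destination {
address: 71.62.193.105
port-name http
}
inside-address {
address: 192.168.0.105
}
}
rule 2 {
type: masquerade
outbound-interface: eth0
protocols: all
source {
network: 192.168.0.0/24
}
destination {
network: 0.0.0.0/0
}
}
}
"""

# Nate's first attempt: the server's own private IP in destination.address.
BROKEN = FIXED.replace("address: 71.62.193.105", "address: 192.168.0.105")

# A leaf is 'key: value' or 'key value' (the thread shows both, e.g. 'port-name http').
LEAF_RE = re.compile(r"^([\w-]+):?\s+(\S.*)$")


def parse_config(text):
    """Parse brace-delimited 'show' output into nested dicts.
    'name {' opens a node and '}' closes it; unbalanced braces raise ValueError."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        elif line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unbalanced '}'")
        else:
            m = LEAF_RE.match(line)
            if not m:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][m.group(1)] = m.group(2)
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def lint_nat(config):
    """Return (rule, severity, message) findings for the mistakes discussed in the thread."""
    out = []
    for name, rule in config.get("nat", {}).items():
        kind = rule.get("type")
        if kind == "destination":
            pub = rule.get("destination", {}).get("address")
            inside = rule.get("inside-address", {}).get("address")
            if "inbound-interface" not in rule:
                out.append((name, "error", "destination rule needs an inbound-interface"))
            if pub is None:
                out.append((name, "error", "destination address missing; use the router's public IP"))
            elif ipaddress.ip_address(pub).is_private:
                out.append((name, "error", f"destination address {pub} is private; outside clients connect to the public IP"))
            if inside is None:
                out.append((name, "error", "inside-address missing; use the server's private IP"))
            elif pub == inside:
                out.append((name, "error", "destination and inside-address are the same host; nothing is forwarded"))
            else:
                # Aubrey's point: hosts on the server's own LAN cannot reach it via the public address.
                out.append((name, "info", f"hosts on the same LAN as {inside} will not reach the public address through this rule (hairpin NAT); test from outside"))
        elif kind == "masquerade":
            src = rule.get("source", {}).get("network")
            if "outbound-interface" not in rule:
                out.append((name, "error", "masquerade rule needs an outbound-interface"))
            if src is None or not ipaddress.ip_network(src, strict=False).is_private:
                out.append((name, "warn", f"masquerade source {src} is not a private network"))
        else:
            out.append((name, "error", f"unknown NAT type {kind!r}"))
    return out


if __name__ == "__main__":
    for finding in lint_nat(parse_config(BROKEN)) + lint_nat(parse_config(FIXED)):
        print(*finding, sep=": ")
```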