[Vyatta-users] VPN
I see examples everywhere on how to set up a site-to-site VPN. Are there any docs on setting up a VPN that users can connect into using a client? Is Vyatta capable?

Thanks,
Nate

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] VPN
Alrighty. If I choose to test the alpha, will the config file be compatible?

Nate

Steven Kath wrote:
> Nate,
>
> Client/Server VPN functionality is not present in the current stable releases, but it is a feature being developed in the Glendale Alpha 1 release. If you're interested in trying the Alpha release, you should review the release announcement:
> http://mailman.vyatta.com/pipermail/vyatta-users/2008-January/002966.html
>
> The documentation is still under development as well, but you can see a recent revision of the chapter on Remote Access VPN linked from the Community wiki:
> http://www.vyatta.com/twiki/bin/view/Community/GlendaleAlpha1
>
> - Steve
>
> Nathan McBride wrote:
>> I see examples everywhere on how to set up a site-to-site VPN. Are there any docs on setting up a VPN that users can connect into using a client? Is Vyatta capable?
>>
>> Thanks,
>> Nate
Re: [Vyatta-users] ps3
I actually couldn't figure out how to get the firewall made in Vyatta... I ended up just making an rc script to build iptables on startup. :D

Nate

> I'll give this a try and let you know. If I can get it working I'll write up a howto.
>
> On Tue, 2008-02-05 at 08:05 -0800, Justin Fletcher wrote:
>> Sure - you can give it a try. Just remember that your iptables will be overwritten by the Vyatta configuration, so you'll need to set up a mechanism to ensure that this runs after the Vyatta configuration files set up iptables, through an appropriate rc script.
>>
>> Justin
>>
>> On Feb 5, 2008 4:40 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>>> > Sorry, but no - Debian Linux under the hood :-)
>>>
>>> Ok, and? http://packages.debian.org/etch/linux-igd
>>>
>>> Nate
>>>
>>> On Mon, 2008-02-04 at 22:14 -0800, Justin Fletcher wrote:
>>>> Sorry, but no - Debian Linux under the hood :-)
>>>>
>>>> Justin
>>>>
>>>> On Feb 4, 2008 10:02 PM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>>> Ok, I'll create a NAT rule for each... I was hoping there was uPnP support.
>>>>>
>>>>> Nate
>>>>>
>>>>> On Mon, 2008-02-04 at 21:55 -0800, Justin Fletcher wrote:
>>>>>> Port forwarding should be straightforward with the Vyatta CLI; look for recent ssh examples on this list. Personally, I'd create a rule for each protocol and port/port range.
>>>>>>
>>>>>> Best,
>>>>>> Justin
>>>>>>
>>>>>> On Feb 4, 2008 8:31 PM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>>>>> Hey guys,
>>>>>>>
>>>>>>> I finally got my old comp which is running Vyatta to now be a wireless Vyatta router. So I can connect my Playstation 3 to the router and it goes on the network and most things work. However it only has what Playstation calls NAT3. This is because it isn't getting all the ports it needs. The Playstation 3 needs:
>>>>>>>
>>>>>>> • TCP Ports: 80, 443, 5223, and 10070 - 10080
>>>>>>> • UDP Ports: 3478, 3479, 3658, and 10070
>>>>>>>
>>>>>>> I don't care about 80 and 443. However I really want to get NAT2 working because I'm having issues with Unreal III. What would be the best way to do this? Can / should I create an iptables rule to make a DMZ zone?
>>>>>>>
>>>>>>> I had to make the firewall with iptables not Vyatta cause I couldn't figure it out... :'(
>>>>>>>
>>>>>>> Should I just create a NAT rule for each port and forward it to my Playstation's IP after setting it as static?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Nate
Re: [Vyatta-users] Vyatta box hacked?
Yup, you can have a key for each user. Take a look at: http://suso.org/docs/shell/ssh.sdf

Nate

On Mon, 2008-02-04 at 20:00 +0100, Jostein Martinsen-Jones wrote:
> Yes, I did change the root password asap! I would much like to see a configuration snippet on how to use RSA keys. Can I use several RSA keys so I can login as different users?
>
> 2008/2/4, Nathan McBride [EMAIL PROTECTED]:
>> Yup, sure is. I have set up my Vyatta router to only allow RSA keys. Did you change your root password from 'vyatta'?
>>
>> Nate
>>
>> [...]
Re: [Vyatta-users] Vyatta box hacked?
Yup, sure is. I have set up my Vyatta router to only allow RSA keys. Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> Hi
>
> I am only using ssh. Is it possible to have RSA keys for all users, including vyatta? Maybe the attackers managed to brute force my password? This is very annoying since I have to reinstall the machine tomorrow and don't know what went wrong. Haven't had time to check the logs either. How does the user configuration look for you other guys and girls?
>
> 2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:
>> Hi Jostein,
>>
>> Are you using telnet or ssh to access the box? Using telnet is not secure from a public network as the username/password is in clear text.
>>
>> stig
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jostein Martinsen-Jones
>> Sent: Monday, February 04, 2008 2:43 AM
>> To: Dave Strydom
>> Cc: vyatta-users@mailman.vyatta.com
>> Subject: Re: [Vyatta-users] Vyatta box hacked?
>>
>> Jupp, I think I have an intruder, the IP 202.172.171.217 isn't known to me at all. I am the only one knowing the root password, and I have not logged in those times that last is showing.
>>
>>     root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
>>     root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
>>     root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
>>     root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
>>
>> How did this happen? I changed all the passwords on install to 8 characters long, using numbers and letters. This is from my old config, are plaintext-password supposed to be blank?
>>
>>     # show system login
>>     user root {
>>         authentication {
>>             encrypted-password: $1$nZxxsgXC/
>>             plaintext-password:
>>         }
>>     }
>>     user vyatta {
>>         authentication {
>>             encrypted-password: $1$yyyt0/
>>             plaintext-password:
>>         }
>>     }
>>
>> 2008/2/4, Dave Strydom [EMAIL PROTECTED]:
>>> Login to your router as root and run:
>>>
>>>     # last | more
>>>
>>> and see if there are any logins to your machine which you do not recognize.
>>>
>>> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote:
>>>> I got mail from another linux user today. He complained about login attempts to his boxes, from my Vyatta router! Am I haxored or what? This is from his log and the IP 12.34.56.78 is my router.
>>>>
>>>>     Feb 2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
>>>>     Feb 2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
>>>>     Feb 2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
>>>>     Feb 2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
>>>>     Feb 2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
>>>>     Feb 2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
>>>>     Feb 2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
>>>>     Feb 2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
>>>>     Feb 2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
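Dave's `last | more` check and the sshd lines Jostein's correspondent sent, turned into two small checks over the thread's own log lines, as an added example (not Vyatta's own tooling): sessions for any user from a source outside an allowlist, and sources whose "Failed password" lines cluster inside a short window. Assumed, since the thread does not say: the admin normally connects from 192.168.0.0/24, the syslog year is 2008, and one extra `last` line plus one extra sshd line are constructed so the filters have something to let through.

```python
"""Triage for the 'Vyatta box hacked?' thread. Added example, not Vyatta's code.
Assumed: admin logins normally come from 192.168.0.0/24, and the log year is 2008."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# `last` output from the thread, plus one constructed entry from the assumed admin LAN.
LAST_SAMPLE = """\
root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
root     pts/1        192.168.0.10     Thu Jan 31 20:02 - 20:15  (00:13)
""".splitlines()

# The victim's sshd log from the thread, plus one constructed stray failure from
# another source that should not count as a burst.
SSHD_SAMPLE = """\
Feb 2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
Feb 2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
Feb 2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
Feb 2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
Feb 2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
Feb 2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
Feb 2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
Feb 2 19:40:01 88.191.40.120 sshd[30611]: Failed password for bob from 10.0.0.5 port 51000 ssh2
""".splitlines()

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\d+(?:\.\d+){3})\s+(?P<when>.+?)\s{2,}\((?P<dur>[^)]+)\)")
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def unknown_logins(last_lines, allowed_networks):
    """(user, host, when) for every session whose source is outside the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in last_lines:
        m = LAST_RE.match(line)
        if not m:
            continue
        host = ipaddress.ip_address(m["host"])
        if not any(host in net for net in allowed):
            hits.append((m["user"], m["host"], m["when"]))
    return hits


def failed_password_bursts(lines, threshold=5, window=60, year=2008):
    """Sources with >= threshold 'Failed password' lines inside any `window` seconds.
    Syslog timestamps carry no year, so one is supplied (assumed 2008 here)."""
    per_src = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            per_src[m["src"]].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):            # sliding window over sorted timestamps
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for user, host, when in unknown_logins(LAST_SAMPLE, ["192.168.0.0/24"]):
        print(f"unexpected {user} session from {host} at {when}")
    for src, n in failed_password_bursts(SSHD_SAMPLE, threshold=3).items():
        print(f"{src}: {n} failed passwords inside 60s, password guessing")
```

The first check returns the four root sessions from 202.172.171.217 and nothing else; the second returns 12.34.56.78 (Jostein's router, already under someone else's control by then) with three failures in sixteen seconds. The threshold and window are knobs; five in a minute is an assumed starting point, not a Vyatta default. Any root session from a source you cannot account for is what Jostein concluded it was: rebuild, do not clean.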
Re: [Vyatta-users] Starting to get really frustrated... GRRR :D
Can someone please help me get this worked out?

Nate

> Ok these are my NAT rules now, I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.
>
> [...]
>
> Nate
>
> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>> Hi Nate,
>>
>> The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router.
>>
>> An-Cheng
>>
>> [...]
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Hmm, gotcha. I guess that makes sense actually. I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
> Nathan, I can even view it; from inside the LAN you cannot view it. If I remember correctly someone said when you try to enter the NAT'ted IP from the inside network the router doesn't know the address where it needs to forward your request. Now look, I'm not a networking guru and not even an iptables guru so I don't know why it happens, but if you would like to even visit it from inside the LAN then you need to add a couple more NAT rules I guess. Someone may help you with additional rules.
[Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am. I just get an unable to connect error. The firewalls are fine I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the web GUI of the router just fine. Although I did disable it of course since I want the port forwarded.

In the ssh example sent to me which is below, I notice that the addresses are just numbers where mine have quotes around them. Does this matter? Can anyone please give any suggestions?

Thanks a lot,
Nate

My domain is: www.nombyte.com
The IP is: 71.62.193.105

Full NAT is:

    nat {
        rule 1 {
            type: destination
            inbound-interface: eth0
            protocols: tcp
            source {
                network: 0.0.0.0/0
            }
            destination {
                address: 71.62.193.105
                port-name http
            }
            inside-address {
                address: 192.168.0.105
            }
        }
        rule 2 {
            type: masquerade
            outbound-interface: eth0
            protocols: all
            source {
                network: 192.168.0.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
        rule 3 {
            type: masquerade
            outbound-interface: eth0
            protocols: all
            source {
                network: 192.168.1.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }

On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.
>
>     rule 2 {
>         type: destination
>         inbound-interface: eth0
>         protocols: tcp
>         source {
>             network: 0.0.0.0/0
>         }
>         destination {
>             address: 1.2.3.4
>             port-name ssh
>         }
>         inside-address {
>             address: 10.0.0.30
>         }
>     }
>
> Best,
> Justin
>
> On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>> Can someone please help me get this worked out?
>>
>> Nate
>>
>> [...]
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> *shrug* same here
>
> Are you trying to hit the natted address from inside the LAN that is being natted to? Hairpin NAT doesn't work in iptables...
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
>
> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>> I just connected and see the Apache 2 test page running on CentOS
>>
>> John
>>
>> Nathan McBride wrote:
>>> First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am. I just get an unable to connect error. The firewalls are fine I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the web GUI of the router just fine. Although I did disable it of course since I want the port forwarded.
>>>
>>> [...]
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Can't I do another NAT rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> It sounds like you're a victim of hairpin natting. Very frustrating. Iptables doesn't do it (that I know of.) I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC but iptables still can't do it.
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
>
> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>> John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?
>>
>> Nate
>>
>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>> *shrug* same here
>>>
>>> Are you trying to hit the natted address from inside the LAN that is being natted to? Hairpin NAT doesn't work in iptables...
>>>
>>> [...]
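The rules in this thread, translated to what they become underneath, as an added example (not Vyatta's own code; as Justin notes in the PS3 thread, Vyatta writes its own iptables rules and will overwrite hand-made ones, so this is for understanding the rules or for an rc script like Nate's): a parser for the vc3 `nat` syntax quoted above, a translator to iptables commands, a check for the first post's mistake of putting the server's private address in `destination`, and, for Nate's closing question, the extra pair of rules netfilter needs before a LAN client can reach the forwarded service through the public address (the same DNAT matched on the LAN interface, plus SNAT toward the server so its replies return via the router). Assumptions not in the thread: the LAN side is eth1 carrying 192.168.0.0/24 (only eth0, the WAN side, appears), `port-name` resolves through the small table in the code, and a numeric `port-number`/`port` key is accepted so Justin's one-rule-per-port suggestion for the Playstation works through the same translator with `protocols: udp`.

```python
"""Vyatta vc3 'nat' block -> iptables commands (added example, not Vyatta's code).
Assumed: LAN side is eth1 with 192.168.0.0/24 (the thread only shows eth0, the WAN);
port-name resolves via PORT_NAMES; a numeric port-number/port key is accepted too."""
import ipaddress

PORT_NAMES = {"http": 80, "https": 443, "ssh": 22}

def tokenize(text):
    """Config words, with braces as their own tokens."""
    return text.replace("{", " { ").replace("}", " } ").split()

def _parse(tokens, i):
    """Parse one `{ ... }` body from index i; return (node, index past the '}')."""
    node = {}
    while i < len(tokens) and tokens[i] != "}":
        tok = tokens[i]
        if tok.endswith(":"):                                  # type: destination
            node[tok[:-1]] = tokens[i + 1]
            i += 2
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":     # source {
            node[tok], i = _parse(tokens, i + 2)
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":     # rule 1 {
            name = tok + " " + tokens[i + 1]
            node[name], i = _parse(tokens, i + 3)
        else:                                                  # port-name http
            node[tok] = tokens[i + 1]
            i += 2
    return node, i + 1

def parse_config(text):
    return _parse(tokenize(text), 0)[0]

def _addr(block):
    return block.get("address") or block.get("network")

def _port(block):
    if "port-name" in block:
        return PORT_NAMES[block["port-name"]]
    for key in ("port-number", "port"):         # assumed numeric-port keys
        if key in block:
            return int(block[key])
    return None

def _match(proto, port):
    """'-p tcp --dport 80' fragment; empty for protocols: all."""
    parts = [] if proto == "all" else ["-p", proto]
    if parts and port is not None:
        parts += ["--dport", str(port)]
    return parts

def nat_to_iptables(nat, lan=None):
    """Commands in rule-number order. lan=(interface, network) adds the hairpin pair per
    destination rule: the same DNAT on the LAN side, then SNAT toward the server so its
    replies come back through the router instead of going to the client directly."""
    rules = sorted((kv for kv in nat.items() if kv[0].startswith("rule ")),
                   key=lambda kv: int(kv[0].split()[1]))
    cmds = []
    for _, r in rules:
        proto = r.get("protocols", "all")
        if r["type"] == "destination":
            public, port = _addr(r["destination"]), _port(r["destination"])
            inside = r["inside-address"]["address"]
            tail = _match(proto, port) + ["-j", "DNAT", "--to-destination", inside]
            cmds.append(" ".join(["iptables", "-t", "nat", "-A", "PREROUTING", "-i",
                                  r["inbound-interface"], "-d", public] + tail))
            if lan:
                lan_if, lan_net = lan
                cmds.append(" ".join(["iptables", "-t", "nat", "-A", "PREROUTING", "-i",
                                      lan_if, "-d", public] + tail))
                cmds.append(" ".join(["iptables", "-t", "nat", "-A", "POSTROUTING", "-o",
                                      lan_if, "-s", lan_net, "-d", inside]
                                     + _match(proto, port) + ["-j", "MASQUERADE"]))
        elif r["type"] == "masquerade":
            parts = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", r["outbound-interface"]]
            src = _addr(r.get("source", {}))
            if src and src != "0.0.0.0/0":
                parts += ["-s", src]
            cmds.append(" ".join(parts + _match(proto, None) + ["-j", "MASQUERADE"]))
    return cmds

def lint(nat):
    """An-Cheng's correction as a check: `destination` must be the public address
    clients connect to; the server's private address belongs in inside-address."""
    return [f"{name}: destination {_addr(r['destination'])} is a private address"
            for name, r in nat.items()
            if name.startswith("rule ") and r.get("type") == "destination"
            and _addr(r["destination"])
            and ipaddress.ip_network(_addr(r["destination"]), strict=False).is_private]

# Sample inputs reflowed from the thread: Nate's first attempt and his 'Full Nat' block.
BROKEN_RULE = """rule 3 { type: destination inbound-interface: eth0 protocols: tcp
    destination { address: 192.168.0.105 port-name http }
    inside-address { address: 192.168.0.105 } }"""
NATE_NAT = """nat {
  rule 1 { type: destination inbound-interface: eth0 protocols: tcp
           source { network: 0.0.0.0/0 }
           destination { address: 71.62.193.105 port-name http }
           inside-address { address: 192.168.0.105 } }
  rule 2 { type: masquerade outbound-interface: eth0 protocols: all
           source { network: 192.168.0.0/24 } destination { network: 0.0.0.0/0 } }
  rule 3 { type: masquerade outbound-interface: eth0 protocols: all
           source { network: 192.168.1.0/24 } destination { network: 0.0.0.0/0 } } }"""

if __name__ == "__main__":
    print(*lint(parse_config(BROKEN_RULE)), sep="\n")
    print(*nat_to_iptables(parse_config(NATE_NAT)["nat"], lan=("eth1", "192.168.0.0/24")), sep="\n")
```

Without `lan`, Nate's three rules come out as one PREROUTING DNAT and two POSTROUTING MASQUERADE commands, which is why John and Aubrey could reach the page from outside. With `lan` set, two more rules appear: a LAN-side DNAT so a client on 192.168.0.0/24 typing the public address is redirected to 192.168.0.105, and a MASQUERADE on the LAN interface for that redirected traffic, without which the server answers the client directly, the client sees a reply from 192.168.0.105 instead of 71.62.193.105, and the connection never completes. Why a plain extra "destination" rule in vc3 was not enough for Nate is that it matches on `inbound-interface: eth0` only; the hairpin needs the LAN interface and the return-path SNAT as well.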
Re: [Vyatta-users] Firewall question.
You're right, it looks exactly like that bug. When I do a show version all I get is:

    Baseline Version: vc3
    Booted From: disk

Because of the similarity I would assume I haven't gotten the latest yet. How should I go about updating it? When I do just 'aptitude' it gives me a confusing ncurses thing.

Thanks,
Nate

On Mon, 2008-01-28 at 09:16 -0800, Steven Kath wrote:
> Nate,
>
> Are you using version 2.3? It seems like you might be experiencing bug 2502: http://bugzilla.vyatta.com/show_bug.cgi?id=2502
>
> This bug was resolved with the 2.3.1 release, so you may want to upgrade if you haven't already. If you're already using the latest version and still getting errors, it would be useful to have a look at a log of your commands and the exact error message that's coming back. From what I can tell, the rule 1 you describe below should work properly in version 2.3.1.
>
> - Steve
>
> Nathan McBride wrote:
>> So then I probably couldn't view a web page or see my pings because the response packets I was getting were being blocked? What is the correct way to make an established and related rule so you don't get the errors I am getting?
>>
>> Thanks,
>> Nate
>>
>> On Mon, 2008-01-28 at 08:05 -0800, Justin Fletcher wrote:
>>> You shouldn't need the out rule; until a firewall is applied, everything is accepted. However, the simple rule is protocol any action accept. That should do it if you want to be thorough :-)
>>>
>>> Justin
>>>
>>> On Jan 28, 2008 7:28 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>> Hey guys,
>>>>
>>>> I just installed Vyatta and have it working. (big step for me) But I'm having some trouble. I first wanted to know if I should make the firewall using Vyatta's commands or just iptables? I tried iptables and it didn't seem to work. I added a rule to allow ssh but ssh couldn't go through. So then I made one in Vyatta. Denied ping, enabled ssh, then applied it to the WAN interface.
>>>>
>>>> Well that killed all network traffic so looking through the manual I saw that when I applied the IN rule for the interface I guess the out rule automatically got a deny everything since I didn't apply a rule to it. So, I needed to add a related and established rule to the in for the WAN interface. I did (this is from memory):
>>>>
>>>>     set firewall name eth0-in rule 1 action accept
>>>>     set firewall name eth0-in rule 1 state established enable
>>>>     set firewall name eth0-in rule 1 state related enable
>>>>
>>>> Then I was going to commit this but commit gave an error saying that protocol needed to be icmp. Once I had set that it errored saying protocol needed to be tcp... I'm really confused but I need to get a firewall up. Once this is done I was going to make a rule for out on the WAN interface to allow everything to go out. Is there a simple rule for this?
>>>>
>>>> Thanks,
>>>> Nate
Re: [Vyatta-users] just two more questions for today... :D
> ...and as far as I know masquerading is done when we want to give access of internet to internal LAN...

Right, so wanting to give access so the internet can access my internal webserver doesn't fit this profile? Are you sure I'd still use destination?

Nate

> Yeah Nathan, it does load from another computer, and as far as I know masquerading is done when we want to give access of internet to internal LAN, if this makes sense lol.
>
> On 29/01/2008, Nathan McBride [EMAIL PROTECTED] wrote:
>> Hmm, ok. When is masquerading used? I never thought to use destination. And being only my 2nd day with Vyatta I'm afraid I can't really say much to help you. But from general admin I know you can ping your server; if you do http://192.168.1.77:80 in a browser, does the page load from another comp? I know this sounds like a dumb question but you never know. :D
>>
>> Nate
>>
>> On Tue, 2008-01-29 at 04:11 +0530, Go Wow wrote:
>>> For your first question, yes you need to do NAT and that too DNAT. I'm trying to do it so I know that much lol.
>>>
>>> On 29/01/2008, Nathan McBride [EMAIL PROTECTED] wrote:
>>>> I just made a script to load a firewall with iptables. I know iptables so until the bug gets fixed I'll just do it that way. I do have two more questions though.
>>>>
>>>> 1). How do I set up 'port-forwarding'? So when you go through port 80 from the WAN it sends it to some IP on the internal network at port 80? Do I do this with NAT?
>>>>
>>>> 2). Are there any easy guides on setting up a VPN? Not a VPN like a Cisco router to the Vyatta router because I found those guides, but just a VPN that I can access from work or on any computer providing they have an IPsec client?
>>>>
>>>> Is there a list of things you guys want made for Vyatta or a project site somewhere? I'm always looking for things to do in my off time.
>>>>
>>>> Nate
>>>
>>> --
>>> Those that make the rule don't play the game!!
[Vyatta-users] Starting to get really frustrated... GRRR :D
I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?

    rule 3 {
        type: destination
        inbound-interface: eth0
        protocols: tcp
        destination {
            address: 192.168.0.105
            port-name http
        }
        inside-address {
            address: 192.168.0.105    -- didn't know what to put here exactly...
        }
    }

What do I need to do?

Thanks,
Nate
Re: [Vyatta-users] Starting to get really frustrated... GRRR :D
Ok these are my NAT rules now, I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.

    rule 1 {
        type: destination
        inbound-interface: eth0
        protocols: tcp
        destination {
            address: 71.62.193.105
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.0.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }
    rule 3 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.1.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }

Nate

On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> Hi Nate,
>
> The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router.
>
> An-Cheng
>
> Nathan McBride wrote:
>> I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?
>>
>> [...]