Vyatta with iptables

tbaror
Vyatta with iptables

Hello,

I am new to Vyatta; I used to work with iptables combined with FwBuilder http://www.fwbuilder.org/index.html

I like the Vyatta distribution since it comes packed with lots of nice features. I'd like to use it, but I have a few questions.

Is Vyatta based on an iptables firewall?
If yes, is it recommended to work with fwbuilder for firewall management, which is very comfortable for managing firewall rule sets and applications?

Thanks

slioch
Vyatta with iptables

Hi tbaror,

Yes, Vyatta uses iptables for the firewall. It also uses iptables in other features as well (i.e. NAT, WAN load balance).

Yes, you can configure iptables outside of the vyatta configuration. But you will need to make sure that fwbuilder doesn't flush or remove any of the vyatta iptables rules (configured via the cli). So, I'd recommend making a decision to use either the cli to configure firewall or fwbuilder.

The other consideration if you use fwbuilder--do the fw rules set up correctly on boot?

Just an FYI--one of the enhancements on our list of things to do is to support loading of firewall rules via an iptables saved file, and to have this set up via the CLI. I think this would be the best of both worlds for you, as it would allow you to use fwbuilder and then save out your configuration via iptables, then finally register it with the Vyatta CLI.

Mike

tbaror
iptables with Vyatta

Thanks looking forward :D

peanut3122
Vyatta with iptables

Is there an option to use fwbuilder yet?

slioch
Vyatta with iptables

Not yet.

FYI--to help raise the visibility of your request, add this to the enhancement poll:

http://www.vyatta.org/contribute/enhancements-poll

Mike

sqyntz2
configuring iptables rules from within the vyatta config

Has any thought been given to allowing (potentially more complex) iptables rules to be set from the Vyatta config?

There are some complex NAT/Port Redirection configurations that I would like to implement but the vyatta CLI is not up to the task.

Thanks,
-sqyntz

stig
Re: configuring iptables rules from within the vyatta config

sqyntz2 wrote:
Has any thought been given to allowing (potentially more complex) iptables rules to be set from the Vyatta config?

There are some complex NAT/Port Redirection configurations that I would like to implement but the vyatta CLI is not up to the task.

Can you give an example of what you're looking for or open an enhancement request at: https://bugzilla.vyatta.com/

sqyntz2
Vyatta with iptables

I can also add this as a feature request but here is what I am thinking:

I needed to add the following rules to my Vyatta router in order to redirect some IPsec traffic to a VPN appliance. These rules solved my immediate problem, but now I've introduced a configuration management headache. My understanding is that there is (at present) no way to insert these rules using the Vyatta configuration, but it would be super convenient if there was.

iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to-destination 192.168.168.3
iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to-destination 192.168.168.3
iptables -t nat -I PREROUTING -p 50 -j DNAT --to-destination 192.168.168.3

Chain PREROUTING (policy ACCEPT 3339K packets, 1976M bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   328 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:4500 to:192.168.168.3
   29 22187 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:isakmp to:192.168.168.3
    0     0 DNAT       esp  --  eth2   any     anywhere             anywhere            to:192.168.168.3

stig
Vyatta with iptables

sqyntz2 wrote:
I can also add this as a feature request but here is what I am thinking:

I needed to add the following rules to my Vyatta router in order to redirect some IPsec traffic to a VPN appliance. These rules solved my immediate problem, but now I've introduced a configuration management headache. My understanding is that there is (at present) no way to insert these rules using the Vyatta configuration, but it would be super convenient if there was.

iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to-destination 192.168.168.3
iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to-destination 192.168.168.3
iptables -t nat -I PREROUTING -p 50 -j DNAT --to-destination 192.168.168.3
Chain PREROUTING (policy ACCEPT 3339K packets, 1976M bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   328 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:4500 to:192.168.168.3
   29 22187 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:isakmp to:192.168.168.3
    0     0 DNAT       esp  --  eth2   any     anywhere             anywhere            to:192.168.168.3

Isn't that the same as:

vyatta@S1# show service nat 
 rule 10 {
     destination {
         port 500
     }
     inbound-interface eth2
     inside-address {
         address 192.168.168.3
     }
     protocol udp
     type destination
 }
 rule 20 {
     destination {
         port 4500
     }
     inbound-interface eth2
     inside-address {
         address 192.168.168.3
     }
     protocol udp
     type destination
 }
 rule 30 {
     inbound-interface eth2
     inside-address {
         address 192.168.168.3
     }
     protocol 50
     type destination
 }
[edit]

Which generates the following in iptables:

vyatta@S1# sudo iptables -t nat -vL PREROUTING       
Chain PREROUTING (policy ACCEPT 745 packets, 32093 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:isakmp /* NAT-10 */ to:192.168.168.3 
    0     0 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:4500 /* NAT-20 */ to:192.168.168.3 
    0     0 DNAT       esp  --  eth2   any     anywhere             anywhere            /* NAT-30 */ to:192.168.168.3 
[edit]
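The output above shows the distinguishing mark of CLI-generated rules: each carries a `/* NAT-nn */` comment naming the Vyatta rule that produced it, while rules inserted by hand (or by fwbuilder, as discussed earlier in the thread) carry none and are exactly the ones the CLI may flush on the next commit or reboot. The following script is an added example, not code from the thread or from Vyatta: it reads `iptables -t nat -vL PREROUTING` output and reports the untagged rules, using a constructed sample modelled on the listings posted above.

```shell
#!/bin/sh
# Added example, not from the thread: flag DNAT rules in the nat PREROUTING
# chain that carry no "/* NAT-nn */" comment. The Vyatta CLI tags the rules it
# generates with that comment, so an untagged rule was added outside the
# config (by hand or by fwbuilder), is invisible to "show service nat", and
# may be flushed on the next commit or reboot.
# Input: the output of   sudo iptables -t nat -vL PREROUTING   on stdin.

# Print "<target> <proto> <in-iface> <match/target options>" per untagged rule.
unmanaged_nat_rules() {
    awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }   # skip headers and blanks
        /\/\* NAT-[0-9]+ \*\// { next }                  # tagged by the Vyatta CLI
        {
            opts = ""
            for (i = 10; i <= NF; i++) opts = opts (i > 10 ? " " : "") $i
            print $3, $4, $6, opts
        }'
}

# Number of untagged rules; 0 means everything in the chain is CLI-managed.
count_unmanaged() {
    unmanaged_nat_rules | awk 'END { print NR }'
}

# Constructed sample modelled on the thread: rule NAT-10 from the CLI plus the
# two hand-inserted rules from sqyntz2's post (no NAT-nn comment).
SAMPLE_MIXED=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 745 packets, 32093 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:isakmp /* NAT-10 */ to:192.168.168.3
    2   328 DNAT       udp  --  eth2   any     anywhere             anywhere            udp dpt:4500 to:192.168.168.3
    0     0 DNAT       esp  --  eth2   any     anywhere             anywhere            to:192.168.168.3
EOF
)

# Stand-alone demo on the constructed sample; on a live router replace the
# printf with:   sudo iptables -t nat -vL PREROUTING | unmanaged_nat_rules
printf '%s\n' "$SAMPLE_MIXED" | unmanaged_nat_rules
```

Wiring `count_unmanaged` into a cron job and alerting when it is non-zero gives an early warning that the running ruleset has drifted from what the Vyatta configuration describes.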
sqyntz2
Vyatta with iptables

:oops: actually, yes it is... thank you

-sq