Hello guys, first of all, nice to meet you! It is a pleasure for me to join this great team and group.
I would like to know what I need to do to close port 179 (BGP) on the LAN interface.
Let me explain: I have a bond interface (ETH0+ETH1) for WAN and ETH2 for WAN, used with BGP peers (IX and transit), and another bond (ETH3+ETH4) for LAN, providing public IPv4 addresses for customers. The problem is that port 179 is allowed on these LAN interfaces. I tried using the firewall to close it, but it is not working. So, can you help me with this case?
With Best Regards
Josue
Hi Syncer, how are you?
Thank you so much for your prompt response. Currently I have deleted all configurations, but I tried this one:
set rule 1 action 'drop'
set rule 1 destination port '179'
set rule 1 protocol 'tcp'
Applied as a local rule on the bond1 interface (LAN). But it doesn't work.
The idea is just to close port 179.
With Best Regards
Josue
Hello, @josueconti!
Can you provide the full firewall and interfaces sections from your configuration? And the output of the following command:
sudo iptables -t filter -L -n -v
Hello zsdc, how are you?
Below is the output of the command sudo iptables -t filter -L -n -v:
sudo iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3863K 1034M VYATTA_PRE_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3863K 1034M VYATTA_FW_LOCAL_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
2822K 768M VYATTA_POST_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3556M 3280G VYATTA_PRE_FW_FWD_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_POST_FW_FWD_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13M 1088M VYATTA_PRE_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
13M 1088M VYATTA_POST_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IX-SNMP (6 references)
pkts bytes target prot opt in out source destination
5 429 DROP udp -- * * 0.0.0.0/0 187.16.222.105 /* IX-SNMP-1 */ udp dpt:161
39567 2921K RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-2 */ icmptype 8
13107 2192K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ tcp dpt:179
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ udp dpt:179
411K 172M RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-4 */ tcp spt:179
1041K 266M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-10000 default-action drop */
Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 IX-SNMP all -- eth5 * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 blockbgp all -- bond1.100 * 0.0.0.0/0 0.0.0.0/0
1307K 380M IX-SNMP all -- bond0.2232 * 0.0.0.0/0 0.0.0.0/0
198K 63M IX-SNMP all -- eth7.2 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth4 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- eth5 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth8 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- bond1 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- bond0 * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 IX-SNMP all -- * eth5 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3556M 3280G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
2822K 768M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
13M 1088M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3556M 3280G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
3863K 1034M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
13M 1088M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain blockbgp (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ tcp spt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ udp spt:179
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ tcp dpt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ udp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-10000 default-action drop */
Look at the chain blockbgp; I applied it on the LAN interface, as a local rule, but it doesn't work.
With Best Regards
Josue
show firewall name blockbgp
Rulesets Information
IPv4 Firewall "blockbgp":
Active on (bond1,LOCAL) (bond1.100,LOCAL) (eth4,LOCAL) (eth8,LOCAL)
rule action proto packets bytes
1 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp spt:179
2 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp dpt:179
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
show firewall name blockbgp
default-action drop
rule 1 {
action drop
protocol tcp_udp
source {
port 179
}
}
rule 2 {
action drop
destination {
port 179
}
protocol tcp_udp
}
[edit]
Be careful with your firewall rule blockbgp. In fact, this rule blocks all traffic to your router, not only BGP.
But I can't understand why the firewall counters for the following interfaces are zero:
bond1.100
eth4
eth8
bond1
This means that there was no incoming traffic to the router on these interfaces. I propose checking this with:
show interfaces
sudo ip -s l
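As an added example (not code from this thread, from VyOS or from Vyatta), the following Python script reads the `sudo iptables -t filter -L -n -v` output posted above and reports the two things the reply points at: which hooks in VYATTA_FW_LOCAL_HOOK have never matched a packet, and which rulesets end in a catch-all DROP (a `default-action drop`). It also lists every rule that references a given port. The sample input is an excerpt of the output posted in this thread; the function names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: excerpt of the `sudo iptables -t filter -L -n -v` output
# posted in this thread (INPUT, IX-SNMP, VYATTA_FW_LOCAL_HOOK, blockbgp).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
3863K 1034M VYATTA_PRE_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3863K 1034M VYATTA_FW_LOCAL_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
2822K 768M VYATTA_POST_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IX-SNMP (6 references)
 pkts bytes target prot opt in out source destination
5 429 DROP udp -- * * 0.0.0.0/0 187.16.222.105 /* IX-SNMP-1 */ udp dpt:161
39567 2921K RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-2 */ icmptype 8
13107 2192K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ tcp dpt:179
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ udp dpt:179
411K 172M RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-4 */ tcp spt:179
1041K 266M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-10000 default-action drop */
Chain VYATTA_FW_LOCAL_HOOK (1 references)
 pkts bytes target prot opt in out source destination
0 0 blockbgp all -- bond1.100 * 0.0.0.0/0 0.0.0.0/0
1307K 380M IX-SNMP all -- bond0.2232 * 0.0.0.0/0 0.0.0.0/0
198K 63M IX-SNMP all -- eth7.2 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth4 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- eth5 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth8 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- bond1 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- bond0 * 0.0.0.0/0 0.0.0.0/0
Chain blockbgp (4 references)
 pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ tcp spt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ udp spt:179
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ tcp dpt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ udp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-10000 default-action drop */
"""

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(tok):
    """Turn an iptables counter such as '3863K' into an integer."""
    if tok[-1] in SUFFIX:
        return int(float(tok[:-1]) * SUFFIX[tok[-1]])
    return int(tok)


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # comment plus match options (e.g. 'tcp dpt:179')


def parse_iptables(text):
    """Return {chain name: [Rule, ...]} from `iptables -L -n -v` output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header or text before the first chain
        tok = line.split()
        if len(tok) < 9:
            continue
        chains[current].append(Rule(parse_count(tok[0]), tok[2], tok[3],
                                    tok[5], tok[6], tok[7], tok[8],
                                    " ".join(tok[9:])))
    return chains


def idle_hooks(chains, hook="VYATTA_FW_LOCAL_HOOK"):
    """(ruleset, interface) pairs bound in `hook` that never matched a packet."""
    return [(r.target, r.in_if) for r in chains.get(hook, []) if r.pkts == 0]


def _is_catch_all(r):
    # A rule with no match other than its comment hits every packet.
    matchers = re.sub(r"/\*.*?\*/", "", r.extra).strip()
    return (r.proto == "all" and r.in_if == "*" and r.out_if == "*"
            and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and not matchers)


def catch_all_drop_chains(chains):
    """Rulesets whose final rule drops everything (default-action drop)."""
    return sorted(name for name, rules in chains.items()
                  if rules and rules[-1].target == "DROP" and _is_catch_all(rules[-1]))


def rules_for_port(chains, port):
    """Every rule whose match options reference `port` as source or destination."""
    pat = re.compile(rf"(dpt|spt):{port}(?!\d)")
    return [(name, r.target, r.proto, r.extra)
            for name, rules in chains.items() for r in rules if pat.search(r.extra)]


if __name__ == "__main__":
    parsed = parse_iptables(SAMPLE)
    print("idle local hooks:", idle_hooks(parsed))
    print("catch-all DROP rulesets:", catch_all_drop_chains(parsed))
    for hit in rules_for_port(parsed, 179):
        print("port 179 rule:", hit)
```

On the posted output this lists blockbgp as idle on bond1, bond1.100, eth4 and eth8, and flags both IX-SNMP and blockbgp as ending in a catch-all DROP, which is the point made above: with default-action drop, every packet to the router on those interfaces would be dropped as soon as traffic actually reaches the ruleset. One detail worth checking when counters on a parent interface stay at zero: an iptables `-i bond1` match only covers frames that arrive on bond1 itself, not on VLAN sub-interfaces such as bond1.100, so a local ruleset bound to the parent does not see traffic from customer VIFs; on VyOS 1.2 (assumption: syntax as in the thread) each VIF would need its own binding, e.g. `set interfaces bonding bond1 vif 100 firewall local name blockbgp`.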
Hi zsdc, how are you?
I have traffic on these interfaces, because this is our current customers' LAN, on which we provide VIFs, OK?
The question is about the firewall name blockbgp; I don't understand why it doesn't close port 179. All traffic needs to be allowed, because customers use it.
Hi zsdc, I changed default-action to accept, as below:
show firewall name blockbgp
Rulesets Information
IPv4 Firewall "blockbgp":
Active on (bond1,LOCAL) (bond1.100,LOCAL) (eth4,LOCAL) (eth8,LOCAL)
rule action proto packets bytes
1 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp spt:179
2 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp dpt:179
10000 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
name blockbgp {
default-action accept
rule 1 {
action drop
protocol tcp_udp
source {
port 179
}
}
rule 2 {
action drop
destination {
port 179
}
protocol tcp_udp
But it's not working yet. Maybe it is something about the local scope, right?
Look at the interfaces:
bonding bond1 {
description "LACP Customers 20Gbps"
firewall {
local {
name blockbgp
}
}
hash-policy layer2
On the bond1 interface, I have the VIFs of the customers.
ethernet eth4 {
bond-group bond1
description "New 10Gbps BGP LAN /29 Vyatta@20Gbps"
duplex auto
firewall {
local {
name blockbgp
}
}
ethernet eth8 {
bond-group bond1
description "New 10Gbps BGP LAN /29 Vyatta@20Gbps"
duplex auto
firewall {
local {
name blockbgp
}
}
Hello guys, how are you?
The firewall name is working now. I applied it on eth0 and eth1, which are my current transit interfaces.
It is OK now, thank you for everything.
With Best Regards
Josue