Hello Guys, first, nice to meet you! It is a pleasure for me to join this great team and group.
I would like to know what I need to do to close port 179 (BGP) on the LAN interface.
Let me explain: I have a bond interface (ETH0+ETH1) for WAN and ETH2 for WAN used with BGP peers (IX and Transit), and another bond (ETH3+ETH4) for LAN, providing public IPv4 addresses for customers. The problem is that port 179 is allowed on these LAN interfaces. I tried using the firewall to close it, but it is not working. So, can you help me with this case?
With Best Regards
Josue
Welcome @josueconti
It will be great to see your sanitized config before recommending anything.
Hi Syncer, how are you?
Thank you so much for your prompt response. Currently I have deleted all configurations, but I tried this one:
set rule 1 action 'drop'
set rule 1 destination port '179'
set rule 1 protocol 'tcp'
Applied as a local rule on the bond1 interface (LAN). But it doesn't work.
The idea is just to close port 179.
With Best Regards
Josue
Hello, @josueconti!
Can you provide the full firewall and interfaces sections from your configuration? And the output of the following command:
sudo iptables -t filter -L -n -v
Hello zsdc, how are you?
Below is the output of the command sudo iptables -t filter -L -n -v
sudo iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3863K 1034M VYATTA_PRE_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3863K 1034M VYATTA_FW_LOCAL_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
2822K 768M VYATTA_POST_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3556M 3280G VYATTA_PRE_FW_FWD_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_FW_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
3556M 3280G VYATTA_POST_FW_FWD_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13M 1088M VYATTA_PRE_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
13M 1088M VYATTA_POST_FW_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IX-SNMP (6 references)
pkts bytes target prot opt in out source destination
5 429 DROP udp -- * * 0.0.0.0/0 187.16.222.105 /* IX-SNMP-1 */ udp dpt:161
39567 2921K RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-2 */ icmptype 8
13107 2192K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ tcp dpt:179
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-3 */ udp dpt:179
411K 172M RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-4 */ tcp spt:179
1041K 266M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* IX-SNMP-10000 default-action drop */
Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 IX-SNMP all -- eth5 * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 blockbgp all -- bond1.100 * 0.0.0.0/0 0.0.0.0/0
1307K 380M IX-SNMP all -- bond0.2232 * 0.0.0.0/0 0.0.0.0/0
198K 63M IX-SNMP all -- eth7.2 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth4 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- eth5 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- eth8 * 0.0.0.0/0 0.0.0.0/0
0 0 blockbgp all -- bond1 * 0.0.0.0/0 0.0.0.0/0
0 0 IX-SNMP all -- bond0 * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 IX-SNMP all -- * eth5 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3556M 3280G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
2822K 768M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
13M 1088M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
3556M 3280G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
3863K 1034M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
13M 1088M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain blockbgp (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ tcp spt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-1 */ udp spt:179
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ tcp dpt:179
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-2 */ udp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* blockbgp-10000 default-action drop */
Look at the chain blockbgp: I applied it on the LAN interface as a local rule, but it doesn't work.
With Best Regards
Josue
show firewall name blockbgp
Rulesets Information
IPv4 Firewall "blockbgp":
Active on (bond1,LOCAL) (bond1.100,LOCAL) (eth4,LOCAL) (eth8,LOCAL)
rule action proto packets bytes
1 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp spt:179
2 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp dpt:179
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
show firewall name blockbgp
default-action drop
rule 1 {
action drop
protocol tcp_udp
source {
port 179
}
}
rule 2 {
action drop
destination {
port 179
}
protocol tcp_udp
}
[edit]
Be careful with your firewall rule blockbgp. In fact, this rule blocks all traffic to your router, not only BGP.
But I can't understand why the firewall counters for the following interfaces are zero:
bond1.100
eth4
eth8
bond1
This means that there was no incoming traffic to the router on these interfaces. I propose to check this with:
show interfaces
sudo ip -s l
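As an added diagnostic (not part of the thread and not a VyOS tool), the following Python script parses the kind of iptables -t filter -L -n -v output posted above, lists every ruleset attached to the local hook with its inbound interface and packet counter, and reports two things a reviewer would look for: attachments whose counter is zero (no packet addressed to the router has arrived through that interface, so the ruleset has not been exercised) and rulesets whose default action is drop while attached in local scope (they drop every packet to the router on that interface, not only the ports they list). The sample input is a constructed, trimmed copy of the output in this thread; the chain names are the ones VyOS/Vyatta creates and the function names are my own.

```python
import re

# Constructed sample: trimmed from the `iptables -t filter -L -n -v` output
# posted in the thread (the local hook plus the two rulesets it references).
SAMPLE = """\
Chain IX-SNMP (6 references)
 pkts bytes target     prot opt in     out     source               destination
    5   429 DROP       udp  --  *      *       0.0.0.0/0            187.16.222.105       /* IX-SNMP-1 */ udp dpt:161
13107 2192K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* IX-SNMP-3 */ tcp dpt:179
1041K  266M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* IX-SNMP-10000 default-action drop */
Chain VYATTA_FW_LOCAL_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 blockbgp   all  --  bond1.100 *    0.0.0.0/0            0.0.0.0/0
1307K  380M IX-SNMP    all  --  bond0.2232 *   0.0.0.0/0            0.0.0.0/0
    0     0 blockbgp   all  --  eth4   *       0.0.0.0/0            0.0.0.0/0
    0     0 blockbgp   all  --  bond1  *       0.0.0.0/0            0.0.0.0/0
Chain blockbgp (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* blockbgp-2 */ tcp dpt:179
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* blockbgp-10000 default-action drop */
"""

LOCAL_HOOK = "VYATTA_FW_LOCAL_HOOK"  # chain VyOS/Vyatta uses for interface 'local' firewalls
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """Turn an iptables -v counter such as '1307K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chains(text):
    """Map chain name -> list of rule dicts (pkts, target, proto, in, out, extra)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts"):  # column header
            continue
        # pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        chains[current].append({
            "pkts": parse_count(parts[0]),
            "target": parts[2],
            "proto": parts[3],
            "in": parts[5],
            "out": parts[6],
            "extra": parts[9] if len(parts) > 9 else "",
        })
    return chains


def local_attachments(chains):
    """(interface, ruleset, packets) for every ruleset hooked into local scope."""
    return [(r["in"], r["target"], r["pkts"]) for r in chains.get(LOCAL_HOOK, [])]


def default_action(chains, ruleset):
    """Target of the ruleset's 'default-action' rule (VyOS tags it in the comment)."""
    for r in chains.get(ruleset, []):
        if "default-action" in r["extra"]:
            return r["target"]
    return None


def audit(chains):
    """Return (interface, ruleset, finding) tuples for the local hook."""
    findings = []
    for iface, ruleset, pkts in local_attachments(chains):
        if pkts == 0:
            # Nothing addressed to the router arrived via this interface, so the
            # ruleset has never been evaluated there; it is not what is (or is not)
            # blocking anything.
            findings.append((iface, ruleset, "no-hits"))
        if default_action(chains, ruleset) == "DROP":
            # In local scope this drops all traffic to the router on that interface.
            findings.append((iface, ruleset, "default-drop"))
    return findings


if __name__ == "__main__":
    for iface, ruleset, kind in audit(parse_chains(SAMPLE)):
        print(f"{iface:<12} {ruleset:<10} {kind}")
```

Run it against a saved copy of the real output (read the file into SAMPLE's place) after changing the ruleset; if the attachments for the LAN side still show zero packets, the packets being looked for are not reaching the local hook on that interface, which is a placement question rather than a rule-syntax one.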
Hi zsdc, how are you?
I have traffic on these interfaces, because it is our current customers' LAN, where we provide VIFs, ok?
The question is about the firewall name blockbgp: I don't understand why it doesn't close port 179. All traffic needs to be allowed, because customers use it.
Hi zsdc, I changed the default-action to accept, like below:
show firewall name blockbgp
Rulesets Information
IPv4 Firewall "blockbgp":
Active on (bond1,LOCAL) (bond1.100,LOCAL) (eth4,LOCAL) (eth8,LOCAL)
rule action proto packets bytes
1 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp spt:179
2 drop tcp_udp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 tcp dpt:179
10000 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
name blockbgp {
default-action accept
rule 1 {
action drop
protocol tcp_udp
source {
port 179
}
}
rule 2 {
action drop
destination {
port 179
}
protocol tcp_udp
}
}
But it is not working yet. Maybe something about local scope, right?
Look at the interfaces:
bonding bond1 {
description "LACP Customers 20Gbps"
firewall {
local {
name blockbgp
}
}
hash-policy layer2
On the bond1 interface, I have the customers' VIFs.
ethernet eth4 {
bond-group bond1
description "New 10Gbps BGP LAN /29 Vyatta@20Gbps"
duplex auto
firewall {
local {
name blockbgp
}
}
}
ethernet eth8 {
bond-group bond1
description "New 10Gbps BGP LAN /29 Vyatta@20Gbps"
duplex auto
firewall {
local {
name blockbgp
}
}
}
Hello guys, how are you?
The firewall name is working now. I applied it on eth0 and eth1, which are my current transit interfaces.
It is OK now, thank you all.
With Best Regards
Josue
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.