Custom IP block list-how to?


#1

Hello I have some IP addresses I want to block from the network.
Can anyone give me a few tips on how to do that?
I tried this (http://www.fordodone.com/2013/10/01/vyatta-create-and-update-ip-based-ban-lists-from-spamhaus/), but I don’t know how to add the rule into the system. I added the bash file and created a cron job, but how do I tell VyOS to use this rule?
I am using bridge mode on eth0 & eth1.
The 3rd NIC is for maintenance and SSH.
I want to block these IPs from inbound traffic.

Please help, I am going mad here trying to figure it out since Vyatta decided to delete all those notes. My gosh…


#2

Hello samlf3rd.

This thread might help.
http://forum.vyos.net/showthread.php?tid=9719


Hiroyuki Sato.


#3

Okay, I read through it, but I still can’t figure it out. Can you give me a little info so I can jump on track? I am just still a little lost…

If I create the cron job, do I have to add it to the task scheduler? How do I apply the firewall rule to a NIC? Or, if I apply the bash script, will it work on the entire system and block everything automatically?


#4

Hello samlf3rd.

task-scheduler is a cron frontend.
If you use task-scheduler, you don’t use cron itself.

You can apply your rule with:

set interfaces ethernet eth1 firewall out ...

http://vyos.net/wiki/User_Guide#Firewall

Maybe you can add your rule from a script like this.

#!/bin/bash
# Path to the VyOS configuration command wrapper, plus the group to create
strVyOSCmd="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"
strNGDesc="This is a Network Group Description"
strNGName="ngNetworkGroupName"

# Open a configuration session, add the network-group, commit and close the session
$strVyOSCmd begin
$strVyOSCmd set firewall group network-group $strNGName network 128.128.128.0/24
$strVyOSCmd set firewall group network-group $strNGName description "$strNGDesc"
$strVyOSCmd commit
$strVyOSCmd end

#5

Okay, I am starting to understand. The code you provided from the other thread, do I add that into the file or do I type that in the CLI?

Also, you wrote “set interfaces ethernet eth1 firewall out …”. Can you give me an example without the dots?
My file is called “updateBanList.sh” and it is in the /usr/local/sbin/ directory.
I need to run a task scheduler and then call the rule, and it should work?
I keep getting this error:

vyos@vyos# set system task-scheduler task blocked executable path /usr/local/sbin/updateBanList.sh

  File /usr/local/sbin/updateBanList.sh does not exist or is not executable
  
  Value validation failed
  Set failed

How do I add the task scheduler? I cannot find any literature on it.
I really appreciate your help.
Sam


#6

Hello samlf3rd.

I recommend that you take the following steps.

1, learn how to filter packets on VyOS.

http://vyos.net/wiki/User_Guide#Firewall
http://www.brocade.com/downloads/documents/data_sheets/best-practices-vyatta-firewall.pdf
http://www.forbidden-access.org/vyatta-firewall-how-to-configure/

This is the Vyatta manual, but it is almost the same.

You will know which part you want to update with the script.

Maybe you want to set the following part with a script (the $i part).

  set firewall group network-group blocked network $i

2, Write your own script to update the firewall rule.

http://forum.vyos.net/showthread.php?tid=9719

Maybe you can use this script as is.
http://www.fordodone.com/2013/10/01/vyatta-create-and-update-ip-based-ban-lists-from-spamhaus/

3, Execute the step #2 script periodically with the task scheduler.

https://github.com/vyos/vyatta-cron


Hiroyuki Sato.


#7

This is exactly what I am trying to get to work:
http://www.fordodone.com/2013/10/01/vyatta-create-and-update-ip-based-ban-lists-from-spamhaus/

Okay, I did a chmod and changed permissions, and now the task scheduler allowed me to commit and save the task scheduler parameters.

So, I have my file, I added a task scheduler, and now I just need to tell VyOS to use the rule.

This is where I am a tiny bit confused still. I have never made my own custom rules.

I need to do something like this:
set firewall group network-group blocked network $i

So in the above line I understand “set firewall group network-group”, but after that I don’t understand what is happening.

Where does the $i come into play? What does that stand for? If I type that in, it asks for an IPv4.

"vyos@vyos# set firewall group network-group blocked network $i

“0” is not a valid value of type “ipv4net”
Value validation failed
Set failed"

I just need to add the rule to the firewall now, but am still lost.
I am very close, and thank you for all the literature. I am learning a lot here today!
Sam


I just added this:
set firewall group network-group blocked network 10.0.0.0/24

Everything committed and saved just fine.

Am I missing something else? Is there something more I have to add?

I have my file installed with permissions, I added a task-scheduler:

task-scheduler {
    task blocked {
        executable {
            path /usr/local/sbin/updateBanList.sh
        }
        interval 1d
    }
}

and I added the firewall group:

firewall {
    group {
        network-group blocked {
            network 10.0.0.0/24
        }
    }
}

Should the file be working now?


#8

Hello sam.

You have to apply the rule to a specific interface.

Please read the document.

1, learn how to filter packets on VyOS.

http://vyos.net/wiki/User_Guide#Firewall
http://www.brocade.com/downloads/documents/data_sheets/best-practices-vyatta-firewall.pdf
http://www.forbidden-access.org/vyatta-firewall-how-to-configure/

updateBanList.sh works on VyOS as is.

After executing this script you will find entries similar to these:

set firewall group network-group blocked network '1.116.0.0/14'
set firewall group network-group blocked network '5.34.242.0/23'
set firewall group network-group blocked network '5.72.0.0/14'
set firewall group network-group blocked network '14.4.0.0/14'

Again, you have to apply the rule to a specific interface.


Hiroyuki Sato.


#9

I have been reading through all the links you have posted, but I am getting more confused… Sorry…
I understand that I need to add an in/out/or local rule. What I don’t understand is how to call it from the task scheduler setting I made.
Is the name “blocked” the rule name?
I added the task scheduler:

task-scheduler {
        task blocked {
            executable {
                path /usr/local/sbin/updateBanList.sh
            }
            interval 1d
        }
    }

I created a rule:

vyos@vyos# show firewall 
 all-ping enable
 broadcast-ping disable
 config-trap disable
 group {
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name blocked {
     default-action accept
     rule 20 {
         action accept
         state {
             established enable
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 twa-hazards-protection disable

This is my config:

vyos@vyos# show interfaces
 bridge br0 {
     address dhcp
     aging 300
     hello-time 2
     max-age 20
     priority 0
     stp false
 }
 ethernet eth0 {
     bridge-group {
         bridge br0
     }
     duplex auto
     firewall {
         in {
             name blocked
         }
         local {
             name blocked
         }
     }
     hw-id 00:16:76:13:c4:43
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     bridge-group {
         bridge br0
     }
     duplex auto
     hw-id 00:50:04:60:53:75
     smp_affinity auto
     speed auto
 }
 ethernet eth2 {
     address 10.0.0.100/24
     duplex auto
     firewall {
         in {
             name blocked
         }
         local {
             name blocked
         }
     }
     hw-id 00:02:e3:02:39:a6
     smp_affinity auto
     speed auto
 }
 loopback lo {
 }

How do I see similar entries? How do I execute the script also so I can see what it is blocking? When I run “show configuration commands” it doesn’t show any blocked IPs.
I promise I am reading everything I can, and my partner is too. We are trying very hard to learn as well. We appreciate your help, Hiroyuki, and sorry for our ignorance!


#10

Hello Sam.

First of all, please forget about task-scheduler.
You should confirm without scheduler.
After that, you should config task-scheduler.

About updateBanList.sh:

Maybe you can see
“set firewall group network-group blocked network ‘xxx.xxx.xxx.xxx/xx’”
with the following steps.

wget https://gist.githubusercontent.com/hiroyuki-sato/828edb3a59e80d73f08e/raw/1c94d82244ee95270bcb69f288d1557ecd15aad8/gistfile1.sh
chmod 755 gistfile1.sh
./gistfile1.sh
show configuration commands

And the firewall configuration steps are like below.

set firewall group network-group blocked network '1.116.0.0/14'
set firewall name OUTSIDE rule 10 action drop
set firewall name OUTSIDE rule 10 source network-group blocked
set firewall name OUTSIDE rule 10 protocol all
set interfaces ethernet eth0 firewall in name 'OUTSIDE'

I’ve never tested this, so please fix it yourself if something is wrong.

Please check another example.

https://www.fir3net.com/Routers/Brocade/vyatta-how-to-create-a-firewall-policy.html
http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5600_manual/wwhelp/wwhimpl/js/html/wwhelp.htm


Hiroyuki Sato.
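
The two halves of the answer above (post #4's wrapper-driven script and post #10's group-plus-drop-rule configuration) put together in one script, as an added example that is not code from this thread, from updateBanList.sh, or from VyOS. It assumes the wrapper path from post #4, the group name "blocked", firewall name "OUTSIDE" and interface eth0 from post #10, and a constructed sample ban list; the management network 10.0.0.0/24 (eth2 in post #9) is used as a constructed safety check, and the function names and the --dry-run/--apply switches are hypothetical. It validates every entry before generating a set command, skips anything that would block the management LAN, and prints the full command set in dry-run mode so it can be reviewed before commit.

```shell
#!/bin/sh
# Added example, not code from the thread or from VyOS.
# Builds the "blocked" network-group from a ban list and attaches it to an
# interface through a drop rule, following the command shapes in posts #4 and #10.
# Assumed: wrapper path from post #4; group, firewall and interface names from post #10.

WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
GROUP=blocked
FWNAME=OUTSIDE
IFACE=eth0
MGMT_NET=10.0.0.0/24   # constructed: the management LAN seen on eth2 in post #9

# Constructed sample ban list (not a real feed): one entry per line, comments allowed.
# It deliberately contains one malformed entry and the management network.
SAMPLE_BANLIST='# constructed sample, not a real feed
1.116.0.0/14
5.34.242.0/23
10.0.0.0/24
not-an-address
198.51.100.7
'

# Return 0 if $1 is a well-formed IPv4 network: a.b.c.d or a.b.c.d/len.
valid_cidr() {
  _ip=${1%%/*}
  _len=${1#*/}
  [ "$_len" = "$1" ] && _len=32            # no prefix length means a host (/32)
  case "$_len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_len" -le 32 ] || return 1
  _n=0
  _rest="$_ip."
  while [ -n "$_rest" ]; do                # walk the dotted quad one octet at a time
    _o=${_rest%%.*}
    _rest=${_rest#*.}
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
    _n=$((_n + 1))
  done
  [ "$_n" -eq 4 ]
}

# Print one "set firewall group network-group ..." line per usable entry in $1.
# Malformed entries and an exact match of the management network are skipped
# (with a note on stderr) so a bad feed cannot lock you out of the management NIC.
gen_group_cmds() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -n "$line" ] || continue
    if ! valid_cidr "$line"; then
      echo "skip: '$line' is not an IPv4 network" >&2
      continue
    fi
    if [ "$line" = "$MGMT_NET" ]; then
      echo "skip: '$line' is the management network" >&2
      continue
    fi
    printf 'set firewall group network-group %s network %s\n' "$GROUP" "$line"
  done
}

# Print the rule set from post #10 that actually drops traffic from the group.
gen_policy_cmds() {
  printf 'set firewall name %s rule 10 action drop\n' "$FWNAME"
  printf 'set firewall name %s rule 10 source network-group %s\n' "$FWNAME" "$GROUP"
  printf 'set firewall name %s rule 10 protocol all\n' "$FWNAME"
  printf 'set interfaces ethernet %s firewall in name %s\n' "$IFACE" "$FWNAME"
}

# Feed every command through the wrapper inside one begin/commit/end session.
apply_cmds() {
  {
    echo begin
    gen_group_cmds "$1"
    gen_policy_cmds
    echo commit
    echo end
  } | while IFS= read -r cmd; do
    # shellcheck disable=SC2086  # splitting the command line into words is intended
    "$WRAPPER" $cmd
  done
}

# Usage: sh banlist.sh --dry-run  (print the commands)   or   --apply  (on the router)
case "${1-}" in
  --dry-run) gen_group_cmds "$SAMPLE_BANLIST"; gen_policy_cmds ;;
  --apply)   apply_cmds "$SAMPLE_BANLIST" ;;
esac
```

On a real router SAMPLE_BANLIST would be replaced by the list the download script produces. Two design points: the management-network guard is a deliberately simple exact match (a stricter check would test whether the entry overlaps the management prefix), and the quotes that "show configuration commands" prints around values are omitted because set accepts the bare value, which avoids having to strip them before handing the line to the wrapper.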


#11

I am trying to do basically the same thing. I got it to update the IPs, but it still isn’t blocking them. Any ideas?