Firewall rules not matching


#1

Hi,

I recently started using VyOS and everything seems to be set up fine. However, I cannot seem to get the firewall rules to be applied. They look correct, as below. I’m not sure what I am missing.

I have set up multiple interfaces on eth0 in the 192.168.1.0/24 subnet. I am performing destination and source NAT. If the firewall is not applied to eth0, everything works perfectly and I can RDP to the server on the other side; however, as soon as I apply the firewall to interface eth0, the traffic gets blocked.

I tried both group and standalone firewall rules, but no joy.

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group RDPHOSTS {
            address 192.168.1.11
            description "RDP Traffic"
        }
        network-group RDPNETWORKS {
            description "Networks allowed to connect to RDP"
            network 192.168.1.0/24
        }
        port-group RDPPORTS {
            description "TCP Ports for RDP Access"
            port 3389
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 22 {
            action accept
            description "Allow RDP to internal server"
            destination {
                address 192.168.1.11
                port 3389
            }
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                group {
                    address-group RDPHOSTS
                    port-group RDPPORTS
                }
            }
            protocol tcp
            source {
                group {
                    network-group RDPNETWORKS
                }
            }
        }
        rule 100 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 200 {
            action accept
            protocol esp
        }
    }
}

Chain OUTSIDE-IN (1 references)
 pkts bytes target  prot opt in  out  source    destination
    0     0 RETURN  all  --  any any  anywhere  anywhere      /* OUTSIDE-IN-10 */ state RELATED,ESTABLISHED
    0     0 RETURN  icmp --  any any  anywhere  anywhere      /* OUTSIDE-IN-20 */ state NEW icmp echo-request
    0     0 RETURN  tcp  --  any any  anywhere  192.168.1.11  /* OUTSIDE-IN-22 */ tcp dpt:3389
    0     0 RETURN  tcp  --  any any  anywhere  192.168.1.12  /* OUTSIDE-IN-23 */ tcp dpt:ssh
    0     0 RETURN  udp  --  any any  anywhere  anywhere      /* OUTSIDE-IN-100 */ udp dpt:isakmp
    0     0 RETURN  esp  --  any any  anywhere  anywhere      /* OUTSIDE-IN-200 */
 2677  170K DROP    all  --  any any  anywhere  anywhere      /* OUTSIDE-IN-10000 default-action drop */

I can definitely see the packet/byte count increasing for the dropped packets, so I definitely know the traffic is getting through, but for some reason it is not matching anything?

Any help appreciated.

Thanks


#2

So I figured out what was going on! I cannot believe I missed this.

DNAT is being performed before the firewall rules are being applied. So I needed to include/add my private IP address (192.168.13.0/24 range) in the firewall instead of keeping the public range.

Once I had done that all firewall rules worked as expected.
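The fix from post #2, written out as VyOS configure-mode commands. This is an added example, not configuration from the thread: the thread only gives the private range 192.168.13.0/24, so the server's private address 192.168.13.11 and the destination NAT rule that maps the public 192.168.1.11 onto it are assumptions. The point it shows is ordering: destination NAT runs in PREROUTING, before the interface's `in` firewall is evaluated, so an inbound rule must match the translated (private) destination, not the public one.

```vyos
# Added example (not from the original thread). Assumed: the RDP server's
# private address is 192.168.13.11 and DNAT rule 10 below is how the public
# address 192.168.1.11 is mapped to it.
configure

# Destination NAT: public 192.168.1.11:3389 -> private 192.168.13.11:3389.
# This is applied in PREROUTING, before OUTSIDE-IN sees the packet.
set nat destination rule 10 description 'RDP to internal server'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination address '192.168.1.11'
set nat destination rule 10 destination port '3389'
set nat destination rule 10 translation address '192.168.13.11'

# Broken (what the thread had): matches the pre-NAT public address, which the
# packet no longer carries when OUTSIDE-IN runs, so it falls to the default drop.
#   set firewall name OUTSIDE-IN rule 22 destination address '192.168.1.11'

# Fixed: match the translated private address.
set firewall name OUTSIDE-IN rule 22 description 'Allow RDP to internal server'
set firewall name OUTSIDE-IN rule 22 action 'accept'
set firewall name OUTSIDE-IN rule 22 protocol 'tcp'
set firewall name OUTSIDE-IN rule 22 destination address '192.168.13.11'
set firewall name OUTSIDE-IN rule 22 destination port '3389'

# The group-based rule 30 has the same problem: the address-group must hold
# the private address as well.
delete firewall group address-group RDPHOSTS address '192.168.1.11'
set firewall group address-group RDPHOSTS address '192.168.13.11'

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'

commit
save
exit

# Check (operational mode): after an RDP attempt, the counters should move on
# rule 22 (or 30), not on the default-action drop, and the DNAT rule should
# show a hit too.
show firewall name OUTSIDE-IN statistics
show nat destination statistics
```

The mirror image holds for outbound traffic: source NAT is applied in POSTROUTING, after the filter, so an `out` firewall on eth0 still sees the private source address and its rules should match that, not the public one. If the counters stay on the default drop after this change, confirm that the translated address really is what the DNAT rule emits rather than assuming it from the public-side documentation.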