Multi-address firewall problem

toadzhou · September 9, 2020, 9:15am

Hello everyone, I encountered a small problem during the experiment, and I hope to get your help. Although this situation is not the right way to use it, I just want to ask if there is a way to solve this problem. Thank you all!

set interfaces ethernet eth0 address address '1.1.1.1/24'
set interfaces ethernet eth0 address address '2.2.2.2/24'

Internet---OUTSIDE eth0 1.1.1.1 2.2.2.2 && INSIDE eth1 10.10.10.1---PC10.10.10.2(8080,443)

NAT: 1.1.1.1:80---10.10.10.2:8080
     2.2.2.2--dmz--10.10.10.2

Firewall:
     OUTSIDE-INSIDE  port 8080 accept

Excuse me, if I let the existing 8080 firewall rules only match 1.1.1.1 addresses, and the 2.2.2.2 addresses pass or use other firewall rules to match.
Currently, neither address can access 443, but I only want to make 2.2.2.2:443 accessible and 1.1.1.1:443 inaccessible. I add in the firewall if the identification is 1.1.1.1 or 2.2.2.2?

The system information is as follows

vyos@vRoute:~$ show version 

Version:          VyOS 1.3-rolling-202009030118
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Thu 03 Sep 2020 01:18 UTC
Build UUID:       83c8515b-213b-4ac6-9b9a-2a0f24bbbda7
Build Commit ID:  221fd153830307

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

Viacheslav · September 9, 2020, 9:07am

@toadzhou
Can you describe more details and share your interface/nat/firewall configuration?
What version?

toadzhou · September 9, 2020, 9:12am

Sorry, I submitted it by mistake before the editing was completed. It has been updated again.

Viacheslav · September 9, 2020, 9:41am

Your configuration should look something like this.

set nat destination rule 10 description 'Web'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.10.10.1'
set nat destination rule 10 translation port '8080'

set nat destination rule 20 description 'Https'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '443'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.10.10.2'

set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.10.10.1/32'
set nat source rule 10 translation address '1.1.1.1'

set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.10.10.2/32'
set nat source rule 20 translation address '2.2.2.2'

set nat source rule 900 outbound-interface 'eth0'
set nat source rule 900 source address '10.10.10.0/24'
set nat source rule 900 translation address masquerade

toadzhou · September 9, 2020, 10:00am

Thank you for your prompt recovery!
I know the method you mentioned, but I still need the OUTSIDE-INSIDE firewall setting. I need to add here the access whitelist restriction from 1.1.1.1. And I need to be completely exposed when 2.2.2.2 comes in.

Viacheslav · September 9, 2020, 10:11am

@toadzhou Show your firewall rules

toadzhou · September 10, 2020, 2:01am

3.3.3.3 is my whitelist
Only hope that 3.3.3.3 can access 1.1.1.1:80 (10.10.10.2:8080), and other mapped ports are not allowed.
Anyone can access all ports above 2.2.2.2

I’m just an assumption of a certain scenario, so the logic will be a bit strange.

set zone-policy zone OUTSIDE interface eth0
set zone-policy zone INSIDE interface eth1

set firewall name INSIDE-OUTSIDE default-action accept

set firewall name OUTSIDE-INSIDE default-action reject
set firewall name OUTSIDE-INSIDE rule 1 action accept
set firewall name OUTSIDE-INSIDE rule 1 state established enable
set firewall name OUTSIDE-INSIDE rule 1 state related enable
set firewall name OUTSIDE-INSIDE rule 100 action accept
set firewall name OUTSIDE-INSIDE rule 100 destination address 10.10.10.2
set firewall name OUTSIDE-INSIDE rule 100 destination port 8080
set firewall name OUTSIDE-INSIDE rule 100 protocol tcp
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-INSIDE

This configuration 1.1.1.1 and 2.2.2.2 are both subject to supervision. I only want 1.1.1.1 to be subject to this supervision. At the moment, 2.2.2.2 I just want to completely release it to distinguish. Later, I will make new rules for him.

toadzhou · September 9, 2020, 11:51am

I tried to restrict OUTSIDE-IN, but it seemed to have no effect. Maybe there is a problem with my configuration.

toadzhou · September 10, 2020, 2:40am

The priority of NAT is higher than that of firewall. Even OUTSIDE-IN is also NAT priority. Can my rules take priority over NAT?

toadzhou · September 10, 2020, 9:18am

Checking the original iptables rules found that they only work on the FORWARD chain, and vyos did not find where the PREROUTING stage is set.

Viacheslav · September 10, 2020, 1:35pm

Provide please your NAT rules.
I send you only example.
It may be this task https://phabricator.vyos.net/T1293

toadzhou · September 10, 2020, 1:54pm

The current situation is that both 1.1.1.1 and 2.2.2.2 match the same firewall policy, but I only want 1.1.1.1 to match.

#NAT
#1.1.1.1:80-->10.10.10.2:8080
set nat destination rule 30 destination address '1.1.1.1'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.10.10.2'
set nat destination rule 30 translation port '8080'

#2.2.2.2->10.10.10.2
set interfaces ethernet eth0 address 2.2.2.2/24
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 translation address '10.10.10.2'
set nat source rule 40 outbound-interface eth1
set nat source rule 40 source address '10.10.10.2'
set nat source rule 40  translation address '2.2.2.2'

#FIREWALL
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone INSIDE interface eth1
set firewall name INSIDE-OUTSIDE default-action accept
set zone-policy zone OUTSIDE from INSIDE firewall name INSIDE-OUTSIDE

set firewall name OUTSIDE-INSIDE default-action reject
set firewall name OUTSIDE-INSIDE rule 1 action accept
set firewall name OUTSIDE-INSIDE rule 1 state established enable
set firewall name OUTSIDE-INSIDE rule 1 state related enable
set firewall name OUTSIDE-INSIDE rule 100 action accept
set firewall name OUTSIDE-INSIDE rule 100 destination address 10.10.10.2
set firewall name OUTSIDE-INSIDE rule 100 destination port 8080
set firewall name OUTSIDE-INSIDE rule 100 protocol tcp
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-INSIDE

I have tried to make the rule work on OUTSIDE-IN, but it still takes effect after NAT, so I cannot verify the address before the address translation.

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 1 action 'accept'
set firewall name OUTSIDE-IN rule 1 state established 'enable'
set firewall name OUTSIDE-IN rule 1 state related 'enable'
set firewall name OUTSIDE-IN rule 100 action 'accept'
set firewall name OUTSIDE-IN rule 100 destination address '1.1.1.1'
set firewall name OUTSIDE-IN rule 100 destination port '80'
set firewall name OUTSIDE-IN rule 100 protocol 'tcp'
set firewall name OUTSIDE-IN rule 100 source address '3.3.3.3'

set firewall name OUTSIDE-IN rule 100 action 'accept'
set firewall name OUTSIDE-IN rule 100 destination address '2.2.2.2'
set firewall name OUTSIDE-IN rule 100 protocol 'tcp'

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'

Viacheslav · September 10, 2020, 2:00pm

@toadzhou

Try this is configuration. !80 - mean not port 80.

set nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 destination port '!80'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address '10.10.10.2'

toadzhou · September 10, 2020, 2:11pm

It should not work because OUTSIDE-IN works behind NAT. Today is too late, I will try it tomorrow and give you feedback. Thank you for your advice!

toadzhou · September 11, 2020, 2:41am

Viacheslav:

et nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 destination port '!80'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address '10.10.10.2'

There is no problem with my NAT rules. They can access normally without adding firewall rules.
But I want to add a 3.3.3.3 whitelist to 1.1.1.1:80 (10.10.10.2:8080), and all others are rejected. 2.2.2.2 (10.10.10.2) There are no restrictions on access. For example, 2.2.2.2:8080 (10.10.10.2:8080) or 2.2.2.2:443 (10.10.10.2:443) are not restricted by firewall rules. Or customize new matching rules for it.

Viacheslav · September 11, 2020, 6:32am

How about add source address in nat rules?

set nat destination rule 30 destination address '1.1.1.1'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 source address '3.3.3.3'
set nat destination rule 30 translation address '10.10.10.2'
set nat destination rule 30 translation port '8080'

Or you need it with firewall?

toadzhou · September 11, 2020, 7:48am

Using the source rule of NAT can satisfy my assumption, but I still want to ask if two IPs on the same network card are separately formulated through firewall rules.
Can’t firewall rules be formulated separately for 1.1.1.1 and 2.2.2.2? It can be done using iptables, but vyos is not yet clear how to set it up.

Viacheslav · September 12, 2020, 8:17am

@toadzhou You can use pseudo-ethernet interfaces

Delete ip addresses from eth0 and assign it to pethX interfaces. Example in LTS release.

nat-gw configuration

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-INSIDE default-action 'reject'
set firewall name OUTSIDE-INSIDE rule 1 action 'accept'
set firewall name OUTSIDE-INSIDE rule 1 state established 'enable'
set firewall name OUTSIDE-INSIDE rule 1 state related 'enable'
set firewall name OUTSIDE-INSIDE rule 100 action 'accept'
set firewall name OUTSIDE-INSIDE rule 100 destination address '10.10.10.2'
set firewall name OUTSIDE-INSIDE rule 100 destination port '8080'
set firewall name OUTSIDE-INSIDE rule 100 protocol 'tcp'
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 description 'Wan'
set interfaces ethernet eth1 address '10.10.10.1/24'

set interfaces pseudo-ethernet peth1 address '1.1.1.1/24'
set interfaces pseudo-ethernet peth1 firewall in name 'OUTSIDE-INSIDE'
set interfaces pseudo-ethernet peth1 link 'eth0'
set interfaces pseudo-ethernet peth1 mode 'private'
set interfaces pseudo-ethernet peth2 address '2.2.2.2/24'
set interfaces pseudo-ethernet peth2 link 'eth0'
set interfaces pseudo-ethernet peth2 mode 'private'
set nat destination rule 30 destination address '1.1.1.1'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'peth1'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.10.10.2'
set nat destination rule 30 translation port '8080'
set nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 inbound-interface 'peth2'
set nat destination rule 40 translation address '10.10.10.2'
set nat source rule 900 outbound-interface 'peth1'
set nat source rule 900 source address '10.10.10.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 910 outbound-interface 'peth2'
set nat source rule 910 source address '10.10.10.0/24'
set nat source rule 910 translation address 'masquerade'
set system host-name 'nat-gw'

And assign firewall to pethX interface, If you want you can use zones…

Access from 3.3.3.2

vyos@client1:~$ ssh vyos@1.1.1.1 -p 80
ssh: connect to host 1.1.1.1 port 80: Connection refused
vyos@client1:~$ ssh vyos@1.1.1.1 -p 555
ssh: connect to host 1.1.1.1 port 555: Connection refused

vyos@client1:~$ ssh vyos@2.2.2.2 -p 22
vyos@2.2.2.2's password:
vyos@r-service:~$  
vyos@client1:~$ ssh vyos@1.1.1.1 -p 443
ssh: connect to host 1.1.1.1 port 443: Connection refused
vyos@client1:~$ ssh vyos@2.2.2.2 -p 443
Welcome to VyOS
vyos@2.2.2.2's password:

Access from 3.3.3.3

vyos@client2:~$ ssh vyos@1.1.1.1 -p 80
The authenticity of host '[1.1.1.1]:80 ([1.1.1.1]:80)' can't be established.
ECDSA key fingerprint is 8b:f5:50:16:ac:b6:62:b7:65:81:a5:3f:8e:67:a4:d1.
Are you sure you want to continue connecting (yes/no)? 

vyos@client2:~$ ssh vyos@1.1.1.1 -p 443
ssh: connect to host 1.1.1.1 port 443: Connection refused

vyos@client2:~$ ssh vyos@2.2.2.2 -p 443
The authenticity of host '[2.2.2.2]:443 ([2.2.2.2]:443)' can't be established.
ECDSA key fingerprint is 8b:f5:50:16:ac:b6:62:b7:65:81:a5:3f:8e:67:a4:d1.
Are you sure you want to continue connecting (yes/no)?

toadzhou · September 12, 2020, 8:19am

The pseudo-ethernet method is fine, and finally I get the result I want. thank you very much!

system · September 14, 2020, 8:19am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.