Hello everyone, I encountered a small problem during the experiment, and I hope to get your help. Although this situation is not the right way to use it, I just want to ask if there is a way to solve this problem. Thank you all!
set interfaces ethernet eth0 address '1.1.1.1/24'
set interfaces ethernet eth0 address '2.2.2.2/24'
Internet---OUTSIDE eth0 1.1.1.1 2.2.2.2 && INSIDE eth1 10.10.10.1---PC 10.10.10.2 (8080, 443)
NAT: 1.1.1.1:80---10.10.10.2:8080
2.2.2.2--dmz--10.10.10.2
Firewall:
OUTSIDE-INSIDE port 8080 accept
Excuse me, can I make the existing port 8080 firewall rule match only the 1.1.1.1 address, and let the 2.2.2.2 address pass or be matched by other firewall rules?
Currently, neither address can access 443, but I want to make only 2.2.2.2:443 accessible and leave 1.1.1.1:443 inaccessible. Can I add something in the firewall that identifies whether the address is 1.1.1.1 or 2.2.2.2?
The system information is as follows:
vyos@vRoute:~$ show version
Version: VyOS 1.3-rolling-202009030118
Release Train: equuleus
Built by: [email protected]
Built on: Thu 03 Sep 2020 01:18 UTC
Build UUID: 83c8515b-213b-4ac6-9b9a-2a0f24bbbda7
Build Commit ID: 221fd153830307
Architecture: x86_64
Boot via: installed image
System type: VMware guest
Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: Unknown
Hardware UUID: Unknown
Copyright: VyOS maintainers and contributors
Thank you for your prompt reply!
I know the method you mentioned, but I still need the OUTSIDE-INSIDE firewall setting. I need to add the access whitelist restriction for 1.1.1.1 here, and I need 2.2.2.2 to be completely exposed when traffic comes in on it.
3.3.3.3 is my whitelist.
I only want 3.3.3.3 to be able to access 1.1.1.1:80 (10.10.10.2:8080); the other mapped ports should not be allowed.
Anyone can access all ports on 2.2.2.2.
I'm just assuming a certain scenario, so the logic will be a bit strange.
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone INSIDE interface eth1
set firewall name INSIDE-OUTSIDE default-action accept
set firewall name OUTSIDE-INSIDE default-action reject
set firewall name OUTSIDE-INSIDE rule 1 action accept
set firewall name OUTSIDE-INSIDE rule 1 state established enable
set firewall name OUTSIDE-INSIDE rule 1 state related enable
set firewall name OUTSIDE-INSIDE rule 100 action accept
set firewall name OUTSIDE-INSIDE rule 100 destination address 10.10.10.2
set firewall name OUTSIDE-INSIDE rule 100 destination port 8080
set firewall name OUTSIDE-INSIDE rule 100 protocol tcp
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-INSIDE
With this configuration, 1.1.1.1 and 2.2.2.2 are both subject to this filtering. I only want 1.1.1.1 to be subject to it. At the moment, I just want to completely open up 2.2.2.2 to distinguish it; later I will make new rules for it.
The current situation is that both 1.1.1.1 and 2.2.2.2 match the same firewall policy, but I only want 1.1.1.1 to match.
#NAT
#1.1.1.1:80-->10.10.10.2:8080
set nat destination rule 30 destination address '1.1.1.1'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.10.10.2'
set nat destination rule 30 translation port '8080'
#2.2.2.2->10.10.10.2
set interfaces ethernet eth0 address 2.2.2.2/24
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 translation address '10.10.10.2'
set nat source rule 40 outbound-interface eth1
set nat source rule 40 source address '10.10.10.2'
set nat source rule 40 translation address '2.2.2.2'
#FIREWALL
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone INSIDE interface eth1
set firewall name INSIDE-OUTSIDE default-action accept
set zone-policy zone OUTSIDE from INSIDE firewall name INSIDE-OUTSIDE
set firewall name OUTSIDE-INSIDE default-action reject
set firewall name OUTSIDE-INSIDE rule 1 action accept
set firewall name OUTSIDE-INSIDE rule 1 state established enable
set firewall name OUTSIDE-INSIDE rule 1 state related enable
set firewall name OUTSIDE-INSIDE rule 100 action accept
set firewall name OUTSIDE-INSIDE rule 100 destination address 10.10.10.2
set firewall name OUTSIDE-INSIDE rule 100 destination port 8080
set firewall name OUTSIDE-INSIDE rule 100 protocol tcp
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-INSIDE
I have tried to make the rule work on OUTSIDE-IN, but it still takes effect after NAT, so I cannot verify the address before the address translation.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 1 action 'accept'
set firewall name OUTSIDE-IN rule 1 state established 'enable'
set firewall name OUTSIDE-IN rule 1 state related 'enable'
set firewall name OUTSIDE-IN rule 100 action 'accept'
set firewall name OUTSIDE-IN rule 100 destination address '1.1.1.1'
set firewall name OUTSIDE-IN rule 100 destination port '80'
set firewall name OUTSIDE-IN rule 100 protocol 'tcp'
set firewall name OUTSIDE-IN rule 100 source address '3.3.3.3'
# separate rule number, otherwise these lines overwrite rule 100 above
set firewall name OUTSIDE-IN rule 200 action 'accept'
set firewall name OUTSIDE-IN rule 200 destination address '2.2.2.2'
set firewall name OUTSIDE-IN rule 200 protocol 'tcp'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
There is no problem with my NAT rules. They can access normally without adding firewall rules.
But I want to add a 3.3.3.3 whitelist for 1.1.1.1:80 (10.10.10.2:8080) and reject all others. For 2.2.2.2 (10.10.10.2) there are no restrictions on access: for example, 2.2.2.2:8080 (10.10.10.2:8080) or 2.2.2.2:443 (10.10.10.2:443) are not restricted by firewall rules, or new matching rules are customized for it.
Using the NAT source rule can satisfy my assumption, but I still want to ask whether firewall rules can be formulated separately for two IPs on the same network card.
Can't firewall rules be formulated separately for 1.1.1.1 and 2.2.2.2? It can be done using iptables, but I am not yet clear how to set it up in VyOS.
Delete the IP addresses from eth0 and assign them to pethX interfaces. Example in the LTS release:
nat-gw configuration:
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-INSIDE default-action 'reject'
set firewall name OUTSIDE-INSIDE rule 1 action 'accept'
set firewall name OUTSIDE-INSIDE rule 1 state established 'enable'
set firewall name OUTSIDE-INSIDE rule 1 state related 'enable'
set firewall name OUTSIDE-INSIDE rule 100 action 'accept'
set firewall name OUTSIDE-INSIDE rule 100 destination address '10.10.10.2'
set firewall name OUTSIDE-INSIDE rule 100 destination port '8080'
set firewall name OUTSIDE-INSIDE rule 100 protocol 'tcp'
set firewall name OUTSIDE-INSIDE rule 100 source address '3.3.3.3'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 description 'Wan'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces pseudo-ethernet peth1 address '1.1.1.1/24'
set interfaces pseudo-ethernet peth1 firewall in name 'OUTSIDE-INSIDE'
set interfaces pseudo-ethernet peth1 link 'eth0'
set interfaces pseudo-ethernet peth1 mode 'private'
set interfaces pseudo-ethernet peth2 address '2.2.2.2/24'
set interfaces pseudo-ethernet peth2 link 'eth0'
set interfaces pseudo-ethernet peth2 mode 'private'
set nat destination rule 30 destination address '1.1.1.1'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'peth1'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.10.10.2'
set nat destination rule 30 translation port '8080'
set nat destination rule 40 destination address '2.2.2.2'
set nat destination rule 40 inbound-interface 'peth2'
set nat destination rule 40 translation address '10.10.10.2'
set nat source rule 900 outbound-interface 'peth1'
set nat source rule 900 source address '10.10.10.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 910 outbound-interface 'peth2'
set nat source rule 910 source address '10.10.10.0/24'
set nat source rule 910 translation address 'masquerade'
set system host-name 'nat-gw'
And assign the firewall to the pethX interface. If you want, you can use zones…
Access from 3.3.3.2:
vyos@client1:~$ ssh vyos@1.1.1.1 -p 80
ssh: connect to host 1.1.1.1 port 80: Connection refused
vyos@client1:~$ ssh vyos@1.1.1.1 -p 555
ssh: connect to host 1.1.1.1 port 555: Connection refused
vyos@client1:~$ ssh [email protected] -p 22
[email protected]'s password:
vyos@r-service:~$
vyos@client1:~$ ssh vyos@1.1.1.1 -p 443
ssh: connect to host 1.1.1.1 port 443: Connection refused
vyos@client1:~$ ssh vyos@2.2.2.2 -p 443
Welcome to VyOS
vyos@2.2.2.2's password:
Access from 3.3.3.3:
vyos@client2:~$ ssh vyos@1.1.1.1 -p 80
The authenticity of host '[1.1.1.1]:80 ([1.1.1.1]:80)' can't be established.
ECDSA key fingerprint is 8b:f5:50:16:ac:b6:62:b7:65:81:a5:3f:8e:67:a4:d1.
Are you sure you want to continue connecting (yes/no)?
vyos@client2:~$ ssh vyos@1.1.1.1 -p 443
ssh: connect to host 1.1.1.1 port 443: Connection refused
vyos@client2:~$ ssh vyos@2.2.2.2 -p 443
The authenticity of host '[2.2.2.2]:443 ([2.2.2.2]:443)' can't be established.
ECDSA key fingerprint is 8b:f5:50:16:ac:b6:62:b7:65:81:a5:3f:8e:67:a4:d1.
Are you sure you want to continue connecting (yes/no)?
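The following is an added Python model, not VyOS code and not from anyone in this thread. It reproduces the packet-handling order the original poster ran into (destination NAT rewrites the destination before the interface "in" firewall evaluates the forwarded packet) and compares the two layouts: both public addresses on eth0 with one firewall, versus each address on its own pseudo-ethernet with the firewall bound only to peth1, as in the reply above. Assumptions: only new connections are modelled, the zone policy of the first post is treated the same as an interface "in" firewall on eth0, and a packet for 1.1.1.1 is assumed to arrive on peth1 and one for 2.2.2.2 on peth2. The probe addresses 3.3.3.2 and 3.3.3.3 are the ones used in the test session above.

```python
# Added example (not VyOS code): model of DNAT followed by the 'in' firewall
# on the inbound interface, for the two layouts discussed in this thread.
# Assumption: only new connections; zone policy treated like 'firewall in' on eth0.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "new"  # every probe below opens a new connection


def apply_dnat(pkt, dnat_rules):
    """Return the packet as the forward filter will see it: the first matching
    'nat destination' rule rewrites the destination address (and port, if set)."""
    for rule in sorted(dnat_rules, key=lambda r: r["num"]):
        if rule["in"] != pkt.in_iface or rule["dst"] != pkt.dst:
            continue
        if rule.get("proto") not in (None, pkt.proto):
            continue
        if rule.get("dport") not in (None, pkt.dport):
            continue
        return replace(pkt, dst=rule["to"], dport=rule.get("to_port", pkt.dport))
    return pkt


def rule_matches(rule, pkt):
    """A firewall rule matches when every criterion it sets agrees with the packet."""
    for field in ("src", "dst", "dport", "proto"):
        if field in rule and rule[field] != getattr(pkt, field):
            return False
    if "states" in rule and pkt.state not in rule["states"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Rules are tried in numeric order; the default action applies if none match."""
    for rule in sorted(ruleset["rules"], key=lambda r: r["num"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return ruleset["default"]


def forward_decision(pkt, dnat_rules, iface_in_fw, rulesets):
    """DNAT first, then the ruleset bound as 'in' on the inbound interface, so the
    firewall matches on the translated (inside) destination, as seen in the thread."""
    translated = apply_dnat(pkt, dnat_rules)
    fw_name = iface_in_fw.get(pkt.in_iface)
    if fw_name is None:  # no 'in' firewall on this interface: forwarded freely
        return "accept"
    return evaluate(rulesets[fw_name], translated)


# OUTSIDE-INSIDE as posted: allow replies, allow 3.3.3.3 to the translated
# 10.10.10.2:8080, reject everything else.
RULESETS = {"OUTSIDE-INSIDE": {"default": "reject", "rules": [
    {"num": 1, "action": "accept", "states": {"established", "related"}},
    {"num": 100, "action": "accept", "proto": "tcp", "src": "3.3.3.3",
     "dst": "10.10.10.2", "dport": 8080},
]}}

# Layout A (original post): both public addresses on eth0, one firewall on eth0.
DNAT_A = [
    {"num": 30, "in": "eth0", "dst": "1.1.1.1", "proto": "tcp", "dport": 80,
     "to": "10.10.10.2", "to_port": 8080},
    {"num": 40, "in": "eth0", "dst": "2.2.2.2", "to": "10.10.10.2"},
]
FW_A = {"eth0": "OUTSIDE-INSIDE"}

# Layout B (reply): 1.1.1.1 on peth1 with the firewall, 2.2.2.2 on peth2 without one.
DNAT_B = [
    {"num": 30, "in": "peth1", "dst": "1.1.1.1", "proto": "tcp", "dport": 80,
     "to": "10.10.10.2", "to_port": 8080},
    {"num": 40, "in": "peth2", "dst": "2.2.2.2", "to": "10.10.10.2"},
]
FW_B = {"peth1": "OUTSIDE-INSIDE"}


def decide_single_eth0(src, dst, dport):
    return forward_decision(Packet("eth0", src, dst, dport), DNAT_A, FW_A, RULESETS)


def decide_pseudo_eth(src, dst, dport):
    # Assumption: the packet arrives on the pseudo-ethernet that owns its destination.
    iface = "peth1" if dst == "1.1.1.1" else "peth2"
    return forward_decision(Packet(iface, src, dst, dport), DNAT_B, FW_B, RULESETS)


if __name__ == "__main__":
    probes = [("3.3.3.3", "1.1.1.1", 80), ("3.3.3.2", "1.1.1.1", 80),
              ("3.3.3.3", "1.1.1.1", 443), ("3.3.3.2", "2.2.2.2", 443),
              ("3.3.3.3", "2.2.2.2", 8080)]
    print(f"{'src':>8} {'dst:port':>14} {'eth0 only':>10} {'peth1/peth2':>12}")
    for src, dst, dport in probes:
        print(f"{src:>8} {dst + ':' + str(dport):>14} "
              f"{decide_single_eth0(src, dst, dport):>10} "
              f"{decide_pseudo_eth(src, dst, dport):>12}")
```

Running it shows the root of the problem: after DNAT, a connection to 1.1.1.1:80 and one to 2.2.2.2:8080 both look like 10.10.10.2:8080 to the eth0 ruleset, so nothing in that ruleset can tell the two public addresses apart, and 2.2.2.2:443 is rejected along with everything else. Once each address has its own pseudo-ethernet, the inbound interface carries that distinction instead, which is why the reply can leave peth2 without a ruleset while peth1 keeps the 3.3.3.3 whitelist; the decisions the model returns agree with the refused and accepted connections in the session above.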