Vyos as bridge firewall in EC2


#1

Hello.

I am trying to implement VyOS as a bridge firewall in an EC2 environment.

Amazon Load Balancer <-> eth0 vyos <-> eth1 vyos <-> actual server.

  1. I want to bridge the two NICs, eth0 and eth1, so I can filter some packets with vyos.
    I tried searching many ways but couldn't find any similar implementation.

  2. If I can make 1 happen, I know I can apply packet filter rules.
    Is it possible to implement packet filtering by algorithm?
    I am having an issue where an attacker is sending massive null TCP packets to my server.

Thank you very much.
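The "null TCP packets" mentioned in the question are TCP segments with none of the flags set. The following is an added example (not code from the original poster or from the VyOS project) that parses raw IPv4/TCP headers with the standard library and counts null segments per source address; that is the condition a firewall rule matching "TCP with no flags" would act on, and the per-source count is the simplest form of the "filter by algorithm" idea. All packets are constructed test data using documentation address ranges.

```python
"""Detect 'null' TCP segments (no flags set) and count them per source.

Added example for this thread; not VyOS code and not the poster's code.
All packets below are constructed in build_packet() for testing.
"""
import struct
from collections import Counter

# Classic TCP flag bits in byte 13 of the TCP header (low six bits).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv4 + TCP header (no payload, zero checksums). Constructed data."""
    def ip_bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))

    total_len = 20 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst))
    # Data offset 5 (20-byte header) lives in the high nibble of TCP byte 12.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(pkt: bytes):
    """Return (src, dst, proto, tcp_flags); tcp_flags is None for non-TCP packets."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != 6:
        return src, dst, proto, None
    if len(pkt) < ihl + 14:
        raise ValueError("truncated TCP header")
    flags = pkt[ihl + 13]          # TCP flags byte
    return src, dst, proto, flags


def is_null_tcp(flags: int) -> bool:
    """True when none of the six classic flags is set (the 'null' signature)."""
    return flags & 0x3F == 0


def flag_names(flags: int):
    """Human-readable list of set flags, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAG_BITS.items() if flags & bit]


def count_null_sources(packets, threshold: int = 3):
    """Return {src: count} for sources that sent at least `threshold` null segments."""
    counts = Counter()
    for pkt in packets:
        src, _dst, proto, flags = parse_packet(pkt)
        if proto == 6 and is_null_tcp(flags):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample: one noisy source, one source below the threshold, normal traffic.
SERVER = "172.31.4.10"
SAMPLE = (
    [build_packet("198.51.100.7", SERVER, 40000 + i, 80, 0x00) for i in range(4)]
    + [build_packet("203.0.113.5", SERVER, 50000 + i, 80, 0x00) for i in range(2)]
    + [build_packet("203.0.113.5", SERVER, 50010, 80, TCP_FLAG_BITS["SYN"]),
       build_packet("198.51.100.7", SERVER, 40010, 443, TCP_FLAG_BITS["ACK"])]
)

if __name__ == "__main__":
    for src, n in count_null_sources(SAMPLE).items():
        print(f"{src}: {n} null TCP segments")
```

The `threshold` parameter stands in for whatever rate a real deployment tolerates; a firewall rule that drops flagless TCP segments outright needs no counting at all, which is why such a rule is usually the first thing to try before anything adaptive.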


#2

I added eth1 from EC2 and set eth1 to DHCP.

vyos@VyOS-AMI:~$ show interfaces ethernet
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
eth0 172.31.5.1/20 u/u OUTSIDE
eth1 172.31.4.1/20 u/u INSIDE

vyos@VyOS-AMI:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 172.31.0.1, eth0
C>* 127.0.0.0/8 is directly connected, lo
C * 172.31.0.0/20 is directly connected, eth1
C>* 172.31.0.0/20 is directly connected, eth0

From the server, I can ping 172.31.5.1 (eth0) but can't ping 172.31.4.1 (eth1).

I think I have to add a static route to eth1 as well, but I can't do it.
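A check worth running on the output above is whether the two interface addresses actually fall in distinct networks. The following added example (not the poster's code and not part of VyOS) parses the text of `show interfaces ethernet` and `show ip route` in the format pasted above, embedded here as constructed sample input, and reports interface pairs whose networks overlap together with prefixes that appear as more than one connected route; in the routing table, only one of such duplicate entries is selected (`>`), so the other interface is never chosen for that prefix.

```python
"""Flag overlapping connected subnets in VyOS 'show interfaces' / 'show ip route' output.

Added example for this thread; not VyOS code. The two text blocks are
constructed from the output pasted in the thread.
"""
import ipaddress
import re

SHOW_INTERFACES = """\
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.31.5.1/20                     u/u  OUTSIDE
eth1             172.31.4.1/20                     u/u  INSIDE
"""

SHOW_ROUTE = """\
S>* 0.0.0.0/0 [1/0] via 172.31.0.1, eth0
C>* 127.0.0.0/8 is directly connected, lo
C * 172.31.0.0/20 is directly connected, eth1
C>* 172.31.0.0/20 is directly connected, eth0
"""

# One interface line: name, IPv4 address/prefix, state (e.g. u/u), optional description.
IFACE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<state>\S+/\S+)(?:\s+(?P<desc>.*))?$"
)
# Connected route line; '>' marks the selected entry, '*' the FIB entry.
ROUTE_RE = re.compile(
    r"^C(?P<sel>>?)\s*\*\s+(?P<prefix>\S+)\s+is directly connected,\s+(?P<iface>\S+)$"
)


def parse_interfaces(text: str):
    """Return [(ifname, IPv4Interface, state, description)]; header/code lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group("addr"))
        entries.append((m.group("ifname"), iface, m.group("state"), (m.group("desc") or "").strip()))
    return entries


def find_overlaps(entries):
    """Return [(ifname_a, ifname_b, network_a)] for interface pairs whose networks overlap."""
    overlaps = []
    for i, (name_a, if_a, _, _) in enumerate(entries):
        for name_b, if_b, _, _ in entries[i + 1:]:
            if if_a.network.overlaps(if_b.network):
                overlaps.append((name_a, name_b, str(if_a.network)))
    return overlaps


def duplicate_connected_routes(text: str):
    """Return {prefix: [(iface, selected)]} for prefixes connected on more than one interface."""
    by_prefix = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        by_prefix.setdefault(m.group("prefix"), []).append(
            (m.group("iface"), m.group("sel") == ">")
        )
    return {p: v for p, v in by_prefix.items() if len(v) > 1}


if __name__ == "__main__":
    ifaces = parse_interfaces(SHOW_INTERFACES)
    for a, b, net in find_overlaps(ifaces):
        print(f"{a} and {b} are both in {net}")
    for prefix, routes in duplicate_connected_routes(SHOW_ROUTE).items():
        chosen = [i for i, sel in routes if sel]
        print(f"{prefix} is connected on {[i for i, _ in routes]}; selected: {chosen}")
```

In a VPC each subnet has its own CIDR and its own router address, so an interface in a different subnet would normally show a different network here; when both interfaces land in the same network, the routing table cannot distinguish them, which matches the `C *` versus `C>*` pair in the pasted output.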


#3

Your outside network needs to know where to go for the subnet you are trying to reach – your router on subnet 172.31.5.0/24 needs to know what IP address is the gateway for subnet 172.31.4.0/24. Do you know what the router IP address for your first subnet is? It seems strange that you are using 172.31.5.1 on eth0, since that usually goes to the router, unless your router is using something else, like 172.31.5.254. You need to find this out and change your eth0 IP if it turns out to be the same.

Two things you need to do:

  1. You need to add a route to your outside router, so it will know where to send your traffic for the unknown subnet.
  2. You need to make sure your firewall allows this traffic through. I am assuming you have a firewall, because you say you are trying to protect your internal network. If you don’t have a firewall, then you just worry about getting your route in your outside network.