Vyos as bridge firewall in EC2


I am trying to implement VyOS as a bridge firewall in an EC2 environment.

Amazon Load Balancer <-> eth0 VyOS <-> eth1 VyOS <-> actual server.

  1. I want to bridge the two NICs, eth0 and eth1, so I can filter some packets with VyOS.
    I searched many ways but couldn't find any similar implementation.

  2. If I can make 1 happen, I know I can apply packet filter rules.
    Is it possible to filter packets by an algorithm?
    I am having an issue where an attacker is sending massive null TCP packets to my server.

Thank you very much.

I added eth1 in EC2 and set eth1 to DHCP.

vyos@VyOS-AMI:~$ show interfaces ethernet
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description

eth0 u/u OUTSIDE
eth1 u/u INSIDE

vyos@VyOS-AMI:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

S>* [1/0] via, eth0
C>* is directly connected, lo
C * is directly connected, eth1
C>* is directly connected, eth0

From the server, I can ping to but can't ping

I think I have to add a static route to eth1 as well, but I can't do it.

Your outside network needs to know where to go for the subnet you are trying to reach – your router on subnet needs to know what IP address is the gateway for subnet. Do you know what the router IP address is for your first subnet? It seems strange that you are using on eth0, since that usually goes to the router, unless your router is using something else, like. You need to find this out and change your eth0 IP if it turns out to be the same.

Two things you need to do:

  1. You need to add a route to your outside router, so it will know where to send your traffic for the unknown subnet.
  2. You need to make sure your firewall allows this traffic through. I am assuming you have a firewall, because you say you are trying to protect your internal network. If you don't have a firewall, then you just need to worry about getting your route into your outside network.
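The bridge and the null-TCP-packet filter discussed in this thread, written out as a VyOS configuration; this is an added example, not part of either post, and it assumes the VyOS 1.2 "set" syntax (on 1.1 bridge members are attached with "set interfaces ethernet eth0 bridge-group bridge br0" instead) and chooses the names br0 and BR-IN and the rule numbers itself.

```vyos
# Added example, not from the original thread. Assumes VyOS 1.2 "set" syntax;
# br0, BR-IN and the rule numbers are names chosen here.
configure

# 1. Put both NICs into one bridge: eth0 faces the load balancer, eth1 the server.
set interfaces bridge br0 description 'LB <-> server bridge'
set interfaces bridge br0 member interface eth0
set interfaces bridge br0 member interface eth1
# The management address belongs on the bridge, not on the member ports.
set interfaces bridge br0 address dhcp

# 2. Ruleset for traffic entering the bridge; everything not matched is allowed.
set firewall name BR-IN default-action accept
set firewall name BR-IN description 'Filter bridged traffic'

# Drop TCP segments with no flags set at all ("null" packets).
# A legitimate TCP segment always carries at least one flag, so this
# matches only the malformed traffic described in the question.
set firewall name BR-IN rule 10 action drop
set firewall name BR-IN rule 10 description 'Drop null TCP packets'
set firewall name BR-IN rule 10 protocol tcp
set firewall name BR-IN rule 10 tcp flags '!SYN,!ACK,!FIN,!RST,!URG,!PSH'
# Log the drops so they can be watched with "show log firewall".
set firewall name BR-IN rule 10 log enable

# Attach the ruleset to the bridge so bridged (not only routed) traffic is filtered.
set interfaces bridge br0 firewall in name BR-IN

commit
save
```

In EC2 the instance's network interfaces also need the source/destination check disabled before they will forward traffic, and a VPC only delivers frames addressed to an interface's own MAC and IP, so a transparent layer-2 bridge across two subnets does not work there in general; a routed (two-interface) VyOS with the same firewall ruleset is the usual alternative.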