I am setting up a Vyatta router on VMware ESXi, but I seem to have hit a major snag: I could not get my firewall and NAT to work correctly.
I am not sure what was wrong with NAT, but it "seems" to be working now. The firewall, however, is not allowing traffic from my WAN interface (eth0) to my LAN (eth1). I can confirm it's the firewall because I disabled all firewall rules and everything worked with just NAT. If I put the firewalls (WAN and LAN) back in place, nothing can get through to port 25.
I am not really sure what the issue could be. I am using pretty basic firewall rules, and I wrote them while looking at the Vyatta docs, so unless there is something odd with the documentation they "should" be working.
Here are my NAT rules so far:
vyatta@gateway# show service nat
 rule 20 {
     description "Zimbra SNAT #1"
     outbound-interface eth0
     outside-address {
         address 74.XXX.XXX.XXX
     }
     source {
         address 10.0.0.17
     }
     type source
 }
 rule 21 {
     description "Zimbra SMTP #1"
     destination {
         address 74.XXX.XXX.XXX
         port 25
     }
     inbound-interface eth0
     inside-address {
         address 10.0.0.17
     }
     protocol tcp
     type destination
 }
 rule 100 {
     description "Default LAN -> WAN"
     outbound-interface eth0
     outside-address {
         address 74.XXX.XXX.XXX
     }
     source {
         address 10.0.0.0/24
     }
     type source
 }
Then here are my firewall rules; this is where I believe the problem is.
vyatta@gateway# show firewall
 all-ping enable
 broadcast-ping disable
 conntrack-expect-table-size 4096
 conntrack-hash-size 4096
 conntrack-table-size 32768
 conntrack-tcp-loose enable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name LAN_in {
     rule 100 {
         action accept
         description "Default LAN -> any"
         protocol all
         source {
             address 10.0.0.0/24
         }
     }
 }
 name LAN_out {
 }
 name LOCAL {
     rule 100 {
         action accept
         state {
             established enable
         }
     }
 }
 name WAN_in {
     rule 20 {
         action accept
         description "Allow SMTP connections to MX01"
         destination {
             address 74.XXX.XXX.XXX
             port 25
         }
         protocol tcp
     }
     rule 100 {
         action accept
         description "Allow established connections back through"
         state {
             established enable
         }
     }
 }
 name WAN_out {
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
SIDENOTE
To test for open ports I have been using this website, http://www.yougetsignal.com/tools/open-ports/. It showed port 25 as open without the firewall rules and closed with the firewall rules.
UPDATE
Just to see if the firewall was working properly I made a rule to block SSH from the WAN interface. When I checked for port 22 on my primary WAN address it said it was still open even though I outright blocked the port.
Here is the rule I used:
 rule 21 {
     action reject
     destination {
         address 74.219.80.163
         port 22
     }
     protocol tcp
 }
So now I am convinced either I am doing something wrong or the firewall is not working like it should.
Best Answer
It's working the way it should. Are you applying your firewall rules to zones or interfaces? If you are configuring your rules against zones, you have to make zone policies also, i.e. WAN-LOCAL,
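The answer's point, and the symptom in the question (rulesets defined, port 22 still open), both come down to one check: a ruleset under `firewall name X` filters nothing until it is attached to an interface direction or referenced from a zone policy. The following Python script is an added example, not code from the question, the answer or the Vyatta project. It parses a small constructed config in the shape of Vyatta `show` output and reports which named rulesets are bound where and which ones are defined but never applied; the sample config, its interface and zone names, and the `parse`/`bindings`/`audit` helpers are all assumptions made for this example.

```python
# Constructed sample in the shape of Vyatta `show` output (not the asker's full
# config): LAN_in is bound to eth1 inbound, LOCAL is referenced by a zone
# policy, and WAN_in is defined but never applied anywhere. Mixing both binding
# styles here is only so the audit exercises both code paths.
SAMPLE_CONFIG = """\
firewall {
    name LAN_in {
        rule 100 {
            action accept
        }
    }
    name WAN_in {
        rule 20 {
            action accept
        }
    }
    name LOCAL {
        rule 100 {
            action accept
        }
    }
}
interfaces {
    ethernet eth1 {
        firewall {
            in {
                name LAN_in
            }
        }
    }
}
zone-policy {
    zone LOCAL {
        local-zone
        from WAN {
            firewall {
                name LOCAL
            }
        }
    }
}
"""

def parse(text):
    """Parse brace-style Vyatta config into nested dicts; leaves become lists of values."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()                     # close the current block
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)              # open a nested block, e.g. "name LAN_in"
        else:
            parts = line.split(None, 1)     # leaf: "<key> <value>" or bare "<key>"
            value = parts[1] if len(parts) > 1 else ""
            stack[-1].setdefault(parts[0], []).append(value)
    return root

def bindings(cfg):
    """Map ruleset name -> list of places it is applied (interface or zone policy)."""
    bound = {}
    # Interface style: interfaces ethernet ethN firewall {in|out|local} name X
    for key, iface in cfg.get("interfaces", {}).items():
        if not isinstance(iface, dict):
            continue
        ifname = key.split()[-1]
        for direction, block in iface.get("firewall", {}).items():
            for name in block.get("name", []):
                bound.setdefault(name, []).append(f"{ifname} {direction}")
    # Zone style: zone-policy zone DST from SRC firewall name X
    for zkey, zone in cfg.get("zone-policy", {}).items():
        if not isinstance(zone, dict):
            continue
        dst = zkey.split()[-1]
        for fkey, frm in zone.items():
            if not (fkey.startswith("from ") and isinstance(frm, dict)):
                continue
            src = fkey.split()[-1]
            for name in frm.get("firewall", {}).get("name", []):
                bound.setdefault(name, []).append(f"zone {src} -> {dst}")
    return bound

def audit(cfg):
    """Return every `firewall name X`, where it is applied, and which ones never run."""
    defined = {k.split(None, 1)[1] for k in cfg.get("firewall", {}) if k.startswith("name ")}
    bound = bindings(cfg)
    return {"defined": sorted(defined), "bound": bound,
            "unbound": sorted(defined - set(bound)),   # rules that never see traffic
            "dangling": sorted(set(bound) - defined)}  # references to missing rulesets

if __name__ == "__main__":
    report = audit(parse(SAMPLE_CONFIG))
    for name in report["defined"]:
        where = report["bound"].get(name)
        print(f"{name:7} -> {', '.join(where) if where else 'NOT APPLIED: rules never run'}")
```

Run against a full `show` dump instead of the sample and every name listed as NOT APPLIED is a ruleset whose accept or reject rules, such as the port 22 reject above, have no effect at all; a `dangling` entry means an interface or zone policy references a ruleset that does not exist.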