I am setting up a vyatta router on VMware ESXi,
But I see to have hit a major snag, I could not get my firewall and NAT to work correctly.
I am not sure what was wrong with NAT but it "seems" to be working now. But the firewall is not allowing traffic from my WAN interface (eth0) to my LAN (eth1). I can confirm its the firewall because I disabled all firewall rules and everything worked with just NAT. If put the firewalls (WAN and LAN) back in place nothing can get through to port 25.
I am not really sure what the issue could be I am using pretty basic firewall rules, I wrote the rules while looking at the vyatta docs so unless there is something odd with the documentation they "should" be working.
Here is my NAT rules so far;
vyatta@gateway# show service nat
rule 20 {
description "Zimbra SNAT #1"
outbound-interface eth0
outside-address {
address 74.XXX.XXX.XXX
}
source {
address 10.0.0.17
}
type source
}
rule 21 {
description "Zimbra SMTP #1"
destination {
address 74.XXX.XXX.XXX
port 25
}
inbound-interface eth0
inside-address {
address 10.0.0.17
}
protocol tcp
type destination
}
rule 100 {
description "Default LAN -> WAN"
outbound-interface eth0
outside-address {
address 74.XXX.XXX.XXX
}
source {
address 10.0.0.0/24
}
type source
}
Then here is my firewall rules, this is where I believe the problem is.
vyatta@gateway# show firewall
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
conntrack-tcp-loose enable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name LAN_in {
rule 100 {
action accept
description "Default LAN -> any"
protocol all
source {
address 10.0.0.0/24
}
}
}
name LAN_out {
}
name LOCAL {
rule 100 {
action accept
state {
established enable
}
}
}
name WAN_in {
rule 20 {
action accept
description "Allow SMTP connections to MX01"
destination {
address 74.XXX.XXX.XXX
port 25
}
protocol tcp
}
rule 100 {
action accept
description "Allow established connections back through"
state {
established enable
}
}
}
name WAN_out {
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
SIDENOTE
To test for open ports I have using this website, http://www.yougetsignal.com/tools/open-ports/, it showed port 25 as open without the firewall rules and closed with the firewall rules.
UPDATE
Just to see if the firewall was working properly I made a rule to block SSH from the WAN interface. When I checked for port 22 on my primary WAN address it said it was still open even though I outright blocked the port.
Here is the rule I used;
rule 21 {
action reject
destination {
address 74.219.80.163
port 22
}
protocol tcp
}
So now I am convinced either I am doing something wrong or the firewall is not working like it should.
