Preparing the lab – Vyatta NAT Masquerade

Vyatta's documentation (available after registration) provides many configuration examples and a full command syntax reference. Today I'm going to explain how to set up masquerade NAT in Vyatta Core. Please forgive me if my explanation is not quite clear, and let me know if you need more information (leave comments!)

My lab started with a basic configuration without VLANs (but I will add them…), so I've configured several interfaces on my Vyatta Core router. I want my virtual machines to be able to reach the Internet, but unfortunately the router that connects me to the Internet has no way to add static routes, so it doesn't know how to return packets to the networks behind my router.

[Figure: n40lab_network_addressing diagram]

I need to translate the source address of packets from the 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 networks so that one address of the 192.168.1.0/24 network is used when those networks talk to the Internet. I'll configure "masquerade" NAT so that the eth0 IP address of my Vyatta Core router (watson) is used as the translated source address. For example, to translate the source address of packets from 192.168.10.0/24 to the one set on eth0 I'll use these commands:

// I've used 10 as the rule number, but you can use any other unused rule number in your configuration
vyatta@one-router:~$ configure
[edit]
vyatta@one-router# set nat source rule 10 outbound-interface eth0
[edit]
vyatta@one-router# set nat source rule 10 source address 192.168.10.0/24
[edit]
vyatta@one-router# set nat source rule 10 translation address masquerade
[edit]
vyatta@one-router# commit
[edit]
vyatta@one-router# save

OK, thanks to this masquerade NAT my virtual machines can download packages from the Internet. Important: masquerade is source NAT only. It does not make these virtual machines reachable from the Internet; inbound connections would need separate destination NAT (port forwarding) rules, so from outside they stay unreachable.
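Doing the same for all three inside networks in one step, as an added example that is not part of the original post or of Vyatta's own tooling: a small script meant to run on the router that emits one rule per network, numbered 10, 20, 30, and pushes the set/commit/save sequence through /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper, the non-interactive entry point to the Vyatta configuration system. That path, eth0 as the outbound interface and those rule numbers being free are assumptions; off the router the script just prints the commands it would apply.

```shell
#!/bin/sh
# Added example, not from the original post: configure masquerade source NAT
# on a Vyatta Core router for a list of inside networks in one go, instead
# of typing three "set" lines per network by hand. Assumptions: eth0 is the
# outbound interface, rule numbers 10, 20, 30, ... are unused, and the box
# has /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper (the scripting entry point to
# the configuration system). VYATTA_CFG can point at a stub for testing.
set -eu

VYATTA_CFG="${VYATTA_CFG:-/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper}"
OUT_IF="${OUT_IF:-eth0}"

# Cheap sanity check for a.b.c.d/nn, so a typo fails here instead of as a
# commit error half way through the batch.
is_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32 { ok = 1 }
        END { exit !ok }'
}

# nat_rules NET... : print the configuration commands. Rules are numbered
# 10, 20, 30, ... in argument order; source NAT rules are evaluated in
# ascending number order and the first match wins.
nat_rules() {
    n=10
    for net in "$@"; do
        is_cidr "$net" || { echo "not a network in CIDR form: $net" >&2; return 1; }
        echo "set nat source rule $n outbound-interface $OUT_IF"
        echo "set nat source rule $n source address $net"
        echo "set nat source rule $n translation address masquerade"
        n=$((n + 10))
    done
}

# apply_nat NET... : run the commands through the config wrapper as one
# configuration session: begin, set ..., commit, save, end.
apply_nat() {
    "$VYATTA_CFG" begin
    nat_rules "$@" | while read -r cmd; do
        # $cmd is deliberately unquoted: each word becomes one argument
        "$VYATTA_CFG" $cmd
    done
    "$VYATTA_CFG" commit
    "$VYATTA_CFG" save
    "$VYATTA_CFG" end
}

if [ -x "$VYATTA_CFG" ]; then
    apply_nat 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
else
    # Not on the router: only show what would be configured.
    nat_rules 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
fi
```

After the commit, `show configuration commands | grep 'nat source'` in operational mode prints the committed rules back as set commands, which is the quickest way to confirm that all three networks ended up with the masquerade translation and the right outbound interface.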

OpenVswitch – Port mirroring

I'm preparing a virtual laboratory for IDS and honeypot testing that will run on my OpenNebula private cloud. In the following diagram you can see that I want my IDS (sherlock) to inspect the traffic to and from my Vyatta firewall, so I'll do that by configuring port mirroring, thanks to Open vSwitch's impressive functionality. (I've used Dia for creating this diagram, what a great tool!)

[Figure: n40lab_ids_honeypot_ovswitch diagram]

My N40L server has only one physical Ethernet interface (eth0), and I've already created an Open vSwitch bridge called br0 with eth0 attached to it.

In OpenNebula I've configured one virtual network called inet which is mapped to br0. Watson (my Vyatta router) and Sherlock (my OSSIM machine full of sensors) each have one interface attached to inet/br0: vnet2 and vnet0 respectively.

# ovs-vsctl show
...
Bridge "br0"
    Port "vnet2"
        Interface "vnet2"
    Port "eth0"
        Interface "eth0"
    Port "vnet0"
        Interface "vnet0"
    Port "br0"
        Interface "br0"
          type: internal

OK. Now, according to the ovs-vsctl man page, if I want vnet2's traffic mirrored onto vnet0 I'll run the command below. Note which port goes where: select-src-port and select-dst-port name the port being watched (vnet2, the router, so both the frames it sends and the frames it receives are selected) and output-port is where the copies are delivered (vnet0, the IDS). The man page example mirrors eth0 onto eth1, so when you adapt it make sure the watched port and the output port don't end up swapped:

# ovs-vsctl -- set Bridge br0 mirrors=@m \
 -- --id=@vnet0 get Port vnet0 \
 -- --id=@vnet2 get Port vnet2 \
 -- --id=@m create Mirror name=mymirror select-dst-port=@vnet2 select-src-port=@vnet2 output-port=@vnet0
b74eaf43-92ca-48f5-9fe6-9a561a9937dd // the UUID of the new Mirror record

# ovs-vsctl list Bridge br0
_uuid : e3e03141-9754-489b-b4b8-17de2f063b44
controller : []
datapath_id : "0000009c029752bd"
datapath_type : ""
external_ids : {}
fail_mode : []
flood_vlans : []
flow_tables : {}
mirrors : [b74eaf43-92ca-48f5-9fe6-9a561a9937dd] // the Mirror UUID returned by the previous command

I checked that as soon as the mirror was set, my tcpdump started showing traffic sent to my firewall so that’s what I exactly wanted 😀

Keep in mind that Open vSwitch reserves a mirror output port for mirroring: once the mirror exists, vnet0 receives only the mirrored frames, and anything Sherlock sends on it is discarded. That is fine for a passive sensor, but it means that interface can't be used for anything else. If you want to stop mirroring, this removes every mirror configured on br0:

# ovs-vsctl clear Bridge br0 mirrors
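The create, inspect and remove steps above wrapped in one script, as an added example (my own, not from the original post or from the Open vSwitch project). It assumes the lab's names, br0 with vnet2 as the watched router port and vnet0 as the IDS port, and that OVS_VSCTL points at a real ovs-vsctl; the mirror name mymirror and the @w/@o/@m labels are just local choices.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper that creates,
# inspects and removes an Open vSwitch port mirror with the direction made
# explicit, so "which port is watched" and "which port gets the copies" are
# never confused. Assumes the lab names (br0, vnet2 = router, vnet0 = IDS);
# OVS_VSCTL can point at a stub for testing.
set -eu

OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"

# mirror_create BRIDGE WATCHED_PORT OUTPUT_PORT [NAME]
# Every frame that enters the switch on WATCHED_PORT (select-src-port) or
# leaves it through WATCHED_PORT (select-dst-port) is copied to OUTPUT_PORT.
# Everything is one ovs-vsctl transaction, so either the bridge ends up
# referencing the new Mirror record or nothing changes at all.
# "set Bridge ... mirrors=@m" replaces the bridge's mirror list; use
# "add Bridge BRIDGE mirrors @m" instead if other mirrors must survive.
mirror_create() {
    br=$1; watched=$2; out=$3; name=${4:-"mirror-$watched-to-$out"}
    "$OVS_VSCTL" \
        -- set Bridge "$br" mirrors=@m \
        -- --id=@w get Port "$watched" \
        -- --id=@o get Port "$out" \
        -- --id=@m create Mirror "name=$name" \
              select-src-port=@w select-dst-port=@w output-port=@o
}

# mirror_show NAME: dump the Mirror record so you can confirm which port
# UUIDs ended up in select_src_port/select_dst_port and in output_port.
mirror_show() {
    "$OVS_VSCTL" list Mirror "$1"
}

# mirror_destroy BRIDGE NAME: drop just this mirror from the bridge (unlike
# "clear Bridge br0 mirrors", which drops all of them). The Mirror record
# itself is garbage-collected by OVSDB once nothing references it.
mirror_destroy() {
    "$OVS_VSCTL" -- --id=@m get Mirror "$2" -- remove Bridge "$1" mirrors @m
}

# Only touch a real switch when ovs-vsctl is actually available.
if command -v "$OVS_VSCTL" >/dev/null 2>&1; then
    mirror_create br0 vnet2 vnet0 mymirror
    mirror_show mymirror
else
    echo "ovs-vsctl not found; nothing done" >&2
fi
```

The direction is the part worth checking in the `mirror_show` output: select_src_port and select_dst_port must both hold vnet2's Port UUID and output_port must hold vnet0's. If they are the other way round, the IDS port is being copied onto the router and Sherlock sees nothing.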

Well, the ovs-vsctl man page is full of info, so if I find more interesting things I'll let you know.

My first OpenNebula appliance in the Marketplace

I'm very happy to announce that today I've uploaded my first appliance to OpenNebula's Marketplace. For my first appliance I've chosen Vyatta Core's virtual router/firewall.

It was difficult to make the contextualization work, but it helped me learn more about OpenNebula and Vyatta. Please leave your comments or contact me if you find any problem with this image.

Thanks to Vyatta's forum and other blogs I could understand how to configure the interface addresses automatically. I want to share with you many links that were helpful:

I'd also like to thank C12G for the Marketplace and my friend Jose David for hosting the image.

I hope this image works for you and that you find it useful.

Enjoy!