I would like to switch from iptables to Brocade/Vyatta, but am having trouble "converting" firewall rules.
This is my iptables, which works:
# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Allow traffic between VLAN servers
iptables -A INPUT -s 89.55.42.0/28 -j ACCEPT
# Allow SSH
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow ICMP for monitoring
iptables -A INPUT -p icmp -j ACCEPT
And this is my try on Brocade/Vyatta:
set security firewall name VLAN-200-IN default-action 'drop'
set security firewall name VLAN-200-IN rule 10 action 'accept'
set security firewall name VLAN-200-IN rule 10 source address '89.55.42.0/28'
set security firewall name VLAN-200-IN rule 20 action 'accept'
set security firewall name VLAN-200-IN rule 20 destination port '22'
set security firewall name VLAN-200-IN rule 20 protocol 'tcp'
set security firewall name VLAN-200-IN rule 30 action 'accept'
set security firewall name VLAN-200-IN rule 30 protocol 'icmp'
set security firewall name VLAN-200-OUT default-action 'accept'
Which is attached to my VLAN/VIF:
interfaces {
    bonding dp0bond1 {
        address 77.51.23.1/23
        mode lacp
        vif 200 {
            address 89.55.42.0/28
            firewall {
                in VLAN-200-IN
                out VLAN-200-OUT
            }
        }
        vrrp {
            vrrp-group 2 {
                ...
            }
        }
    }
...
I'm testing and want to protect the VLAN 200, but with my example I'm still able to send packets via SIP port 5060 through to servers behind the gateway. What have I misunderstood?
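Added example, not part of the question: on Vyatta/Brocade the firewall direction is relative to the router, so `in` on vif 200 filters traffic arriving from the VLAN 200 servers, `out` filters traffic leaving the router toward them, and `local` (the equivalent of the iptables INPUT chain) filters traffic addressed to the router itself. The rulesets below are an illustration of that split and assume the vRouter 5600 keywords `state enable` (make an accept rule stateful, so replies pass like ESTABLISHED,RELATED) and `firewall local`; verify both against your release's CLI reference before committing.

```vyatta
# Added example (not the poster's config). Direction is seen from the router:
#   in    = packets entering the router from VLAN 200
#   out   = packets leaving the router toward VLAN 200
#   local = packets addressed to the router itself (iptables INPUT)
# The original VLAN-200-OUT had default-action accept, which is why
# SIP/5060 from the outside reached the servers unfiltered.
# Assumption: "state enable" marks an accept rule stateful on the 5600.

# From the servers: let them out, track the sessions so replies return
set security firewall name VLAN-200-IN default-action 'drop'
set security firewall name VLAN-200-IN rule 10 action 'accept'
set security firewall name VLAN-200-IN rule 10 source address '89.55.42.0/28'
set security firewall name VLAN-200-IN rule 10 state 'enable'

# Toward the servers: default drop, only SSH and ICMP get in
set security firewall name VLAN-200-OUT default-action 'drop'
set security firewall name VLAN-200-OUT rule 20 action 'accept'
set security firewall name VLAN-200-OUT rule 20 protocol 'tcp'
set security firewall name VLAN-200-OUT rule 20 destination port '22'
set security firewall name VLAN-200-OUT rule 20 state 'enable'
set security firewall name VLAN-200-OUT rule 30 action 'accept'
set security firewall name VLAN-200-OUT rule 30 protocol 'icmp'
set security firewall name VLAN-200-OUT rule 30 state 'enable'

# Attach each ruleset to the direction it is written for.
# Assumption: the "local" hook exists on this release.
set interfaces bonding dp0bond1 vif 200 firewall in 'VLAN-200-IN'
set interfaces bonding dp0bond1 vif 200 firewall out 'VLAN-200-OUT'
set interfaces bonding dp0bond1 vif 200 firewall local 'VLAN-200-IN'
```

After `commit`, a test connection to 5060 from outside should now be dropped by VLAN-200-OUT, while connections opened by the servers still get their replies through the tracked session.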