Sunday, May 31, 2015

Configuring a Vyatta Firewall in IBM SoftLayer

Summary

This blog post covers the steps to allow access to a Web or application server that is being protected by a Vyatta gateway in IBM SoftLayer. Vyatta can be used as a firewall as well as a network gateway. Vyatta is a low-cost firewall option, but the learning curve is steeper than for the FortiGate firewall options available on SoftLayer.

This post will cover some steps to protect a Web server or application server in SoftLayer. 

Process

Order a Gateway appliance in the data center where you have your application servers.
Associate the VLANs with the Gateway as shown below in the picture. The application server is configured to sit on the public VLAN and the private VLAN. The database tier will sit only on a private VLAN.

SoftLayer Gateway Page


In the picture above, there are two associated VLANs. The VLANs can bypass Vyatta or be associated with the Vyatta gateway. Once the VLAN is associated with the Vyatta gateway, Vyatta firewall rules must be applied to access the applications running on that VLAN.

To configure Vyatta you need the gateway address and the subnet address of the associated VLAN.
Determine the subnet and gateway address for the VLAN.
  • From the gateway page, click on the link to the VLAN page.
  • From the VLAN page, click on the Subnet page as shown below. 

SoftLayer VLAN subnet page


Log in to the Vyatta system.
Enter configure to change settings.
-- Associate the gateway with an adapter. eth0 is the private network; eth1 is the public network.

set interfaces ethernet eth1 vif <public vlan number> address <gateway address>
set interfaces ethernet eth0 vif <private vlan number> address <other gateway address>


--example

set interfaces ethernet eth0 vif 1607 address 10.77.153.65/26
set interfaces ethernet eth1 vif 1253 address 184.173.49.1/27

You may also see a bonded adapter configuration when invoking show interfaces before entering configuration mode. If so, use the following command instead.

set interfaces bonding bond1 vif 1253 address 184.173.49.1/27

-- Create an inbound rule set for the public interface that allows the Web or application server ports

set firewall name home_in rule 10 action accept
set firewall name home_in rule 10 description "allow access to web or application server port"


-- The 184.173.49.0/27 is the subnet address

set firewall name home_in rule 10 destination address 184.173.49.0/27
set firewall name home_in rule 10 destination port 80,8080

set firewall name home_in rule 10 protocol tcp
set interfaces ethernet eth1 firewall in name home_in


set firewall name home_out rule 10 action accept
set firewall name home_out rule 10 description "allow traffic from Web subnet back out"
set firewall name home_out rule 10 source address 184.173.49.0/27
set firewall name home_out rule 10 protocol tcp
set interfaces ethernet eth1 firewall out name home_out

-- In my case the database is somewhere else, so allow the database server address to connect back to the Web subnet

set firewall name home_in rule 11 action accept
set firewall name home_in rule 11 description "database back to web"
set firewall name home_in rule 11 source address 52.22.138.15
set firewall name home_in rule 11 destination address 184.173.49.0/27
set firewall name home_in rule 11 protocol tcp

commit

The Web or application server should now be available.

After entering all these rules, enter commit to put them into effect, but do not save the configuration until you are satisfied that it is working. If you do not save your changes, it is easy to reboot and try again.
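The steps above are easy to get wrong by hand (the truncated /27 prefix, or a firewall subnet that does not match the VIF gateway). As an added example, not code from the post or from Vyatta, the Python helper below generates the same set commands from the VLAN numbers, gateway addresses and ports, derives the firewall subnet from the gateway address the way the post does (184.173.49.1/27 gives 184.173.49.0/27), and refuses implausible input before anything is pasted into configure. The function names, the /16 prefix-length heuristic and the bonded-interface firewall attachment are assumptions of this example.

```python
"""Generate and sanity-check the Vyatta 'set' commands for one Web VLAN.

Added example (not from the post or from Vyatta). The helper names, the /16
heuristic and the bond1 firewall attachment are assumptions; the command
syntax is the one shown in the post.
"""
import ipaddress


def _gateway(interface):
    """Parse 'addr/prefix' and reject values that cannot be a VLAN gateway."""
    iface = ipaddress.ip_interface(interface)
    # Assumption: SoftLayer VLAN subnets are small, so a prefix shorter than
    # /16 is almost certainly a truncated typo (e.g. '/2' instead of '/27').
    if iface.network.prefixlen < 16:
        raise ValueError(f"{interface}: /{iface.network.prefixlen} is implausible for a VLAN gateway")
    # The gateway must be a usable host address inside the subnet.
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        raise ValueError(f"{interface}: gateway cannot be the network or broadcast address")
    return iface


def vyatta_web_vlan_config(public_vif, public_gateway, private_vif, private_gateway,
                           web_ports, db_server=None, bonded=False):
    """Return the configuration-mode commands as a list of strings, ending with commit."""
    pub = _gateway(public_gateway)
    priv = _gateway(private_gateway)
    for port in web_ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port {port}")
    # The public VIF sits on eth1, or on bond1 when 'show interfaces' reports bonding.
    public_if = "bonding bond1" if bonded else "ethernet eth1"
    subnet = str(pub.network)                 # 184.173.49.1/27 -> 184.173.49.0/27
    ports = ",".join(str(p) for p in web_ports)
    cmds = [
        f"set interfaces ethernet eth0 vif {private_vif} address {priv.with_prefixlen}",
        f"set interfaces {public_if} vif {public_vif} address {pub.with_prefixlen}",
        "set firewall name home_in rule 10 action accept",
        'set firewall name home_in rule 10 description "allow access to web or application server port"',
        f"set firewall name home_in rule 10 destination address {subnet}",
        f"set firewall name home_in rule 10 destination port {ports}",
        "set firewall name home_in rule 10 protocol tcp",
        "set firewall name home_out rule 10 action accept",
        'set firewall name home_out rule 10 description "allow traffic from Web subnet back out"',
        f"set firewall name home_out rule 10 source address {subnet}",
        "set firewall name home_out rule 10 protocol tcp",
    ]
    if db_server is not None:
        db = ipaddress.ip_address(db_server)  # a single host address, not a range
        cmds += [
            "set firewall name home_in rule 11 action accept",
            'set firewall name home_in rule 11 description "database back to web"',
            f"set firewall name home_in rule 11 source address {db}",
            f"set firewall name home_in rule 11 destination address {subnet}",
            "set firewall name home_in rule 11 protocol tcp",
        ]
    # Attach both rule sets to the public-facing interface. The post attaches
    # them to eth1; using bond1 in the bonded case is this example's assumption.
    cmds += [
        f"set interfaces {public_if} firewall in name home_in",
        f"set interfaces {public_if} firewall out name home_out",
        "commit",
    ]
    return cmds


if __name__ == "__main__":
    # Values from the post; print the commands to paste into configure.
    for line in vyatta_web_vlan_config(1253, "184.173.49.1/27", 1607, "10.77.153.65/26",
                                       [80, 8080], db_server="52.22.138.15"):
        print(line)
```

Review the printed list before pasting it into configure; the generator stops at commit on purpose, so the save decision described above stays with you.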

To view the new routes, exit from configuration mode and enter show ip route.

$ show ip route
S    *> 0.0.0.0/0 [1/0] via 173.193.94.249, eth1
S    *> 10.0.0.0/8 [1/0] via 10.77.153.1, eth0
C    *  10.77.153.0/26 is directly connected, eth0v1
C    *> 10.77.153.0/26 is directly connected, eth0
C    *> 10.77.153.64/26 is directly connected, eth0.1607
C    *> 127.0.0.0/8 is directly connected, lo
C    *  173.193.94.248/29 is directly connected, eth1v1
C    *> 173.193.94.248/29 is directly connected, eth1
C    *> 184.173.49.0/27 is directly connected, eth1.1253

There are two new routes to the associated VLANs. 
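Spotting those two routes by eye works for one gateway; when checking several, a small parser is handier. As an added example, not from the post, the Python below parses the show ip route output above (embedded as sample input, copied from the post), picks out the selected connected routes on VLAN sub-interfaces, and reports any expected subnet/interface pair that is missing, which is the check to run right after commit. The function names and the sub-interface naming pattern it matches are assumptions of this example.

```python
"""Check that the associated VLAN subnets appear as connected routes after commit.

Added example (not from the post or from Vyatta). Sample input is the
'show ip route' output printed in the post.
"""
import ipaddress
import re

# Sample output of 'show ip route', copied from the post.
SAMPLE_ROUTES = """\
S    *> 0.0.0.0/0 [1/0] via 173.193.94.249, eth1
S    *> 10.0.0.0/8 [1/0] via 10.77.153.1, eth0
C    *  10.77.153.0/26 is directly connected, eth0v1
C    *> 10.77.153.0/26 is directly connected, eth0
C    *> 10.77.153.64/26 is directly connected, eth0.1607
C    *> 127.0.0.0/8 is directly connected, lo
C    *  173.193.94.248/29 is directly connected, eth1v1
C    *> 173.193.94.248/29 is directly connected, eth1
C    *> 184.173.49.0/27 is directly connected, eth1.1253
"""

# One Quagga-style route line: code, selection flags, prefix, next hop or
# "directly connected", and the outgoing interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<flags>\*>?)\s+(?P<prefix>\S+)\s+"
    r"(?:\[[^\]]*\]\s+via\s+(?P<nexthop>\S+)|is directly connected),\s+(?P<iface>\S+)\s*$"
)

# Assumption: VLAN sub-interfaces are named ethN.<vif> or bondN.<vif>.
VIF_RE = re.compile(r"(eth|bond)\d+\.\d+")


def parse_routes(text):
    """Parse 'show ip route' lines into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append({
            "code": m["code"],                 # S = static, C = connected
            "selected": m["flags"] == "*>",    # '*>' marks the route actually installed
            "prefix": ipaddress.ip_network(m["prefix"]),
            "nexthop": m["nexthop"],           # None for connected routes
            "iface": m["iface"],
        })
    return routes


def vlan_routes(routes):
    """Selected connected routes whose interface is a VLAN sub-interface."""
    return [r for r in routes
            if r["code"] == "C" and r["selected"] and VIF_RE.fullmatch(r["iface"])]


def missing_vlan_routes(routes, expected):
    """Return (subnet, iface) pairs from 'expected' that have no selected connected route.

    'expected' maps a subnet string to the sub-interface it should be on,
    e.g. {"184.173.49.0/27": "eth1.1253", "10.77.153.64/26": "eth0.1607"}.
    """
    have = {(str(r["prefix"]), r["iface"]) for r in vlan_routes(routes)}
    wanted = [(str(ipaddress.ip_network(s)), i) for s, i in expected.items()]
    return [pair for pair in wanted if pair not in have]


if __name__ == "__main__":
    parsed = parse_routes(SAMPLE_ROUTES)
    for r in vlan_routes(parsed):
        print(f"VLAN route: {r['prefix']} on {r['iface']}")
    gaps = missing_vlan_routes(parsed, {"184.173.49.0/27": "eth1.1253",
                                        "10.77.153.64/26": "eth0.1607"})
    print("missing:", gaps or "none")
```

An empty result from missing_vlan_routes is the confirmation that both VIF addresses were committed; a pair that is listed as missing usually means the vif number or prefix on the set interfaces line does not match the subnet page.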