Setup NAT Rules on Vyatta

Following are some examples of Network Address Translation (NAT) rules used on a Vyatta.

One-to-many NAT rule (masquerade)

Enter the following commands in the prompt:

  • set nat source rule 1000 description 'pass traffic to the internet'
  • set nat source rule 1000 outbound-interface 'bond1'
  • set nat source rule 1000 protocol 'tcp_udp'
  • set nat source rule 1000 source address '10.125.49.128/26'
  • set nat source rule 1000 translation address 'masquerade'
  • commit

Connection requests from machines in the 10.xxx.xxx.xxx source network (10.125.49.128/26 in the example) are mapped to the IP on bond1 and get an ephemeral port associated with them when going outbound. Give one-to-many masquerade rules higher numbers so they don't conflict with the lower-numbered NAT rules that you may have.[1]

One-to-one NAT rule

The commands below show how to set up a one-to-one NAT rule. Notice that the rule numbers are lower than the masquerade rule's; this is so the one-to-one rules take precedence over the one-to-many rules.[2]

The following commands define a source rule and a destination rule. Type show nat in configuration mode to see the NAT rule types.[3]

Enter the following commands in the prompt after ensuring you are in configuration mode:

  • set nat source rule 9 outbound-interface 'bond1'
  • set nat source rule 9 protocol 'all'
  • set nat source rule 9 source address '10.52.69.202'
  • set nat source rule 9 translation address '50.97.203.227'
  • set nat destination rule 9 destination address '50.97.203.227'
  • set nat destination rule 9 inbound-interface 'bond1'
  • set nat destination rule 9 protocol 'all'
  • set nat destination rule 9 translation address '10.52.69.202'
  • commit

If traffic comes in to IP 50.97.203.227 on bond1, that IP will be mapped to IP 10.52.69.202 (on any interface defined). If traffic goes outbound from the IP 10.52.69.202 (on any interface defined), it will be translated to IP 50.97.203.227 and proceed outbound on interface bond1.[4]
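The precedence point above (the one-to-one rule 9 must carry a lower number than masquerade rule 1000) and note 2 (a one-to-one host cannot also be masqueraded, and an inbound mapping needs its outbound counterpart) are easy to get wrong when rules accumulate. The following script is an added example, not part of the original page or of the Vyatta software: it parses the page's own "set nat" commands into a rule table, walks the rules in ascending number order with first match winning (the Vyatta evaluation order this page relies on), and lints for one-to-one mappings that a lower-numbered masquerade rule would shadow or that lack the reverse destination rule. The sample configuration is the page's rule set embedded as a constructed string; all function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the rules from this page (one-to-one rule 9, masquerade rule 1000).
SAMPLE_CONFIG = """
set nat source rule 1000 description 'pass traffic to the internet'
set nat source rule 1000 outbound-interface 'bond1'
set nat source rule 1000 protocol 'tcp_udp'
set nat source rule 1000 source address '10.125.49.128/26'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 9 outbound-interface 'bond1'
set nat source rule 9 protocol 'all'
set nat source rule 9 source address '10.52.69.202'
set nat source rule 9 translation address '50.97.203.227'
set nat destination rule 9 destination address '50.97.203.227'
set nat destination rule 9 inbound-interface 'bond1'
set nat destination rule 9 protocol 'all'
set nat destination rule 9 translation address '10.52.69.202'
"""

LINE_RE = re.compile(
    r"^set nat (?P<dir>source|destination) rule (?P<num>\d+) (?P<key>.+?) '(?P<val>[^']*)'$"
)


def parse_nat(config_text):
    """Build {'source': {num: {key: val}}, 'destination': {...}} from 'set nat' lines."""
    rules = {"source": defaultdict(dict), "destination": defaultdict(dict)}
    for raw in config_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # 'commit' and non-NAT lines are ignored
            rules[m["dir"]][int(m["num"])][m["key"]] = m["val"]
    return rules


def _proto_matches(rule_proto, proto):
    # 'all' or an unset protocol matches everything; 'tcp_udp' covers tcp and udp only.
    return rule_proto in (None, "all") or proto in rule_proto.split("_")


def _addr_matches(rule_addr, ip):
    # An unset address matches everything; otherwise host or CIDR membership.
    return rule_addr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def _first_match(table, iface_key, iface, addr_key, addr, proto):
    # Rules are evaluated in ascending rule number; the first match wins.
    for num in sorted(table):
        r = table[num]
        if r.get(iface_key) not in (None, iface):
            continue
        if not _proto_matches(r.get("protocol"), proto) or not _addr_matches(r.get(addr_key), addr):
            continue
        return num, r.get("translation address")
    return None


def translate_source(rules, src_ip, out_iface, proto):
    """Outbound packet: (rule number, translation) of the first matching source rule, or None."""
    return _first_match(rules["source"], "outbound-interface", out_iface, "source address", src_ip, proto)


def translate_destination(rules, dst_ip, in_iface, proto):
    """Inbound packet: (rule number, translation) of the first matching destination rule, or None."""
    return _first_match(rules["destination"], "inbound-interface", in_iface, "destination address", dst_ip, proto)


def lint_one_to_one(rules):
    """Warn when a one-to-one source rule is shadowed by a lower-numbered masquerade rule on the
    same interface, or has no destination rule mapping the public IP back (the page's note 2)."""
    warnings = []
    masq = [(n, r) for n, r in rules["source"].items() if r.get("translation address") == "masquerade"]
    for num, r in rules["source"].items():
        ext, host = r.get("translation address"), r.get("source address")
        if ext in (None, "masquerade") or host is None:
            continue
        host_net = ipaddress.ip_network(host, strict=False)
        for mnum, mr in masq:
            same_iface = mr.get("outbound-interface") in (None, r.get("outbound-interface"))
            masq_net = ipaddress.ip_network(mr.get("source address", "0.0.0.0/0"), strict=False)
            if mnum < num and same_iface and host_net.overlaps(masq_net):
                warnings.append(f"source rule {num}: shadowed by masquerade rule {mnum}; renumber it below {mnum}")
        if not any(d.get("destination address") == ext and d.get("translation address") == host
                   for d in rules["destination"].values()):
            warnings.append(f"source rule {num}: no destination rule maps {ext} back to {host}")
    return warnings


if __name__ == "__main__":
    nat = parse_nat(SAMPLE_CONFIG)
    print(translate_source(nat, "10.52.69.202", "bond1", "tcp"))      # (9, '50.97.203.227')
    print(translate_source(nat, "10.125.49.150", "bond1", "udp"))     # (1000, 'masquerade')
    print(translate_destination(nat, "50.97.203.227", "bond1", "tcp"))  # (9, '10.52.69.202')
    print(lint_one_to_one(nat))                                       # []
```

Running the linter over a variant in which the masquerade range also covers the one-to-one host and rule 9 is renumbered above 1000 shows why the ordering matters: the simulated lookup for 10.52.69.202 then lands on the masquerade rule, and the linter reports the shadowed mapping.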

Adding IP ranges through your Brocade 5400 vRouter (Vyatta)

Depending on your Brocade 5400 vRouter configuration, you may want to accept specific SoftLayer IP addresses. A complete list of the SoftLayer IP addresses you may want to allow through your Vyatta can be found at http://knowledgelayer.softlayer.com/faq/what-ip-ranges-do-i-allow-through-firewall/

Newer Brocade 5400 vRouter deployments come with SoftLayer's services network IP addresses defined in a firewall rule called SERVICE-ALLOW.

The following is an example of SERVICE-ALLOW (note that this is not a complete private IP rule set):

  • set firewall name SERVICE-ALLOW rule 1 action 'accept'
  • set firewall name SERVICE-ALLOW rule 1 destination address '10.0.64.0/19'
  • set firewall name SERVICE-ALLOW rule 2 action 'accept'
  • set firewall name SERVICE-ALLOW rule 2 destination address '10.1.128.0/19'
  • set firewall name SERVICE-ALLOW rule 3 action 'accept'
  • set firewall name SERVICE-ALLOW rule 3 destination address '10.0.86.0/24'

Once you have defined the firewall rules, you can assign them as you see fit. Two examples are listed below: applying them to a zone policy and applying them to a bonding interface.

  • set zone-policy zone private from dmz firewall name SERVICE-ALLOW
  • set interfaces bonding bond0 firewall local name SERVICE-ALLOW


Notes:

[1] You will need to configure the server passing its Internet traffic through the Brocade 5400 vRouter so that its default gateway is the private IP address of the managed virtual LAN (VLAN). For example, for bond0.2254 the gateway is 10.52.69.201; this should be the gateway address for the server passing Internet traffic.

[2] IP addresses that are mapped one-to-one cannot also be masqueraded. If you translate an IP inbound, you must translate that IP outbound in order for traffic to go both ways.

[3] Use the following command to help troubleshoot NAT: run show nat source translations detail.

[4] Use the following command to help troubleshoot NAT: run show nat source translations detail.