Re: [CentOS] CentOS 6.3 as Firewall/Router
On 05/01/2013 15:25, Ryan Wagoner wrote:
> Or don't use CentOS at all and try OpenBSD PF. The syntax is much cleaner
> and easier to maintain than Netfilter/IPTables and it works pretty darn
> well. ;)
>
> If you want to stick with linux look at Vyatta. I have 5 production
> installs (3 physical and 3 VMs) and upgrades have been flawless. The
> config resides in one file and the console has a Juniper style syntax.

On a similar vein, I use pfsense as a Firewall (FreeBSD derivative). Has
many features and Web GUI configuration. Seems to really do the trick for
me.

I tend to only use the iptables firewall in CentOS for host based
firewalling (basically I only edit the INPUT table); for multi-homed
dedicated firewalls (i.e. using the FORWARD'ing table) something like
pfsense really does it nicely.

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6.3 as Firewall/Router
On Sat, 5 Jan 2013, Tim Evans wrote:

> On 01/05/2013 10:13 AM, m...@tdiehl.org wrote:
>> On Fri, 4 Jan 2013, Steve Campbell wrote:
>>> On 1/4/2013 12:21 PM, Tim Evans wrote:
>>>> On 01/04/2013 12:01 PM, Tim Evans wrote:
>>>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
>>>>> new CentOS 6.3 system. In the olden days, I successfully used the
>>>>> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
>>>>> but this doesn't seem to be quite working on the new system.
>>>>>
>>>>> Specifically, while it seems to be routing ok, you cannot connect to
>>>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>>>> connect to the system with ssh or anything else from elsewhere on the
>>>>> inside net. Yet arp shows this system active.
>>>>>
>>>>> Is there obsolete stuff here, and/or anything missing that would
>>>>> cause this?
>>>>
>>>> Nevermind... Temporary IP address in the script was wrong; corrected
>>>> and now working. Will be glad to see comments, though.
>>>
>>> Use Firewall Builder. It makes things so much easier. And it's free.
>>>
>>> http://www.fwbuilder.org/
>>
>> +1000 for fwbuilder. Raw iptables commands are not only error prone but
>> will make your brain hurt.
>
> As the original poster, I welcome these suggestions, but point out my
> ruleset was already written and working. Last I looked (a long time ago,
> I admit), fwbuilder could not import an existing set of rules and turn it
> into the necessary fwbuilder abstractions, which meant I'd have to
> re-invent the working wheel, just to get it into fwbuilder.

That is no longer true. fwb has a tool to import existing rules although I
have never used it.

Regards,

--
Tom                     m...@tdiehl.org
Spamtrap address        me...@tdiehl.org
Re: [CentOS] CentOS 6.3 as Firewall/Router
fwbuilder+quagga is a great choice.

Banyan He
Blog: http://www.rootong.com
Email: ban...@rootong.com

On 1/5/2013 11:13 PM, m...@tdiehl.org wrote:
> On Fri, 4 Jan 2013, Steve Campbell wrote:
>> On 1/4/2013 12:21 PM, Tim Evans wrote:
>>> On 01/04/2013 12:01 PM, Tim Evans wrote:
>>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
>>>> new CentOS 6.3 system. In the olden days, I successfully used the
>>>> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
>>>> but this doesn't seem to be quite working on the new system.
>>>>
>>>> Specifically, while it seems to be routing ok, you cannot connect to
>>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>>> connect to the system with ssh or anything else from elsewhere on the
>>>> inside net. Yet arp shows this system active.
>>>>
>>>> Is there obsolete stuff here, and/or anything missing that would
>>>> cause this?
>>>
>>> Nevermind... Temporary IP address in the script was wrong; corrected
>>> and now working. Will be glad to see comments, though.
>>
>> Use Firewall Builder. It makes things so much easier. And it's free.
>>
>> http://www.fwbuilder.org/
>
> +1000 for fwbuilder. Raw iptables commands are not only error prone but
> will make your brain hurt.
>
> Regards,
Re: [CentOS] CentOS 6.3 as Firewall/Router
On Fri, 4 Jan 2013, Steve Campbell wrote:

> On 1/4/2013 12:21 PM, Tim Evans wrote:
>> On 01/04/2013 12:01 PM, Tim Evans wrote:
>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>>> CentOS 6.3 system. In the olden days, I successfully used the attached
>>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
>>> doesn't seem to be quite working on the new system.
>>>
>>> Specifically, while it seems to be routing ok, you cannot connect to
>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>> connect to the system with ssh or anything else from elsewhere on the
>>> inside net. Yet arp shows this system active.
>>>
>>> Is there obsolete stuff here, and/or anything missing that would cause
>>> this?
>>
>> Nevermind... Temporary IP address in the script was wrong; corrected
>> and now working. Will be glad to see comments, though.
>
> Use Firewall Builder. It makes things so much easier. And it's free.
>
> http://www.fwbuilder.org/

+1000 for fwbuilder. Raw iptables commands are not only error prone but
will make your brain hurt.

Regards,

--
Tom                     m...@tdiehl.org
Spamtrap address        me...@tdiehl.org
Re: [CentOS] CentOS 6.3 as Firewall/Router
On Fri, Jan 4, 2013 at 12:31 PM, James A. Peltier <jpelt...@sfu.ca> wrote:
> - Original Message -
> |
> | On 1/4/2013 12:21 PM, Tim Evans wrote:
> | On 01/04/2013 12:01 PM, Tim Evans wrote:
> | I'm replacing an ancient Solaris 'ipf' firewall/router with a
> | brand new
> | CentOS 6.3 system. In the olden days, I successfully used the
> | attached
> | iptables script (as /etc/rc.local) on Red Hat 5.x systems, but
> | this
> | doesn't seem to be quite working on the new system.
> |
> | Specifically, while it seems to be routing ok, you cannot connect
> | to
> | anything on the inside net (e.g., with ssh or a browser) and
> | cannot
> | connect to the system with ssh or anything else from elsewhere on
> | the
> | inside net. Yet arp shows this system active.
> |
> | Is there obsolete stuff here, and/or anything missing that would
> | cause
> | this?
> |
> | Nevermind... Temporary IP address in the script was wrong;
> | corrected
> | and now working. Will be glad to see comments, though.
> |
> |
> | Use Firewall Builder. It makes things so much easier. And it's free.
> |
> | http://www.fwbuilder.org/
> |
> | steve campbell
>
> Or don't use CentOS at all and try OpenBSD PF. The syntax is much cleaner
> and easier to maintain than Netfilter/IPTables and it works pretty darn
> well. ;)

If you want to stick with linux look at Vyatta. I have 5 production
installs (3 physical and 3 VMs) and upgrades have been flawless. The config
resides in one file and the console has a Juniper style syntax.

Ryan
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 01/05/2013 10:13 AM, m...@tdiehl.org wrote:
> On Fri, 4 Jan 2013, Steve Campbell wrote:
>> On 1/4/2013 12:21 PM, Tim Evans wrote:
>>> On 01/04/2013 12:01 PM, Tim Evans wrote:
>>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
>>>> new CentOS 6.3 system. In the olden days, I successfully used the
>>>> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
>>>> but this doesn't seem to be quite working on the new system.
>>>>
>>>> Specifically, while it seems to be routing ok, you cannot connect to
>>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>>> connect to the system with ssh or anything else from elsewhere on the
>>>> inside net. Yet arp shows this system active.
>>>>
>>>> Is there obsolete stuff here, and/or anything missing that would
>>>> cause this?
>>>
>>> Nevermind... Temporary IP address in the script was wrong; corrected
>>> and now working. Will be glad to see comments, though.
>>
>> Use Firewall Builder. It makes things so much easier. And it's free.
>>
>> http://www.fwbuilder.org/
>
> +1000 for fwbuilder. Raw iptables commands are not only error prone but
> will make your brain hurt.

As the original poster, I welcome these suggestions, but point out my
ruleset was already written and working. Last I looked (a long time ago, I
admit), fwbuilder could not import an existing set of rules and turn it into
the necessary fwbuilder abstractions, which meant I'd have to re-invent the
working wheel, just to get it into fwbuilder.

--
Tim Evans                       | 5 Chestnut Court
Linux/UNIX Consulting           | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkev...@tkevans.com
[CentOS] CentOS 6.3 as Firewall/Router
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
CentOS 6.3 system. In the olden days, I successfully used the attached
iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't
seem to be quite working on the new system.

Specifically, while it seems to be routing ok, you cannot connect to
anything on the inside net (e.g., with ssh or a browser) and cannot connect
to the system with ssh or anything else from elsewhere on the inside net.
Yet arp shows this system active.

Is there obsolete stuff here, and/or anything missing that would cause
this?

Thanks.

--
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkev...@tkevans.com

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

#/sbin/insmod e100
#/sbin/ifup eth1

# Default gateway, read from the dhclient lease on eth0.
ROUTER=`grep routers /var/lib/dhclient/dhclient-eth0.leases | head -1 | awk '{print $NF}' | sed 's/;//g'`
route add default gw $ROUTER
#
# Sun Apr 3 09:11:44 EDT 2005
##
#
IPTABLES=/sbin/iptables
INET_IFACE=eth0
OSPREY=192.168.252.3
INET_IP=`ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | sed 's/ Bcast//'`
LAN_IP=192.168.252.5
DHCP=yes
# DHCP server address, also read from the dhclient lease on eth0.
DHCP_SERVER=`grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases | head -1 | awk '{print $NF}' | sed 's/;//g'`
LAN_IP_RANGE=192.168.252.0/24
LAN_BROADCAST_ADDRESS=192.168.252.255
LAN_IFACE=eth0
LO_IFACE=lo
LO_IP=127.0.0.1

# 2. Module loading.
/sbin/depmod -a

# 2.1 Required modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

# 2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

# 3. /proc set up.

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# 3.2 Non-Required proc configuration
#echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# 4. rules set up.

# 4.1 Filter table

# 4.1.1 Set policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# 4.1.2 Create userspecified chains

# Create chain for bad tcp packets
/sbin/iptables -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
/sbin/iptables -N allowed
/sbin/iptables -N tcp_packets
/sbin/iptables -N udpincoming_packets
/sbin/iptables -N icmp_packets

# 4.1.3 Create content in userspecified chains

# bad_tcp_packets chain
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
/sbin/iptables -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A allowed -p TCP -j DROP

# UDP ports
/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = yes ] ; then
    /sbin/iptables -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
        --dport 68 -j ACCEPT
fi

# ICMP rules
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain

# Bad TCP packets we don't want.
/sbin/iptables -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet
/sbin/iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
/sbin/iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# Rules for incoming packets from the internet.
/sbin/iptables -A INPUT -p ALL -i $INET_IFACE -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A
Re: [CentOS] CentOS 6.3 as Firewall/Router
Why not try reconfiguring using /usr/bin/system-config-firewall-tui instead
of a manually created configuration.

Mike

On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
> doesn't seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?
>
> Thanks.
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
> doesn't seem to be quite working on the new system.

I once ran a CentOS firewall/router. I used Shorewall for the heavy lifting
on maintaining the tables properly. I recommend you find such a tool as they
tend to get things like below sorted out for you.

> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?
>
> Thanks.
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
> doesn't seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?

Nevermind... Temporary IP address in the script was wrong; corrected and
now working. Will be glad to see comments, though.

--
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkev...@tkevans.com
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 1/4/2013 12:21 PM, Tim Evans wrote:
> On 01/04/2013 12:01 PM, Tim Evans wrote:
>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>> CentOS 6.3 system. In the olden days, I successfully used the attached
>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
>> doesn't seem to be quite working on the new system.
>>
>> Specifically, while it seems to be routing ok, you cannot connect to
>> anything on the inside net (e.g., with ssh or a browser) and cannot
>> connect to the system with ssh or anything else from elsewhere on the
>> inside net. Yet arp shows this system active.
>>
>> Is there obsolete stuff here, and/or anything missing that would cause
>> this?
>
> Nevermind... Temporary IP address in the script was wrong; corrected
> and now working. Will be glad to see comments, though.

Use Firewall Builder. It makes things so much easier. And it's free.

http://www.fwbuilder.org/

steve campbell
Re: [CentOS] CentOS 6.3 as Firewall/Router
- Original Message -
|
| On 1/4/2013 12:21 PM, Tim Evans wrote:
| On 01/04/2013 12:01 PM, Tim Evans wrote:
| I'm replacing an ancient Solaris 'ipf' firewall/router with a
| brand new
| CentOS 6.3 system. In the olden days, I successfully used the
| attached
| iptables script (as /etc/rc.local) on Red Hat 5.x systems, but
| this
| doesn't seem to be quite working on the new system.
|
| Specifically, while it seems to be routing ok, you cannot connect
| to
| anything on the inside net (e.g., with ssh or a browser) and
| cannot
| connect to the system with ssh or anything else from elsewhere on
| the
| inside net. Yet arp shows this system active.
|
| Is there obsolete stuff here, and/or anything missing that would
| cause
| this?
|
| Nevermind... Temporary IP address in the script was wrong;
| corrected
| and now working. Will be glad to see comments, though.
|
|
| Use Firewall Builder. It makes things so much easier. And it's free.
|
| http://www.fwbuilder.org/
|
| steve campbell

Or don't use CentOS at all and try OpenBSD PF. The syntax is much cleaner
and easier to maintain than Netfilter/IPTables and it works pretty darn
well. ;)

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier

The smartest people are constantly revising their understanding,
reconsidering a problem they thought they’d already solved. They’re open to
new points of view, new information, new ideas, contradictions, and
challenges to their own way of thinking. - Jeff Bezos
Re: [CentOS] CentOS 6.3 as Firewall/Router
Tim Evans wrote:
> On 01/04/2013 12:01 PM, Tim Evans wrote:
>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>> CentOS 6.3 system. In the olden days, I successfully used the attached
>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
>> doesn't seem to be quite working on the new system.
>>
>> Specifically, while it seems to be routing ok, you cannot connect to
>> anything on the inside net (e.g., with ssh or a browser) and cannot
>> connect to the system with ssh or anything else from elsewhere on the
>> inside net. Yet arp shows this system active.
>>
>> Is there obsolete stuff here, and/or anything missing that would cause
>> this?
>
> Nevermind... Temporary IP address in the script was wrong; corrected
> and now working. Will be glad to see comments, though.

Glad you found that. As a followup, though, when I was running a RH system
as a firewall router, I ran Bastille Linux on it first, and to the best of
my knowledge, never had an intrusion on my home network in about 10 years.
But then, I *also* had almost *nothing* on it: no xorg, no compilers...

mark
Re: [CentOS] CentOS 6.3 as Firewall/Router
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkev...@tkevans.com> wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
> doesn't seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?

You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from
rc.local? Service network starts up early in the startup sequence
(/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.

Wouldn't it be better to run the iptables rules once, then do:
  service iptables save
This way, iptables rules would be in place (S08iptables) before network
startup.

--
Dale Dellutri
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
> On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkev...@tkevans.com> wrote:
>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>> CentOS 6.3 system. In the olden days, I successfully used the attached
>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
>> doesn't seem to be quite working on the new system.
>>
>> Specifically, while it seems to be routing ok, you cannot connect to
>> anything on the inside net (e.g., with ssh or a browser) and cannot
>> connect to the system with ssh or anything else from elsewhere on the
>> inside net. Yet arp shows this system active.
>>
>> Is there obsolete stuff here, and/or anything missing that would cause
>> this?
>
> You found the error, but I have a question about running this in
> rc.local. Aren't you opening a very short time security hole by running
> this from rc.local? Service network starts up early in the startup
> sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
>
> Wouldn't it be better to run the iptables rules once, then do:
>   service iptables save
> This way, iptables rules would be in place (S08iptables) before network
> startup.

Thanks, Dale. I'm trying to remember why I did it this way (nearly 10 years
ago, when I did this first.) Seems it had to do with not turning on routing
until the very end (instead of enabling it in /etc/sysctl.conf), relying on
the out-of-the-box iptables rules in the interim (iptables still starts
normally). This script overlays its rules, then turns on NAT and routing.

--
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkev...@tkevans.com
Re: [CentOS] CentOS 6.3 as Firewall/Router
On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans <tkev...@tkevans.com> wrote:
> On 01/04/2013 03:03 PM, Dale Dellutri wrote:
>> On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkev...@tkevans.com> wrote:
>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
>>> new CentOS 6.3 system. In the olden days, I successfully used the
>>> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
>>> but this doesn't seem to be quite working on the new system.
>>>
>>> Specifically, while it seems to be routing ok, you cannot connect to
>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>> connect to the system with ssh or anything else from elsewhere on the
>>> inside net. Yet arp shows this system active.
>>>
>>> Is there obsolete stuff here, and/or anything missing that would
>>> cause this?
>>
>> You found the error, but I have a question about running this in
>> rc.local. Aren't you opening a very short time security hole by running
>> this from rc.local? Service network starts up early in the startup
>> sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
>>
>> Wouldn't it be better to run the iptables rules once, then do:
>>   service iptables save
>> This way, iptables rules would be in place (S08iptables) before network
>> startup.
>
> Thanks, Dale. I'm trying to remember why I did it this way (nearly 10
> years ago, when I did this first.) Seems it had to do with not turning
> on routing until the very end (instead of enabling it in
> /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the
> interim (iptables still starts normally). This script overlays its
> rules, then turns on NAT and routing.

Do the out-of-the-box iptables rules allow all entry to the system? What's
in /etc/sysconfig/iptables ?

I understand that the script does more than simply set iptables rules.
However, you could set the rules you want, then just turn on NAT and routing
in rc.local.

I'm not trying to criticize, just curious.

--
Dale Dellutri
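Both of Dale's questions above (what the stock /etc/sysconfig/iptables actually lets in, and whether the S08iptables link really runs before S10network) can be answered from the files on disk without touching the live firewall. The script below is an added example written for this page, not code from the thread or from CentOS: it reads an iptables-save formatted ruleset and the "# chkconfig:" headers of init scripts. The sample ruleset it embeds is constructed to look like what system-config-firewall writes on a fresh CentOS 6 install, and the two sample init-script headers use the start priorities 08 and 10 from the link names Dale cites (their stop priorities are placeholders); both samples are assumptions, so point the functions at your own /etc/sysconfig/iptables, /etc/init.d/iptables and /etc/init.d/network instead.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from CentOS.
# Offline checks for (1) what a persisted iptables ruleset lets in and
# (2) the start order chkconfig derives for init scripts. Everything works
# on plain files, so it needs neither root nor a running netfilter.

# chain_default_deny FILE CHAIN
# Succeeds when CHAIN in the *filter table of an iptables-save style FILE
# denies unmatched traffic: either its policy is DROP/REJECT (Tim's -P style)
# or its last rule is a bare "-j DROP" / "-j REJECT [--reject-with X]" with
# no match options (how system-config-firewall closes an ACCEPT-policy chain).
chain_default_deny() {
    awk -v pol=":$2" -v chain="$2" '
        /^\*/ { table = $1 }
        table != "*filter" { next }
        $1 == pol { policy = $2 }
        $1 == "-A" && $2 == chain { last = $0 }
        END {
            if (policy == "DROP" || policy == "REJECT") exit 0
            n = split(last, f, " ")
            if (f[3] == "-j" && (f[4] == "DROP" || f[4] == "REJECT") &&
                (n == 4 || (n == 6 && f[5] == "--reject-with"))) exit 0
            exit 1
        }' "$1"
}

# accepted_tcp_ports FILE
# Prints, space separated and in rule order, the TCP --dport values that
# INPUT explicitly accepts: the services the ruleset exposes on purpose.
accepted_tcp_ports() {
    awk '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == "-A" && $2 == "INPUT" &&
        $NF == "ACCEPT" && / -p tcp / {
            for (i = 1; i < NF; i++)
                if ($i == "--dport")
                    ports = (ports == "") ? $(i + 1) : ports " " $(i + 1)
        }
        END { print ports }' "$1"
}

# start_priority INITSCRIPT
# Extracts <start> from the "# chkconfig: <levels> <start> <stop>" header, the
# NN of the SNN link in /etc/rc.d/rc?.d; leading zeros stripped for -lt/-eq.
start_priority() {
    sed -n 's/^# chkconfig: *[0-9-][0-9-]* [ ]*\([0-9][0-9]*\) [ ]*[0-9].*/\1/p' "$1" |
        head -n 1 | sed 's/^0*\([0-9]\)/\1/'
}

# write_samples DIR
# Constructed sample inputs (assumptions, not copied from a real system): a
# ruleset shaped like the one system-config-firewall writes on a fresh CentOS 6
# install, a wide-open one, and init-script headers matching S08/S10 above.
write_samples() {
    cat > "$1/iptables.stock" <<'EOF'
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/iptables.open" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
    printf '#!/bin/sh\n# chkconfig: 2345 08 92\n' > "$1/iptables.init"
    printf '#!/bin/sh\n# chkconfig: 2345 10 90\n' > "$1/network.init"
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
for f in iptables.stock iptables.open; do
    for c in INPUT FORWARD; do
        if chain_default_deny "$dir/$f" "$c"; then echo "$f: $c denies by default"
        else echo "$f: $c is OPEN by default"; fi
    done
    echo "$f: INPUT accepts TCP ports: $(accepted_tcp_ports "$dir/$f")"
done
printf 'iptables starts at S%02d, network at S%02d\n' \
    "$(start_priority "$dir/iptables.init")" "$(start_priority "$dir/network.init")"
rm -rf "$dir"
```

On a real box, chain_default_deny /etc/sysconfig/iptables INPUT is the check that matters for the window Dale describes: between S10network and rc.local the host is protected only by whatever the iptables init script restored, so that file, not the rc.local script, must already deny by default and accept only the ports you mean to expose. The FORWARD verdict only becomes relevant once something sets ip_forward, which in Tim's design is the rc.local script itself.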
Re: [CentOS] CentOS 6.3 as Firewall/Router
On 01/04/2013 04:11 PM, Dale Dellutri wrote:
> On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans <tkev...@tkevans.com> wrote:
>> On 01/04/2013 03:03 PM, Dale Dellutri wrote:
>>> On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkev...@tkevans.com> wrote:
>>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
>>>> new CentOS 6.3 system. In the olden days, I successfully used the
>>>> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
>>>> but this doesn't seem to be quite working on the new system.
>>>>
>>>> Specifically, while it seems to be routing ok, you cannot connect to
>>>> anything on the inside net (e.g., with ssh or a browser) and cannot
>>>> connect to the system with ssh or anything else from elsewhere on
>>>> the inside net. Yet arp shows this system active.
>>>>
>>>> Is there obsolete stuff here, and/or anything missing that would
>>>> cause this?
>>>
>>> You found the error, but I have a question about running this in
>>> rc.local. Aren't you opening a very short time security hole by
>>> running this from rc.local? Service network starts up early in the
>>> startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the
>>> very end.
>>>
>>> Wouldn't it be better to run the iptables rules once, then do:
>>>   service iptables save
>>> This way, iptables rules would be in place (S08iptables) before
>>> network startup.
>>
>> Thanks, Dale. I'm trying to remember why I did it this way (nearly 10
>> years ago, when I did this first.) Seems it had to do with not turning
>> on routing until the very end (instead of enabling it in
>> /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the
>> interim (iptables still starts normally). This script overlays its
>> rules, then turns on NAT and routing.
>
> Do the out-of-the-box iptables rules allow all entry to the system?
> What's in /etc/sysconfig/iptables ?
>
> I understand that the script does more than simply set iptables rules.
> However, you could set the rules you want, then just turn on NAT and
> routing in rc.local.
>
> I'm not trying to criticize, just curious.

Thanks, again, Dale. I'm curious, too, now, and will try to find any
documentation I did back in '05 when I did this.

--
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkev...@tkevans.com