[CentOS] Firewall frustration

Thu Jan 3 15:29:09 UTC 2008
Marko A. Jennings <markobiz at bluegargoyle.com>

On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
> Steven Haigh wrote:
>> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
>>> Christopher Chan wrote:
>>>>
>>>>> I spent much of the past 24 hours trying to find out how to set up
>>>>> iptables for firewall routing WITHOUT NATing. Could not find
>>>>> anything.
>>>>>
>>>>
>>>> Eh? You just need to enable ip forwarding to enable routing. After
>>>> that, it is put up the firewall rules as is necessary, build the
>>>> appropriate routing tables on the firewall box and the boxes on the
>>>> intranet(s).
>>>>
>>>> iptables does not handle routing.
>>> No, but iptables controls what is allowed to route,
>>
>> I think this is where you are getting confused and causing yourself
>> issues. iptables has ZERO effect on what is allowed to route. It is a
>> simple YES or NO as to if it should be allowed to pass or be filtered.
> I have been tested as having a significant language usage problem, and
> am working on it. 'what is allowed to route', was a poor choice of
> wording. What you wrote above is much closer to what I wanted to say.
>
> ip src/dest is used for routing decisions by the kernel. The IP state
> machine (check the RFC or any decent TCP/IP textbook) is really quite
> simple. But iptables sticks its nose into the center of that state
> machine and can mangle addresses to change how packets flow through the
> machine, or just simplely yank packets right out of the machine with a
> simple NO (drop).
>
> So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
> death on state machines; turn in a perfectly executing assignment
> without one and there went half your grade. See HIP for its state
> machine) is dictated by iptables as to what it is allowed to route.
>>
>>> Those little words, "put up the firewall rules as necessary" are
>>> equivalent to "and magic happens here."
>>
>> It's actually not magical at all... Work with the mindset of "I want
>> to allow X, Y, and Z, then deny everything else". This translates
>> easily into iptables rules -j ACCEPT and then your last rule (or
>> policy) should be a deny/drop/reject.
> That is exactly what I tried to do. I just used the wrong bit of pixie
> dust (during some of the 'heated' IPsec meeting debates one fellow would
> try to sneak up a speaker 'that just did not get it' and sprinkle some
> glitter on them. He had labeled his tube of glitter as 'security pixie
> dust').

If you are interested in learning how iptables work, I suggest reading
this book:

Linux Firewalls, Second Edition
by Robert L. Ziegler
ISBN 0-7357-1099-6

It covers everything from packet filtering concepts to practical examples.

Marko