[CentOS] Build a Firewall (Can I learn to do this...)
Florin Andrei
florin at andrei.myip.org
Thu Oct 1 23:27:31 UTC 2009
ML wrote:
>
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.
Firewall Builder.
http://www.fwbuilder.org/
But if you've configured the PIX in command-line mode, iptables is not
that hard. You could set up a local firewall right on your webserver and
it's going to be rock-solid. It's not an "enterprise" type of setup, but
for a small installation I see no problem whatsoever with it. Trust
iptables, it's a very good firewall. I use it all the time, even for
purposes that firewalls are normally not intended to serve. :-)
http://www.netfilter.org/documentation/index.html#documentation-howto
There's a lot of info there, but you don't need everything. This is the
10% info that you will use 90% of the time:
- the main tables (filter, nat), what can they do
- the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING)
- the main targets (ACCEPT, DROP, REJECT)
- user-defined chains and how to insert them into the built-ins.
Also, hardcopy this diagram and put it on the wall, it will make things
very clear for you:
http://developer.gauner.org/doc/iptables/images/nfk-traversal.png
For a former PIXer, the learning curve should be peachy. By the way,
netfilter/iptables is a lot more expressive and flexible than PIX.
You'll be amazed by what you can do with it.
"man iptables" also helps.
Go ahead, do "service iptables stop" to clean everything up, then apply
some rules of your own. Do "service iptables save" to save them.
"service iptables restart" to restart from the saved version (if you
mess up the running one). All rules are saved in /etc/sysconfig/iptables
(you may want to back up the original version before you start messing
with the firewall).
Other commands:
See current running state:
iptables [-t nat] -L -n [-v] # I do recommend using -v often
or
service iptables status
See current saved state:
less /etc/sysconfig/iptables
Flush and delete everything, fall back to a "permit all" firewall:
iptables [-t nat] -F; iptables [-t nat] -X
or
service iptables stop
See if the iptables service is enabled:
chkconfig --list iptables
Tip: if the FORWARD chain doesn't seem to work, check
net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.
That's it, you're good to go.
--
Florin Andrei
http://florin.myip.org/
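A worked example of the workflow described in the message above (flush, apply your own rules, save, keep a backup of /etc/sysconfig/iptables), added here as an illustration; it is not code from the original thread or from the CentOS project. It writes a minimal host firewall for a web server in the iptables-restore format that "service iptables save" produces, using the filter table, the built-in INPUT/FORWARD/OUTPUT chains, the ACCEPT/DROP/REJECT targets, and one user-defined chain (WEB-IN) inserted into INPUT. The port numbers, the admin network 192.0.2.0/24 and the chain name are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates, checks and
# (optionally) installs a small host firewall on a CentOS web server.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed management network (documentation range)
SSH_PORT="${SSH_PORT:-22}"               # assumed SSH port

# Emit the rule set on stdout in iptables-restore format (the same format
# "service iptables save" writes to /etc/sysconfig/iptables). Generating it
# in a function lets you review it with "build_rules | less" before loading.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB-IN - [0:0]
# loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known flow are silently dropped
-A INPUT -m state --state INVALID -j DROP
# keep the box pingable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH only from the admin network
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
# hand HTTP/HTTPS to the user-defined chain
-A INPUT -p tcp -m multiport --dports 80,443 -j WEB-IN
# refuse everything else; the DROP policy is the backstop if these go missing
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# WEB-IN: accept new web connections, return anything else to INPUT
-A WEB-IN -p tcp -m state --state NEW -j ACCEPT
-A WEB-IN -j RETURN
COMMIT
EOF
}

# Consistency check that runs anywhere (no root, no iptables binary):
# every chain appended to with -A, and every -j target that is not a
# built-in target, must be declared with a leading ':' in the same table.
check_rules() {
    rules=$(build_rules)
    chains=$(printf '%s\n' "$rules" | sed -n 's/^:\([A-Za-z0-9_-]*\) .*/\1/p')
    used=$(printf '%s\n' "$rules" |
        awk '$1=="-A"{print $2; for(i=3;i<NF;i++) if($i=="-j") print $(i+1)}' |
        sort -u)
    for name in $used; do
        case "$name" in
            ACCEPT|DROP|REJECT|RETURN) ;;          # built-in targets
            *) printf '%s\n' "$chains" | grep -qx "$name" || {
                   echo "rule references undeclared chain: $name" >&2
                   return 1
               } ;;
        esac
    done
    return 0
}

# The procedure from the post, to be run as root on the CentOS box:
# back up the saved rules, load the new set atomically, persist it, review.
install_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "install_rules must run as root" >&2; return 1; }
    check_rules || return 1
    cp -p /etc/sysconfig/iptables \
        "/etc/sysconfig/iptables.$(date +%Y%m%d%H%M%S)" 2>/dev/null || true
    build_rules | iptables-restore      # replaces the running filter table
    service iptables save               # writes /etc/sysconfig/iptables
    iptables -L -n -v                   # look at the running state
}

case "${1:-}" in
    install) install_rules ;;
    check)   check_rules && echo "rule set is consistent" ;;
    *)       build_rules ;;             # default: just print the rules
esac
```

Run it with no argument to see the rule set, "check" to validate it, and "install" (as root) to back up the current file, load the rules and save them; "service iptables restart" afterwards reloads the saved copy, as the post describes.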