[CentOS] DNS or firewall problem
Christopher Chan
christopher.chan at bradbury.edu.hk
Wed Jul 7 01:13:15 UTC 2010
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
ugh...fwbuilder crap...oh well.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
Seriously? Those two are redundant since you already accept everything on lo.
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
Hmm...you do not appear to have a blanket accept for your internal
interface. What services are supposed to be open to the internal lan?
>
>
>> 'netstat -ntlp'
>
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      3580/perl
> tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2960/hpiod
> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3138/mysqld
> tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      3049/clamd
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2667/portmap
> tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3958/X
> tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      3588/perl
> tcp        0      0 192.168.1.101:53        0.0.0.0:*               LISTEN      2639/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2639/named
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2980/cupsd
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3218/sendmail: acce
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2639/named
> tcp        0      0 0.0.0.0:766             0.0.0.0:*               LISTEN      2704/rpc.statd
> tcp        0      0 0.0.0.0:3551            0.0.0.0:*               LISTEN      3032/apcupsd
> tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2965/python
> tcp        0      0 :::80                   :::*                    LISTEN      5464/httpd
> tcp        0      0 :::6000                 :::*                    LISTEN      3958/X
> tcp        0      0 ::1:953                 :::*                    LISTEN      2639/named
> tcp        0      0 :::443                  :::*                    LISTEN      5464/httpd
>
> Not sure what all this means. Hope someone can.
>
You should be able to connect to the web service from the internal lan
using the internal ip and also to the smtp service. But I guess your web
service is probably apache doing proxy work unless you have a different
meaning to 'internal boxes can access the internet'...
What services were internal boxes supposed to be able to access again?
webmin? mysql? dns?
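The reply's point is that the quoted ruleset has no blanket accept for the internal interface, so only the ports listed in RH-Firewall-1-INPUT are reachable from the LAN no matter what is listening. The following script (an added example, not code from the thread or from CentOS) cross-checks the quoted rules against the quoted `netstat -ntlp` output and reports, per listener, whether the chain admits it, blocks it, or whether it is bound to loopback and never exposed anyway. It assumes the IPv4 chain is the only policy in play (any ip6tables rules are out of scope) and that a listener on `0.0.0.0` or `::` is reachable on the internal interface whenever its port has an unrestricted ACCEPT rule; the rule and netstat lines embedded below are copied from the post, re-joined onto single lines.

```python
"""Added example, not from the post: which of the listed listening sockets does the
quoted RH-Firewall-1-INPUT chain actually admit from a non-loopback interface?"""
import re

CHAIN = "RH-Firewall-1-INPUT"  # chain that INPUT jumps to in the quoted ruleset

# Rules copied from the quoted firewall file (re-joined onto single lines).
IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Subset of the quoted 'netstat -ntlp' output, re-joined onto single lines.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      3580/perl
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2667/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3958/X
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      3588/perl
tcp        0      0 192.168.1.101:53        0.0.0.0:*               LISTEN      2639/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2639/named
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2980/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3218/sendmail: acce
tcp        0      0 :::80                   :::*                    LISTEN      5464/httpd
tcp        0      0 :::443                  :::*                    LISTEN      5464/httpd
"""

def _options(rule):
    """Map each option of one rule to its value ('' for bare flags); later duplicates win."""
    parts, opts, i = rule.split(), {}, 0
    while i < len(parts):
        has_value = i + 1 < len(parts) and not parts[i + 1].startswith("-")
        opts[parts[i]] = parts[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return opts

def accepted_ports(rules_text):
    """Return ({(proto, port) accepted on any interface from any source}, chain_ends_in_reject)."""
    accepted, catch_all, prefix = set(), False, f"-A {CHAIN} "
    for line in rules_text.splitlines():
        if not line.startswith(prefix):
            continue
        o = _options(line[len(prefix):])
        if o.get("-j") == "ACCEPT" and "--dport" in o and not {"-i", "-s", "-d"} & set(o):
            accepted.add((o["-p"], int(o["--dport"])))
        elif o.get("-j") in ("REJECT", "DROP") and not set(o) - {"-j", "--reject-with"}:
            catch_all = True  # no match options at all: everything left over is refused
    return accepted, catch_all

NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(.+)$")

def listeners(netstat_text):
    """Yield (proto, bind address, port, program) for each LISTEN line of 'netstat -ntlp'."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, program = m.groups()
            addr, port = local.rsplit(":", 1)  # ':::80' -> ('::', '80'); '::1:953' -> ('::1', '953')
            yield proto, addr, int(port), program.strip()

def audit(rules_text, netstat_text):
    """Map (bind address, port) -> (program, verdict) for every listener."""
    accepted, catch_all = accepted_ports(rules_text)
    report = {}
    for proto, addr, port, program in listeners(netstat_text):
        if addr in ("127.0.0.1", "::1"):
            verdict = "loopback-only"   # only reachable via lo, which the chain accepts wholesale
        elif (proto, port) in accepted:
            verdict = "reachable"
        elif catch_all:
            verdict = "blocked"         # falls through to the terminal REJECT
        else:
            verdict = "policy-default"  # no terminal rule: the INPUT chain's policy decides
        report[(addr, port)] = (program, verdict)
    return report

if __name__ == "__main__":
    for (addr, port), (program, verdict) in audit(IPTABLES_RULES, NETSTAT_OUTPUT).items():
        print(f"{addr}:{port:<6} {program:<22} {verdict}")
```

Run as-is it shows the web and SMTP listeners as reachable, while mysqld, webmin's perl on 10000, and named on 192.168.1.101:53 are blocked by the trailing REJECT, which is exactly the situation the reply describes. Feeding it the live `iptables-save` and `netstat -ntlp` output of a host gives the same per-service answer without guessing from the rule list by eye.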