[CentOS] DNS or firewall problem
Thomas Dukes
tdukes at sc.rr.com
Wed Jul 7 01:38:10 UTC 2010
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Christopher Chan
> Sent: Tuesday, July 06, 2010 9:13 PM
> To: centos at centos.org
> Subject: Re: [CentOS] DNS or firewall problem
>
>
> > # Firewall configuration written by system-config-securitylevel
> > # Manual customization of this file is not recommended.
>
> ugh...fwbuilder crap...oh well.
>
>
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j RH-Firewall-1-INPUT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>
> Seriously? Them two are redundant since you already accept
> everything on lo.
I didn't do that. :-)
>
> > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
>
> Hmm...you do not appear to have a blanket accept for your
> internal interface. What services are supposed to be open to
> the internal lan?
Really just interested in web, ftp and maybe samba
>
>
> >
> >
> >> 'netstat -ntlp'
> >
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address  State   PID/Program name
> > tcp        0      0 0.0.0.0:20000           0.0.0.0:*        LISTEN  3580/perl
> > tcp        0      0 127.0.0.1:2208          0.0.0.0:*        LISTEN  2960/hpiod
> > tcp        0      0 0.0.0.0:3306            0.0.0.0:*        LISTEN  3138/mysqld
> > tcp        0      0 127.0.0.1:3310          0.0.0.0:*        LISTEN  3049/clamd
> > tcp        0      0 0.0.0.0:111             0.0.0.0:*        LISTEN  2667/portmap
> > tcp        0      0 0.0.0.0:6000            0.0.0.0:*        LISTEN  3958/X
> > tcp        0      0 0.0.0.0:10000           0.0.0.0:*        LISTEN  3588/perl
> > tcp        0      0 192.168.1.101:53        0.0.0.0:*        LISTEN  2639/named
> > tcp        0      0 127.0.0.1:53            0.0.0.0:*        LISTEN  2639/named
> > tcp        0      0 127.0.0.1:631           0.0.0.0:*        LISTEN  2980/cupsd
> > tcp        0      0 0.0.0.0:25              0.0.0.0:*        LISTEN  3218/sendmail: acce
> > tcp        0      0 127.0.0.1:953           0.0.0.0:*        LISTEN  2639/named
> > tcp        0      0 0.0.0.0:766             0.0.0.0:*        LISTEN  2704/rpc.statd
> > tcp        0      0 0.0.0.0:3551            0.0.0.0:*        LISTEN  3032/apcupsd
> > tcp        0      0 127.0.0.1:2207          0.0.0.0:*        LISTEN  2965/python
> > tcp        0      0 :::80                   :::*             LISTEN  5464/httpd
> > tcp        0      0 :::6000                 :::*             LISTEN  3958/X
> > tcp        0      0 ::1:953                 :::*             LISTEN  2639/named
> > tcp        0      0 :::443                  :::*             LISTEN  5464/httpd
> >
> > Not sure what all this means. Hope someone can.
> >
>
> You should be able to connect to the web service from the internal lan
> using the internal ip and also to the smtp service. But I guess your web
> service is probably apache doing proxy work unless you have a different
> meaning to 'internal boxes can access the internet'...
>
> What services were internal boxes supposed to be able to
> access again?
> webmin? mysql? dns?
Not really relying on my server for dns for the local machines, just for
local services, ftp, webmin, local web. I'm not on a commercial account with
my isp so 'external' mail is not an issue.
I have most services turned off but can activate them, remotely, from
webmin if I need ssh or ftp.
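As an added illustration (not code from the thread or from either poster): a small audit script that cross-references the RH-Firewall-1-INPUT rules quoted above with the `netstat -ntlp` listeners, reproducing both of Christopher's observations, the redundant port-631 accepts for a cupsd that only binds 127.0.0.1, and services such as webmin on 10000 that the final REJECT keeps away from the LAN. The inputs are abridged, constructed copies of the thread's output, and the parser ignores `-s`/`-d` and any interface match other than `-i lo`.

```python
import re

# Constructed, abridged copies of the thread's iptables-save rules and netstat -ntlp output.
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
NETSTAT = """\
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2980/cupsd
tcp 0 0 192.168.1.101:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 3588/perl
tcp 0 0 :::80 :::* LISTEN 5464/httpd
"""
VERDICT = {  # keyed by (socket bound to loopback only?, port accepted by a non-lo rule?)
    (True, True): "redundant rule: socket is loopback-only and lo is already accepted",
    (True, False): "loopback only",
    (False, True): "reachable from the LAN",
    (False, False): "blocked by the final REJECT",
}

def parse_accepts(rules):
    """(proto, port) pairs accepted for packets that did not arrive on lo.
    Simplification: -s/-d and interface matches other than '-i lo' are ignored."""
    accepts = set()
    for line in rules.splitlines():
        if "-j ACCEPT" not in line or "-i lo" in line:
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        port = re.search(r"--dport (\d+)", line)
        if proto and port:
            accepts.add((proto.group(1), int(port.group(1))))
    return accepts

def parse_listeners(netstat):
    """(proto, bind address, port, program) for each LISTEN line of netstat -ntlp."""
    out = []
    for f in (l.split() for l in netstat.splitlines()):
        if len(f) >= 7 and f[5] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)  # rsplit copes with IPv6 ':::80' and '::1:953'
            out.append((f[0][:3], addr, int(port), f[6]))
    return out

def audit(rules, netstat):
    """Map 'proto/port program' to a verdict on whether LAN hosts can reach it."""
    accepts = parse_accepts(rules)
    return {f"{p}/{port} {prog}": VERDICT[(addr in ("127.0.0.1", "::1"), (p, port) in accepts)]
            for p, addr, port, prog in parse_listeners(netstat)}
```

Running `audit(RULES, NETSTAT)` against the full rule set and listener list from the thread gives the same picture: 80/443, 25 and 21 reachable, 631 redundant, and mysqld, named and webmin rejected.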