[CentOS] 2 questions on CentOS firewall
Ljubomir Ljubojevic
office at plnet.rs
Tue Jul 19 18:16:48 UTC 2011
Robert Spangler wrote:
> On Tuesday 19 July 2011 09:11, the following was written:
>
>> Timothy Murphy wrote:
>> > I'm running CentOS-6 on an HP MicroServer
>> > with a Billion 5200S modem/router connecting to the internet.
>> > I'm running the standard CentOS-6 firewall on the server.
>> >
>> > (1) I can open port 22 on the Billion, allowing me to ssh in from
>> > outside. But for some reason I cannot ping the same address from
>> > outside. (I can ping it internally.)
>> > Why is this?
>> > I'm not sure if the problem lies with the router or the server?
>> > There does not seem to be any explicit rule on either
>> > to allow ICMP packets through.
>>
>> This is because the modem refuses to answer pings. You might have an
>> option to allow it in the modem config.
>
> Modems cannot answer pings. They are a bridge. The most likely reason why
> the OP cannot ping is because the firewall is not allowing it. Adding rules
> to allow pings should clear up this issue.
Please first read the OP's mail, then give me lessons. HE said it was a
modem/router; I shortened it. I was a little lazy.
How do you think he opened and forwarded a port on his modem(/router) if
it was in bridged mode?
>
>> > (2) I have a Linksys WRT54GL WiFi router attached to the server,
>> > to allow access to the internet from laptops.
>> > This works fine.
>> > But I was surprised to find that when I turn OFF
>> > the firewall on the server this stops access to the internet on laptops.
>> > (I didn't test to see if re-booting the laptop would solve this.)
>> > Can disabling the firewall actually prevent some linkage?
>>
>> When you turn off the firewall, it stops routing packets, so they cannot
>> be passed to systems behind it.
>
> IPTABLES does not route packets. IPTABLES manipulates packets so that they
> can be routed to the proper destination.
You can nitpick if you like, but do not forget that the OP is most probably
a noob (no disrespect intended). Why is it necessary to write "War & Peace"
when the result is the same: no firewall = no internet for the PCs behind
the CentOS system.
And let's finish it with style:
Timothy, you could turn off the firewall and still have internet if you set
a static route in the modem/router for the subnet used between CentOS and
the clients, so the modem/router does the final NAT'ing.
>
> The reason the OP could not connect to the internet is because the firewall
> was NAT'ing his packets that were leaving his network to his internet-facing
> IP address. Once the NAT'ing stopped, the packets were sent to the internet
> with the address of his laptop, which was most likely a private address.
> Since private addresses are not supposed to be routed on the internet, the
> receiving router dropped the return packet.
Irrelevant, a modem/router is used.
I have spent the last 6 years doing NAT-ing, policy routing, static and
dynamic routing, complex iptables rules, marking packets to block and/or
slow down torrents but leave gamers alone, whatever you can think of.
But there is no need to complicate things when the question is so simple:
"In the current state of his network, if he turns off the firewall, clients
behind it will not have internet."
--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe
Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
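The two points argued over in this thread (ICMP echo being dropped, and clients losing internet when the CentOS firewall is stopped because the MASQUERADE rule goes away with it) can be shown with a ruleset in the format CentOS 6 keeps in /etc/sysconfig/iptables. The script below is an added example written for this page, not code from the original posts or from the CentOS project; the interface names eth0/eth1 and the 192.168.1.0/24 LAN subnet are assumptions, and the "firewall off" ruleset is what `service iptables stop` leaves behind (all chains empty with policy ACCEPT, the nat table included). Note that net.ipv4.ip_forward is a sysctl, not an iptables rule, so it stays on when the firewall is stopped; what disappears is the NAT, which is why the laptops' private source addresses then leak to the modem/router unchanged.

```shell
#!/bin/sh
# Added example: a minimal masquerading-gateway ruleset for CentOS 6
# (iptables-save format). WAN_IF, LAN_IF and LAN_NET are assumptions;
# override them in the environment if your interfaces differ.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Ruleset with NAT for the LAN, SSH reachable, and ICMP echo answered.
gateway_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# What "service iptables stop" leaves: no rules at all, every chain ACCEPT.
# Forwarding still works (ip_forward is a sysctl), but nothing rewrites
# the LAN clients' private source addresses any more.
stopped_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Check whether a ruleset (read from stdin) carries a given rule fragment.
# Exit status 0 = present, 1 = absent.
has_rule() { grep -q -- "$1"; }

# Does this ruleset still NAT the LAN?  prints yes/no
nats_lan() {
  if "$1" | has_rule "-j MASQUERADE"; then echo yes; else echo no; fi
}

# Does this ruleset answer pings?  prints yes/no
# (an empty INPUT chain with policy ACCEPT also answers them)
answers_ping() {
  if "$1" | has_rule "icmp-type echo-request" || "$1" | has_rule ":INPUT ACCEPT"; then
    echo yes
  else
    echo no
  fi
}

# Apply the gateway ruleset for real (root only): enable forwarding,
# load the rules, and persist them the CentOS 6 way.
apply_gateway() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_gateway: run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1
  gateway_rules | iptables-restore
  gateway_rules > /etc/sysconfig/iptables
}

# Summary of both states when run directly.
if [ "${1:-}" = "show" ]; then
  echo "gateway ruleset: NAT=$(nats_lan gateway_rules) ping=$(answers_ping gateway_rules)"
  echo "after 'service iptables stop': NAT=$(nats_lan stopped_rules) ping=$(answers_ping stopped_rules)"
fi
```

Run it as `sh gateway.sh show` to see the two states side by side; `apply_gateway` is the only function that touches the live firewall and needs root. The static-route alternative mentioned above (the modem/router NATs the 192.168.1.0/24 subnet itself) would drop the `*nat` section and keep only the FORWARD rules, which is why it survives the firewall being stopped.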