[CentOS] 2 questions on CentOS firewall

Ljubomir Ljubojevic office at plnet.rs
Tue Jul 19 18:16:48 UTC 2011


Robert Spangler wrote:
> On Tuesday 19 July 2011 09:11, the following was written:
> 
>>  Timothy Murphy wrote:
>>  > I'm running CentOS-6 on an HP MicroServer
>>  > with a Billion 5200S modem/router connecting to the internet.
>>  > I'm running the standard CentOS-6 firewall on the server.
>>  >
>>  > (1) I can open port 22 on the Billion, allowing me to ssh in from
>>  > outside. But for some reason I cannot ping the same address from
>>  > outside. (I can ping it internally.)
>>  > Why is this?
>>  > I'm not sure if the problem lies with the router or the server?
>>  > There does not seem to be any explicit rule on either
>>  > to allow ICMP packets through.
>>
>>  This is because the modem refuses to answer pings. You might have an
>>  option to allow it in the modem config.
> 
> Modems cannot answer pings.  They are a bridge.  The most likely reason why 
> the OP cannot ping is because the firewall is not allowing it.  Adding rules 
> to allow pings should clear up this issue.

Please first read the OP's mail, then give me lessons. HE said it was a 
modem/router; I shortened it. I was a little lazy.

How do you think he opened and forwarded a port on his modem(/router) if 
he was in bridged mode?

> 
>>  > (2) I have a Linksys WRT54GL WiFi router attached to the server,
>>  > to allow access to the internet from laptops.
>>  > This works fine.
>>  > But I was surprised to find that when I turn OFF
>>  > the firewall on the server this stops access to the internet on laptops.
>>  > (I didn't test to see if re-booting the laptop would solve this.)
>>  > Can disabling the firewall actually prevent some linkage?
>>
>>  When you turn off the firewall, it stops routing packets, so they cannot be
>>  passed to systems behind it.
> 
> IPTABLES does not route packets.  IPTABLES manipulates packets so that they can 
> be routed to the proper destination.

You can nitpick if you like, but do not forget that the OP is most probably 
a noob (no disrespect intended). Why is it necessary to write "War & Peace" 
when the result is the same: no firewall = no internet for PCs behind 
the CentOS system?

And let's finish it with style:
Timothy, you could turn off the firewall and still have internet if you set 
a static route in the modem/router for the subnet used between CentOS and 
the clients, so the modem/router does the final NAT'ing.

> 
> The reason the OP could not connect to the internet is because the firewall 
> was NAT'ing his packets that were leaving his network to his internet facing 
> IP address.  Once the NAT'ing stopped the packets were sent to the internet 
> with the address of his laptop which was most likely a private address.  
> Since private addresses are not supposed to be routed on the internet the 
> receiving router dropped the return packet.

Irrelevant; a modem/router is used.

I have spent the last 6 years doing NAT-ing, policy routing, static and 
dynamic routing, complex iptables rules, marking packets to block and/or 
slow down torrents but leave gamers alone, whatever you can think of. 
But there is no need to complicate things when the question is so simple:

"In the current state of his network, if he turns off the firewall, clients 
behind it will not have internet."

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


