ML wrote:
I used to work with PIX 525's so I have knowledge, I just don't quite know how to do this with CentOS and such.
Firewall Builder.
But if you've configured the PIX in command-line mode, iptables is not that hard. You could set up a local firewall right on your webserver and it's going to be rock-solid. It's not an "enterprise" type of setup, but for a small installation I see no problem whatsoever with it. Trust iptables, it's a very good firewall. I use it all the time, even for purposes that firewalls are normally not intended to serve. :-)
http://www.netfilter.org/documentation/index.html#documentation-howto
There's a lot of info there, but you don't need everything. This is the 10% info that you will use 90% of the time:
- the main tables (filter, nat), what they can do
- the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING)
- the main targets (ACCEPT, DROP, REJECT)
- user-defined chains and how to insert them into the built-ins.
Also, hardcopy this diagram and put it on the wall, it will make things very clear for you:
http://developer.gauner.org/doc/iptables/images/nfk-traversal.png
For a former PIXer, the learning curve should be peachy. By the way, netfilter/iptables is a lot more expressive and flexible than PIX. You'll be amazed by what you can do with it.
"man iptables" also helps.
Go ahead, do "service iptables stop" to clean everything up, then apply some rules of your own. Do "service iptables save" to save them. "service iptables restart" to restart from the saved version (if you mess up the running one). All rules are saved in /etc/sysconfig/iptables (you may want to back up the original version before you start messing with the firewall).
Other commands:
See current running state: iptables [-t nat] -L -n [-v] (I do recommend using -v often), or: service iptables status
See current saved state: less /etc/sysconfig/iptables
Flush and delete everything, fall back to a "permit all" firewall: iptables [-t nat] -F; iptables [-t nat] -X, or: service iptables stop
See if the iptables service is enabled: chkconfig --list iptables
Tip: if the FORWARD chain doesn't seem to work, check net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.
That's it, you're good to go.
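As an added example (not part of the reply above, and not code from the netfilter project), here is what the reply's advice looks like in practice on a CentOS web server: a small filter-table ruleset with default DROP on INPUT and FORWARD, the allow rules kept in a user-defined chain that is inserted into INPUT, and a second user-defined chain that logs (rate-limited) and then drops whatever is left. The script only prints the ruleset in the format /etc/sysconfig/iptables uses (the iptables-save/iptables-restore format), so it runs without root and without touching the live firewall; the chain names WEB_IN and LOG_DROP, the port list and the admin network 192.0.2.0/24 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate a host-firewall ruleset for a CentOS web server in the
# format used by /etc/sysconfig/iptables (iptables-save / iptables-restore format).
# Nothing here calls iptables, so it runs unprivileged; review the output, then load
# it with "iptables-restore < file" or copy it to /etc/sysconfig/iptables and run
# "service iptables restart".

# Assumed values for illustration; adjust to the real server.
SSH_PORT=22
WEB_PORTS="80 443"
ADMIN_NET="192.0.2.0/24"   # constructed example range allowed to reach SSH

gen_ruleset() {
    # filter table: default DROP on INPUT and FORWARD, ACCEPT on OUTPUT
    # (a local host firewall; nothing is routed through this box)
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # user-defined chains: WEB_IN holds the allow rules, LOG_DROP logs then drops
    printf '%s\n' ':WEB_IN - [0:0]'
    printf '%s\n' ':LOG_DROP - [0:0]'
    # INPUT: loopback and replies to our own connections first, then hand off to
    # WEB_IN; anything WEB_IN does not accept falls through to LOG_DROP
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -j WEB_IN'
    printf '%s\n' '-A INPUT -j LOG_DROP'
    # WEB_IN: SSH only from the admin network, web ports from anywhere
    printf '%s\n' "-A WEB_IN -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    for p in $WEB_PORTS; do
        printf '%s\n' "-A WEB_IN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # rate-limited ping so monitoring still works but floods do not
    printf '%s\n' '-A WEB_IN -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # LOG_DROP: limit the log rate so a port scan cannot fill /var/log/messages
    printf '%s\n' '-A LOG_DROP -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4'
    printf '%s\n' '-A LOG_DROP -j DROP'
    printf '%s\n' 'COMMIT'
}

# count_rules: number of "-A" lines in the generated ruleset (quick sanity check)
count_rules() {
    gen_ruleset | grep -c '^-A '
}

gen_ruleset
```

Rule order matters: ESTABLISHED,RELATED sits before the jump to WEB_IN so that the return half of every connection is accepted without re-evaluating the allow list, and the jump to LOG_DROP is the last rule in INPUT, so it only sees packets that WEB_IN returned without a verdict. Keep a copy of the original /etc/sysconfig/iptables before installing this, and if you are on a remote SSH session, apply it with "service iptables restart" only after confirming that your own source address is inside ADMIN_NET.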