-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
Sent: Tuesday, July 06, 2010 9:13 PM
To: centos@centos.org
Subject: Re: [CentOS] DNS or firewall problem
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
ugh...fwbuilder crap...oh well.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
Seriously? Those two are redundant since you already accept everything on lo.
I didn't do that. :-)
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Hmm...you do not appear to have a blanket accept for your internal interface. What services are supposed to be open to the internal lan?
Really just interested in web, ftp and maybe samba
'netstat -ntlp'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:20000            0.0.0.0:*         LISTEN   3580/perl
tcp        0      0 127.0.0.1:2208           0.0.0.0:*         LISTEN   2960/hpiod
tcp        0      0 0.0.0.0:3306             0.0.0.0:*         LISTEN   3138/mysqld
tcp        0      0 127.0.0.1:3310           0.0.0.0:*         LISTEN   3049/clamd
tcp        0      0 0.0.0.0:111              0.0.0.0:*         LISTEN   2667/portmap
tcp        0      0 0.0.0.0:6000             0.0.0.0:*         LISTEN   3958/X
tcp        0      0 0.0.0.0:10000            0.0.0.0:*         LISTEN   3588/perl
tcp        0      0 192.168.1.101:53         0.0.0.0:*         LISTEN   2639/named
tcp        0      0 127.0.0.1:53             0.0.0.0:*         LISTEN   2639/named
tcp        0      0 127.0.0.1:631            0.0.0.0:*         LISTEN   2980/cupsd
tcp        0      0 0.0.0.0:25               0.0.0.0:*         LISTEN   3218/sendmail: acce
tcp        0      0 127.0.0.1:953            0.0.0.0:*         LISTEN   2639/named
tcp        0      0 0.0.0.0:766              0.0.0.0:*         LISTEN   2704/rpc.statd
tcp        0      0 0.0.0.0:3551             0.0.0.0:*         LISTEN   3032/apcupsd
tcp        0      0 127.0.0.1:2207           0.0.0.0:*         LISTEN   2965/python
tcp        0      0 :::80                    :::*              LISTEN   5464/httpd
tcp        0      0 :::6000                  :::*              LISTEN   3958/X
tcp        0      0 ::1:953                  :::*              LISTEN   2639/named
tcp        0      0 :::443                   :::*              LISTEN   5464/httpd
Not sure what all this means. Hope someone can.
You should be able to connect to the web service from the internal lan using the internal ip and also to the smtp service. But I guess your web service is probably apache doing proxy work unless you have a different meaning to 'internal boxes can access the internet'...
What services were internal boxes supposed to be able to access again? webmin? mysql? dns?
Not really relying on my server for dns for the local machines, just for local services, ftp, webmin, local web. I'm not on a commercial account with my isp so 'external' mail is not an issue.
I have most services turned off but can activate them, remotely, from webmin if I need ssh or ftp.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
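The exchange above turns on one question: with no blanket accept for the internal interface, which of the listening services are actually reachable from the LAN before the final REJECT? The script below is an added example (editor's code, not from the thread or from any CentOS tool) that answers it mechanically. It takes the RH-Firewall-1-INPUT rules and the `netstat -ntlp` listing quoted above as constructed inline strings, matches every non-loopback listener against the tcp/udp ACCEPT rules, and also lists accept rules that currently protect nothing network-facing (the 631 pair that only a loopback cupsd is behind, and the ftp/samba ports with no daemon running). The function names and the report layout are the example's own.

```python
"""Added example: audit iptables ACCEPT rules against listening sockets.
Inputs are constructed copies of the rules and netstat output quoted in
the thread, not live system output."""

IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 3580/perl
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2960/hpiod
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3138/mysqld
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 3049/clamd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2667/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 3958/X
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 3588/perl
tcp 0 0 192.168.1.101:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2980/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 3218/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2639/named
tcp 0 0 0.0.0.0:766 0.0.0.0:* LISTEN 2704/rpc.statd
tcp 0 0 0.0.0.0:3551 0.0.0.0:* LISTEN 3032/apcupsd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2965/python
tcp 0 0 :::80 :::* LISTEN 5464/httpd
tcp 0 0 :::6000 :::* LISTEN 3958/X
tcp 0 0 ::1:953 :::* LISTEN 2639/named
tcp 0 0 :::443 :::* LISTEN 5464/httpd
"""


def parse_rules(text):
    """One dict per '-A' line; only the options the audit needs are kept."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["-A"]:
            continue
        r = {"proto": None, "dport": None, "target": None, "dst": None}
        for i in range(2, len(t) - 1, 2):  # every option here takes one argument
            opt, arg = t[i], t[i + 1]
            if opt == "-p":
                r["proto"] = arg
            elif opt == "--dport":
                r["dport"] = int(arg)
            elif opt == "-j":
                r["target"] = arg
            elif opt == "-d":
                r["dst"] = arg
        rules.append(r)
    return rules


def accepted_ports(rules):
    """(proto, port) pairs a unicast packet to this host can hit with ACCEPT.
    A rule with -d (the 224.0.0.251 mDNS one) is multicast-only and not counted."""
    return {(r["proto"], r["dport"]) for r in rules
            if r["target"] == "ACCEPT" and r["dport"] is not None and r["dst"] is None}


def parse_listeners(text):
    """Listening sockets from 'netstat -ntlp' (or -nulp) output."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # headers and blank lines
        proto = f[0].rstrip("6")                       # tcp6 -> tcp
        addr, port = f[3].rsplit(":", 1)               # copes with ':::80' and '::1:953'
        prog = " ".join(f[6:] if proto == "tcp" else f[5:])  # UDP rows have no State column
        out.append({"proto": proto, "port": int(port), "prog": prog,
                    "loopback": addr.startswith("127.") or addr == "::1"})
    return out


def audit(rules_text, netstat_text):
    """Bucket each listener: loopback-only, reachable (matching ACCEPT), or blocked
    by the trailing REJECT; plus ACCEPT rules with no network-facing listener."""
    accepts = accepted_ports(parse_rules(rules_text))
    report = {"reachable": {}, "blocked": {}, "loopback": {}}
    for s in parse_listeners(netstat_text):
        key = (s["proto"], s["port"])
        bucket = "loopback" if s["loopback"] else "reachable" if key in accepts else "blocked"
        report[bucket].setdefault(key, set()).add(s["prog"])
    facing = set(report["reachable"]) | set(report["blocked"])
    report["unused_accepts"] = {k for k in accepts if k not in facing}
    return report


if __name__ == "__main__":
    r = audit(IPTABLES_RULES, NETSTAT_OUTPUT)
    for bucket in ("reachable", "blocked", "loopback"):
        for (proto, port), progs in sorted(r[bucket].items()):
            print(f"{bucket:10} {proto}/{port:<6} {', '.join(sorted(progs))}")
    print("ACCEPT rules with no network-facing listener:", sorted(r["unused_accepts"]))
```

Run against the thread's data it reports only sendmail (25) and httpd (80, 443) as reachable from the LAN; mysqld, webmin (10000), usermin (20000), portmap, rpc.statd, X, apcupsd and the named socket on 192.168.1.101 all fall through to the icmp-host-prohibited REJECT, which is what the original poster is seeing. The udp 137/138 accepts show up as unused only because `-ntlp` lists TCP sockets; rerun the listener half with `netstat -nulp` output before drawing conclusions about UDP.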