On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans tkevans@tkevans.com wrote:
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans tkevans@tkevans.com wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
Wouldn't it be better to run the iptables rules once, then do:
service iptables save
This way, iptables rules would be in place (S08iptables) before network startup.
Thanks, Dale. I'm trying to remember why I did it this way (nearly 10 years ago, when I did this first.) Seems it had to do with not turning on routing until the very end (instead of enabling it in /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the interim (iptables still starts normally). This script overlays its rules, then turns on NAT and routing.
Do the out-of-the-box iptables rules allow all entry to the system?
What's in /etc/sysconfig/iptables?
I understand that the script does more than simply set iptables rules. However, you could set the rules you want, then just turn on NAT and routing in rc.local.
I'm not trying to criticize, just curious.
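The ordering question raised in this thread (S08iptables vs. S10network, with rc.local last) can be checked mechanically. The script below is an added example, not code from either poster: it parses a SysV runlevel listing and confirms that the iptables init script is scheduled before the network script, so that rules saved with "service iptables save" are loaded before any interface comes up. The listing is constructed here; on a real CentOS 6 box you would set RC3_LISTING to the output of "ls /etc/rc.d/rc3.d".

```shell
#!/bin/sh
# Added example (not from the thread): verify that the iptables init script
# starts before the network script in a SysV runlevel directory, so the saved
# rules in /etc/sysconfig/iptables are active before interfaces are brought up.
#
# Constructed listing standing in for `ls /etc/rc.d/rc3.d`. Names follow the
# S<NN><service> convention quoted in the thread (S08iptables, S10network,
# S99local for rc.local).
RC3_LISTING="K01smartd
S08iptables
S10network
S12rsyslog
S55sshd
S99local"

# start_priority NAME: print the two-digit start priority of NAME's S-link,
# or nothing if the service has no S-link in this runlevel.
start_priority() {
    printf '%s\n' "$RC3_LISTING" | sed -n "s/^S\([0-9][0-9]\)$1\$/\1/p"
}

# firewall_before_network: exit 0 only when iptables has an S-link with a
# lower number than network's, i.e. the firewall rules are loaded before the
# interfaces are configured. A missing link for either service is a failure.
firewall_before_network() {
    fw=$(start_priority iptables)
    net=$(start_priority network)
    [ -n "$fw" ] && [ -n "$net" ] && [ "$fw" -lt "$net" ]
}

# rc_local_after_network: exit 0 when rc.local (S99local) runs after network;
# this is the window the thread is concerned about if rules live only there.
rc_local_after_network() {
    net=$(start_priority network)
    local_=$(start_priority local)
    [ -n "$net" ] && [ -n "$local_" ] && [ "$net" -lt "$local_" ]
}

if firewall_before_network; then
    echo "ok: iptables (S$(start_priority iptables)) starts before network (S$(start_priority network))"
else
    echo "warning: iptables rules are not guaranteed to be loaded before the network is up"
fi
if rc_local_after_network; then
    echo "note: rc.local runs after network; rules placed only there leave a startup window"
fi
```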