-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marko A. Jennings
Sent: Thursday, January 03, 2008 7:29 AM
To: centos@centos.org
Subject: Re: [CentOS] Firewall frustration

On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:

Steven Haigh wrote:

On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:

Christopher Chan wrote:

I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything.

Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s).

iptables does not handle routing.

No, but iptables controls what is allowed to route,

I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to if it should be allowed to pass or be filtered.

I have been tested as having a significant language usage problem, and am working on it. 'what is allowed to route' was a poor choice of wording. What you wrote above is much closer to what I wanted to say.

ip src/dest is used for routing decisions by the kernel.

The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simply yank packets right out of the machine with a simple NO (drop).

So in my mind's eye, the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route.

Those little words, "put up the firewall rules as necessary", are equivalent to "and magic happens here."

It's actually not magical at all... Work with the mindset of "I want to allow X, Y, and Z, then deny everything else". This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject.

That is exactly what I tried to do. I just used the wrong bit of pixie dust (during some of the 'heated' IPsec meeting debates one fellow would try to sneak up on a speaker 'that just did not get it' and sprinkle some glitter on them. He had labeled his tube of glitter as 'security pixie dust').
If you are interested in learning how iptables work, I suggest reading this book:
Linux Firewalls, Second Edition by Robert L. Ziegler ISBN 0-7357-1099-6
It covers everything from packet filtering concepts to practical examples.
Marko
Thanks, I was just going to ask....

Dennis
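As an added example (not code from anyone in this thread), here is the setup Christopher and Steven describe written out as a script: forwarding turned on in the kernel, no nat-table rules at all, an explicit allow list in the FORWARD chain, and a DROP policy as the last word. It assumes a constructed topology of eth0 upstream and eth1 facing a 192.168.10.0/24 LAN; the interface names, the LAN prefix and the allowed services are placeholders.

```shell
#!/bin/sh
# Added example: routing firewall without NAT, "allow X, Y, Z, then deny the rest".
# Constructed topology: eth0 = upstream interface, eth1 = LAN 192.168.10.0/24.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

# run: execute a command, or only print it when DRY_RUN=1, so the rule set can
# be reviewed (and the script exercised) without root or an iptables binary.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Routing is a kernel setting, not an iptables rule.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# FORWARD chain = packets passing THROUGH the box. Nothing is NATed, so the
# upstream router must already carry a route back to $LAN_NET.
forward_rules() {
    run iptables -P FORWARD DROP       # default deny; every unmatched packet dies here
    run iptables -F FORWARD

    # Anti-spoofing: nothing may come in from the LAN side with a foreign source.
    run iptables -A FORWARD -i "$INT_IF" ! -s "$LAN_NET" -j DROP

    # Replies for connections already allowed, in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The explicit allow list: LAN hosts may open web and DNS sessions outbound.
    for svc in "tcp 80" "tcp 443" "udp 53"; do
        set -- $svc   # $1 = protocol, $2 = destination port
        run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" \
            -p "$1" --dport "$2" -j ACCEPT
    done

    # Everything else: rate-limited log entry, then it falls through to the DROP policy.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

apply_firewall() {
    enable_forwarding
    forward_rules
}

# Only act when invoked as "sh firewall.sh apply"; otherwise just define the functions.
if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Running it with DRY_RUN=1 prints the eight commands in order so the allow list can be checked before anything touches the kernel.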