Hello all,
first of all I'd like to wish you all happy holidays and a merry belated Christmas.
Secondly, I'm trying to set up a CentOS 5.4 box to act as:
1. firewall # can you check my config below and tell me if I missed anything?
2. DHCP # already configured
3. transparent squid proxy # already configured
4. http (virtual hosts) # in the near future
5. squirrelmail # in the near future
- Relevant info:
Two NICs:
eth0 LAN: with dhcp service: 192.168.57.1 (255.255.255.0) # my LAN users are connected to this interface
eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # my ISP is connected to this interface
I want my firewall to do the following:
1. get my box to be completely secure from outside access, in other words deny all access from the outside world to my box &/or my LAN
2. allow my LAN users to access the internet/box without any restrictions, through a transparent squid installation
I've searched a bit online; I must admit I never used iptables before (I thought of using Firestarter as it's graphical and I'm no iptables guru, not even a novice user, though I've installed my box with no X, hence no graphical applications).
I finally used bits and pieces and came up with the following:
Chain INPUT (policy DROP)
target          prot opt source               destination
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED
In_RULE_0       all  --  anywhere             172.16.2.14
In_RULE_2       udp  --  192.168.57.1         anywhere            udp multiport dports bootpc,bootps state NEW

Chain FORWARD (policy DROP)
target          prot opt source               destination
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target          prot opt source               destination
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Cid1888X3970.0  udp  --  192.168.57.1         anywhere            udp multiport dports bootpc,bootps state NEW
Out_RULE_3      all  --  192.168.57.1         anywhere            state RELATED,ESTABLISHED
Cid1594X3970.0  all  --  192.168.57.1         anywhere            state NEW

Chain Cid1594X3970.0 (1 references)
target          prot opt source               destination
Out_RULE_4      all  --  anywhere             172.16.2.14
Out_RULE_4      all  --  anywhere             192.168.57.1

Chain Cid1888X3970.0 (1 references)
target          prot opt source               destination
Out_RULE_2      all  --  anywhere             172.16.2.14
Out_RULE_2      all  --  anywhere             192.168.57.1

Chain In_RULE_0 (1 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere            LOG level info prefix `RULE 0 -- DENY '
DROP            all  --  anywhere             anywhere

Chain In_RULE_2 (1 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere            LOG level info prefix `RULE 2 -- ACCEPT '
ACCEPT          all  --  anywhere             anywhere

Chain Out_RULE_2 (2 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere            LOG level info prefix `RULE 2 -- ACCEPT '
ACCEPT          all  --  anywhere             anywhere

Chain Out_RULE_3 (1 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere            LOG level info prefix `RULE 3 -- ACCEPT '
ACCEPT          all  --  anywhere             anywhere

Chain Out_RULE_4 (2 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere            LOG level info prefix `RULE 4 -- ACCEPT '
ACCEPT          all  --  anywhere             anywhere
On Fri, 31 Dec 2010, Roland RoLaNd wrote:
I want my firewall to do the following:
I would recommend using shorewall:
As it says, iptables made easy.
-Steve
On Fri, Dec 31, 2010 at 10:19 AM, Roland RoLaNd r_o_l_a_n_d@hotmail.com wrote:
Secondly, I'm trying to set up a CentOS 5.4 box to act as:
- firewall # can you check my config below and tell me if i missed anything?
- DHCP # already configured
- transparent squid proxy # already configured
- http (virtual hosts) # in the near future
- squirrelmail # in the near future
- Relevant info:
Two NICs:
eth0 LAN: with dhcp service: 192.168.57.1 (255.255.255.0) # my LAN users are connected to this interface
eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # my ISP is connected to this interface
I want my firewall to do the following:
- get my box to be completely secure from outside access, in other words deny all access from the outside world to my box &/or my LAN
- allow my LAN users to access the internet/ box without any restrictions, through a transparent squid installation
So you are only allowing http and https transparently through squid? The reason I ask is you only showed the firewall rules, not the nat table. Otherwise you need to set up NAT masquerading to allow other connections out.
Have you thought of virtualizing your firewall with a purpose-built distribution like Vyatta or pfSense? I have taken this approach with my setup. I find it makes updates easy and provides better uptime. I'm running everything on ESXi and have a handful of virtual machines.
- Vyatta Firewall
- CentOS 5.5 Web Server and MySQL
- CentOS 5.5 Zimbra Email
- CentOS 5.5 DHCP and DNS
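The original listing shows only the filter table, and the reply above makes the point that the nat table is what carries both the transparent redirect to squid and the masquerading that lets non-HTTP traffic out. The script below is an added example, not code from the thread, from CentOS or from any firewall tool; it implements the goals the poster stated (nothing new accepted from the WAN, LAN free to reach the box and the Internet, port 80 redirected to squid) using the interface names and addresses from the original post. It assumes squid listens on port 3128 with `transparent` set in squid.conf (the thread does not say which port), and it adds a DRY_RUN switch so the generated iptables commands can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): two-NIC CentOS 5 firewall with
# transparent squid, written as iptables commands rather than a dump of
# iptables -L. Addresses and interfaces are the poster's; SQUID_PORT is
# an assumption (check "http_port ... transparent" in squid.conf).

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.57.0/24
SQUID_PORT=3128   # assumed, not stated in the thread

# run: execute the command, or print it when DRY_RUN=1 (for review/tests).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

apply_firewall() {
    # Start clean, then default-deny for traffic to and through the box.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    # The box originates squid fetches, DNS lookups and yum updates itself,
    # so its own outbound traffic is allowed (the poster had OUTPUT DROP,
    # which would also block squid's upstream connections).
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections we already track.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # DHCP DISCOVER arrives with source 0.0.0.0, so it needs its own rule;
    # the LAN_NET source match below would not cover it.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    # LAN users may reach every service on the box (DNS, squid, future http).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Nothing new from the WAN is accepted. Log (rate-limited) before the
    # INPUT policy drops it, so probes show up in /var/log/messages.
    ipt -A INPUT -i "$WAN_IF" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "WAN DENY: "

    # Routed traffic: LAN -> WAN only. Nothing is ever forwarded WAN -> LAN.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # nat table: this is the part missing from the original listing.
    # 1) Transparent proxy: LAN web requests are redirected to squid on the box.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # 2) Everything else the LAN sends out is masqueraded behind the WAN IP.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # FORWARD and MASQUERADE do nothing unless the kernel routes packets.
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: "sh firewall.sh show" prints the commands, "sh firewall.sh apply"
# loads them (as root). With no argument the functions are only defined.
case "${1:-}" in
    show)  DRY_RUN=1 apply_firewall ;;
    apply) apply_firewall ;;
esac
```

Run `sh firewall.sh show` first and read the output; once loaded, `iptables -t nat -L -n -v` confirms that the REDIRECT and MASQUERADE counters increase when a LAN host browses. Persisting the rules on CentOS 5 is done with `service iptables save`, which writes /etc/sysconfig/iptables.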
On 12/31/2010 10:40 AM, Ryan Wagoner wrote:
On Fri, Dec 31, 2010 at 10:19 AM, Roland RoLaNd r_o_l_a_n_d@hotmail.com wrote:
Secondly, I'm trying to set up a CentOS 5.4 box to act as:
- firewall # can you check my config below and tell me if i missed anything?
- DHCP # already configured
- transparent squid proxy # already configured
- http (virtual hosts) # in the near future
- squirrelmail # in the near future
- Relevant info:
Two NICs:
eth0 LAN: with dhcp service: 192.168.57.1 (255.255.255.0) # my LAN users are connected to this interface
eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # my ISP is connected to this interface
I want my firewall to do the following:
- get my box to be completely secure from outside access, in other words deny all access from the outside world to my box &/or my LAN
- allow my LAN users to access the internet/ box without any restrictions, through a transparent squid installation
So you are only allowing http and https transparently through squid? The reason I ask is you only showed the firewall rules, not the nat table. Otherwise you need to set up NAT masquerading to allow other connections out.
Have you thought of virtualizing your firewall with a purpose-built distribution like Vyatta or pfSense? I have taken this approach with my setup. I find it makes updates easy and provides better uptime. I'm running everything on ESXi and have a handful of virtual machines.
- Vyatta Firewall
- CentOS 5.5 Web Server and MySQL
- CentOS 5.5 Zimbra Email
- CentOS 5.5 DHCP and DNS
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Smoothwall is another option, though not based on CentOS. Very easy to configure. Vyatta is a bit more work to configure.