I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Thanks.
Why not try reconfiguring using /usr/bin/system-config-firewall-tui instead of a manually created configuration.
Mike
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Thanks.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
I once ran a Centos firewall/router. I used Shorewall for the heavy lifting on maintaining the tables properly. I recommend you find such a tool as they tend to get things like below sorted out for you.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Thanks.
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
On 1/4/2013 12:21 PM, Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Use Firewall Builder. It makes things so much easier. And it's free.
steve campbell
----- Original Message -----
| On 1/4/2013 12:21 PM, Tim Evans wrote:
| > On 01/04/2013 12:01 PM, Tim Evans wrote:
| >> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
| >>
| >> Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
| >>
| >> Is there obsolete stuff here, and/or anything missing that would cause this?
| >
| > Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
| >
| Use Firewall Builder. It makes things so much easier. And it's free.
|
| http://www.fwbuilder.org/
|
| steve campbell
Or don't use CentOS at all and try OpenBSD & PF. The syntax is much cleaner and easier to maintain than Netfilter/IPTables and it works pretty darn well. ;)
On Fri, Jan 4, 2013 at 12:31 PM, James A. Peltier jpeltier@sfu.ca wrote:
----- Original Message -----
| On 1/4/2013 12:21 PM, Tim Evans wrote:
| > On 01/04/2013 12:01 PM, Tim Evans wrote:
| >> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
| >>
| >> Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
| >>
| >> Is there obsolete stuff here, and/or anything missing that would cause this?
| >
| > Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
| >
| Use Firewall Builder. It makes things so much easier. And it's free.
|
| http://www.fwbuilder.org/
|
| steve campbell
Or don't use CentOS at all and try OpenBSD & PF. The syntax is much cleaner and easier to maintain than Netfilter/IPTables and it works pretty darn well. ;)
If you want to stick with linux look at Vyatta. I have 5 production installs (3 physical and 3 VMs) and upgrades have been flawless. The config resides in one file and the console has a Juniper style syntax.
Ryan
On 05/01/2013 15:25, Ryan Wagoner wrote:
Or don't use CentOS at all and try OpenBSD & PF. The syntax is much cleaner and easier to maintain than Netfilter/IPTables and it works pretty darn well. ;)
If you want to stick with linux look at Vyatta. I have 5 production installs (3 physical and 3 VMs) and upgrades have been flawless. The config resides in one file and the console has a Juniper style syntax.
In a similar vein, I use pfSense as a firewall (a FreeBSD derivative).
It has many features and web GUI configuration. Seems to really do the trick for me.
I tend to only use the iptables firewall in CentOS for host-based firewalling (basically I only edit the INPUT table); for multi-homed dedicated firewalls (i.e. using the FORWARD'ing table) something like pfSense really does it nicely.
On Fri, 4 Jan 2013, Steve Campbell wrote:
On 1/4/2013 12:21 PM, Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Use Firewall Builder. It makes things so much easier. And it's free.
+1000 for fwbuilder.
Raw iptables commands are not only error prone but will make your brain hurt.
Regards,
On 01/05/2013 10:13 AM, me@tdiehl.org wrote:
On Fri, 4 Jan 2013, Steve Campbell wrote:
On 1/4/2013 12:21 PM, Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Use Firewall Builder. It makes things so much easier. And it's free.
+1000 for fwbuilder.
Raw iptables commands are not only error prone but will make your brain hurt.
As the original poster, I welcome these suggestions, but point out my ruleset was already written and working. Last I looked (a long time ago, I admit), fwbuilder could not import an existing set of rules and turn it into the necessary fwbuilder abstractions, which meant I'd have to re-invent the working wheel, just to get it into fwbuilder.
On Sat, 5 Jan 2013, Tim Evans wrote:
On 01/05/2013 10:13 AM, me@tdiehl.org wrote:
On Fri, 4 Jan 2013, Steve Campbell wrote:
On 1/4/2013 12:21 PM, Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Use Firewall Builder. It makes things so much easier. And it's free.
+1000 for fwbuilder.
Raw iptables commands are not only error prone but will make your brain hurt.
As the original poster, I welcome these suggestions, but point out my ruleset was already written and working. Last I looked (a long time ago, I admit), fwbuilder could not import an existing set of rules and turn it into the necessary fwbuilder abstractions, which meant I'd have to re-invent the working wheel, just to get it into fwbuilder.
That is no longer true. fwb has a tool to import existing rules although I have never used it.
Regards,
fwbuilder+quagga is a great choice.
------------
Banyan He
Blog: http://www.rootong.com
Email: banyan@rootong.com
On 1/5/2013 11:13 PM, me@tdiehl.org wrote:
On Fri, 4 Jan 2013, Steve Campbell wrote:
On 1/4/2013 12:21 PM, Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Use Firewall Builder. It makes things so much easier. And it's free.
+1000 for fwbuilder.
Raw iptables commands are not only error prone but will make your brain hurt.
Regards,
Tim Evans wrote:
On 01/04/2013 12:01 PM, Tim Evans wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
Glad you found that. As a followup, though, when I was running a RH system as a firewall router, I ran Bastille Linux on it first, and to the best of my knowledge, never had an intrusion on my home network in about 10 years.
But then, I *also* had almost *nothing* on it: no xorg, no compilers....
mark
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans tkevans@tkevans.com wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
Wouldn't it be better to run the iptables rules once, then do: service iptables save. This way, iptables rules would be in place (S08iptables) before network startup.
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans tkevans@tkevans.com wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
Wouldn't it be better to run the iptables rules once, then do: service iptables save. This way, iptables rules would be in place (S08iptables) before network startup.
Thanks, Dale. I'm trying to remember why I did it this way (nearly 10 years ago, when I did this first). Seems it had to do with not turning on routing until the very end (instead of enabling it in /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the interim (iptables still starts normally). This script overlays its rules, then turns on NAT and routing.
On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans tkevans@tkevans.com wrote:
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans tkevans@tkevans.com wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
Wouldn't it be better to run the iptables rules once, then do: service iptables save. This way, iptables rules would be in place (S08iptables) before network startup.
Thanks, Dale. I'm trying to remember why I did it this way (nearly 10 years ago, when I did this first). Seems it had to do with not turning on routing until the very end (instead of enabling it in /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the interim (iptables still starts normally). This script overlays its rules, then turns on NAT and routing.
Do the out-of-the-box iptables rules allow all entry to the system?
What's in /etc/sysconfig/iptables ?
I understand that the script does more than simply set iptables rules. However, you could set the rules you want, then just turn on NAT and routing in rc.local.
I'm not trying to criticize, just curious.
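The layout Dale is arguing for in the two messages above (rules loaded by the iptables init script at S08, before S10network; rc.local left to do nothing but enable routing and NAT) can be sketched as a small shell script. This is an added example, not the original poster's script nor anything from the thread: the interface names, the LAN prefix and the rc directory it inspects are constructed placeholders. build_ruleset emits an iptables-restore style file of the kind that "service iptables save" writes to /etc/sysconfig/iptables, rc_local_tail is the only thing left for rc.local, and boot_order_ok checks a SysV rc directory for the ordering Dale describes.

```shell
#!/bin/sh
# Added example (not from the thread): restrictive rules are meant to be
# loaded by the iptables init script (S08) before the network comes up
# (S10); rc.local only turns forwarding on afterwards, so there is no
# window where interfaces are up and unfiltered.
# Interface names and LAN prefix are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit an iptables-restore ruleset suitable for /etc/sysconfig/iptables.
# Default policies are DROP on INPUT and FORWARD; only loopback, reply
# traffic, ICMP, SSH from the LAN and LAN-originated forwarding pass.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# What remains for rc.local once the rules are loaded at S08: turning
# routing on. Nothing here flushes or rewrites the filter table.
rc_local_tail() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Check a SysV rc directory (e.g. /etc/rc.d/rc3.d): the iptables start
# link must carry a lower sequence number than the network start link.
# Returns 0 when the order is safe, 1 when it is not or a link is missing.
boot_order_ok() {
    dir="$1"
    fw=""
    net=""
    for f in "$dir"/S[0-9][0-9]iptables; do
        [ -e "$f" ] && fw=$(basename "$f") && break
    done
    for f in "$dir"/S[0-9][0-9]network; do
        [ -e "$f" ] && net=$(basename "$f") && break
    done
    [ -n "$fw" ] && [ -n "$net" ] || return 1
    fwn=${fw#S}; fwn=${fwn%iptables}
    netn=${net#S}; netn=${netn%network}
    [ "$fwn" -lt "$netn" ]
}

# Stand-alone usage: print the ruleset, the rc.local line, and the
# ordering verdict for this host's rc3.d (if it exists).
if [ "${1:-}" = "--show" ]; then
    build_ruleset
    rc_local_tail
    if boot_order_ok /etc/rc.d/rc3.d; then
        echo "rc3.d: iptables starts before network (ok)"
    else
        echo "rc3.d: iptables does NOT start before network, or links missing"
    fi
fi
```

On the CentOS 6 box the ruleset would be loaded with "iptables-restore" once and persisted with "service iptables save", after which rc.local holds only the forwarding line; boot_order_ok is the quick check that S08iptables really does sort before S10network on the installed system.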
On 01/04/2013 04:11 PM, Dale Dellutri wrote:
On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans tkevans@tkevans.com wrote:
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans tkevans@tkevans.com wrote:
I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.
Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.
Is there obsolete stuff here, and/or anything missing that would cause this?
You found the error, but I have a question about running this in rc.local.
Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
Wouldn't it be better to run the iptables rules once, then do: service iptables save. This way, iptables rules would be in place (S08iptables) before network startup.
Thanks, Dale. I'm trying to remember why I did it this way (nearly 10 years ago, when I did this first). Seems it had to do with not turning on routing until the very end (instead of enabling it in /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the interim (iptables still starts normally). This script overlays its rules, then turns on NAT and routing.
Do the out-of-the-box iptables rules allow all entry to the system?
What's in /etc/sysconfig/iptables ?
I understand that the script does more than simply set iptables rules. However, you could set the rules you want, then just turn on NAT and routing in rc.local.
I'm not trying to criticize, just curious.
Thanks, again, Dale. I'm curious, too, now, and will try to find any documentation I did back in '05 when I did this.