You don't need to have Comcast route all traffic to that IP. You just need to put two NICs in the server and place it between Comcast and your servers. Then using iptables you can configure CentOS to deny / allow traffic to IPs on specific ports. I know this is a CentOS list, but if you want something with a webGUI have a look at pfSense. I use this in front of my CentOS servers.

Ryan

On Thu, Oct 1, 2009 at 4:56 PM, ML mailinglists@mailnewsrss.com wrote:

Hi All,

I have a home business circuit and I am gearing up to host my business affairs in my place. I have Comcast and 13 static IP's.

I have an extra PIII 1U, 2 9gb SCSI, 1gb RAMm dual NICS.

So I am wanting to build a firewall to front end my traffic. Assign one of my statics to it and have Comcast statically route my traffic to this IP. Then when traffic comes have it decide if it is allowed or not and if allowed pass it to the right server based upon the rules.

I used to work with PIX 525's so I have knowledge, I just dont quite know how to do this with CentOS and such.

Can anyone offer advice?

Best, -Jason _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

ML wrote:

Can anyone offer advice?

pfSense.

can even boot it off a CD and use a USB flash stick for configuration storage so you don't need a hard drive. or boot it off a 128MB CF card. doesn't need a display after initial setup (actually, can even be configured with a serial terminal in a truly embeded configuration). once its up and running, its configured via web browser.

On 1 Oct 2009, at 21:56, ML wrote:

So I am wanting to build a firewall to front end my traffic. Assign one of my statics to it and have Comcast statically route my traffic to this IP.

You don't need to do this. You can run all the IPs on the firewall box, and route them to machines on a private subnet behind the firewall.

Can anyone offer advice?

I've had good results doing what you describe - but it's fairly slow to get it up and running and the process is very detail oriented, and you end up having to do quite a bit of spadework to get a config that is as hardened and reliable as a commercial firewall product. There are some reasonable graphical tools that can help you. The one I've used is fwbuilder (http://www.fwbuilder.org/).

I've also looked at Vyatta, and heard good things about pfsense.

S.

ML wrote:

I used to work with PIX 525's so I have knowledge, I just dont quite know how to do this with CentOS and such.

Firewall Builder.

http://www.fwbuilder.org/

But if you've configured the PIX in command-line mode, iptables is not that hard. You could setup a local firewall right on your webserver and it's going to be rock-solid. It's not an "enterprise" type of setup, but for a small installation I see no problem whatsoever with it. Trust iptables, it's a very good firewall. I use it all the time, even for purposes that firewalls are normally not intended to serve. :-)

http://www.netfilter.org/documentation/index.html#documentation-howto

There's a lot of info there, but you don't need everything. This is the 10% info that you will use 90% of the time: - the main tables (filter, nat), what can they do - the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) - the main targets (ACCEPT, DROP, REJECT) - user-defined chains and how to insert them into the built-ins.

Also, hardcopy this diagram and put it on the wall, it will make things very clear for you:

http://developer.gauner.org/doc/iptables/images/nfk-traversal.png

For a former PIXer, the learning curve should be peachy. By the way, netfilter/iptables is a lot more expressive and flexible than PIX. You'll be amazed by what you can do with it.

"man iptables" also helps.

Go ahead, do "service iptables stop" to clean everything up, then apply some rules of your own. Do "service iptables save" to save them. "service iptables restart" to restart from the saved version (if you mess up the running one). All rules are saved in /etc/sysconfig/iptables (you may want to backup the original version before you start messing with the firewall).

Other commands:

See current running state: iptables [-t nat] -L -n [-v] # I do recommend using -v often or service iptables status

See current saved state: less /etc/sysconfig/iptables

Flush and delete everything, fall back to a "permit all" firewall: iptables [-t nat] -F; iptables [-t nat] -X or service iptables stop

See if the iptables service is enabled: chkconfig --list iptables

Tip: if the FORWARD chain doesn't seem to work, check net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.

That's it, you're good to go.