[CentOS] Firewall frustration

Thu Jan 3 17:28:09 UTC 2008
Dennis McLeod <dmcleod at foranyauto.com>

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Marko A. Jennings
> Sent: Thursday, January 03, 2008 7:29 AM
> To: centos at centos.org
> Subject: Re: [CentOS] Firewall frustration
> 
> On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
> > Steven Haigh wrote:
> >> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
> >>> Christopher Chan wrote:
> >>>>
> >>>>> I spent much of the past 24 hours trying to find out how to set up
> >>>>> iptables for firewall routing WITHOUT NATing. Could not find
> >>>>> anything.
> >>>>>
> >>>>
> >>>> Eh? You just need to enable ip forwarding to enable routing. After
> >>>> that, it is put up the firewall rules as is necessary, build the
> >>>> appropriate routing tables on the firewall box and the boxes on the
> >>>> intranet(s).
> >>>>
> >>>> iptables does not handle routing.
> >>> No, but iptables controls what is allowed to route,
> >>
> >> I think this is where you are getting confused and causing yourself
> >> issues. iptables has ZERO effect on what is allowed to route. It is a
> >> simple YES or NO as to if it should be allowed to pass or be filtered.
> > I have been tested as having a significant language usage problem, and
> > am working on it. 'what is allowed to route', was a poor choice of
> > wording. What you wrote above is much closer to what I wanted to say.
> >
> > ip src/dest is used for routing decisions by the kernel. The IP state
> > machine (check the RFC or any decent TCP/IP textbook) is really quite
> > simple. But iptables sticks its nose into the center of that state
> > machine and can mangle addresses to change how packets flow through
> > the machine, or just simply yank packets right out of the machine
> > with a simple NO (drop).
> >
> > So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
> > death on state machines; turn in a perfectly executing assignment
> > without one and there went half your grade. See HIP for its state
> > machine) is dictated by iptables as to what it is allowed to route.
> >>
> >>> Those little words, "put up the firewall rules as necessary" are 
> >>> equivalent to "and magic happens here."
> >>
> >> It's actually not magical at all... Work with the mindset 
> of "I want 
> >> to allow X, Y, and Z, then deny everything else". This translates 
> >> easily into iptables rules -j ACCEPT and then your last rule (or
> >> policy) should be a deny/drop/reject.
> > That is exactly what I tried to do. I just used the wrong bit of pixie
> > dust (during some of the 'heated' IPsec meeting debates one fellow
> > would try to sneak up a speaker 'that just did not get it' and
> > sprinkle some glitter on them. He had labeled his tube of glitter as
> > 'security pixie dust').
> 
> If you are interested in learning how iptables work, I suggest reading
> this book:
> 
> Linux Firewalls, Second Edition
> by Robert L. Ziegler
> ISBN 0-7357-1099-6
> 
> It covers everything from packet filtering concepts to practical examples.
> 
> Marko
Thanks, I was just going to ask....
Dennis
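Putting the thread's advice into a concrete script, as an added example that is not part of any of the original messages: Christopher Chan's point that routing is switched on with ip forwarding, not iptables, and Steven Haigh's "allow X, Y and Z, then deny everything else" pattern for the FORWARD chain, with no NAT anywhere. The interface names, LAN subnet and port list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful forwarding firewall
# with no NAT, emitted in iptables-restore format. The interface names,
# subnet and port list are assumptions; change them for your own network.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ALLOW_TCP="${ALLOW_TCP:-80 443}"   # LAN -> WAN TCP destination ports to permit

rule() { printf '%s\n' "$*"; }     # one iptables-restore line per call

# Build the ruleset. The FORWARD chain policy is DROP, so only traffic
# matched by an explicit ACCEPT is routed: "allow X, Y, Z, deny the rest".
# (INPUT, the box's own services, is a separate concern and left open here.)
forward_ruleset() {
    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Anti-spoofing: a packet arriving from the WAN must not claim a LAN source.
    rule -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Return traffic for connections the firewall has already accepted.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound connections from the LAN to the permitted services only.
    for port in $ALLOW_TCP; do
        rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    rule 'COMMIT'
}

# Routing itself is the kernel's job: forwarding is switched on with sysctl
# (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots),
# and the rules are then loaded atomically with iptables-restore. Root only.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    forward_ruleset | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    forward_ruleset          # dry run: print the ruleset that would be loaded
fi
```

Run it without arguments to review the generated ruleset; run it as root with `--apply` to load it.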