[CentOS] Firewall frustration

Thu Jan 3 13:18:36 UTC 2008
Robert Moskowitz <rgm at htt-consult.com>

Steven Haigh wrote:
> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
>> Christopher Chan wrote:
>>>
>>>> I spent much of the past 24 hours trying to find out how to set up 
>>>> iptables for firewall routing WITHOUT NATing. Could not find anything.
>>>>
>>>
>>> Eh? You just need to enable ip forwarding to enable routing. After 
>>> that, it is put up the firewall rules as is necessary, build the 
>>> appropriate routing tables on the firewall box and the boxes on the 
>>> intranet(s).
>>>
>>> iptables does not handle routing.
>> No, but iptables controls what is allowed to route,
>
> I think this is where you are getting confused and causing yourself 
> issues. iptables has ZERO effect on what is allowed to route. It is a 
> simple YES or NO as to if it should be allowed to pass or be filtered.
I have been tested as having a significant language usage problem, and 
am working on it. 'what is allowed to route', was a poor choice of 
wording. What you wrote above is much closer to what I wanted to say.

ip src/dest is used for routing decisions by the kernel. The IP state 
machine (check the RFC or any decent TCP/IP textbook) is really quite 
simple. But iptables sticks its nose into the center of that state 
machine and can mangle addresses to change how packets flow through the 
machine, or just simply yank packets right out of the machine with a
simple NO (drop).

So in my mind's eye the IP state machine (my MSU CPS 410 prof was 
death on state machines; turn in a perfectly executing assignment 
without one and there went half your grade. See HIP for its state 
machine) is dictated by iptables as to what it is allowed to route.
>
>> Those little words, "put up the firewall rules as necessary" are 
>> equivalent to "and magic happens here."
>
> It's actually not magical at all... Work with the mindset of "I want 
> to allow X, Y, and Z, then deny everything else". This translates 
> easily into iptables rules -j ACCEPT and then your last rule (or 
> policy) should be a deny/drop/reject.
That is exactly what I tried to do. I just used the wrong bit of pixie 
dust (during some of the 'heated' IPsec meeting debates one fellow would 
try to sneak up a speaker 'that just did not get it' and sprinkle some 
glitter on them. He had labeled his tube of glitter as 'security pixie 
dust').
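
The "allow X, Y and Z, then deny everything else" approach for a routing-only box, written out as an added example that is not from the thread or from any of the posters. It enables forwarding in the kernel, puts a default DROP policy on the FORWARD chain and adds explicit accepts, and never touches the nat table. The interface names (eth0/eth1), the intranet prefix and the port list are assumptions for illustration; `-m state` is the match name of that era's iptables (newer kernels also accept `-m conntrack --ctstate`). The function prints the commands rather than running them, so the rule set can be reviewed before it is piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): a forwarding firewall
# WITHOUT NAT. All names below are assumptions for illustration.
WAN=${WAN:-eth0}                       # assumed: uplink interface
LAN=${LAN:-eth1}                       # assumed: intranet interface
LAN_NET=${LAN_NET:-192.168.10.0/24}    # assumed: intranet prefix, routed upstream as-is
IPT=${IPT:-iptables}

# Print the rule set so it can be reviewed first:
#   fw_rules          -> review
#   fw_rules | sh     -> apply (as root)
fw_rules() {
    # 1. Routing itself is a kernel switch, not an iptables rule.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Start clean in the filter table; the nat table is never referenced.
    echo "$IPT -F FORWARD"
    # 3. Default deny for everything the box forwards; below are explicit allows.
    echo "$IPT -P FORWARD DROP"
    # 4. Anti-spoofing: the intranet prefix must never arrive on the uplink.
    echo "$IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP"
    # 5. Replies to connections the intranet opened (stateful match).
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 6. The "X, Y and Z": new outbound TCP to 22/80/443 and DNS over UDP.
    for port in 22 80 443; do
        echo "$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # 7. Log (rate-limited) whatever falls through to the DROP policy,
    #    so the "magic" is visible in /var/log/messages while debugging.
    echo "$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"
}

# Sanity check used before applying: true if any rule touches the nat table.
fw_has_nat() {
    fw_rules | grep -q -- '-t nat'
}
```

Run `fw_rules` first and read it; every rule is in the filter table, and the only state change outside iptables is `ip_forward=1`. Hosts on both sides still need routes that point at this box, which iptables does not provide.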