[CentOS] Build a Firewall (Can I learn to do this...)
florin at andrei.myip.org
Thu Oct 1 23:27:31 UTC 2009
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.
But if you've configured the PIX in command-line mode, iptables is not
that hard. You could set up a local firewall right on your webserver and
it's going to be rock-solid. It's not an "enterprise" type of setup, but
for a small installation I see no problem whatsoever with it. Trust
iptables, it's a very good firewall. I use it all the time, even for
purposes that firewalls are normally not intended to serve. :-)
There's a lot of info there, but you don't need everything. This is the
10% info that you will use 90% of the time:
- the main tables (filter, nat), what they can do
- the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING)
- the main targets (ACCEPT, DROP, REJECT)
- user-defined chains and how to insert them into the built-ins.
Also, make a hardcopy of this diagram and put it on the wall; it will make
things very clear for you:
For a former PIXer, the learning curve should be peachy. By the way,
netfilter/iptables is a lot more expressive and flexible than PIX.
You'll be amazed by what you can do with it.
"man iptables" also helps.
Go ahead, do "service iptables stop" to clean everything up, then apply
some rules of your own. Do "service iptables save" to save them.
"service iptables restart" to restart from the saved version (if you
mess up the running one). All rules are saved in /etc/sysconfig/iptables
(you may want to back up the original version before you start messing
with the firewall).
See current running state:
iptables [-t nat] -L -n [-v] # I do recommend using -v often
service iptables status
See current saved state:
cat /etc/sysconfig/iptables
Flush and delete everything, fall back to a "permit all" firewall:
iptables [-t nat] -F; iptables [-t nat] -X   # -F flushes the rules, -X deletes user-defined chains
service iptables stop
See if the iptables service is enabled:
chkconfig --list iptables
Tip: if the FORWARD chain doesn't seem to work, check
net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.
That's it, you're good to go.
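As an added example (not part of the original post), here is the "10%" from the list above put together into one small host firewall for a web server: filter table, built-in chains with a default-deny INPUT policy, ACCEPT/DROP/REJECT targets, and a user-defined chain inserted into INPUT. It is written in iptables-restore format, which is the same format "service iptables save" writes to /etc/sysconfig/iptables. The assumptions are mine, not the poster's: the host serves HTTP and HTTPS only, SSH administration comes from 192.0.2.0/24 (a documentation range; change it to yours), and the box does no routing, so the nat table is left alone. The second function is the ip_forward check from the FORWARD tip.

```sh
#!/bin/sh
# Added example (not from the original post): a minimal host firewall for a
# CentOS web server, emitted in iptables-restore format, which is what
# "service iptables save" writes to /etc/sysconfig/iptables.
# Assumptions not stated in the post: the host serves HTTP/HTTPS only, SSH
# administration comes from 192.0.2.0/24 (a documentation range; change it),
# and the box does no routing, so the nat table is left alone.

# Print a complete filter-table ruleset. $1 = source network allowed to SSH.
build_ruleset() {
    admin_net="${1:-192.0.2.0/24}"
    cat <<EOF
*filter
# Built-in chains: default-deny inbound, allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain holding the services this host offers.
:SERVICES - [0:0]
# Loopback and replies to connections this host opened go first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Answer pings, but not faster than 5 per second.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Insert the user-defined chain into INPUT: new connections are checked there.
-A INPUT -m state --state NEW -j SERVICES
# Anything SERVICES returned without accepting is rejected visibly for TCP/UDP;
# everything else meets the DROP policy.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# SERVICES: web to the world, SSH only from the admin network.
-A SERVICES -p tcp --dport 80 -j ACCEPT
-A SERVICES -p tcp --dport 443 -j ACCEPT
-A SERVICES -p tcp -s ${admin_net} --dport 22 -j ACCEPT
-A SERVICES -j RETURN
COMMIT
EOF
}

# Return 0 when net.ipv4.ip_forward is set to 1 in a sysctl.conf-style file
# ($1, default /etc/sysctl.conf). Rules in FORWARD do nothing until it is 1.
forward_enabled() {
    conf="${1:-/etc/sysctl.conf}"
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"
}

# Usage as root, after backing up /etc/sysconfig/iptables:
#   sh fw.sh --print > /tmp/fw.rules
#   iptables-restore < /tmp/fw.rules   # loads into the running kernel
#   service iptables save              # persists to /etc/sysconfig/iptables
case "${1:-}" in
    --print) build_ruleset "${2:-}" ;;
esac
```

Review the output with "iptables -L -n -v" afterwards: the counters on the SERVICES chain tell you quickly whether new connections are actually reaching it. If you later add FORWARD rules and they never match, run the forward_enabled check against /etc/sysctl.conf before touching the rules again.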