[CentOS] Build a Firewall (Can I learn to do this...)

Thu Oct 1 23:27:31 UTC 2009
Florin Andrei <florin at andrei.myip.org>

ML wrote:
> 
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.

Firewall Builder.

http://www.fwbuilder.org/

But if you've configured the PIX in command-line mode, iptables is not 
that hard. You could set up a local firewall right on your webserver and 
it's going to be rock-solid. It's not an "enterprise" type of setup, but 
for a small installation I see no problem whatsoever with it. Trust 
iptables, it's a very good firewall. I use it all the time, even for 
purposes that firewalls are normally not intended to serve. :-)

http://www.netfilter.org/documentation/index.html#documentation-howto

There's a lot of info there, but you don't need everything. This is the 
10% info that you will use 90% of the time:
- the main tables (filter, nat), what can they do
- the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING)
- the main targets (ACCEPT, DROP, REJECT)
- user-defined chains and how to insert them into the built-ins.

Also, hardcopy this diagram and put it on the wall, it will make things 
very clear for you:

http://developer.gauner.org/doc/iptables/images/nfk-traversal.png

For a former PIXer, the learning curve should be peachy. By the way, 
netfilter/iptables is a lot more expressive and flexible than PIX. 
You'll be amazed by what you can do with it.

"man iptables" also helps.

Go ahead, do "service iptables stop" to clean everything up, then apply 
some rules of your own. Do "service iptables save" to save them. 
"service iptables restart" to restart from the saved version (if you 
mess up the running one). All rules are saved in /etc/sysconfig/iptables 
(you may want to backup the original version before you start messing 
with the firewall).

Other commands:

See current running state:
iptables [-t nat] -L -n [-v]	# I do recommend using -v often
or
service iptables status

See current saved state:
less /etc/sysconfig/iptables

Flush and delete everything, fall back to a "permit all" firewall:
iptables [-t nat] -F; iptables [-t nat] -X
or
service iptables stop

See if the iptables service is enabled:
chkconfig --list iptables

Tip: if the FORWARD chain doesn't seem to work, check 
net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.

That's it, you're good to go.

-- 
Florin Andrei

http://florin.myip.org/
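As an added illustration (not part of Florin's post, and not a CentOS or netfilter project script), here is a small POSIX shell script that generates the kind of local web-server ruleset the post describes, in the iptables-save format that /etc/sysconfig/iptables holds: a default-DROP INPUT policy, a user-defined chain (WEB-IN) inserted into the INPUT built-in, and the stop/apply/save workflow wrapped in a function. The chain name, the port list, the admin network 192.0.2.0/24 and the function names are assumptions made for the example; the generator runs without root, while install_rules only makes sense as root on a CentOS host.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a small public web server.
# $1 = space-separated TCP ports to open to everyone (e.g. "80 443")
# $2 = CIDR allowed to reach SSH (constructed example: 192.0.2.0/24)
gen_webserver_rules() {
    ports="$1"
    admin_net="$2"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j WEB-IN
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
    # User-defined chain: SSH only from the admin network, web ports from anywhere.
    echo "-A WEB-IN -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT"
    for p in $ports; do
        echo "-A WEB-IN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Count how many ACCEPT rules the generated WEB-IN chain would carry;
# handy as a sanity check before loading a ruleset on a remote box.
count_webin_rules() {
    gen_webserver_rules "$1" "$2" | grep -c '^-A WEB-IN'
}

# Mirrors the workflow in the post (run as root on CentOS): back up the
# saved rules, load the new set, then persist it with "service iptables save".
install_rules() {
    if [ -f /etc/sysconfig/iptables ]; then
        cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
    fi
    gen_webserver_rules "$1" "$2" | iptables-restore && service iptables save
}

# Stand-alone run: print the ruleset instead of loading it.
gen_webserver_rules "80 443" "192.0.2.0/24"
```

Review the printed ruleset with the traversal diagram beside you before calling install_rules; because INPUT's policy is DROP and the ESTABLISHED rule comes first, an SSH session that is already open survives the reload, but a typo in the admin network would lock out new logins.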