[CentOS] centos as a firewall help

Fri Dec 31 15:19:15 UTC 2010
Roland RoLaNd <r_o_l_a_n_d at hotmail.com>

Hello all,

first of all i'd like to wish you all happy holidays, and a merry belated christmas.

Secondly, i'm trying to setup  a centos 5.4 to act as:

1. firewall # can you check my config below and tell me if i missed anything?
2. DHCP # already configured
3. transparent squid proxy #  already configured
4. http (virtual hosts) # in the near future
5. squirrelmail # in the near future

- Relevant info:

Two NICs:

eth0 LAN: with dhcp service: 192.168.57.1(255.255.255.0) # my lan users are connected to this interface
eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # My isp is connected to this interface

I want my firewall to do the following:

1. get my box to be completely secure from outside access, in other words deny all access from the outside world to my box &/or my LAN
2. allow my LAN users to access the internet/ box without any restrictions, through a transparent squid installation 

i've searched a bit online, i must admit i never used iptables before (i thought of using firestarter as it's graphical and am no iptables guru, not even a novice user though i've installed my box with no X  hence no graphical applications)

i finally used bits an pieces and came up with the following:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
In_RULE_0  all  --  anywhere             172.16.2.14         
In_RULE_2  udp  --  192.168.57.1         anywhere            udp multiport dports bootpc,bootps state NEW 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
Cid1888X3970.0  udp  --  192.168.57.1         anywhere            udp multiport dports bootpc,bootps state NEW 
Out_RULE_3  all  --  192.168.57.1         anywhere            state RELATED,ESTABLISHED 
Cid1594X3970.0  all  --  192.168.57.1         anywhere            state NEW 

Chain Cid1594X3970.0 (1 references)
target     prot opt source               destination         
Out_RULE_4  all  --  anywhere             172.16.2.14         
Out_RULE_4  all  --  anywhere             192.168.57.1        

Chain Cid1888X3970.0 (1 references)
target     prot opt source               destination         
Out_RULE_2  all  --  anywhere             172.16.2.14         
Out_RULE_2  all  --  anywhere             192.168.57.1        

Chain In_RULE_0 (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 0 -- DENY ' 
DROP       all  --  anywhere             anywhere            

Chain In_RULE_2 (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 2 -- ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere            

Chain Out_RULE_2 (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 2 -- ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere            

Chain Out_RULE_3 (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 3 -- ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere            

Chain Out_RULE_4 (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 4 -- ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere