[CentOS] DNS or firewall problem

Wed Jul 7 01:38:10 UTC 2010
Thomas Dukes <tdukes at sc.rr.com>

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Christopher Chan
> Sent: Tuesday, July 06, 2010 9:13 PM
> To: centos at centos.org
> Subject: Re: [CentOS] DNS or firewall problem
> 
> 
> > # Firewall configuration written by system-config-securitylevel
> > # Manual customization of this file is not recommended.
> 
> ugh...fwbuilder crap...oh well.
> 
> 
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j RH-Firewall-1-INPUT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> 
> Seriously? Them two are redundant since you already accept 
> everything on lo.

I didn't do that.  :-)


> 
> > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> 
> Hmm...you do not appear to have a blanket accept for your 
> internal interface. What services are supposed to be open to 
> the internal lan?

Really just interested in web, ftp and maybe samba.

> 
> 
> >
> >
> >> 'netstat -ntlp'
> >
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address               Foreign Address
> > State       PID/Program name
> > tcp        0      0 0.0.0.0:20000               0.0.0.0:*
> > LISTEN      3580/perl
> > tcp        0      0 127.0.0.1:2208              0.0.0.0:*
> > LISTEN      2960/hpiod
> > tcp        0      0 0.0.0.0:3306                0.0.0.0:*
> > LISTEN      3138/mysqld
> > tcp        0      0 127.0.0.1:3310              0.0.0.0:*
> > LISTEN      3049/clamd
> > tcp        0      0 0.0.0.0:111                 0.0.0.0:*
> > LISTEN      2667/portmap
> > tcp        0      0 0.0.0.0:6000                0.0.0.0:*
> > LISTEN      3958/X
> > tcp        0      0 0.0.0.0:10000               0.0.0.0:*
> > LISTEN      3588/perl
> > tcp        0      0 192.168.1.101:53            0.0.0.0:*
> > LISTEN      2639/named
> > tcp        0      0 127.0.0.1:53                0.0.0.0:*
> > LISTEN      2639/named
> > tcp        0      0 127.0.0.1:631               0.0.0.0:*
> > LISTEN      2980/cupsd
> > tcp        0      0 0.0.0.0:25                  0.0.0.0:*
> > LISTEN      3218/sendmail: acce
> > tcp        0      0 127.0.0.1:953               0.0.0.0:*
> > LISTEN      2639/named
> > tcp        0      0 0.0.0.0:766                 0.0.0.0:*
> > LISTEN      2704/rpc.statd
> > tcp        0      0 0.0.0.0:3551                0.0.0.0:*
> > LISTEN      3032/apcupsd
> > tcp        0      0 127.0.0.1:2207              0.0.0.0:*
> > LISTEN      2965/python
> > tcp        0      0 :::80                       :::*
> > LISTEN      5464/httpd
> > tcp        0      0 :::6000                     :::*
> > LISTEN      3958/X
> > tcp        0      0 ::1:953                     :::*
> > LISTEN      2639/named
> > tcp        0      0 :::443                      :::*
> > LISTEN      5464/httpd
> >
> > Not sure what all this means. Hope someone can.
> >
> 
> You should be able to connect to the web service from the internal lan 
> using the internal ip and also to the smtp service. But I guess your web 
> service is probably apache doing proxy work unless you have a different 
> meaning to 'internal boxes can access the internet'...
> 
> What services were internal boxes supposed to be able to access again? 
> webmin? mysql? dns?

Not really relying on my server for dns for the local machines, just for
local services, ftp, webmin, local web. I'm not on a commercial account with
my isp so 'external' mail is not an issue.

I have most services turned off but can activate them, remotely, from
webmin if I need ssh or ftp.

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
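A small audit that pairs the quoted RH-Firewall-1-INPUT rules with the quoted 'netstat -ntlp' output, written as an added example for this thread (not code from any list poster): it reports which listening TCP services the chain lets new connections reach, which are bound to a routable address but rejected by the final REJECT, and which only listen on loopback. The sample input is a constructed subset of the lines quoted above; UDP services and interface-specific rules are out of scope.

```python
import re

# Constructed sample input: TCP rules from the quoted ruleset and a subset of
# the quoted 'netstat -ntlp' lines (whitespace runs shortened).
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3138/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2667/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 3588/perl
tcp 0 0 192.168.1.101:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2639/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 3218/sendmail
tcp 0 0 :::80 :::* LISTEN 5464/httpd
"""

# A TCP rule that accepts a destination port regardless of interface.
TCP_ACCEPT = re.compile(r"-p tcp .*--dport (\d+) -j ACCEPT")


def accepted_tcp_ports(rules: str) -> set[int]:
    """Destination ports the chain accepts for TCP from any interface."""
    return {int(m.group(1)) for m in map(TCP_ACCEPT.search, rules.splitlines()) if m}


def listeners(netstat: str):
    """Yield (bind_addr, port, program) for each TCP LISTEN line of netstat -ntlp."""
    for line in netstat.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] not in ("tcp", "tcp6") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")  # rpartition copes with ':::80'
        yield addr, int(port), f[6].split("/", 1)[1]


def classify(rules: str, netstat: str) -> dict[str, list[str]]:
    """Bucket listeners: open (accepted), filtered (rejected), loopback (never hits chain)."""
    allowed = accepted_tcp_ports(rules)
    out: dict[str, list[str]] = {"open": [], "filtered": [], "loopback": []}
    for addr, port, prog in listeners(netstat):
        bucket = ("loopback" if addr in ("127.0.0.1", "::1")
                  else "open" if port in allowed else "filtered")
        out[bucket].append(f"{prog}:{port}")
    return out
```

On the quoted output this shows mysqld, portmap, webmin (perl:10000) and named on the LAN address bound to routable addresses but blocked by the chain, which is the gap Christopher points at when he asks what the internal LAN is supposed to reach.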