[CentOS] 2 questions on CentOS firewall

Tue Jul 19 14:55:30 UTC 2011
Robert Spangler <mlists at zoominternet.net>

On Tuesday 19 July 2011 09:11, the following was written:

>  Timothy Murphy wrote:
>  > I'm running CentOS-6 on an HP MicroServer
>  > with a Billion 5200S modem/router connecting to the internet.
>  > I'm running the standard CentOS-6 firewall on the server.
>  >
>  > (1) I can open port 22 on the Billion, allowing me to ssh in from
>  > outside. But for some reason I cannot ping the same address from
>  > outside. (I can ping it internally.)
>  > Why is this?
>  > I'm not sure if the problem lies with the router or the server?
>  > There does not seem to be any explicit rule on either
>  > to allow ICMP packets through.
>
>  This is because the modem refuses to answer pings. You might have an option
>  to allow it in the modem config.

Modems cannot answer pings.  They are a bridge.  The most likely reason why 
the OP cannot ping is because the firewall is not allowing it.  Adding rules 
to allow pings should clear up this issue.

>  > (2) I have a Linksys WRT54GL WiFi router attached to the server,
>  > to allow access to the internet from laptops.
>  > This works fine.
>  > But I was surprised to find that when I turn OFF
>  > the firewall on the server this stops access to the internet on laptops.
>  > (I didn't test to see if re-booting the laptop would solve this.)
>  > Can disabling the firewall actually prevent some linkage?
>
>  When you turn off firewall, it stops routing packets so they can not be
>  passed to systems behind it.

IPTABLES does not route packets.  IPTABLES manipulates packets so that they can 
be routed to the proper destination.

The reason the OP could not connect to the internet is because the firewall 
was NAT'ing his packets that were leaving his network to his internet-facing 
IP address.  Once the NAT'ing stopped, the packets were sent to the internet 
with the address of his laptop, which was most likely a private address.  
Since private addresses are not supposed to be routed on the internet, the 
receiving router dropped the return packet.

>  The only option I can think of is to use shorewall as the firewall and add
>  NAT/Masquerade and the rest of the rules to the routestopped config file:

The OP can continue to use IPTABLES; the rules just need to be set up properly.  
No need to install other software when what you have installed will do the 
job.

OP can start by reading this Tutorial. 

http://www.zoominternet.net/~lazydog/iptables-tutorial


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/
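To make the two points in the reply concrete (allow ICMP echo requests on INPUT so the box answers pings, and keep the NAT/MASQUERADE and FORWARD rules in place so LAN hosts keep reaching the internet), here is an added example script. It is not from the thread or from the linked tutorial; the interface names eth0 (WAN) and eth1 (LAN) and the LAN subnet 192.168.1.0/24 are assumptions, and by default it only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables rule set for a CentOS-6
# box acting as a NAT gateway for a LAN. Interface names and the LAN subnet
# below are assumptions; override them from the environment if they differ.
WAN_IF="${WAN_IF:-eth0}"              # interface facing the modem/router
LAN_IF="${LAN_IF:-eth1}"              # interface facing the WRT54GL / laptops
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed private LAN subnet

# Print the rules as iptables commands so they can be reviewed before applying.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (1) answer pings from outside: let ICMP echo requests in, rate-limited;
#     the replies leave via the OUTPUT ACCEPT policy
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# the ssh port that the Billion forwards to this box
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# (2) let the laptops out: forward LAN -> WAN, and allow the return traffic
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# rewrite the private source address to the WAN address; without this the
# replies are addressed to an unroutable 192.168.x.x and never come back
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Routing between interfaces is a kernel setting, not an iptables rule, which
# is why flushing iptables alone does not stop forwarding but does stop NAT.
forwarding_setting() {
    echo "net.ipv4.ip_forward = 1"
}

# DRY_RUN=1 (default): show what would be done. DRY_RUN=0: apply as root and
# persist the rules the CentOS-6 way so they survive a reboot.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
        echo "# plus in /etc/sysctl.conf: $(forwarding_setting)"
    else
        build_rules | sh -e
        sysctl -w net.ipv4.ip_forward=1
        service iptables save
    fi
}

# Usage: DRY_RUN=1 ./nat-gw.sh  (review)   DRY_RUN=0 ./nat-gw.sh  (apply as root)
apply_rules
```

Note that the default policies are DROP for INPUT and FORWARD, so every service the box should offer to the outside has to get an explicit INPUT rule like the ssh one; `service iptables save` writes the running rules to /etc/sysconfig/iptables so the iptables init script restores them at boot.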