[CentOS] CentOS 6.3 as Firewall/Router

Fri Jan 4 21:28:04 UTC 2013
Tim Evans <tkevans at tkevans.com>

On 01/04/2013 04:11 PM, Dale Dellutri wrote:
> On Fri, Jan 4, 2013 at 3:04 PM, Tim Evans <tkevans at tkevans.com> wrote:
>> On 01/04/2013 03:03 PM, Dale Dellutri wrote:
>>> On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkevans at tkevans.com> wrote:
>>>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>>>> CentOS 6.3 system.  In the olden days, I successfully used the attached
>>>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't
>>>> seem to be quite working on the new system.
>>>>
>>>> Specifically, while it seems to be routing ok, you cannot connect to
>>>> anything on the inside net (e.g., with ssh or a browser) and cannot connect
>>>> to the system with ssh or anything else from elsewhere on the inside net.
>>>> Yet arp shows this system active.
>>>>
>>>> Is there obsolete stuff here, and/or anything missing that would cause this?
>>>
>>> You found the error, but I have a question about running this in rc.local.
>>>
>>> Aren't you opening a very short time security hole by running this from
>>> rc.local?  Service network starts up early in the startup sequence
>>> (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
>>>
>>> Wouldn't it be better to run the iptables rules once, then do:
>>>     service iptables save
>>> This way, iptables rules would be in place (S08iptables) before
>>> network startup.
>>>
>>
>> Thanks, Dale.  I'm trying to remember why I did it this way (nearly 10
>> years ago, when I did this first.)  Seems it had to do with not turning
>> on routing until the very end (instead of enabling it in
>> /etc/sysctl.conf), relying on the out-of-the-box iptables rules in the
>> interim (iptables still starts normally). This script overlays its
>> rules, then turns on NAT and routing.
>
> Do the out-of-the-box iptables rules allow all entry to the system?
>
> What's in /etc/sysconfig/iptables ?
>
> I understand that the script does more than simply set iptables rules.
> However, you could set the rules you want, then just turn on
> NAT and routing in rc.local.
>
> I'm not trying to criticize, just curious.
>
Thanks, again, Dale.  I'm curious, too, now, and will try to find any 
documentation I did back in '05 when I did this.

-- 
Tim Evans			|   5 Chestnut Court
UNIX System Admin Consulting	|   Owings Mills, MD 21117
http://www.tkevans.com/		|   443-394-3864
http://www.come-here.com/News/	|   tkevans at tkevans.com
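The ordering Dale describes, as an added example that is not the script attached to this thread: persisted rules in iptables-restore format (what `service iptables save` writes) are loaded at S08iptables before S10network, and rc.local is left with nothing to do but enable forwarding. Interface names (eth0 outside, eth1 inside) and the inside subnet are constructed assumptions, as is the check that the rcN.d links sort in the expected order.

```shell
#!/bin/sh
# Added example, not the original poster's rc.local script. Assumes a CentOS 6
# SysV layout with eth0 = outside, eth1 = inside, inside net 192.168.1.0/24
# (constructed values).

# Return 0 if an iptables start link sorts before the network start link in
# the given rcN.d directory, i.e. the firewall is up before interfaces are.
firewall_loads_before_network() {
    dir="$1"
    order=$(cd "$dir" && ls S* 2>/dev/null | sort)
    fw=$(printf '%s\n' "$order" | grep -n 'iptables$' | head -1 | cut -d: -f1)
    net=$(printf '%s\n' "$order" | grep -n 'network$' | head -1 | cut -d: -f1)
    [ -n "$fw" ] && [ -n "$net" ] && [ "$fw" -lt "$net" ]
}

# Write an iptables-restore formatted ruleset to the given path: default DROP
# on INPUT and FORWARD, SSH accepted only from the inside interface, and
# outbound traffic from the inside net masqueraded behind eth0.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.0/24 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# The only line left for /etc/rc.local: turn routing on after rules are loaded.
rc_local_tail() {
    printf '%s\n' 'sysctl -w net.ipv4.ip_forward=1'
}
```

Because ip_forward stays 0 until rc.local runs, packets are not routed between interfaces during the window in which the filter rules are already active, which closes the gap the thread is discussing.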