[CentOS] CentOS 6.3 as Firewall/Router

Tim Evans tkevans at tkevans.com
Fri Jan 4 17:01:06 UTC 2013

I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new 
CentOS 6.3 system.  In the olden days, I successfully used the attached 
iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this 
doesn't seem to be quite working on the new system.

Specifically, while it seems to be routing ok, you cannot connect to 
anything on the inside net (e.g., with ssh or a browser) and cannot 
connect to the system with ssh or anything else from elsewhere on the 
inside net. Yet arp shows this system active.

Is there obsolete stuff here, and/or anything missing that would cause this?

Tim Evans			|   5 Chestnut Court
UNIX System Admin Consulting	|   Owings Mills, MD 21117
http://www.tkevans.com/		|   443-394-3864
http://www.come-here.com/News/	|   tkevans at tkevans.com
-------------- next part --------------
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
#/sbin/insmod e100
#/sbin/ifup eth1
ROUTER=`grep routers /var/lib/dhclient/dhclient-eth0.leases | head -1 | awk \
'{print $NF}' | sed 's/;//g'`
route add default gw "$ROUTER"
# Sun Apr  3 09:11:44 EDT 2005
INET_IP=`ifconfig eth0 | grep 'inet addr' | awk -F":" '{print $2}' | sed 's/  Bcast//'`
DHCP_SERVER=`grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases \
| head -1 | awk '{print $NF}' | sed 's/;//g'`

# 2. Module loading.
/sbin/depmod -a
# 2.1 Required modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
# 2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

# 3. /proc set up.
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# 3.2 Non-Required proc configuration
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# 4. rules set up.
# 4.1 Filter table
# 4.1.1 Set policies

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# 4.1.2 Create userspecified chains
# Create chain for bad tcp packets

/sbin/iptables -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse

/sbin/iptables -N allowed
/sbin/iptables -N tcp_packets
/sbin/iptables -N udpincoming_packets
/sbin/iptables -N icmp_packets

# 4.1.3 Create content in userspecified chains
# bad_tcp_packets chain

/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
/sbin/iptables -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A allowed -p TCP -j DROP

# UDP ports
/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ $DHCP == "yes" ] ; then
 /sbin/iptables -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT

# ICMP rules
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain
# Bad TCP packets we don't want.
/sbin/iptables -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet
/sbin/iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Special rule for DHCP requests from LAN, which are not caught properly 
# otherwise.
/sbin/iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# Rules for incoming packets from the internet.
/sbin/iptables -A INPUT -p ALL -i $INET_IFACE -m state --state \
/sbin/iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
/sbin/iptables -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
/sbin/iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Log weird packets that don't match the above.
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain
# Bad TCP packets we don't want
/sbin/iptables -A FORWARD -p tcp -j bad_tcp_packets

# Accept the packets we actually want to forward
/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o $INET_IFACE -s $OSPREY -p tcp --sport 22 \

# Log weird packets that don't match the above.
/sbin/iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain

# Bad TCP packets we don't want.
/sbin/iptables -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
/sbin/iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log weird packets that don't match the above.
/sbin/iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# 4.2 nat table
/sbin/iptables -t nat -A OUTPUT -p tcp -d $INET_IP --dport 22 -j DNAT \
--to-destination $OSPREY

# 4.2.4 PREROUTING chain
/sbin/iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 22 -j DNAT \
--to-destination $OSPREY
# 4.2.5 POSTROUTING chain
# Enable simple IP Forwarding and Network Address Translation
/sbin/iptables -t nat -A POSTROUTING -p tcp --dst $OSPREY --dport 22 -j \
SNAT --to-source $LAN_IP
/sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE 
# turn on packet forwarding last of all
echo "1" > /proc/sys/net/ipv4/ip_forward

More information about the CentOS mailing list