[CentOS] CentOS 6.3 as Firewall/Router
Tim Evans
tkevans at tkevans.com
Fri Jan 4 21:04:52 UTC 2013
On 01/04/2013 03:03 PM, Dale Dellutri wrote:
> On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkevans at tkevans.com> wrote:
>> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
>> CentOS 6.3 system. In the olden days, I successfully used the attached
>> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't
>> seem to be quite working on the new system.
>>
>> Specifically, while it seems to be routing ok, you cannot connect to
>> anything on the inside net (e.g., with ssh or a browser) and cannot connect
>> to the system with ssh or anything else from elsewhere on the inside net.
>> Yet arp shows this system active.
>>
>> Is there obsolete stuff here, and/or anything missing that would cause this?
>
> You found the error, but I have a question about running this in rc.local.
>
> Aren't you opening a very short time security hole by running this from
> rc.local? Service network starts up early in the startup sequence
> (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.
>
> Wouldn't it be better to run the iptables rules once, then do:
> service iptables save
> This way, iptables rules would be in place (S08iptables) before
> network startup.
>
Thanks, Dale. I'm trying to remember why I did it this way (nearly 10
years ago, when I did this first.) Seems it had to do with not turning
on routing until the very end (instead of enabling it in
/etc/sysctl.conf), relying on the out-of-the-box iptables rules in the
interim (iptables still starts normally). This script overlays its
rules, then turns on NAT and routing.
--
Tim Evans | 5 Chestnut Court
UNIX System Admin Consulting | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ | tkevans at tkevans.com
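An added example (not the script attached to the original post, and not part of the thread): an rc.local-style loader in the shape Tim describes, written so that forwarding is off while the tables are rebuilt and is only switched on after the NAT and filter rules are in place. Interface names (eth0 outside, eth1 inside) and the inside subnet are assumptions; the IPT and SYSCTL variables exist only so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not the poster's own script. Two-interface CentOS 6 router:
# default-deny INPUT and FORWARD, NAT for the inside net, routing enabled last.
# Assumed site values; override from the environment.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Indirected so the rule set can be inspected with IPT=echo SYSCTL=echo.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

load_firewall() {
    # 1. Nothing may be forwarded while the tables are being rebuilt.
    $SYSCTL -w net.ipv4.ip_forward=0

    # 2. Clean slate, default-deny on the chains that face the network.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 3. Loopback, and replies to connections the router itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Management from the inside net only. With INPUT policy DROP, a rule
    #    like this is what lets ssh from the LAN reach the box at all.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT

    # 5. Inside -> outside is allowed; outside -> inside only for replies.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 6. NAT for the inside net on the outside interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 7. Only now turn routing on.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Run the loader when executed directly (e.g. from /etc/rc.local).
if [ "${0##*/}" != "sh" ] && [ -z "$FIREWALL_NO_RUN" ]; then
    load_firewall
fi
```

If you take Dale's route instead, run the loader once and then `service iptables save` and `chkconfig iptables on` so the tables come back from /etc/sysconfig/iptables at S08, before the network is up. Note that iptables-save records only the tables, not the sysctl, so in that layout net.ipv4.ip_forward=1 has to go in /etc/sysctl.conf; the "routing on last" ordering is then unnecessary because the rules are already loaded by the time any interface carries traffic.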