I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system. Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active. Is there obsolete stuff here, and/or anything missing that would cause this? Thanks. -- Tim Evans | 5 Chestnut Court UNIX System Admin Consulting | Owings Mills, MD 21117 http://www.tkevans.com/ | 443-394-3864 http://www.come-here.com/News/ | tkevans at tkevans.com -------------- next part -------------- #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. touch /var/lock/subsys/local #/sbin/insmod e100 #/sbin/ifup eth1 ROUTER=`grep routers /var/lib/dhclient/dhclient-eth0.leases | head -1 | awk \ '{print $NF}' | sed 's/;//g'` route add default gw "$ROUTER" # # Sun Apr 3 09:11:44 EDT 2005 ############################## # IPTABLES="/sbin/iptables" INET_IFACE="eth0" OSPREY="192.168.252.3" INET_IP=`ifconfig eth0 | grep 'inet addr' | awk -F":" '{print $2}' | sed 's/ Bcast//'` LAN_IP="192.168.252.5" DHCP="yes" DHCP_SERVER=`grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases \ | head -1 | awk '{print $NF}' | sed 's/;//g'` LAN_IP_RANGE="192.168.252.0/24" LAN_BROADCAST_ADDRESS="192.168.252.255" LAN_IFACE="eth0" LO_IFACE="lo" LO_IP="127.0.0.1" # 2. Module loading. /sbin/depmod -a # 2.1 Required modules /sbin/modprobe ip_conntrack /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_MASQUERADE # 2.2 Non-Required modules #/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT /sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc /sbin/modprobe ip_nat_ftp #/sbin/modprobe ip_nat_irc # 3. /proc set up. #Disabling IP Spoofing attacks. echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter #Don't respond to broadcast pings (Smurf-Amplifier-Protection) echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block source routing echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route #Kill timestamps echo 0 > /proc/sys/net/ipv4/tcp_timestamps #Enable SYN Cookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies #Kill redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #Log martians (packets with impossible addresses) echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # 3.2 Non-Required proc configuration #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # 4. rules set up. # 4.1 Filter table # 4.1.1 Set policies /sbin/iptables -P INPUT DROP /sbin/iptables -P OUTPUT DROP /sbin/iptables -P FORWARD DROP # 4.1.2 Create userspecified chains # Create chain for bad tcp packets /sbin/iptables -N bad_tcp_packets # Create separate chains for ICMP, TCP and UDP to traverse /sbin/iptables -N allowed /sbin/iptables -N tcp_packets /sbin/iptables -N udpincoming_packets /sbin/iptables -N icmp_packets # 4.1.3 Create content in userspecified chains # bad_tcp_packets chain /sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" /sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # allowed chain /sbin/iptables -A allowed -p TCP --syn -j ACCEPT /sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A allowed -p TCP -j DROP # UDP ports /sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT if [ $DHCP == "yes" ] ; then /sbin/iptables -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # ICMP rules /sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT /sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # 4.1.4 INPUT chain # Bad TCP packets we don't want. /sbin/iptables -A INPUT -p tcp -j bad_tcp_packets # Rules for special networks not part of the Internet /sbin/iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT /sbin/iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT /sbin/iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT # Special rule for DHCP requests from LAN, which are not caught properly # otherwise. /sbin/iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT # Rules for incoming packets from the internet. /sbin/iptables -A INPUT -p ALL -i $INET_IFACE -m state --state \ ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets /sbin/iptables -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets /sbin/iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # Log weird packets that don't match the above. /sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT INPUT packet died: " # 4.1.5 FORWARD chain # Bad TCP packets we don't want /sbin/iptables -A FORWARD -p tcp -j bad_tcp_packets # Accept the packets we actually want to forward /sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -o $INET_IFACE -s $OSPREY -p tcp --sport 22 \ -j ACCEPT # Log weird packets that don't match the above. /sbin/iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT FORWARD packet died: " # 4.1.6 OUTPUT chain # Bad TCP packets we don't want. /sbin/iptables -A OUTPUT -p tcp -j bad_tcp_packets # Special OUTPUT rules to decide which IP's to allow. /sbin/iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT /sbin/iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT /sbin/iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # Log weird packets that don't match the above. /sbin/iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " # 4.2 nat table /sbin/iptables -t nat -A OUTPUT -p tcp -d $INET_IP --dport 22 -j DNAT \ --to-destination $OSPREY # 4.2.4 PREROUTING chain /sbin/iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 22 -j DNAT \ --to-destination $OSPREY # # 4.2.5 POSTROUTING chain # Enable simple IP Forwarding and Network Address Translation # /sbin/iptables -t nat -A POSTROUTING -p tcp --dst $OSPREY --dport 22 -j \ SNAT --to-source $LAN_IP /sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE # # turn on packet forwarding last of all echo "1" > /proc/sys/net/ipv4/ip_forward