[CentOS] [CentOS6] Manually configured Firewall (WLAN-AP plus Router)

Sat Aug 13 18:27:50 UTC 2016
Walter H. <Walter.H at mathemainzel.info>


I've got this Mini-PC

everything is fine ->  latest 6.8 kernel works;
both Ethernet-Interfaces work and also the WLAN-Interface works;

the two Ethernet-Interfaces are eth0 and eth1
the WLAN-Interface is wlan0

eth1 is connected on ISP side
eth0 is connected on my LAN side to a switch;
and wlan0 shall also be on my LAN side für wireless and work as an Access-Point
(this works)

I want both LAN interfaces (eth0 and wlan0) have the same IP subnet
so I did this:

also the DHCP works fine: both DHCP and DHCPv6; RADVd also works fine;

in /etc/sysconfig/network-scripts/
I added ifcfg-sit1 with the configuration for my IPv6 tunnel at Hurricane Electric
there is the following entry:  IPV6TUNNELIPV4LOCAL=ipv4addr
here the 1st question:
does this have to be the IPv4 address of br0 (LAN) or the one of eth1 (WAN)?
(before I had this on a virtual machine, there was only one interface, but here ...?)

and now the bigger problem:

here just the IP addresses for better troubleshooting;

the ISP installed a box (NAT router), that is a medium converter (coaxial cable to ethernet twisted-pair cable), too;
this box has on WAN side, my public IP
an LAN side it has

this box which should be installed instead of my old NAT-router has the following IP addresses
on device br0 (LAN) and on device eth1 (WAN)
the old router has on LAN side and on WAN side
now both the new box and the old router are connected "parallel" which means, each is connected with its WAN interfaces to the built-in switch of ISP-box and with its LAN interfaces to my switch;

on the old NAT-router I have defined the LAN-IP of the new box as DHCP relay; this works fine;
(the new box is the only DHCP server in LAN)

<begin /etc/sysconfig/iptables>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.

# ICMP: extra chain
-A ALLOWED-ICMP -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT

# Allow anything out on the localnet
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP
-A INPUT -p udp -i br0 --dport 67:68 --sport 67:68 -j ACCEPT

# Enable IPv6
-A INPUT -p ipv6 -i eth1 -s -j ACCEPT

# Allow SSH from LAN and redirected from internet
# from WLAN there should be no SSH possible, so I used eth0
-A INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -d -m tcp -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 115 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -d -m tcp -p tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow anything out on the internet
-A OUTPUT -o eth1 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow multicast

# Allow Forwarding on LAN interfaces
-A FORWARD -i br0 -o br0 -d -j ACCEPT
# Allow Forwarding to WAN interface
-A FORWARD -i eth0 -o eth1 -s -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -s -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j LOG  --log-prefix "IP[FWD-Reply]: " --log-level 7
-A FORWARD -i eth1 -o wlan0 -j LOG  --log-prefix "IP[FWD-Reply]: " --log-level 7

# Only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -j ALLOWED-ICMP

# Enable TRACEroute to me
-I INPUT -i eth1 -p udp -d --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Enable SSH to me
-I INPUT -i eth1 -p tcp -d --dport 22 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

<end /etc/sysconfig/iptables>

I have several virtual machines which have configured the old NAT-router als gateway; they all work fine; one virtual machine (OS = Win7) has the new box configured as gateway with IP address

I have a old notebook (OS = WinXP) that is "connected" via WLAN to the new box and this has as IP address; both can ping each other the VM and this notebook;

here the questions:
should I use eth0 and wlan0 or br0 in the iptables and ip6tables roules?
why is it possible to ping the VM or the notebook from the new box, but not the other way?

Thanks for any help;