Hi All,

I have a home business circuit and I am gearing up to host my business affairs in my place. I have Comcast and 13 static IPs.

I have an extra PIII 1U, 2 9 GB SCSI, 1 GB RAM, dual NICs.

So I am wanting to build a firewall to front end my traffic. Assign one of my statics to it and have Comcast statically route my traffic to this IP. Then when traffic comes have it decide if it is allowed or not and if allowed pass it to the right server based upon the rules.

I used to work with PIX 525's so I have knowledge, I just don't quite know how to do this with CentOS and such.

Can anyone offer advice?

Best,
-Jason
ML wrote:
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.
>
> Can anyone offer advice?

Nothing against CentOS, but if this is going to be a dedicated firewall, have you thought of using an appliance type OS/application? I've heard a lot of good things about IPCop. Here at my place of employment we run Vyatta. They have a community edition.

Just a thought.

Regards,
Max
You don't need to have Comcast route all traffic to that IP. You just need to put two NICs in the server and place it between Comcast and your servers. Then using iptables you can configure CentOS to deny / allow traffic to IPs on specific ports.

I know this is a CentOS list, but if you want something with a web GUI have a look at pfSense. I use this in front of my CentOS servers.

Ryan

On Thu, Oct 1, 2009 at 4:56 PM, ML <mailinglists at mailnewsrss.com> wrote:
> Hi All,
>
> I have a home business circuit and I am gearing up to host my business
> affairs in my place. I have Comcast and 13 static IPs.
>
> I have an extra PIII 1U, 2 9 GB SCSI, 1 GB RAM, dual NICs.
>
> So I am wanting to build a firewall to front end my traffic. Assign
> one of my statics to it and have Comcast statically route my traffic
> to this IP. Then when traffic comes have it decide if it is allowed or
> not and if allowed pass it to the right server based upon the rules.
>
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.
>
> Can anyone offer advice?
>
> Best,
> -Jason
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Not that it's incredibly difficult to do by hand, but it is a complex undertaking fraught with some risk in doing it wrong. I believe you'd be much better served looking at some of the firewall applications out there, such as IPCop or Smoothwall.

Another one to look at is Shorewall (http://www.shorewall.net/), which is not configured via Web GUI, but is purely text configuration. I've used Shorewall for several years and like it a lot... Tom Eastep did a pretty good job.

-Alan

ML wrote:
> So I am wanting to build a firewall to front end my traffic. Assign
> one of my statics to it and have Comcast statically route my traffic
> to this IP. Then when traffic comes have it decide if it is allowed or
> not and if allowed pass it to the right server based upon the rules.
>
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.
>
> Can anyone offer advice?
ML wrote:
> Can anyone offer advice?

pfSense. Can even boot it off a CD and use a USB flash stick for configuration storage so you don't need a hard drive. Or boot it off a 128 MB CF card. Doesn't need a display after initial setup (actually, can even be configured with a serial terminal in a truly embedded configuration). Once it's up and running, it's configured via web browser.
Robert Spangler
2009-Oct-01 21:16 UTC
[CentOS] Build a Firewall (Can I learn to do this...)
On Thursday 01 October 2009 16:56, ML wrote:
> I have a home business circuit and I am gearing up to host my business
> affairs in my place. I have Comcast and 13 static IPs.
>
> I have an extra PIII 1U, 2 9 GB SCSI, 1 GB RAM, dual NICs.

If you can, I would place a 3rd NIC into this device and use it for a DMZ and place all servers into that space, keeping the internet facing server away from everything else. A lot easier to control things. I have a box here with 4 NICs working nicely.

--
Regards
Robert

Linux User #296285
http://counter.li.org
Stephen Nelson-Smith
2009-Oct-01 21:22 UTC
[CentOS] Build a Firewall (Can I learn to do this...)
On 1 Oct 2009, at 21:56, ML wrote:
> So I am wanting to build a firewall to front end my traffic. Assign
> one of my statics to it and have Comcast statically route my traffic
> to this IP.

You don't need to do this. You can run all the IPs on the firewall box, and route them to machines on a private subnet behind the firewall.

> Can anyone offer advice?

I've had good results doing what you describe - but it's fairly slow to get it up and running and the process is very detail oriented, and you end up having to do quite a bit of spadework to get a config that is as hardened and reliable as a commercial firewall product. There are some reasonable graphical tools that can help you. The one I've used is fwbuilder (http://www.fwbuilder.org/). I've also looked at Vyatta, and heard good things about pfsense.

S.
ML wrote:
>
> I used to work with PIX 525's so I have knowledge, I just don't quite
> know how to do this with CentOS and such.

Firewall Builder. http://www.fwbuilder.org/

But if you've configured the PIX in command-line mode, iptables is not that hard. You could set up a local firewall right on your webserver and it's going to be rock-solid. It's not an "enterprise" type of setup, but for a small installation I see no problem whatsoever with it.

Trust iptables, it's a very good firewall. I use it all the time, even for purposes that firewalls are normally not intended to serve. :-)

http://www.netfilter.org/documentation/index.html#documentation-howto

There's a lot of info there, but you don't need everything. This is the 10% info that you will use 90% of the time:

- the main tables (filter, nat), what can they do
- the built-in chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING)
- the main targets (ACCEPT, DROP, REJECT)
- user-defined chains and how to insert them into the built-ins.

Also, hardcopy this diagram and put it on the wall, it will make things very clear for you:

http://developer.gauner.org/doc/iptables/images/nfk-traversal.png

For a former PIXer, the learning curve should be peachy. By the way, netfilter/iptables is a lot more expressive and flexible than PIX. You'll be amazed by what you can do with it.

"man iptables" also helps.

Go ahead, do "service iptables stop" to clean everything up, then apply some rules of your own. Do "service iptables save" to save them. "service iptables restart" to restart from the saved version (if you mess up the running one). All rules are saved in /etc/sysconfig/iptables (you may want to backup the original version before you start messing with the firewall).
Other commands:

See current running state:
    iptables [-t nat] -L -n [-v]    # I do recommend using -v often
or
    service iptables status

See current saved state:
    less /etc/sysconfig/iptables

Flush and delete everything, fall back to a "permit all" firewall:
    iptables [-t nat] -F; iptables [-t nat] -X
or
    service iptables stop

See if the iptables service is enabled:
    chkconfig --list iptables

Tip: if the FORWARD chain doesn't seem to work, check net.ipv4.ip_forward in /etc/sysctl.conf, it's probably set to 0.

That's it, you're good to go.

--
Florin Andrei
http://florin.myip.org/
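Putting the thread's suggestions together (Ryan's two-NIC box between Comcast and the servers, Stephen's "run the public IPs on the firewall and route them to a private subnet", Robert's third NIC for a DMZ, and Florin's list of tables, built-in chains, targets and user-defined chains), the script below is an added example and not code from anyone on this thread. It generates a stateful three-NIC ruleset in the iptables-save format that CentOS keeps in /etc/sysconfig/iptables. Every interface name, address and port in it is an assumption chosen for illustration: eth0 is the Comcast side, eth1 the DMZ, eth2 the LAN; 203.0.113.2 is the firewall's own public address, 203.0.113.10 a second public address that is terminated on the firewall and DNATed to a web server at 10.0.1.10 in the DMZ, and 192.168.1.0/24 the LAN. Edit the variables at the top to match your statics and interfaces.

```shell
#!/bin/sh
# Added example (not from the original thread): emit a WAN/DMZ/LAN iptables
# ruleset in iptables-save format. All names and addresses below are assumed
# values for illustration; 203.0.113.0/24 is the documentation range.
WAN_IF=eth0            # Comcast-facing NIC
DMZ_IF=eth1            # servers that the Internet may reach
LAN_IF=eth2            # workstations; nothing inbound from the Internet
FW_PUBLIC_IP=203.0.113.2     # firewall's own static IP
WEB_PUBLIC_IP=203.0.113.10   # static IP for the web server, configured as an alias on $WAN_IF
WEB_DMZ_IP=10.0.1.10         # web server's real address in the DMZ
LAN_NET=192.168.1.0/24
WEB_PORTS=80,443

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Public IP for the web server lives on the firewall; rewrite it to the DMZ host
-A PREROUTING -i $WAN_IF -d $WEB_PUBLIC_IP -p tcp -m multiport --dports $WEB_PORTS -j DNAT --to-destination $WEB_DMZ_IP
# Connections the DMZ host opens itself leave with its own public IP
-A POSTROUTING -o $WAN_IF -s $WEB_DMZ_IP -j SNAT --to-source $WEB_PUBLIC_IP
# LAN hosts share the firewall's address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $FW_PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WAN_TO_DMZ - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Manage the firewall itself from the LAN only
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# New Internet -> DMZ connections go through the user-defined chain below
-A FORWARD -i $WAN_IF -o $DMZ_IF -m state --state NEW -j WAN_TO_DMZ
# LAN may reach the Internet and the DMZ; DMZ -> LAN is never allowed (policy DROP)
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW -j ACCEPT
# DMZ host may only go out for DNS and for fetching updates
-A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT
# FORWARD sees the packet AFTER the PREROUTING DNAT, so match the DMZ address, not the public one
-A WAN_TO_DMZ -d $WEB_DMZ_IP -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT
-A WAN_TO_DMZ -m limit --limit 5/min -j LOG --log-prefix "FW DMZ drop: "
-A WAN_TO_DMZ -j DROP
COMMIT
EOF
}

# Print the ruleset. To install on CentOS (as root):
#   gen_rules > /etc/sysconfig/iptables && service iptables restart && chkconfig iptables on
#   sysctl -w net.ipv4.ip_forward=1   (and set it in /etc/sysctl.conf so it survives a reboot)
# Then check what is actually loaded with: iptables -L -n -v ; iptables -t nat -L -n -v
gen_rules
```

Two points in the ruleset are the ones that usually bite people coming from a PIX. First, DNAT happens in the nat table's PREROUTING chain before the filter table's FORWARD chain sees the packet, so the accept rule in WAN_TO_DMZ must match the private 10.0.1.10, not the public 203.0.113.10; a rule written against the public address silently matches nothing and the policy DROP wins. Second, the DMZ host can only reach the LAN if a FORWARD rule says so, and none does, so a compromised web server cannot pivot inwards; the LOG rule in front of the final DROP gives you a rate-limited record of what was refused. The public address 203.0.113.10 has to be configured on the WAN interface (an ifcfg-eth0:0 alias, say) so the firewall answers ARP for it, which is what Stephen means by running all the IPs on the firewall box.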