CentOS - Dec 2010 - centos as a firewall help

Hello all,

first of all i'd like to wish you all happy holidays, and a merry belated
christmas.

Secondly, i'm trying to setup? a centos 5.4 to act as:

1. firewall # can you check my config below and tell me if i missed anything?
2. DHCP # already configured
3. transparent squid proxy #? already configured
4. http (virtual hosts) # in the near future
5. squirrelmail # in the near future

- Relevant info:

Two NICs:

eth0 LAN: with dhcp service: 192.168.57.1(255.255.255.0) # my lan users are
connected to this interface
eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # My isp is
connected to this interface

I want my firewall to do the following:

1. get my box to be completely secure from outside access, in other words deny
all access from the outside world to my box &/or my LAN
2. allow my LAN users to access the internet/ box without any restrictions,
through a transparent squid installation

i've searched a bit online, i must admit i never used iptables before (i
thought of using firestarter as it's graphical and am no iptables guru, not
even a novice user though i've installed my box with no X? hence no
graphical applications)

i finally used bits an pieces and came up with the following:

Chain INPUT (policy DROP)
target???? prot opt source?????????????? destination???????? 
ACCEPT???? all? --? anywhere???????????? anywhere??????????? state
RELATED,ESTABLISHED
In_RULE_0? all? --? anywhere???????????? 172.16.2.14???????? 
In_RULE_2? udp? --? 192.168.57.1???????? anywhere??????????? udp multiport
dports bootpc,bootps state NEW

Chain FORWARD (policy DROP)
target???? prot opt source?????????????? destination???????? 
ACCEPT???? all? --? anywhere???????????? anywhere??????????? state
RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target???? prot opt source?????????????? destination???????? 
ACCEPT???? all? --? anywhere???????????? anywhere??????????? state
RELATED,ESTABLISHED
Cid1888X3970.0? udp? --? 192.168.57.1???????? anywhere??????????? udp multiport
dports bootpc,bootps state NEW
Out_RULE_3? all? --? 192.168.57.1???????? anywhere??????????? state
RELATED,ESTABLISHED
Cid1594X3970.0? all? --? 192.168.57.1???????? anywhere??????????? state NEW 

Chain Cid1594X3970.0 (1 references)
target???? prot opt source?????????????? destination???????? 
Out_RULE_4? all? --? anywhere???????????? 172.16.2.14???????? 
Out_RULE_4? all? --? anywhere???????????? 192.168.57.1??????? 

Chain Cid1888X3970.0 (1 references)
target???? prot opt source?????????????? destination???????? 
Out_RULE_2? all? --? anywhere???????????? 172.16.2.14???????? 
Out_RULE_2? all? --? anywhere???????????? 192.168.57.1??????? 

Chain In_RULE_0 (1 references)
target???? prot opt source?????????????? destination???????? 
LOG??????? all? --? anywhere???????????? anywhere??????????? LOG level info
prefix `RULE 0 -- DENY '
DROP?????? all? --? anywhere???????????? anywhere??????????? 

Chain In_RULE_2 (1 references)
target???? prot opt source?????????????? destination???????? 
LOG??????? all? --? anywhere???????????? anywhere??????????? LOG level info
prefix `RULE 2 -- ACCEPT '
ACCEPT???? all? --? anywhere???????????? anywhere??????????? 

Chain Out_RULE_2 (2 references)
target???? prot opt source?????????????? destination???????? 
LOG??????? all? --? anywhere???????????? anywhere??????????? LOG level info
prefix `RULE 2 -- ACCEPT '
ACCEPT???? all? --? anywhere???????????? anywhere??????????? 

Chain Out_RULE_3 (1 references)
target???? prot opt source?????????????? destination???????? 
LOG??????? all? --? anywhere???????????? anywhere??????????? LOG level info
prefix `RULE 3 -- ACCEPT '
ACCEPT???? all? --? anywhere???????????? anywhere??????????? 

Chain Out_RULE_4 (2 references)
target???? prot opt source?????????????? destination???????? 
LOG??????? all? --? anywhere???????????? anywhere??????????? LOG level info
prefix `RULE 4 -- ACCEPT '
ACCEPT???? all? --? anywhere???????????? anywhere???????????

On Fri, 31 Dec 2010, Roland RoLaNd wrote:
> I want my firewall to do the following:
I would recommend using shorewall:

 	http://www.shorewall.net/

As it says, iptables made easy.

-Steve

On Fri, Dec 31, 2010 at 10:19 AM, Roland RoLaNd <r_o_l_a_n_d at
hotmail.com> wrote:
> Secondly, i'm trying to setup? a centos 5.4 to act as:
>
> 1. firewall # can you check my config below and tell me if i missed
anything?
> 2. DHCP # already configured
> 3. transparent squid proxy #? already configured
> 4. http (virtual hosts) # in the near future
> 5. squirrelmail # in the near future
>
> - Relevant info:
>
> Two NICs:
>
> eth0 LAN: with dhcp service: 192.168.57.1(255.255.255.0) # my lan users are
connected to this interface
> eth1 WAN: static: 172.16.2.14 gw/172.16.2.13 (255.255.255.248) # My isp is
connected to this interface
>
> I want my firewall to do the following:
>
> 1. get my box to be completely secure from outside access, in other words
deny all access from the outside world to my box &/or my LAN
> 2. allow my LAN users to access the internet/ box without any restrictions,
through a transparent squid installation
So you are only allowing http and https transparently through squid?
The reason I ask is you only showed the firewall rules not the nat
table. Otherwise you need to setup nat masquerading to allow other
connections out.

Have you though of virtualizing your firewall with a purpose built
distribution like Vyatta or pfSense? I have taken this approach with
my setup. I find it makes updates easy and provides better uptime. I'm
running everything on ESXi and have a handful of virtual machines.

- Vyatta Firewall
- CentOS 5.5 Web Server and MySQL
- CentOS 5.5 Zimbra Email
- CentOS 5.5 DHCP and DNS