I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new CentOS 6.3 system. In the olden days, I successfully used the attached iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't seem to be quite working on the new system.

Specifically, while it seems to be routing ok, you cannot connect to anything on the inside net (e.g., with ssh or a browser) and cannot connect to the system with ssh or anything else from elsewhere on the inside net. Yet arp shows this system active.

Is there obsolete stuff here, and/or anything missing that would cause this?

Thanks.
-- 
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkevans at tkevans.com
-------------- next part --------------
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

#/sbin/insmod e100
#/sbin/ifup eth1

# Default route: the router handed out by DHCP on eth0.
ROUTER=`grep routers /var/lib/dhclient/dhclient-eth0.leases | head -1 | awk \
  '{print $NF}' | sed 's/;//g'`
[ -n "$ROUTER" ] && route add default gw "$ROUTER"

#
# Sun Apr  3 09:11:44 EDT 2005
##############################
#
IPTABLES="/sbin/iptables"

INET_IFACE="eth0"
OSPREY="192.168.252.3"          # inside host that receives port-forwarded ssh
# Address on the outside interface. CentOS 6 ifconfig prints
# "inet addr:A.B.C.D  Bcast:..." so strip everything up to "addr:".
INET_IP=`ifconfig $INET_IFACE | awk '/inet addr/ { sub(/.*addr:/, ""); print $1 }'`

LAN_IP="192.168.252.5"
DHCP="yes"
DHCP_SERVER=`grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases \
  | head -1 | awk '{print $NF}' | sed 's/;//g'`

LAN_IP_RANGE="192.168.252.0/24"
LAN_BROADCAST_ADDRESS="192.168.252.255"
# NOTE: this is the same interface as INET_IFACE above. On a two-NIC
# router the inside network normally has its own NIC (the commented-out
# "ifup eth1" at the top suggests one); every rule below that separates
# LAN traffic from Internet traffic does so by interface name.
LAN_IFACE="eth0"

LO_IFACE="lo"
LO_IP="127.0.0.1"

# 2. Module loading.
/sbin/depmod -a

# 2.1 Required modules
# These are the 2.4-era names. On CentOS 6 they are kept as aliases for
# the nf_conntrack family (nf_conntrack_ipv4, nf_conntrack_ftp,
# nf_nat_ftp) and xt_limit, and iptables autoloads match/target modules
# on first use anyway.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

# 2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

# 3. /proc set up.

# Reverse-path filtering against spoofed sources. 2 = loose mode (the
# source must be routable via some interface); 1 = strict (via the
# receiving interface only).
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# 3.2 Non-Required proc configuration
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# 4. rules set up.

# 4.0 Start from empty tables. Added when tidying the script: the
# original only appended, so re-running it, or running it after the
# iptables service had loaded /etc/sysconfig/iptables, left earlier
# rules in front of these.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# 4.1 Filter table

# 4.1.1 Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# 4.1.2 Create userspecified chains

# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N icmp_packets

# 4.1.3 Create content in userspecified chains

# bad_tcp_packets chain: a NEW connection must start with a SYN
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# UDP ports
# Accepts any UDP datagram whose *source* port is 53, i.e. trusts a port
# the sender chooses; DNS replies are already covered by the
# ESTABLISHED,RELATED rule in INPUT below.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
  $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
    --dport 68 -j ACCEPT
fi

# ICMP rules: echo-request (8) and time-exceeded (11)
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain

# Bad TCP packets we don't want.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# Rules for incoming packets from the internet.
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
# tcp_packets holds no rules, so unsolicited TCP from the Internet
# returns here, is logged below and is dropped by the INPUT policy.
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain

# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# Accept the packets we actually want to forward.
# Everything arriving on LAN_IFACE is forwarded; with LAN_IFACE set to
# the outside interface, as above, that includes unsolicited Internet
# traffic.
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INET_IFACE -s $OSPREY -p tcp --sport 22 \
  -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain

# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# 4.2 nat table

# Port-forward ssh on the outside address to OSPREY: for connections
# this host makes itself (nat OUTPUT) ...
$IPTABLES -t nat -A OUTPUT -p tcp -d $INET_IP --dport 22 -j DNAT \
  --to-destination $OSPREY

# 4.2.4 PREROUTING chain
# ... and for connections arriving from anywhere else.
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 22 -j DNAT \
  --to-destination $OSPREY
#
# 4.2.5 POSTROUTING chain
# Enable simple IP Forwarding and Network Address Translation
#
# Hairpin case: inside clients that connect to the outside address get
# their source rewritten to LAN_IP so OSPREY's replies come back through
# this router rather than straight to the client.
$IPTABLES -t nat -A POSTROUTING -p tcp --dst $OSPREY --dport 22 -j \
  SNAT --to-source $LAN_IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# turn on packet forwarding last of all
echo "1" > /proc/sys/net/ipv4/ip_forward
Why not try reconfiguring using /usr/bin/system-config-firewall-tui instead of a manually created configuration.

Mike

On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
> new CentOS 6.3 system. In the olden days, I successfully used the
> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
> but this doesn't seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?
>
> Thanks.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand
> new CentOS 6.3 system. In the olden days, I successfully used the
> attached iptables script (as /etc/rc.local) on Red Hat 5.x systems,
> but this doesn't seem to be quite working on the new system.

I once ran a Centos firewall/router. I used Shorewall for the heavy lifting on maintaining the tables properly. I recommend you find such a tool as they tend to get things like below sorted out for you.

> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?
>
> Thanks.
On 01/04/2013 12:01 PM, Tim Evans wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this
> doesn't seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot
> connect to the system with ssh or anything else from elsewhere on the
> inside net. Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause
> this?

Nevermind... Temporary IP address in the script was wrong; corrected and now working. Will be glad to see comments, though.
-- 
Tim Evans                       | 5 Chestnut Court
UNIX System Admin Consulting    | Owings Mills, MD 21117
http://www.tkevans.com/         | 443-394-3864
http://www.come-here.com/News/  | tkevans at tkevans.com
On Fri, Jan 4, 2013 at 11:01 AM, Tim Evans <tkevans at tkevans.com> wrote:
> I'm replacing an ancient Solaris 'ipf' firewall/router with a brand new
> CentOS 6.3 system. In the olden days, I successfully used the attached
> iptables script (as /etc/rc.local) on Red Hat 5.x systems, but this doesn't
> seem to be quite working on the new system.
>
> Specifically, while it seems to be routing ok, you cannot connect to
> anything on the inside net (e.g., with ssh or a browser) and cannot connect
> to the system with ssh or anything else from elsewhere on the inside net.
> Yet arp shows this system active.
>
> Is there obsolete stuff here, and/or anything missing that would cause this?

You found the error, but I have a question about running this in rc.local.

Aren't you opening a very short time security hole by running this from rc.local? Service network starts up early in the startup sequence (/etc/rc.d/rc3.d/S10network), and rc.local is at the very end.

Wouldn't it be better to run the iptables rules once, then do:

    service iptables save

This way, iptables rules would be in place (S08iptables) before network startup.

-- 
Dale Dellutri
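Dale's ordering point has a second consequence worth checking before trusting an rc.local ruleset: the script in the original post only appends (`-A`), so if the iptables service has already loaded /etc/sysconfig/iptables at boot, every appended rule lands behind whatever that file installed. The stock CentOS 6 ruleset closes INPUT and FORWARD with an unconditional `-j REJECT --reject-with icmp-host-prohibited`, and rules appended behind such a terminal rule can never match, whatever they say. The script below is an added example, not code from this thread or from CentOS: it reads `iptables-save` output and prints every rule that sits behind an unconditional ACCEPT, DROP or REJECT in the same chain. The dump it analyses by default is constructed for the example, modelled on the stock CentOS 6 rules followed by three LAN rules appended the way an rc.local script would append them; the interface name eth1 in those rules is an assumption.

```shell
#!/bin/sh
# Report rules that can never match because an earlier rule in the same
# chain is an unconditional ACCEPT, DROP or REJECT (no -s/-d/-i/-o/-p/-m
# matches, only a possible --reject-with). Reads iptables-save format on
# stdin and prints "table:rule" for each shadowed rule.
shadowed_rules() {
    awk '
    /^\*/ { table = substr($0, 2); split("", dead); next }   # new table
    /^-A / {
        chain = $2
        if (chain in dead) { print table ":" $0; next }
        target = ""; rest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); i++; continue }
            if ($i == "--reject-with") { i++; continue }
            rest = rest $i                  # any other token is a match
        }
        if (rest == "" && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
            dead[chain] = 1
    }'
}

# Constructed sample (not a real capture): modelled on the stock CentOS 6
# /etc/sysconfig/iptables, which ends INPUT and FORWARD with an
# unconditional REJECT, followed by three rules appended afterwards as an
# rc.local script using "-A" would do. eth1 as the LAN NIC is an assumption.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth1 -s 192.168.252.0/24 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
EOF
}

# No argument: analyse the constructed sample. With a file argument:
# analyse a saved dump, e.g.  iptables-save > /tmp/now.rules
#                             sh shadowed.sh /tmp/now.rules
if [ $# -eq 0 ]; then
    sample_dump | shadowed_rules
else
    shadowed_rules < "$1"
fi
```

On the sample it reports the two appended INPUT and FORWARD rules as shadowed and stays silent about the OUTPUT rule, whose chain has no terminal rule ahead of it. Running it against the live box (`iptables-save | sh shadowed.sh /dev/stdin`) after rc.local has run tells you immediately whether the script's rules are actually in the evaluation path or are sitting behind the service's REJECT; an empty result is what you want to see.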