Max Pyziur
2015-Jun-28 22:49 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Sun, 28 Jun 2015, Brian Miller wrote:
> On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:
>
>> I haven't set up the firewall yet (dangerous, I know) until I get the
>> connectivity working.
>>
>> I'm obviously overlooking some other configuration settings required for
>> machines inside the network being able to connect through the
>> gateway/router.
>
> As others have pointed out, you're either missing a NAT layer or you got
> a large enough IP allocation to subnet and you haven't set up routing.
> Probably safe to assume it's NAT.
>
> I'd suggest at a minimum you install something like shorewall to assist
> in managing your firewall and IP masquerading tasks. It's available in
> EPEL, is very well documented, and provides enough built in sanity
> checks to protect you against making some silly (and some not so silly)
> mistakes in your firewall management.

Thanks to all for pointing me in the direction of iptables and IP masquerading.

From several sources, code, the stock CentOS iptables I've cobbled the
following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT

I also seem to need to load
iptable_nat
nf_nat_ftp

via rc.local

Is this correct?

Thank you again,
Max
John R Pierce
2015-Jun-29 00:19 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 6/28/2015 3:49 PM, Max Pyziur wrote:
> I also seem to need to load
> iptable_nat
> nf_nat_ftp
>
> via rc.local
>
> Is this correct?

only if you're running some Linux build from the 1990s.

nothing on RHEL/CentOS should need anything in rc.local

--
john r pierce, recycling bits in santa cruz
Max Pyziur
2015-Jun-29 15:59 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Sun, 28 Jun 2015, John R Pierce wrote:
> On 6/28/2015 3:49 PM, Max Pyziur wrote:
>> I also seem to need to load
>> iptable_nat
>> nf_nat_ftp
>>
>> via rc.local
>>
>> Is this correct?
>
> only if you're running some Linux build from the 1990s.
>
> nothing on RHEL/CentOS should need anything in rc.local

Then what is the appropriate way to ensure that these modules are loaded?

Should they be placed in the /etc/init.d/iptables script?

IPTABLES_MODULES="iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp"

or somewhere else?

Thanks
Max
Gordon Messmer
2015-Jun-29 17:33 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 06/28/2015 03:49 PM, Max Pyziur wrote:
> From several sources, code, the stock CentOS iptables I've cobbled the
> following /etc/sysconfig/iptables; while it works, I suspect that
> there are holes:
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -j MASQUERADE
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]

Some holes, yes. I'd recommend that your FORWARD table be similar to INPUT. It should DROP by default, and ACCEPT on traffic coming in the LAN interface and going out the WAN interface (and ESTABLISHED data). As it is now, a host on your WAN interface could use your system as its gateway, and you'd MASQ its traffic.

Possibly:

:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -j ACCEPT

Best practice is to apply both egress and ingress filters as well. You should only forward traffic to the WAN if the source address is one that you use on your LAN. You should only forward traffic to your LAN if the source is *not* an address you use in your LAN. I think that looks like this in iptables, but I might be wrong...

:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
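As an added example (not code from anyone in this thread), a small Python check that reads an /etc/sysconfig/iptables file in iptables-save format and reports the gaps Gordon describes above: a FORWARD chain that does not default to DROP, a MASQUERADE rule not tied to the WAN interface, and forward rules that lack the egress (LAN source) and ingress (anti-spoof) filters. The eth0/eth1 names and 192.168.1.0/24 follow his message; restricting MASQUERADE with `-o eth1` and writing the negation as `! -s` (the form CentOS 6 iptables accepts without a deprecation warning) are assumptions of this example.

```python
# Constructed samples in iptables-save format: SAMPLE_RULES is Max's posted ruleset trimmed to
# its nat and FORWARD parts; HARDENED_RULES is Gordon's ingress/egress version with "-o eth1" added.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""
HARDENED_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 ! -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""

def match_value(args, flag, value):
    # True if "flag value" is present, False if negated as "! flag value", None if absent.
    toks = args.split()
    for i in range(len(toks) - 1):
        if toks[i] == flag and toks[i + 1] == value:
            return not (i > 0 and toks[i - 1] == "!")
    return None

def audit_gateway(text, wan="eth1", lan_net="192.168.1.0/24"):
    findings, table = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":FORWARD ") and line.split()[1] != "DROP":
            findings.append("FORWARD policy is not DROP: any host can route through this box")
        elif line.startswith("-A "):
            chain, args = line[3:].split(" ", 1)
            if table == "nat" and chain == "POSTROUTING" and "MASQUERADE" in args \
                    and match_value(args, "-o", wan) is not True:
                findings.append("MASQUERADE is not limited to the WAN interface: " + args)
            if table == "filter" and chain == "FORWARD" and "-j ACCEPT" in args:
                if "NEW" in args and match_value(args, "-s", lan_net) is not True:  # egress
                    findings.append("NEW flows forwarded without a LAN source filter: " + args)
                if match_value(args, "-i", wan) and match_value(args, "-s", lan_net) is not False:
                    findings.append("WAN traffic forwarded without an anti-spoof filter: " + args)
    return findings
```

Run it against the real file with `audit_gateway(open("/etc/sysconfig/iptables").read())`; an empty list means none of the three gaps was found.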