FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 05-19-2010, 08:30 AM
 
Default setup firewall with 3 nic cards

Hi Jerry,

Just a general remark.
When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...

Now the default is "allow", and only doing some SNAT and DNAT rules...

hw

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jerry Geis
Sent: Tuesday, May 11, 2010 12:10 AM
To: CentOS ML
Subject: [CentOS] setup firewall with 3 nic cards

I have a centos box with 3 nics. eth0 is internal, eth1 is T1 data and eth2 is cable data.
Everything is working on eth2 cable. External NAT is working just fine for eth2.
However external address 74.x.x.x on eth1 is not working.

Below is my iptables information.

I setup eth1 same as eth2 just a different IP address of course. What did I miss that
eth1 and NAT is not working?

Just looking for both public IP's incoming to NAT to the correct IP address. Only 1 is working at this time.


Thanks,

Jerry

---------------

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:22 to:192.168.1.209:22
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:25 to:192.168.1.209:25
DNAT tcp -- 0.0.0.0/0 24.123.23.170 tcp dpt:80 to:192.168.1.209:80
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:22 to:192.168.1.58:22
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:25 to:192.168.1.58:25
DNAT tcp -- 0.0.0.0/0 74.223.8.179 tcp dpt:80 to:192.168.1.58:80


Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:24.123.23.170
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.209 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1
SNAT all -- 0.0.0.0/0 192.168.1.58 to:192.168.1.1


Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
24.123.23.168 0.0.0.0 255.255.255.248 U 0 0 0 eth2
74.223.8.176 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
0.0.0.0 24.123.23.169 0.0.0.0 UG 0 0 0 eth2

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

__________________________________________________ ____________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-21-2010, 07:54 PM
"James A. Peltier"
 
Default setup firewall with 3 nic cards

On Wed, 19 May 2010, J.Witvliet@mindef.nl wrote:

> Hi Jerry,
>
> Just a general remark.
> When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
>
> Now the default is "allow", and only doing some SNAT and DNAT rules...
>
> hw

And as a follow up remark, it would be advisable to have a network policy
in place that will help to define your rules. For example within a
university environment like mine, we allow everything in by default except
those services for which we want to explicitly block. Those that we want
to explicitly block are documented and we run tests to ensure that our
firewall is working as expected on a regular basis.

Define your "business rules" first and make your firewall rules follow
suit.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_spam@hotmail.com

TEAMWORK
There's power in numbers. Learn to work together.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 08:30 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org