Re: I want to install a firewall on centOS 6

Posted: 2019/10/22 16:23:15
by imadeira
Good afternoon. I have no program to manage the firewall; I was thinking of creating the rules through iptables. I have a server with CentOS 6 installed, and due to the old hardware it does not support newer CentOS versions. I have installed CentOS (command line, not the desktop version); can I install a firewall manager? Could you tell me which one? It would have to be a 32-bit one, ok? As for the question, those who should be able to print are those who belong to the internal domain (xpto.local).

Re: I want to install a firewall on centOS 6

Posted: 2019/10/22 17:06:44
by jlehtone
imadeira wrote:
2019/10/22 16:23:15
I was thinking of creating the rules through iptables
In other words:
Q: What program is used to connect to the server to do the management?
A: ssh
(At least I hope that is the answer you would give.)
imadeira wrote:
2019/10/22 16:23:15
As for the question, who should be able to print is who belongs to the internal domain (xpto.local).
What subnet(s) is that?

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 08:46:06
by imadeira
I said xpto.local at the example level. My machine's hostname is BMFW and the management console should respond to the internal domain which is: cm-olb.local.
How can I use ssh to manage my firewall?

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 10:38:11
by imadeira
Hello, I already know that SSH is a network protocol and is used to manage servers remotely, so I can use OpenSSH or PuTTY. I ran the command on my server: # iptables -S, and the result was as follows:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
I also ran the # ip ro command to see the default routes on my server, and the result was as follows:
192.168.4.0/27 dev eth0 proto kernel scope link src 192.168.4.20
192.168.250.0/24 dev eth1 proto kernel scope link src 192.168.250.254
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via 192.168.250.254 dev eth1
This was the result of the ip ro command, and I don't understand where it gets the addresses in those 169 lines from .... and the last line should have the address 192.168.1.209; how do I change it? Is it through iptables rules?

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 15:14:14
by TrevorH
The subnets under 169.254 are all special and are known as zeroconf networks. They're local to your machines in the same LAN and are not routable, so they cannot be used for internet access. If you want to disable them on CentOS 7 you can edit /etc/sysconfig/network and add the line NOZEROCONF=yes, and they will go away when the network is restarted or the machine is rebooted.

If that was the entire output from iptables -S then you have NO FIREWALL AT ALL. Your machine is wide open to anyone. If you're lucky then you are behind a hardware firewall of some description. If not and this machine is directly exposed to the internet and has been for any reasonable period of time then I would seriously consider backing up all your data and reinstalling it as you have no idea who has had access to it.

Also, please note that iptables does not really work with domain names. It does sort of work, but not in the way you think it does. The domain name is resolved to an IP address at the time you add the rule, so if it subsequently changes after the rule is added, the rule will still refer to the old IP address. It will not be updated until the rule is removed and re-added, at which point the name lookup is repeated and the new IP address is used.

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 16:33:36
by imadeira
Hello, I know I had not defined any iptables rules yet. That's why I was asking for help. My server is not yet physically connected to the network (abroad), so no problem. I will only connect it when I have all the rules and routes defined. I already defined some rules today, and when I ran the # iptables -S command, the result was as follows:
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.250.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A FORWARD -d 192.168.1.209/32 -j ACCEPT
I still need to make some more iptables rules. If you can help me, I'd appreciate it.
Regarding routes, I don't know how to change the default route; could you help me?

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 17:34:06
by TrevorH
Start by using the default rules that would be set up on a new CentOS 6 install. Those would look like this:

# Generated by iptables-save v1.4.7 on Wed Oct 23 17:31:29 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10107:902557]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Wed Oct 23 17:31:29 2019
Those allow access (from anywhere!) only to your ssh daemon. The rest of the rules there are recommended as a starting point, as they allow all traffic on the localhost interface (many system things depend on that working). They also allow connection responses based on previous usage, so an existing connection will match the RELATED,ESTABLISHED rule at the top and will be handled faster than by searching the rest of the rules for a match (which is why it's at the top).

Re: I want to install a firewall on centOS 6

Posted: 2019/10/23 18:01:25
by jlehtone
imadeira wrote:
2019/10/23 10:38:11

192.168.4.0/27 dev eth0 proto kernel scope link src 192.168.4.20
192.168.250.0/24 dev eth1 proto kernel scope link src 192.168.250.254
default via 192.168.250.254 dev eth1
That makes no sense.
* Talking to other members of 192.168.4.0/27 via eth0 is ok
* Talking to other members of 192.168.250.0/24 via eth1 is ok
BUT
* If you want to talk to anyone else (not a member of 192.168.4.0/27, 192.168.250.0/24, or 169.254.0.0/16), then you forward the packet to "router" 192.168.250.254.
THAT IS YOU.
Your machine is 192.168.250.254. If it does not know where to send a packet, it will send it to 192.168.250.254. To itself. It still won't know what to do with it.

You have mentioned subnets 192.168.0.64/26 and 192.168.1.0/24.
Your server is not connected to those networks.
Your server does not know how to send anything to those networks.

You have (presumably) said that default gateway should be 192.168.1.209.
How could it be, when your machine has no idea where that is?
The gateway must be either in 192.168.4.0/27 or in 192.168.250.0/24.


Please, show:

sudo /sbin/chkconfig --list iptables
(Service iptables loads ruleset to kernel during boot. If it is not on, then firewall stays off.)


The default ruleset in CentOS 6 is (most likely):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Note that there is some traffic that should not be blocked, while almost everything from outside is blocked.

You might still have the default ruleset in file for iptables service, unless you have overwritten it.
It would be good to start from the default, rather than from scratch.
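The sanity check jlehtone describes (a default gateway is only usable if it sits inside one of the server's directly connected subnets and is not the server's own address), written out as an added example. This is not code from the thread; the two connected subnets and interface addresses are the ones posted, and the candidate gateways fed to it are constructed test inputs.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a candidate default
# gateway is reachable from this server. Connected interfaces are the ones
# shown by "ip ro" in the thread; candidate gateways below are test inputs.

IFACES="eth0:192.168.4.20/27 eth1:192.168.250.254/24"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    _addr=$1
    _ifs=$IFS; IFS=.
    set -- $_addr
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP ADDR/BITS -> exit 0 if IP lies in the same /BITS network as ADDR.
# ADDR may be a host address (the interface's own IP) or the network address.
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_gateway GW -> prints a verdict; exit 0 only if GW can be a gateway.
check_gateway() {
    gw=$1
    for entry in $IFACES; do
        dev=${entry%%:*}
        cidr=${entry#*:}
        self=${cidr%/*}
        if [ "$gw" = "$self" ]; then
            # "default via <own address>" is the loop jlehtone points out.
            echo "$gw: this is the server's own address on $dev, not a gateway"
            return 1
        fi
        if in_subnet "$gw" "$cidr"; then
            echo "$gw: reachable via $dev, usable as default gateway"
            return 0
        fi
    done
    echo "$gw: not in any connected subnet, the server has no route to it"
    return 1
}

# Stand-alone run over the addresses discussed in the thread.
for gw in 192.168.1.209 192.168.250.254 192.168.4.1; do
    check_gateway "$gw" || :
done
```

Once an address passes this check, on CentOS 6 it goes into GATEWAY= in /etc/sysconfig/network (or the interface's ifcfg file), and ip route replace default via <gateway> dev <iface> changes it on the running system. The /27 on eth0 matters: 192.168.4.40 would fail the check even though it looks like a neighbour.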

Re: I want to install a firewall on centOS 6

Posted: 2019/10/24 11:11:18
by imadeira
Hello, that's why I'm here on the forum, so you can help me. I mentioned the networks 192.168.0.64/26 and 192.168.1.0/24, and my server is not connected to these networks; how do I get it to connect to them?
I have not defined any routes yet; the routes I showed after executing the command # ip ro are the default ones. I would like you to help me define routes for the firewall, as I said in my earlier reply. Can you help me?
I have a server with CentOS 6 installed, and I have to set up / configure the following firewall rules (the hostname of the machine is BMFW, and the management console responds to our internal domain):

NetworkA 192.168.4.0/27
NetworkB 192.168.250.0/24

The eth0 card has IP 192.168.4.20
The eth1 card has IP 192.168.250.254

Firewall rules should allow source traffic from NetworkB to IP 192.168.1.209 only (all ports in the first phase; the ports actually needed on this route will be sent later);
Management of the firewall should only be possible from network 192.168.0.64/26 and network 192.168.1.0/24.
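The two requirements in the post above, turned into a CentOS 6 /etc/sysconfig/iptables file in the shape TrevorH's default ruleset uses (stateful rule first, loopback and ICMP, then the specific ACCEPTs, catch-all REJECT last). This is an added example, not code from the thread or from any of the posters; the addresses and interface names are the ones posted, and everything else (that ssh on port 22 is the management service, that NetworkB enters on eth1, that no other inbound service is wanted) is an assumption. Only IP addresses are used, since, as TrevorH notes, a name would be resolved once at rule-add time.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore file for
# the stated requirements and self-check its ordering. Assumptions: management
# = ssh/22, NetworkB arrives on eth1, no other inbound services are needed.

MGMT_NETS="192.168.0.64/26 192.168.1.0/24"   # may manage (ssh) the firewall
NET_B="192.168.250.0/24"                     # NetworkB
NET_B_IF="eth1"                              # assumption: interface of NetworkB
PRINT_TARGET="192.168.1.209/32"              # the only destination NetworkB may reach

# Emit the ruleset in iptables-save format (what /etc/sysconfig/iptables holds).
print_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to existing connections are matched first, so they never walk the rest.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
    # ssh only from the management networks: one rule per network, by address.
    for net in $MGMT_NETS; do
        echo "-A INPUT -s $net -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: NetworkB -> 192.168.1.209 only (all ports for now), plus replies.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $NET_B_IF -s $NET_B -d $PRINT_TARGET -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# reject_is_last CHAIN -> exit 0 if the catch-all REJECT is the final rule of
# CHAIN, i.e. no ACCEPT was appended below it where it could never match.
reject_is_last() {
    last=$(print_ruleset | grep "^-A $1 " | tail -n 1)
    case $last in
        *"-j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install on the firewall host (run as root), then enable the service:
#   print_ruleset > /etc/sysconfig/iptables && service iptables restart
#   chkconfig iptables on
# Forwarding also needs net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
print_ruleset
```

The FORWARD rules only let the server pass packets it actually has a route for; until the routing question in this thread is settled (the server has no route to 192.168.1.0/24, and 192.168.1.209's side must route replies back through this box), the rule will sit unused. The OUTPUT chain stays ACCEPT, as in the CentOS 6 default.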

Re: I want to install a firewall on centOS 6

Posted: 2019/10/24 13:12:38
by imadeira
I ran the command sudo /sbin/chkconfig --list iptables, and it gave the following:
iptables 0:no 1:no 2:yes 3:yes 4:yes 5:yes 6:no
What does it mean?