Re: Firewall frustration

Steven Haigh wrote:
> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
>> Christopher Chan wrote:
>>>> I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything.
>>>
>>> Eh? You just need to enable ip forwarding to enable routing. After that, it is a matter of putting up the firewall rules as necessary and building the appropriate routing tables on the firewall box and the boxes on the intranet(s).
>>>
>>> iptables does not handle routing.
>> No, but iptables controls what is allowed to route,
>
> I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to whether it should be allowed to pass or be filtered.

I have been tested as having a significant language usage problem, and am working on it. 'What is allowed to route' was a poor choice of wording. What you wrote above is much closer to what I wanted to say.

ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simply yank packets right out of the machine with a simple NO (drop).

So in my mind's eye, the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route.

>> Those little words, "put up the firewall rules as necessary", are equivalent to "and magic happens here."
>
> It's actually not magical at all... Work with the mindset of "I want to allow X, Y, and Z, then deny everything else". This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject.

That is exactly what I tried to do. I just used the wrong bit of pixie dust (during some of the 'heated' IPsec meeting debates one fellow would try to sneak up on a speaker 'that just did not get it' and sprinkle some glitter on them. He had labeled his tube of glitter as 'security pixie dust').
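The "enable forwarding, allow X, Y and Z, then drop everything else" recipe for a routing firewall with no NAT, written out as an added example that is not part of this thread. The interface names, the inside subnet and the permitted services are assumptions; with DRY_RUN left at 1 the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Stateful FORWARD-chain firewall, no NAT (added example; names are assumed).
LAN_IF="${LAN_IF:-eth1}"                 # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # assumed routable inside subnet
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = apply them

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Build the FORWARD chain: explicit ACCEPTs, everything else hits the DROP policy.
build_forward_rules() {
  # Routing itself is a kernel switch, not an iptables rule.
  [ "$DRY_RUN" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
  # Set the policy before flushing so there is no window with an open chain.
  ipt -P FORWARD DROP
  ipt -F FORWARD
  # Return traffic for flows already allowed below needs no per-port rule.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
  # Anti-spoofing: packets entering on LAN_IF must carry a LAN source address.
  ipt -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
  # The "X, Y and Z" being allowed: LAN hosts may reach web and DNS upstream.
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
  # Log (rate-limited) what the policy is about to drop, so a wrong rule is visible.
  ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Helper for checking the generated ruleset without touching the kernel:
# number of explicit ACCEPT rules (3 with the rules above).
count_accept_rules() {
  ( DRY_RUN=1; build_forward_rules ) | grep -c -- '-j ACCEPT'
}

build_forward_rules
```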


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
