On Jul 2, 2004, at 2:57 PM, Bobby Knueven wrote:
Well... you need to set up a dhcp server.
I already have a DHCP server, but it's not on the firewall box. Does that cause a problem?
Not a problem, if you want to use DHCP to assign addresses to the systems behind the firewall, you'll need to do one of 2 things:
1. Install the dhcp package and configure the /etc/sysconfig/dhcrelay file, then:
chkconfig dhcrelay on service dhcrelay start
2. Don't supply DHCP addresses on the other server and run one behind your new firewall.
In your case, #1 seems preferable.
As for the firewall, it's really quite simple in your case:
# These flush any existing rules iptables -F iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -F -t mangle iptables -F -t nat iptables -X
# These set an initial drop everything policy iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
# For connections already deemed OK iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Setup stuff you're allowing to talk directly to the firewall
# eg - ssh to firewall from 10.1.1.0/24:
iptables -A INPUT -p tcp -m state --state NEW -s 10.1.1.0/24 --dport 22 -j ACCEPT
# Setup stuff you're allowing to talk outbound from the firewall
# eg - ssh to anywhere
iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j ACCEPT
# Setup stuff you're forwarding outbound
# eg - internal net == 192.168.1.0/24, allow everything out
iptables -A FORWARD -p all -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
# Setup stuff you're forwarding to a particular server
# eg - https to 192.168.1.50
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport 443 -j ACCEPT
I'd maintain all that in a shell script for easy mods later down the line.
Then run the script to setup iptables, then:
service iptables save service iptables restart chkconfig iptables on
--j
