LinuxQuestions.org
Old 07-16-2014, 07:36 AM   #1
johnmaxwell
LQ Newbie
 
Registered: Feb 2014
Posts: 20

Rep: Reputation: Disabled
all in one centos machine


I want to have a router, a DHCP, FTP, DNS, proxy, gateway, Samba, and mail server all on the same machine. Budget issue.

With iptables default policy Drop.

dhcp.txt

ifconfig.txt

Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { 115.127.27.59; 192.168.100.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; 192.168.100.0/24; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Code:
#!/bin/bash

# Declare interfaces, IP addresses, and other things
wan="p4p1"
lan="p4p2"
wanip="115.127.27.59"
lanip="192.168.100.1"

# Clean previous chains and rules
iptables -t filter -F			# -t selects the table ('filter'), -F flushes all rules
iptables -t filter -X			# -X deletes user-defined chains
iptables -t filter -Z			# -Z zeroes the packet/byte counters

iptables -t nat -F			# same for the nat table
iptables -t nat -X
iptables -t nat -Z

iptables -t mangle -F			# and for the mangle table
iptables -t mangle -X
iptables -t mangle -Z

# Default policy in filter: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Default policy in mangle: accept (mangle only alters/marks packets, it does not filter)
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

# Loopback: with INPUT/OUTPUT DROP, local services (named as localhost resolver,
# mail delivery, anything talking to 127.0.0.1) break unless lo is allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#SSH
# Allow incoming ssh on wan (remote client uses a high source port, we answer from port 22)
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming ssh on lan
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
# Allow outgoing ssh on wan (this box is the client: high source port, destination port 22;
# the original had source and destination ports swapped here, which only duplicated the incoming rules)
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing ssh on lan (reply packets arrive with our address as destination, hence -d not -s)
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#rDesktop
# Allow outgoing rDesktop only for lan
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 3389 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
## WWW
# Allow www outbound to 80.
iptables -A OUTPUT -o $wan -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow www outbound to 443.
iptables -A OUTPUT -o $wan -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#DNS
# Allow incoming DNS queries and our replies. The first query packet is state NEW,
# so an INPUT rule matching only ESTABLISHED (as originally written) drops every query.
# Which clients may query is restricted by allow-query in named.conf.
iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing DNS so named (recursion yes) can query upstream servers via the wan
iptables -A OUTPUT -o $wan -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################

service iptables save
service iptables restart
service iptables status
Somebody please help
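An added audit check (example code, not from the thread): it parses an iptables-save style filter table and flags three pitfalls a default-DROP all-in-one box runs into, namely no loopback accept, a service port accepted only in state ESTABLISHED (so the first packet of a connection never gets in), and a FORWARD chain that drops everything on a machine meant to be the router. The dump is a constructed, abbreviated rendering of the script as first posted; parse_filter and audit are hypothetical names.

```python
"""Audit an iptables-save style filter table for default-DROP pitfalls.
Added example, not code from the thread; the dump below is a constructed,
abbreviated rendering of the script as first posted (no loopback rule,
DNS accepted only in state ESTABLISHED, no FORWARD rules at all)."""

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i p4p1 -p tcp -d 115.127.27.59 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    """Return (chain policies, rules); each rule is its token list."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):           # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):       # an appended rule
            rules.append(line.split())
    return policies, rules

def _opt(tokens, flag):
    """Value following a flag such as '--dport', or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(dump):
    """Return a list of findings; an empty list means no pitfall detected."""
    policies, rules = parse_filter(dump)
    chain = lambda name: [r for r in rules if r[1] == name]
    findings = []
    # 1. INPUT DROP with no '-i lo' ACCEPT: named's localhost resolver, mail
    #    delivery and anything else talking to 127.0.0.1 silently breaks.
    if policies.get("INPUT") == "DROP" and not any(_opt(r, "-i") == "lo" for r in chain("INPUT")):
        findings.append("INPUT DROP without loopback ACCEPT: local services broken")
    # 2. A listening port accepted only in state ESTABLISHED never sees the
    #    first packet of a connection, so the service is unreachable.
    for r in chain("INPUT"):
        states = _opt(r, "--state")
        if _opt(r, "-j") == "ACCEPT" and _opt(r, "--dport") and states and "NEW" not in states.split(","):
            findings.append(f"INPUT dport {_opt(r, '--dport')} lacks NEW: new connections dropped")
    # 3. FORWARD DROP with no FORWARD rules: a machine meant to be the router
    #    forwards nothing between LAN and WAN.
    if policies.get("FORWARD") == "DROP" and not chain("FORWARD"):
        findings.append("FORWARD DROP with no FORWARD rules: nothing routed")
    return findings
```

Feed it the output of `iptables-save -t filter` from the live box to check a ruleset before it goes into `service iptables save`.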
 
Old 07-17-2014, 01:52 AM   #2
Tim Abracadabra
Member
 
Registered: May 2014
Location: USA, Wherever I may Roam
Distribution: Debian w/Xfce, LFS 7.9, ++
Posts: 117

Rep: Reputation: Disabled
Hi johnmaxwell,

Thanks for placing the config files in code tags!

I'm not sure if you asked a question??
Please be clear on what you are asking.

Did you implement this configuration and are having issues?
If so, please state what they are in detail. Include
any error messages.

Just my two cents: From an administrative point of view I
would tend to configure systems per responsibilities and not
make an "All in one" system. While you can do that, you will find
that all subsystems are software components that may have dependencies.
When these components and/or their dependencies need to be updated
(As often they do) you may need to restart services or even reboot the server.

The more you have going on, the more often this is likely to happen.
Also, you then have to consider co-dependencies, where more than one software
component depends on a certain module or code, and what do you do if they need
different versions? Yes, there are ways, but that just adds to the admin overhead.

If this is for personal use, OK, you have been warned.
If this is for production, tread carefully and do your research and test, test, test;-)
Or better yet, reconsider dividing responsibilities up between systems. A single point
of failure is never a good thing ;-)


So, ... to reiterate, What was your question?

All the best,
Tim

Last edited by Tim Abracadabra; 07-17-2014 at 01:56 AM. Reason: fix typo "an", add ","
 
Old 07-17-2014, 02:53 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,303

Rep: Reputation: 816
My 2 cents' worth is similar to what Tim is saying. Segmentation and separation of function is always best.

If you can't do this for budget reasons then consider using your hardware as a virtualization host.

Create a small "guest" server and use this just as an iptables router/firewall, and then have other "guest" servers handling the different functions.