LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-newbie-8/all-in-one-centos-machine-4175511267/

johnmaxwell 07-16-2014 06:36 AM

all in one centos machine
 
I want to have a router, DHCP, FTP, DNS, proxy, gateway, Samba, and mail server on the same machine. Budget issue.

With the iptables default policy set to DROP.

Attachment 15914

Attachment 15915

Code:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 115.127.27.59; 192.168.100.1; };
        listen-on-v6 port 53 { ::1; };
        directory        "/var/named";
        dump-file        "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query    { localhost; 192.168.100.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Code:

#!/bin/bash

# Declare interfaces, IP addresses, and other things
wan="p4p1"
lan="p4p2"
wanip="115.127.27.59"
lanip="192.168.100.1"

# Clean previous chains and rules
iptables -t filter -F                        # -t selects the table ('filter'); -F flushes all rules
iptables -t filter -X                        # -X deletes user-defined chains
iptables -t filter -Z                        # -Z zeroes the packet/byte counters

iptables -t nat -F                        # for the NAT table
iptables -t nat -X
iptables -t nat -Z

iptables -t mangle -F                        # for the mangle table
iptables -t mangle -X
iptables -t mangle -Z

# Default policy set to DROP in filter
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Default policy set to ACCEPT in mangle (mangle is for packet alteration, not filtering)
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

# Loopback: named, the mail server and other local services talk to 127.0.0.1;
# with INPUT/OUTPUT at DROP they would be cut off without these two rules
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#SSH
# Allow incoming ssh only for wan (remote client -> this host; NEW arrives with --dport 22)
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming ssh only for lan
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
# Allow outgoing ssh only for wan (this host -> remote server; NEW leaves with --dport 22, replies return with --sport 22)
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing ssh only for lan
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#rDesktop
# Allow outgoing rDesktop only for lan
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 3389 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
## WWW
# Allow www outbound to 80.
iptables -A OUTPUT -o $wan -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow www outbound to 443.
iptables -A OUTPUT -o $wan -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#DNS
# Incoming queries from the LAN (named listens on $lanip; a query is a NEW connection, so
# matching only ESTABLISHED on INPUT would drop every query)
iptables -A INPUT  -i $lan -p udp -d $lanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p udp -s $lanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $lan -p tcp -d $lanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Outgoing recursive queries from named to the Internet (recursion yes in named.conf)
iptables -A OUTPUT -o $wan -p udp -s $wanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p udp -d $wanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -s $wanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i $wan -p tcp -d $wanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
# Note: FORWARD stays at DROP and the nat table is empty, so LAN hosts cannot reach the
# Internet through this box yet; the router/gateway role still needs FORWARD rules,
# a MASQUERADE rule in the nat table and net.ipv4.ip_forward=1.

service iptables save
service iptables restart
service iptables status

Somebody please help.
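
The script in the post applies rules one `iptables` call at a time, which leaves a window between the flush and the last `-A` where the box runs with empty chains and DROP policies, and a typo halfway through leaves a half-applied ruleset. As an added example (not from the post or from anyone in the thread), here is the same all-in-one router's ruleset generated in `iptables-restore` format, which loads atomically, together with the pieces the post's script does not have for the router role: loopback, one stateful ESTABLISHED,RELATED rule per chain instead of a hand-written reply rule per service, MASQUERADE and FORWARD for the LAN, an anti-spoofing check, and DHCP. It deliberately opens no WAN-side DNS, so even though named.conf lists the WAN address in listen-on, only the LAN and localhost can query it. Interface names, the addresses and the LAN network are from the post; the `gen_ruleset` function, the 203.0.113.0/24 admin network for WAN-side ssh and the log prefixes are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script: emit an iptables-restore
# file for the all-in-one CentOS router. Nothing here needs root or the
# kernel; the usage comment at the bottom shows how to load it.
set -eu

# gen_ruleset WAN_IF LAN_IF WAN_IP LAN_NET [ADMIN_NET]
# ADMIN_NET (assumed) is the only WAN source allowed to open ssh; default: anywhere.
gen_ruleset() {
    local wan="$1" lan="$2" wanip="$3" lannet="$4" admin_net="${5:-0.0.0.0/0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Gateway role: hide the LAN behind the WAN address
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: named, the mail server and friends talk to 127.0.0.1
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing, before the stateful rule: a LAN source must never arrive on the WAN side
-A INPUT -i $wan -s $lannet -j DROP
-A FORWARD -i $wan -s $lannet -j DROP
# One stateful rule per chain replaces every per-service "reply" rule
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services offered to the LAN only: DNS (named) and DHCP (clients have no address yet)
-A INPUT -i $lan -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $lan -p udp --sport 67 --dport 68 -j ACCEPT
# ssh: LAN unrestricted, WAN only from the admin network
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -s $admin_net -d $wanip -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# What the box itself may start: recursive DNS, ssh, HTTP(S) for updates, ping, and anything towards the LAN (rdesktop)
-A OUTPUT -o $wan -s $wanip -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $wan -s $wanip -p tcp -m multiport --dports 22,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $lan -d $lannet -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Router role: LAN hosts may open connections to the Internet, never the reverse
-A FORWARD -i $lan -o $wan -s $lannet -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited logging of what falls through to the DROP policy, so mistakes show up in /var/log/messages
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-IN-DROP: "
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "IPT-FWD-DROP: "
COMMIT
EOF
}

# Checks that need neither root nor the kernel: a restore file has one COMMIT per table
count_commits() { grep -c '^COMMIT$'; }

# Usage, as root on the CentOS box (the values are the post's; 203.0.113.0/24 is the assumed admin network):
#   gen_ruleset p4p1 p4p2 115.127.27.59 192.168.100.0/24 203.0.113.0/24 > /etc/sysconfig/iptables
#   sysctl -w net.ipv4.ip_forward=1
#   iptables-restore --test < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

`iptables-restore --test` parses and builds the whole ruleset without committing it, so a broken file is rejected before anything on the box changes; writing to /etc/sysconfig/iptables is what `service iptables save` does on CentOS 6, so the file also survives a reboot without the `save`/`restart` dance at the end of the post's script.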

Tim Abracadabra 07-17-2014 12:52 AM

Hi johnmaxwell,

Thanks for placing the config files in code tags!

I'm not sure if you asked a question?
Please be clear on what you are asking.

Did you implement this configuration and are having issues?
If so, please state what they are in detail. Include
any error messages.

Just my two cents: From an administrative point of view I
would tend to configure systems per responsibilities and not
make an "All in one" system. While you can do that, you will find
that all subsystems are software components that may have dependencies.
When these components and/or their dependencies need to be updated
(as they often do) you may need to restart services or even reboot the server.

The more you have going on, the more often this is likely to happen.
Also, you then have to consider co-dependencies, where more than one software
component depends on a certain module or code: what do you do if they need
different versions? Yes, there are ways, but that just adds to the admin overhead.

If this is for personal use, OK, you have been warned.
If this is for production, tread carefully and do your research and test, test, test ;-)
Or better yet, reconsider dividing responsibilities up between systems. A single point
of failure is never a good thing ;-)


So, ... to reiterate, What was your question?

All the best,
Tim

TenTenths 07-17-2014 01:53 AM

My 2cents worth is similar to what Tim is saying. Segmentation and separation of function is always best.

If you can't do this for budget reasons then consider using your hardware as a virtualization host.

Create a small "guest" server and use this just as an iptables router/firewall, and then have other "guest" servers handling different functions.

