Linux firewalling with ipchains
Almost everyone knows that Linux makes an excellent firewall. Whether you use it in conjunction with serving your Web pages or FTP site, or as a standalone front-end to your internal LAN, Linux provides the tools necessary to build a firewall to meet your specific needs.
Built into the Linux kernel is ipchains, the basic firewall utility needed to deny, accept, and route packets across your system. Because of this utility and the inherent low cost of the operating system, Linux makes a cost-effective choice for a firewall for your LAN or Internet-connected company.
The Linux kernel specifies three categories of filters for firewall traffic. Different rules apply to each type of traffic, yielding an extremely versatile firewall. These basic categories are as follows:
You can also specify your own rules (also called chains), which act as extensions to the three basic firewall rules.
All three rule categories--and any additional rules that you define--have a default policy. These default policies control how the system will react to any particular packet that reaches the firewall. You can use the standard policies for any given rule, or you can jump to another user-defined rule for further processing. The standard policies are:
Constructing rule-chains
The ipchains utility constructs rule-chains in a way that is quite simple and very flexible. With any chain, you can specify a number of options that must be matched in order for the chain to process. These options include:
Other options let you specify priority levels for different types of Transmission Control Protocol (TCP) packets (for example, giving FTP packets a higher priority than Internet Relay Chat (IRC) packets), provide logging for certain chains, and set more specific options detailing packet types, sizes, and so forth.
Because of the versatility of ipchains and the number of options available, building a firewall can be simple or extremely complex, depending on your needs. A simple firewall can consist of four or five ipchains commands. A complex firewall can consist of hundreds of ipchains commands, locking down everything and opening up specific ports and services as you require them.
Because of the complexity in building good firewalls, I highly recommend visiting the Linux Firewall Design Toolkit at www.linux-firewall-tools.com/linux/firewall. It provides a clean and comprehensive Web interface that you can use to design your firewall online, without having to know how to use ipchains. It also outputs a firewall script that you can save and use.
Sample firewall script
A very simple firewall script might look something like this:
# Reject packets arriving on the external interface that claim an internal source
ipchains -A input -i eth0 -s 192.168.0.0/16 -j REJECT
# Accept SMTP and POP3 for the mail server (a port match needs -p tcp)
ipchains -A input -p tcp -d 192.168.1.5 25 -j ACCEPT
ipchains -A input -p tcp -d 192.168.1.5 110 -j ACCEPT
# Reject all other inbound TCP connection attempts (SYN set) to the internal network
ipchains -A input -p tcp -d 192.168.0.0/16 --syn -j REJECT
This script simply appends the rules to the input rule-chain. The first rule says that any packets arriving on the external interface with a source address pretending to come from our internal network (192.168) should be rejected, because someone is trying to spoof us. The next two rules say that any TCP traffic destined for 192.168.1.5--our mail server, providing SMTP (port 25) and POP3 (port 110) services--should be accepted. The final rule rejects all other inbound TCP connections with the SYN bit set (meaning they are attempting to initiate a connection).
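The following script is an added example and is not code from the original article. It puts the pieces the article describes into one place: default policies for the three built-in chains (input, output and forward), the anti-spoofing and mail-server rules from the sample above, a user-defined chain that is jumped to and returns, and the -l logging flag on the rules that drop or reject traffic. It assumes, as the article does, that eth0 is the external interface, 192.168.0.0/16 is the internal LAN and 192.168.1.5 is the mail server; the chain name "mail-in" is a hypothetical choice. Because ipchains only exists on 2.2-era kernels, the script prints the commands it would run unless IPCHAINS=ipchains is set in the environment, which also lets you review the generated rule set before applying it.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a small ipchains
# firewall: default policies, anti-spoofing, a user-defined chain for the
# mail server, replies for connections we opened, and a logged final reject.
# Assumptions (not stated in the article): eth0 is external, 192.168.0.0/16
# is the internal LAN, 192.168.1.5 is the mail server, and "mail-in" is a
# hypothetical name for the user-defined chain.
# Dry run by default: the commands are echoed. Set IPCHAINS=ipchains to apply.

IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="eth0"
INT_NET="192.168.0.0/16"
MAIL_HOST="192.168.1.5"

# Flush the three built-in chains, then set their default policies:
# nothing comes in or is forwarded unless a rule accepts it.
set_policies() {
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -F output
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
}

# Anti-spoofing (the article's first rule): an internal source address must
# never arrive on the external interface. -l logs the hit to the kernel log.
anti_spoof() {
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
}

# Loopback traffic, and replies to TCP connections the firewall itself opened
# (TCP packets without SYN), must get past the DENY default policy.
allow_replies() {
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT
}

# A user-defined chain for the mail server: accept SMTP and POP3, and RETURN
# anything else to the input chain for further processing.
mail_chain() {
    $IPCHAINS -N mail-in
    $IPCHAINS -A mail-in -p tcp -d "$MAIL_HOST" 25 -j ACCEPT
    $IPCHAINS -A mail-in -p tcp -d "$MAIL_HOST" 110 -j ACCEPT
    $IPCHAINS -A mail-in -j RETURN
    # Jump from input into the user-defined chain for TCP to the mail host
    $IPCHAINS -A input -p tcp -d "$MAIL_HOST" -j mail-in
}

# Final rule (the article's last rule): reject, with an ICMP error, any other
# connection attempt (SYN set; -y is the short form of --syn) from outside to
# the internal network, logging each one.
reject_new_connections() {
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$INT_NET" -y -l -j REJECT
}

build_firewall() {
    set_policies
    anti_spoof
    allow_replies
    mail_chain
    reject_new_connections
}

# Review helper: how many rules the script appends to a given chain.
count_rules_for() {
    build_firewall | grep -c -- "-A $1 "
}

build_firewall
```

Rule order matters because ipchains stops at the first match: the anti-spoofing DENY comes before the accept rules, and the logged REJECT comes last so that only traffic no earlier rule accepted reaches it.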
As you can see, ipchains provides powerful filtering capabilities for your Linux system, whether you are using it as a firewall for your Linux server or a firewall/router for your internal LAN. The protection a properly configured firewall can provide your company is invaluable. Linux provides the flexibility and strength that anyone thinking of setting up a firewall will require--and only the Linux solution is this cost-effective.
Vincent Danen is a self-employed Linux consultant and freelance writer native to Edmonton, Canada. He has been using Linux exclusively since mid-1997. Vincent is a firm believer in the philosophy behind the Linux "revolution" and attempts to contribute to the Linux cause in as many ways as possible, from his Freezer Burn Web site to building custom RPMs for the Linux Mandrake project.