Master iptables with GUI Firewall Builders

Configuring a Linux firewall can be a real chore, but with these graphical tools you can protect your network and learn by example at the same time.

 By Carla Schroder
Page 1 of 2
Print Article

I believe that any network or system administrator who wishes to maintain an iptables firewall should learn iptables well, and be able to easily whip up a basic firewall from scratch. But learning how to do this is the tricky part, so this is where firewall builder programs earn their beans. With a firewall building utility you can get a functioning firewall up and running, and have scripts and rulesets to study. There are gazillions of the things, so today we'll look at three that I think are pretty good: Lokkit, KMyFirewall, and Firewall Builder.

Netfilter/Iptables Woes
Netfilter/iptables is the basis for the vast majority of Linux-based firewalls. It filters on any of the fields in IP, TCP, and UDP packets, which gives the ace admin great flexibility and packet-filtering powers. The netfilter/iptables package is an amazing construct, and very effective. However, there is a rather steep learning curve, and the various Linux distributions do not make it any easier. Red Hat and its derivatives, and Debian and its spawn, make iptables way too complicated with large tangled scripts. Debian 3.1 does away with init scripts entirely, and now wants users to control iptables with ifupdown, so that iptables comes up and down with the networking interfaces. While I'm always game for good new ways of doing things, this one has me puzzled. I prefer to keep networking and iptables separate for easier debugging, and having iptables come up at boot means I don't have to worry about introducing an additional potential point of failure. It remains in whatever state I want it, up or down, regardless of whatever networking craziness might be happening.

You can still use traditional init scripts with Debian, or try out the newfangled method; see /usr/share/doc/iptables/examples/oldinitdscript.gz and /usr/share/doc/iptables/README.Debian.gzfor more information.


Lokkit is a decent choice for a personal firewall. Lokkit is not for the ace admin with a large complex network to protect. Lokkit uses an ncurses interface, so you don't need X windows. Users who want a nice X windows interface can use Gnome-Lokkit.

Debian users will find that the installer creates and activates a basic firewall, which may or may not suit your needs, so you should re-run Lokkit to make sure it has the correct settings. Using it is dead easy- just start it up and answer a few questions. Lokkit uses only the Filter table, and creates a custom chain named "RH-Lokkit." When you try writing your own rules, this makes it easy to separate what you did from Lokkit's rules. It's good practice, and if you irreversibly gum things up, just delete the iptables source script and reboot.

Red Hat and Fedora users can try the system-config-securitylevelcommand, which looks like Lokkit with a SELinux configuration menu.

Looking at Your New Rules

There are two ways to view iptables rules: read the source script, which for Lokkit is /etc/default/lokkit on Debian, and /etc/sysconfig/iptables on Red Hat, or use the iptablescommand. The Filter table is the default, so you must specify the NAT and Mangle tables to see them:

# iptables -L
# iptables -L -t nat
# iptables -L -t mangle


KMyFirewall is a recent addition to the world of firewall builders. It's still a bit rough about the edges, but it has a lot of good things going for it. It writes nice clean scripts, and it tries to be educational. It requires KDE to run, but the scripts it generates can be used in any environment. It sets up complex firewalls easily, and you have the choice of using the wizard, the menu interface, or editing the scripts directly. It's especially good at creating a strong, sensible workstation firewall with a few mouse clicks. This has some nice touches, like allowing ICMP echo_requests with a rate limit of five per minute. Blocking ICMP requests entirely is a popular thing these days, but it's a bad thing to do, as a lot of network services depend on it.

(courtesy KMyFireWall project)

Another nice feature is the wizard configures egress filtering- be a good Netizen and don't let bad packets leak out of your network. If you have any Windows hosts, be especially diligent with your egress filtering.

KMyFirewall is careful- you may preview your firewall script before activating it, and then you can test it before installing it. It lists all the files it creates, and gives you the commands you need to flush all rules and chains.

Its major drawback is it's difficult to set up a proper multi-homed NAT firewall with the wizard, which makes it difficult to build a firewall/gateway that shares an Internet connection. You can use it to create all the custom rules you want, but if you know how to do that, you probably don't need a firewall builder.

This article was originally published on Nov 20, 2007
Get the Latest Scoop with Networking Update Newsletter