Linux firewalling with ipchains

Almost everyone knows that Linux makes an excellent firewall. Whether you use it in conjunction with serving your Web pages or FTP site, or as a standalone front-end to your internal LAN, Linux provides the tools necessary to build a firewall to meet your specific needs.

Built into the Linux kernel is ipchains, the basic firewall utility needed to deny, accept, and route packets across your system. Because of this utility and the inherent low cost of the operating system, Linux makes a cost-effective choice for a firewall for your LAN or Internet-connected company.

Firewall categories

The Linux kernel specifies three categories of filters for firewall traffic. Different rules apply to each type of traffic, yielding an extremely versatile firewall. These basic categories are as follows:

  • Input firewall–All incoming traffic is tested against the input firewall rules prior to being accepted.

  • Output firewall–All outgoing traffic is tested against the output firewall rules prior to being sent.

  • Forwarding firewall–All traffic that is being forwarded through the Linux system is tested against the forwarding firewall rules prior to being forwarded.

You can also define your own rule-chains (user-defined chains), which act as extensions to the three built-in chains.

Firewall policies

All three built-in chains–and any user-defined chains–have a default policy. These default policies control how the system reacts to a packet that reaches the end of the chain without matching a rule. You can use one of the standard policies as the target of any rule, or you can jump to a user-defined chain for further processing. The standard policies are:

  • ACCEPT–Let the packet pass through the firewall.

  • REJECT–Discard the packet and return an Internet Control Message Protocol (ICMP) “host unreachable” error message to the sender of the packet.

  • DENY–Silently discard the packet without returning an error message to the sender.

  • MASQ–Masquerade the packet to make it appear as though it originated from the local system. This policy is especially useful when Linux is being used as a router.

  • REDIRECT–Send the packet to a defined port on the local system, regardless of the packet destination.

  • RETURN–This policy is valid only in user-defined rules. It simply returns to the calling chain. If it is used in one of the three kernel chain categories, it means to exit the chain and use the default policy for the chain, instead.

Constructing rule-chains

The ipchains utility constructs rule-chains in a way that is quite simple and very flexible. For any rule in a chain, you can specify a number of options that a packet must match in order for the rule to apply. These options include:

  • Protocol type (TCP, UDP, ICMP, or ALL)
  • Packet source address (in the format address[/mask] [port[:port]])
  • Packet destination address (in the same format as the source address)
  • Destination port number (in the format port[:port])
  • ICMP packet type (there are many ICMP message types, and you can match rules to a specific one)
  • Interface to which the rule should apply (such as lo or eth0)

Other options are available that let you specify priority levels for different types of Transmission Control Protocol (TCP) packets (for example, giving FTP packets a higher priority than Internet Relay Chat (IRC) packets); turn on logging for particular rules; and set more specific match options covering packet types, sizes, and so forth.

Because of the versatility of ipchains and the number of options available, building a firewall can be simple or extremely complex, depending on your needs. A simple firewall can consist of four or five ipchains commands. A complex firewall can consist of hundreds of ipchains commands, locking down everything and opening up specific ports and services as you require them.

Because of the complexity of building good firewalls, I highly recommend visiting the Linux Firewall Design Toolkit at It provides a clean and comprehensive Web interface that you can use to design your firewall online, without having to know how to use ipchains. It also outputs a firewall script that you can save and use.

Sample firewall script

A very simple firewall script might look something like this:

ipchains -A input -i eth0 -s -j REJECT
ipchains -A input -p tcp -d 25 -j ACCEPT
ipchains -A input -p tcp -d -j ACCEPT
ipchains -A input -p tcp --syn -j REJECT

This script simply appends the rules to the input chain. The first rule says that any packet arriving on the external interface with a source address pretending to come from our internal network (192.168) should be discarded, because someone is trying to spoof us. The next two rules say that any traffic destined for our mail server–providing SMTP (port 25) and POP3 (port 110) services–should be accepted. The final rule rejects all other inbound TCP connections with the SYN bit set (meaning they are attempting to initiate a connection).
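As an added example that is not the article's own script, here is a fuller ruleset built from the same ingredients the article describes: default policies, a user-defined chain that ends with RETURN, the anti-spoofing rule, the mail-server rules, SYN-based rejection with logging, and MASQ for a LAN behind the box. The interface eth0, the LAN 192.168.0.0/16 and the mail server 192.168.1.10 are assumed placeholder values; setting FW_DRY_RUN=1 prints the ipchains commands instead of loading them, so the ruleset can be reviewed on any machine before it goes near a firewall.

```shell
#!/bin/sh
# Added example, not the article's script. Assumed values: EXT_IF, LAN_NET,
# MAIL_HOST (constructed). FW_DRY_RUN=1 prints the rules instead of loading them.
EXT_IF=${EXT_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/16}      # constructed internal network
MAIL_HOST=${MAIL_HOST:-192.168.1.10}    # constructed mail server address
FW_DRY_RUN=${FW_DRY_RUN:-0}

# Every rule goes through this wrapper so the whole ruleset can be dry-run.
fw() {
    if [ "$FW_DRY_RUN" = 1 ]; then printf 'ipchains %s\n' "$*"; else ipchains "$@"; fi
}

build_firewall() {
    # Clean slate, deny by default: only explicit rules open anything.
    fw -F
    fw -X
    fw -P input DENY
    fw -P forward DENY
    fw -P output ACCEPT

    # User-defined chain: log (-l) and drop packets from outside that claim a
    # private source address; RETURN hands everything else back to input.
    fw -N spoof
    fw -A spoof -s "$LAN_NET" -l -j DENY
    fw -A spoof -s 10.0.0.0/8 -l -j DENY
    fw -A spoof -s 172.16.0.0/12 -l -j DENY
    fw -A spoof -j RETURN
    fw -A input -i "$EXT_IF" -j spoof

    # Loopback and the LAN side are trusted.
    fw -A input -i lo -j ACCEPT
    fw -A input -s "$LAN_NET" -j ACCEPT

    # From outside, only SMTP (25) and POP3 (110) on the mail server are open.
    fw -A input -i "$EXT_IF" -p tcp -d "$MAIL_HOST" 25 -j ACCEPT
    fw -A input -i "$EXT_IF" -p tcp -d "$MAIL_HOST" 110 -j ACCEPT
    # Replies to connections opened from inside do not carry a bare SYN.
    fw -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # Any other attempt to open a TCP connection is logged and rejected.
    fw -A input -i "$EXT_IF" -p tcp -y -l -j REJECT

    # Router setup: masquerade LAN traffic leaving through the external interface.
    fw -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}
if [ "${1:-}" = "--apply" ]; then
    build_firewall
    echo 1 > /proc/sys/net/ipv4/ip_forward   # enable forwarding for MASQ
fi
```

Run it as `FW_DRY_RUN=1 sh firewall.sh --apply` to review the generated rules; UDP and ICMP arriving from outside fall through to the DENY policy, so services such as DNS need their own rules added.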

As you can see, ipchains provides powerful filtering capabilities for your Linux system, whether you are using it as a firewall for your Linux server or as a firewall/router for your internal LAN. The protection a properly configured firewall can provide your company is invaluable. Linux provides the flexibility and strength that anyone thinking of setting up a firewall will require–and only the Linux solution is this cost effective.

Vincent Danen is a self-employed Linux consultant and freelance writer native to Edmonton, Canada. He has been using Linux exclusively since mid-1997. Vincent is a firm believer in the philosophy behind the Linux “revolution” and attempts to contribute to the Linux cause in as many ways as possible, from his Freezer Burn Web site to building custom RPMs for the Linux Mandrake project.
