Building a Linux firewall

Learn about the three types of firewalls—application proxy gateway, circuit level relay, and packet filter—and how they are used to protect your network from unauthorized access.

The growth of the Internet has prompted many organizations to become security-conscious. Documented and undocumented incidents of security violations, expanded research about security issues, and even media hype have brought about the potential for at least partial solutions for securing a networked environment—without completely isolating the network from the outside world. Leading the pack of solutions is the firewall. Just about everyone has defined what a firewall is, so I won't be any different. A firewall is a device or collection of devices that restricts the access of “outside” networks to “inside” networks. Not surprisingly, Linux can play a part in this arena.

Firewalls are currently classified into three models. Fundamentally, the industry classifications are application proxy gateway, circuit level relay, and packet filter.

An application proxy gateway is what most people think of when they talk about firewalls. Also known as a bastion host, it is used to completely sever the connectivity between outside and inside networks. Connections are made via proxy processes to the bastion host. The bastion host in turn will establish a connection to the real destination and handle communications between the two connections.

There are several advantages to a proxy gateway. First, because the proxies are at the application level, they can take advantage of application protocols. For example, protocols providing authentication—such as TELNET, FTP, and HTTP—can be intercepted at the proxy and stronger authentication mechanisms applied (such as S/Key) without adversely affecting the remote client. Also, protocol-specific rules can be applied by the proxy. A rule can be established that allows FTP GETs through the gateway, but not FTP PUTs. Another advantage is the extensive logging that can be provided at the application level. It is important to note that the bastion performs no IP routing functions. All communications are through proxy processes. The firewall toolkit FWTK, available as freeware from TIS, is an example of a firewall application level gateway.
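As an added example (not FWTK code or anything from the article), the C fragment below shows the kind of protocol-specific rule the paragraph describes: an application-aware FTP proxy that forwards the commands behind an FTP GET but refuses those behind an FTP PUT. The command lists are an assumption made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed example of an application-aware proxy rule, not FWTK code: the
 * proxy sees every FTP control-channel command, so it can allow downloads
 * (RETR, the client side of a GET) while refusing uploads (STOR, STOU, APPE,
 * the commands behind a PUT). A packet filter cannot see this distinction. */
static const char *const UPLOAD_CMDS[] = { "STOR", "STOU", "APPE", NULL };
static const char *const ALLOWED_CMDS[] = { "USER", "PASS", "PWD", "CWD", "TYPE",
    "PASV", "PORT", "LIST", "NLST", "RETR", "SIZE", "QUIT", NULL };

/* Copy the command verb (up to the first space or CRLF) into verb, uppercased. */
static void ftp_verb(const char *line, char *verb, size_t n) {
    size_t i = 0;
    while (i + 1 < n && line[i] && line[i] != ' ' && line[i] != '\r' && line[i] != '\n') {
        verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb[i] = '\0';
}

static bool in_list(const char *const *list, const char *verb) {
    for (; *list; list++)
        if (strcmp(*list, verb) == 0) return true;
    return false;
}

/* Returns true if the proxy should forward this command line to the real server.
 * Unknown verbs are refused as well, so the rule is an allow-list, not a deny-list. */
bool ftp_proxy_allows(const char *line) {
    char verb[8];
    ftp_verb(line, verb, sizeof verb);
    if (in_list(UPLOAD_CMDS, verb)) return false;   /* FTP PUT: refused */
    return in_list(ALLOWED_CMDS, verb);             /* FTP GET and session setup */
}
```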

A circuit-level relay functions in a manner similar to an application proxy gateway, except the proxies employed for a circuit relay are normally not application-aware. Because of this, you lose many of the detailed logging capabilities and precise rule definitions you have in an application proxy gateway. The important concept remains the same in that a connection is established via proxies and IP packets are not forwarded through the firewall. SOCKS is an implementation of a circuit level relay based firewall.

Packet filtering is the most common type of firewall available. It works on the concept of forwarding packets based on rules. Those rules typically take into consideration source and destination IP address, source and destination port numbers, the protocol being transported, TCP flags, IP flags or options, and other information such as the interface over which the packet arrived. The primary difference between a packet filtering firewall and the others is IP forwarding. A packet filtering firewall is usually a router, and its function in life is to forward packets. This means that while you can control which machines on the outside can talk to certain machines on the inside (and which applications), you now rely on the application to protect itself from harm. For some applications, this isn't a particularly wise decision. Nonetheless, packet filtering can be very useful, is widely available, and is typically inexpensive.
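As an added illustration (not code from the article or from the kernel's ipfw), the following C program implements the rule evaluation a packet filter performs: a first-match rule table over source and destination address, destination port, protocol, TCP flags and arriving interface, with a default policy applied when no rule matches. The 192.168.1.0/24 inside network, the eth0 interface, the three rules and the packet layout are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed example, not the kernel's ip_fw structures: a first-match packet
 * filter over the header fields the article lists. Addresses are host-order ints. */
enum action { DENY = 0, ACCEPT = 1, REJECT = 2 };   /* REJECT = deny + ICMP reply */
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { TCP_SYN = 0x02, TCP_ACK = 0x10 };             /* TCP flag bits */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((c) << 8) | (d))

struct pkt {
    uint32_t src, dst; uint16_t sport, dport;
    uint8_t proto, tcp_flags;
    const char *iface;                /* interface the packet arrived on */
};
struct rule {
    uint32_t src, smask, dst, dmask;  /* mask 0 = any address */
    uint16_t dport;                   /* 0 = any port */
    uint8_t proto;                    /* PROTO_ANY = any protocol */
    uint8_t flags_set, flags_clear;   /* TCP flags that must be set / must be clear */
    const char *iface;                /* NULL = any interface */
    enum action act;
};

static bool rule_matches(const struct rule *r, const struct pkt *p) {
    if ((p->src & r->smask) != (r->src & r->smask)) return false;
    if ((p->dst & r->dmask) != (r->dst & r->dmask)) return false;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return false;
    if (r->dport && r->dport != p->dport) return false;
    if (r->iface && strcmp(r->iface, p->iface) != 0) return false;
    if (p->proto == PROTO_TCP && ((p->tcp_flags & r->flags_set) != r->flags_set ||
                                  (p->tcp_flags & r->flags_clear))) return false;
    return true;
}

/* First matching rule wins; if nothing matches, the default policy applies. */
enum action filter(const struct rule *rules, int n, const struct pkt *p, enum action policy) {
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].act;
    return policy;
}

/* Constructed inbound ruleset for 192.168.1.0/24 behind eth0: accept TCP replies
 * (ACK set), reject telnet SYNs with ICMP, allow DNS to the inside resolver, deny the rest. */
static const struct rule inbound[] = {
    { 0, 0, IP4(192,168,1,0),  0xffffff00,  0, PROTO_TCP, TCP_ACK, 0,       "eth0", ACCEPT },
    { 0, 0, IP4(192,168,1,0),  0xffffff00, 23, PROTO_TCP, TCP_SYN, TCP_ACK, "eth0", REJECT },
    { 0, 0, IP4(192,168,1,53), 0xffffffff, 53, PROTO_UDP, 0,       0,       "eth0", ACCEPT },
};
enum action filter_inbound(const struct pkt *p) { return filter(inbound, 3, p, DENY); }
```

Note that the first rule is exactly the weakness the paragraph describes: the filter accepts any packet with ACK set as a reply, and it is up to the inside application to cope with whatever arrives on an already-open port.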

A Linux machine can function as any one of these firewall types, or as all three at once (i.e., as a hybrid). Without add-ons, however, the Linux kernel has the ability to function as a packet filtering router, using the ipfirewall code written by Daniel Boulet and Ugen J.S. Antsilevich. For most 1.2.x and 1.3.x kernels, the firewall code (ip_fw.c) is based on the port by Alan Cox and Jos Vos. Boulet has released version 2.0e (as of this writing) of his ipfirewall code as shareware. I have yet to install the new release, so any discussion I have is based on the ip_fw.c code—specifically kernel 1.2.13.

Caution

In order to use this built-in firewall capability, you need to understand a bit about how TCP/IP works. Trying to set up a firewall from scratch without understanding networking is a sure route to disaster. If you want a “plug and play” firewall solution for Linux, one is mentioned at the end of this article. To learn more about TCP and IP, recommended reading is TCP/IP Illustrated, Volume 1 by W. Richard Stevens. Also, the 3rd edition of Douglas Comer's Internetworking with TCP/IP is excellent bedtime reading.


Comments


code (posted by prat)

I'm working on a firewall on the Linux platform. Could you please send me your code for assistance, to
prat.wap@gmail.com

linux firewall code needed.. urgent! (posted by Anonymous)

Has anyone out there got complete working code for a Linux-based firewall? Please help!

complete firewall code for linux... (posted by Anonymous)

Hi, we are doing a project on a firewall for Linux. Can you please give the code of a simple packet filter firewall for Linux? My mail id is ramyavastrad@gmail.com

linux firewall (posted by anonymous)

Hey,
we are doing a project on network security. We are going to build a DMZ for a private network, in which we are supposed to build our own firewall on Linux. So could you please guide us regarding how to start with the project? We would be very thankful to you if you provide us with the complete source code. My id is rati_flyhigh@rediffmail.com

firewall code needed (posted by thomas)

Hey friends, I am planning to do a project on a Linux firewall, but I don't have any idea how to do it. So please, if anyone has any info about the logic and has the complete code, please do mail it to me at so_thoms@yahoo.co.in. Please help me, I want it early.

Re: Building a Linux firewall (posted by Anonymous)

I'm building a Linux firewall in bash and a configuration file. Can somebody help me with complete code so I can have an idea of how to begin? My e-mail is mgend_@hotmail.com

Re: Building a Linux firewall (posted by Anonymous)

Can you provide the complete source code?

My mail ID: george_s_kalarikal@yahoo.co.uk

Re: Building a Linux firewall (posted by Anonymous)

# cat set_policy.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/ip_fw.h>

/* Set the default forwarding policy of the 1.2.x/2.0 ipfw code:
 * accept, reject (deny with an ICMP reply), or deny (drop silently). */
int main(int argc, char **argv)
{
    int p, sfd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s accept|reject|deny\n", argv[0]);
        return 1;
    }
    if (strcmp(argv[1], "accept") == 0)
        p = IP_FW_F_ACCEPT;
    else if (strcmp(argv[1], "reject") == 0)
        p = IP_FW_F_ICMPRPL;
    else if (strcmp(argv[1], "deny") == 0)
        p = 0;
    else {
        fprintf(stderr, "unknown policy: %s\n", argv[1]);
        return 1;
    }
    /* The policy is set through a raw socket, so this must run as root. */
    sfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sfd < 0) {
        perror("socket");
        return 1;
    }
    if (setsockopt(sfd, IPPROTO_IP, IP_FW_POLICY_FWD, &p, sizeof(int)) < 0) {
        perror("setsockopt IP_FW_POLICY_FWD");
        close(sfd);
        return 1;
    }
    close(sfd);
    return 0;
}

Need a bit of help (posted by Shobhit Kumar)

This is Shobhit here. I'm trying to build a kind of firewall in C. Actually, I'm looking for specific URL blocking for a bandwidth manager box, I mean to say a program that can recognize the packet information from the network, sort the packets and then block the required ones. If you could help me with this... Moreover, if you could send me the full code, then at least I will get some idea. Thanks.

netfilter (posted by Anonymous)

Can anyone help me to code a firewall using netfilter which will support multiple rules?

can you provide me a complete code? (posted by Anonymous)

Hi,

I am developing a firewall for my system and I would like to look at your code for that purpose.

I would appreciate it if you would email me the same at the following id: guy_from_rolla@yahoo.com

Thanks!

John.

need help (posted by Anonymous)

Hi,
we have a LAN and a gateway in it. We want to hold all the packets coming into the gateway for compression/modification. We want help with this.
Thank you.
dhaubaji@yahoo.com

Give a complete code not just a part of it (posted by Anonymous)

Would you please give the complete code, not a part?

My email id: avi_comp@rediffmail.com

Building a Linux firewall (posted by juno)

Hi there, we are currently working on a firewall for our thesis. I was hoping somebody could help me. Can you send me the complete source code? Here's my email: juno_king2000@yahho.com

Thank you.
