Building a Firewall with IP Chains

December 1st, 1999 by Pedro Paulo Bueno in

A quick introduction to the program ipchains.
Your rating: None

Today, one of the most important topics in the computation world is security. How to improve security in a single or interconnected machine is sometimes hard to understand and difficult to implement. In this article, I will discuss how to implement a simple firewall on a Linux machine using IP chains.

History

IP chains could be new to users who upgraded their 2.0.36 kernels to the 2.2.x series, but old to those who worked in the 2.1.x series. ipchains is a rewrite of the well-known ipfwadm, which was a rewrite of BSD's ipfw, and was used to build firewalls in 2.0.x kernels. The are many reasons for this rewrite but perhaps the most important is ipfwadm couldn't allow protocols other than TCP, UDP or ICMP and it didn't handle fragments.

What It Is

Linux IP firewall chaining software is a program that uses the kernel IP packet filtering capability. A packet filter looks at the header of a packet and decides the fate of the entire packet. It can decide to DENY the packet (discard the packet as if it had never received it), ACCEPT (let the packet pass through), or REJECT (like deny, but notify the source of the packet).

Why You Want It

When you build your firewall you are looking for control and security of your network, and good firewall scripts are the key to this objective's success. If you are constantly receiving a ping flood from a specific IP address, you can deny all packets received from that IP, by creating a chain with this policy. ipchains is able to read the policies of the scripts and give instructions to the IP packet filtering as to how to handle the incoming/outcoming packets.

Implementation

First, your kernel must be able to use IP chains. Look for the file /proc/net/ip_fwchains, if it exists, everything is okay. If not, you need to recompile your kernel and set these options:

CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y

Next you need to know the syntax of ipchains necessary to create functional scripts. Let's imagine a hypothetical file called scriptf with some rules :

ipchains -N ippolicy
ipchains -I input -j ippolicy
ipchains -A ippolicy -p icmp -s 198.162.1.2 -j\
   DENY
ipchains -A ippolicy -p TCP -t 200.241.233.1
-j\
   DENY
This script will DENY every packet with the ICMP protocol from the specific source addresses (in our example: 192.168.1.2) and also DENY every packet with the TCP protocol where the target is the choosen address (again in our example: 200.241.233.1). Here's a step-by-step explanation:
  • ipchains -N ippolicy: this line creates a new chain with the name ippolicy.

  • ipchains -I input -j ippolicy: this line says all packets will be verified by ippolicy rules.

  • ipchains -A ippolicy -p icmp -s 198.162.1.2 -j DENY: this line appends the rule ippolicy to the ICMP protocol packets, with a source address of 192.162.1.2 and denies them. Options are:

  • -A: append one or more rules to the selected chain.

  • -p: specify the protocol.

  • -s: specify the source address (0/0 means all addresses).

  • -j: specify the target of the rule, i.e., what to do if the packet matches it.

  • ipchains -A ippolicy -p TCP -t 200.241.233.1 -j DENY: This line will append the rule ippolicy to the TCP protocol packets with a target address of 200.241.233.1 and denies them.

Now, you will want to inform the system that these rules are to be initialized at boot time. Remembering all information about system initialization is in the /etc/rc.d/init.d directory, copy the scriptf file to this directory and add a line like:
/etc/rc.d/init.d/scritpf
in the file /etc/rc.d/rc.sysinit to start it. An important option that could help you in the future is the -F flag, which is used when you want to create new rules and override all previous rules, that is:
ipchains -F ippolicy

Final Considerations

Ip chains is a very powerful tool that allows you to create many complex rules in order to protect your network. Just for fun, I built a small C program to build simple firewall scripts and simplify the rc.d process. It is open source and available at linuxgo.persogo.com.br/ipchains.html. Good places to get more information on how to build great scripts are the HOWTOs (see Resources). Read them before you start to build your own firewall scripts.

Resources

Pedro Paulo Ferreira Bueno, Science Computer Student from Catholic University of Goias (UCG- Brazil), is the manager of LinuxGO, the Goias Linux User Group and the network card moderator at Linux Knowledge base. He is a maniac linux user since he started with Linux in Kernel 2.0.7 . When he is not in front of his linux machine he is probability playing soccer. He can be reached at pedro.bueno@persogo.com.br.

__________________________


Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
enigma evolution mp3 download's picture

linux

On October 2nd, 2007 enigma evolution mp3 download (not verified) says:

the requirements What Wine? system are for . Bye.

Post new comment

Please note that comments may not appear immediately, so there is no need to repost your comment.
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd> <i> <b>
  • Lines and paragraphs break automatically.

More information about formatting options

Newsletter

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.
Sign up for our Email Newsletter

Featured Videos

Setting up an https server in Apache is easy. This tutorial covers how to create and sign your ssl certificate as well as how to configure the web server.

From the Magazine

January 2009, #177

It's a battle as old as time: good vs. evil. Fortunately, Linux and FOSS are on our side as we wage the battle against those who try to steal our secrets and invade our systems.

Checking your system's security is best done sooner rather than later. Test the locks with our article on security verification; find out how to use PAM to help secure your systems; use MinorFS and AppArmor to implement discretionary access control; learn more about Samba security in part III of our series; use Darknet to help detect bots and secure your systems; use the Yubikey to increase your site's security; and don't forget to lock the doors, because a cold boot attack could render your security useless if somebody has physical access to your computer.

But, we're not just about sowing the seeds of fear. We also show you how to use memcached in Rails, how to manage multiple servers efficiently, how to deploy applications easily with Capistrano, how to manage your videos with MythVideo, how to mix it up a bit (your audio that is), and even play a few games.

Read this issue