Home

Building a Firewall with IP Chains

Issue 68

From Issue #68
December 1999

Dec 01, 1999  By Pedro Paulo Bueno
 in
A quick introduction to the program ipchains.

Today, one of the most important topics in the computation world is security. How to improve security in a single or interconnected machine is sometimes hard to understand and difficult to implement. In this article, I will discuss how to implement a simple firewall on a Linux machine using IP chains.

History

IP chains could be new to users who upgraded their 2.0.36 kernels to the 2.2.x series, but old to those who worked in the 2.1.x series. ipchains is a rewrite of the well-known ipfwadm, which was a rewrite of BSD's ipfw, and was used to build firewalls in 2.0.x kernels. The are many reasons for this rewrite but perhaps the most important is ipfwadm couldn't allow protocols other than TCP, UDP or ICMP and it didn't handle fragments.

What It Is

Linux IP firewall chaining software is a program that uses the kernel IP packet filtering capability. A packet filter looks at the header of a packet and decides the fate of the entire packet. It can decide to DENY the packet (discard the packet as if it had never received it), ACCEPT (let the packet pass through), or REJECT (like deny, but notify the source of the packet).

Why You Want It

When you build your firewall you are looking for control and security of your network, and good firewall scripts are the key to this objective's success. If you are constantly receiving a ping flood from a specific IP address, you can deny all packets received from that IP, by creating a chain with this policy. ipchains is able to read the policies of the scripts and give instructions to the IP packet filtering as to how to handle the incoming/outcoming packets.

Implementation

First, your kernel must be able to use IP chains. Look for the file /proc/net/ip_fwchains, if it exists, everything is okay. If not, you need to recompile your kernel and set these options:

CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y

Next you need to know the syntax of ipchains necessary to create functional scripts. Let's imagine a hypothetical file called scriptf with some rules : 

ipchains -N ippolicy
ipchains -I input -j ippolicy
ipchains -A ippolicy -p icmp -s 198.162.1.2 -j\
   DENY
ipchains -A ippolicy -p TCP -t 200.241.233.1
-j\
   DENY
This script will DENY every packet with the ICMP protocol from the specific source addresses (in our example: 192.168.1.2) and also DENY every packet with the TCP protocol where the target is the choosen address (again in our example: 200.241.233.1). Here's a step-by-step explanation:

  • ipchains -N ippolicy: this line creates a new chain with the name ippolicy.

  • ipchains -I input -j ippolicy: this line says all packets will be verified by ippolicy rules.

  • ipchains -A ippolicy -p icmp -s 198.162.1.2 -j DENY: this line appends the rule ippolicy to the ICMP protocol packets, with a source address of 192.162.1.2 and denies them. Options are:

  • -A: append one or more rules to the selected chain.

  • -p: specify the protocol.

  • -s: specify the source address (0/0 means all addresses).

  • -j: specify the target of the rule, i.e., what to do if the packet matches it.

  • ipchains -A ippolicy -p TCP -t 200.241.233.1 -j DENY: This line will append the rule ippolicy to the TCP protocol packets with a target address of 200.241.233.1 and denies them.

Now, you will want to inform the system that these rules are to be initialized at boot time. Remembering all information about system initialization is in the /etc/rc.d/init.d directory, copy the scriptf file to this directory and add a line like: 
/etc/rc.d/init.d/scritpf
in the file /etc/rc.d/rc.sysinit to start it. An important option that could help you in the future is the -F flag, which is used when you want to create new rules and override all previous rules, that is: 
ipchains -F ippolicy

______________________

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions