Building a Firewall with IP Chains
Today, one of the most important topics in the computation world is security. How to improve security in a single or interconnected machine is sometimes hard to understand and difficult to implement. In this article, I will discuss how to implement a simple firewall on a Linux machine using IP chains.
IP chains could be new to users who upgraded their 2.0.36 kernels to the 2.2.x series, but old to those who worked in the 2.1.x series. ipchains is a rewrite of the well-known ipfwadm, which was a rewrite of BSD's ipfw, and was used to build firewalls in 2.0.x kernels. The are many reasons for this rewrite but perhaps the most important is ipfwadm couldn't allow protocols other than TCP, UDP or ICMP and it didn't handle fragments.
Linux IP firewall chaining software is a program that uses the kernel IP packet filtering capability. A packet filter looks at the header of a packet and decides the fate of the entire packet. It can decide to DENY the packet (discard the packet as if it had never received it), ACCEPT (let the packet pass through), or REJECT (like deny, but notify the source of the packet).
When you build your firewall you are looking for control and security of your network, and good firewall scripts are the key to this objective's success. If you are constantly receiving a ping flood from a specific IP address, you can deny all packets received from that IP, by creating a chain with this policy. ipchains is able to read the policies of the scripts and give instructions to the IP packet filtering as to how to handle the incoming/outcoming packets.
First, your kernel must be able to use IP chains. Look for the file /proc/net/ip_fwchains, if it exists, everything is okay. If not, you need to recompile your kernel and set these options:
Next you need to know the syntax of ipchains necessary to create functional scripts. Let's imagine a hypothetical file called scriptf with some rules :
ipchains -N ippolicy ipchains -I input -j ippolicy ipchains -A ippolicy -p icmp -s 126.96.36.199 -j\ DENY ipchains -A ippolicy -p TCP -t 188.8.131.52 -j\ DENYThis script will DENY every packet with the ICMP protocol from the specific source addresses (in our example: 192.168.1.2) and also DENY every packet with the TCP protocol where the target is the choosen address (again in our example: 184.108.40.206). Here's a step-by-step explanation:
ipchains -N ippolicy: this line creates a new chain with the name ippolicy.
ipchains -I input -j ippolicy: this line says all packets will be verified by ippolicy rules.
ipchains -A ippolicy -p icmp -s 220.127.116.11 -j DENY: this line appends the rule ippolicy to the ICMP protocol packets, with a source address of 18.104.22.168 and denies them. Options are:
-A: append one or more rules to the selected chain.
-p: specify the protocol.
-s: specify the source address (0/0 means all addresses).
-j: specify the target of the rule, i.e., what to do if the packet matches it.
ipchains -A ippolicy -p TCP -t 22.214.171.124 -j DENY: This line will append the rule ippolicy to the TCP protocol packets with a target address of 126.96.36.199 and denies them.
/etc/rc.d/init.d/scritpfin the file /etc/rc.d/rc.sysinit to start it. An important option that could help you in the future is the -F flag, which is used when you want to create new rules and override all previous rules, that is:
ipchains -F ippolicy
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Back to Backups
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Google's Abacus Project: It's All about Trust
- Secure Desktops with Qubes: Introduction
- Fancy Tricks for Changing Numeric Base
- Seeing Red and Getting Sleep
- Secure Desktops with Qubes: Installation
- Working with Command Arguments
- Linux Mint 18
- CentOS 6.8 Released
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide