Firewall capabilities are usually built into the Linux kernel. The firewall rule set is created with the program /sbin/ipchains.
The best philosophy for a firewall rule set is to be as defensive as possible. The rule set should block everything first, then allow only the services that are needed.
Use
First, to use ipchains, running as root is required. Here is an example first rule that blocks all input from ports 0 to 7000 (0.0.0.0/0 matches any source address; ipchains requires a protocol whenever a port or port range is given, so one rule is needed for TCP and one for UDP):
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 0:7000 -j DENY
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 0:7000 -j DENY
Now, allow the services that are needed. In this example, connections to port 80 on Ethernet card "eth1" will be allowed and also logged.
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 --interface eth1 -j ACCEPT -l
Also, blocking output might be necessary. To block the infamous Napster:
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 4444 -j DENY -l
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 5555 -j DENY -l
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 6666 -j DENY -l
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 7777 -j DENY -l
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 8888 -j DENY -l
To see the complete rule set for ipchains, run:
/sbin/ipchains --list
For more information, read the ipchains manual page (man ipchains).
Once a rule set is created, it is stored only in kernel memory. Because of this, a rule set will not survive a reboot. To keep a rule set after a reboot, run:
/sbin/ipchains-save > $IPCHAINS_CONFIG
where $IPCHAINS_CONFIG is the same as it is in /etc/rc.d/init.d/ipchains, usually /etc/security/ipchains. Another way to automatically restore the rule set after a reboot is to add this line to /etc/rc.d/rc.local:
/sbin/ipchains-restore < /etc/security/ipchains
This is assuming that /etc/security/ipchains is where the rule set file made with ipchains-save is.
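The steps above (flush, deny by default, allow only the needed services with logging, then save the rule set so it survives a reboot) can be combined into one startup script. The following is an added example, not code from the original page: it builds the rule set as a list of ipchains commands so it can be reviewed before anything is applied, and only runs them when /sbin/ipchains is actually present. The interface name eth1, the allowed ports 22 and 80, and the save path are assumptions taken from or modelled on the page and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the original page): a default-deny ipchains start-up
# script. Rules are generated as text first so they can be inspected, then
# applied with ipchains and persisted with ipchains-save.

IPCHAINS=/sbin/ipchains                          # path used on the page
EXT_IF="${EXT_IF:-eth1}"                         # assumed external interface
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22 80}"      # assumed services to expose
SAVE_FILE="${IPCHAINS_CONFIG:-/etc/security/ipchains}"  # page's usual save path

# Print the rule set, one ipchains command per line. ipchains stops at the
# first matching rule, so the specific ACCEPT rules must come before the
# catch-all DENY.
build_rules() {
    # start from a clean slate: flush every built-in chain
    echo "$IPCHAINS -F input"
    echo "$IPCHAINS -F output"
    echo "$IPCHAINS -F forward"
    # loopback traffic is always allowed
    echo "$IPCHAINS -A input -i lo -j ACCEPT"
    # new TCP connections are accepted only to the listed ports, and logged
    for port in $ALLOW_TCP_PORTS; do
        echo "$IPCHAINS -A input -p tcp -d 0.0.0.0/0 $port -i $EXT_IF -j ACCEPT -l"
    done
    # replies to connections this host started: TCP packets that are not
    # SYN-only (ipchains has no connection tracking, so this is the usual
    # approximation)
    echo "$IPCHAINS -A input -p tcp ! -y -i $EXT_IF -j ACCEPT"
    # everything else arriving on the external interface is denied and logged
    echo "$IPCHAINS -A input -i $EXT_IF -j DENY -l"
    # chain policies act as a backstop for anything that matched no rule
    echo "$IPCHAINS -P input DENY"
    echo "$IPCHAINS -P forward DENY"
    echo "$IPCHAINS -P output ACCEPT"
}

# Count the generated rules that jump to a given target (ACCEPT, DENY, ...).
# Useful as a sanity check before applying: a default-deny set should have
# exactly one catch-all DENY on the external interface.
count_target() {
    build_rules | grep -c -- "-j $1"
}

# Apply the rule set and save it so it survives a reboot. Refuses to do
# anything on a machine without ipchains, which keeps the generator usable
# for review on any host.
apply_rules() {
    if [ ! -x "$IPCHAINS" ]; then
        echo "ipchains not found at $IPCHAINS; nothing applied" >&2
        return 1
    fi
    build_rules | sh -e || return 1
    /sbin/ipchains-save > "$SAVE_FILE"
}

# Usage: "sh firewall.sh" prints the rules for review; "sh firewall.sh apply"
# installs and saves them (as root).
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Running the script without arguments is the review step: read the printed commands, confirm the order (ACCEPT rules before the final DENY), and only then run it with apply as root. Because the saved file is written with ipchains-save, the rc.local line from the page (/sbin/ipchains-restore < /etc/security/ipchains) restores exactly this rule set at boot.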
More Information
Many excellent documents exist on setting up firewalls using ipchains.
- The first place to look is the Firewall-HOWTO.
- Another document worth looking at is IPChains and Firewalling.
- Finally, O'Reilly has an excellent book on firewalls called "Building Internet Firewalls."