Penguin
Diff: FirewallNotes

Differences between version 11 and predecessor to the previous major change of FirewallNotes.


Newer page: version 11 Last edited on Friday, September 20, 2002 6:44:42 pm by CraigBox
Older page: version 10 Last edited on Thursday, September 12, 2002 11:50:03 am by CraigBox
@@ -1,39 +1,11 @@
 __FireWall__ can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering. 
+  
+!!Before you read anything else, make sure you have read and understood HowFirewallingWorks.  
  
 If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try. 
  
 There are distributions that exist only to provide firewalling; PerryLorier is working on a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall. 
-  
-(This following bit is under construction and needs to be moved to another page soon.)  
-  
-!Packet filtering  
-  
-Packet filtering is provided as part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 onwards.) Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is modular and/or compiled into the kernel.  
-  
-The tool that influences the kernel's filtering rules is called iptables(8). (You may have seen other documentation referencing ipchains or ipfwadm. In 2.2 series kernels you used ipchains(8), in 2.0 series kernels you used ipfwadm(8). Documents that talk of either are too old to help specifically, but the concepts will still apply. If you really have to use ipchains/ipfwadm rules, you can compile support for them into the kernel, but not alongside iptables. It's one or the other.)  
-  
-Packet filtering also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.  
-  
-!Permanence of rules  
-  
-The kernel boots up with __no firewalling rules__. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot.  
-  
-!What are chains?  
-  
-!The world's simplest firewall  
-  
- ## Create chain which blocks new connections, except if coming from inside.  
- iptables -N block  
- iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT  
- iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT  
- iptables -A block -j DROP  
-  
- ## Jump to that chain from INPUT and FORWARD chains.  
- iptables -A INPUT -j block  
- iptables -A FORWARD -j block  
-  
-  
  
 !Adding a rule 
  
 To create a rule that will send back an ICMP message, use
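Review bot: the hunk deletes the "Packet filtering", "Permanence of rules", "What are chains?" and "The world's simplest firewall" sections outright, although the removed line "(This following bit is under construction and needs to be moved to another page soon.)" promised a move rather than a deletion, and the only replacement is the new "+!!Before you read anything else, make sure you have read and understood HowFirewallingWorks." line. Confirm that HowFirewallingWorks actually carries the kernel requirements (CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, 2.3.15 onwards), the ipchains/ipfwadm note and, above all, the "Permanence of rules" warning that "The kernel boots up with __no firewalling rules__" and that rules added by hand with iptables(8) are gone after a reboot; if it does not, that text should be moved there in the same edit, since a reader who follows FirewallNotes alone would otherwise lose the point that a boot-time firewall script is required. The removed example script is also the only place the page showed the state-matching pattern (ESTABLISHED,RELATED accepted, NEW accepted only when not arriving on ppp0, everything else dropped, with INPUT and FORWARD jumping to the block chain), so it is worth preserving on the destination page as well; its `-i ! ppp0` form is the older negation syntax, and current iptables releases expect `! -i ppp0`.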