FireWall can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering.
If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try.
There are distributions that exist only to provide firewalling; PerryLorier is working on a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.
(This following bit is under construction and needs to be moved to another page soon.)
Packet filtering is provided as part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 onwards.) Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is modular and/or compiled into the kernel.
The tool that influences the kernel's filtering rules is called iptables(8). (You may have seen other documentation referencing ipchains or ipfwadm. In 2.2 series kernels you used ipchains(8), in 2.0 series kernels you used ipfwadm(8). Documents that talk of either are too old to help specifically, but the concepts will still apply. If you really have to use ipchains/ipfwadm rules, you can compile support for them into the kernel, but not alongside iptables. It's one or the other.)
Packet filtering also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.
The kernel boots up with no firewalling rules. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot.
iptables -N block iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT iptables -A block -j DROP
- Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block iptables -A FORWARD -j block
To create a rule that will send back an ICMP message, use
iptables -A chain [...? --jump REJECT --reject-with icmp-port-unreachable
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default).
iptables -D chain [rule number? iptables -D chain [rule description?
Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try
iptables -L --line-numbers
Then you can just use iptables -D FORWARD 1 to remove it.
You might want to read HowToIPCHAINSHOWTO?, HowToBridgeFirewall?, HowToBridgeFirewallDSL?, HowToFirewallHOWTO?, HowToFirewallPiercing?, HowToSentryFirewallCDHOWTO? or HowToTermFirewall?. (They're all really, REALLY old.)