FireWall can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering.

Before you read anything else, make sure you have read and understood HowFirewallingWorks.

If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try.

There are distributions that exist only to provide firewalling; PerryLorier is working on a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.

Adding a rule

To create a rule that will send back an ICMP message, use

iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable

The type given after --reject-with can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited; each returns the corresponding ICMP error message to the sender (icmp-port-unreachable is the default).

Deleting a rule

iptables -D chain [rule number]
iptables -D chain [rule description]

Hint: if you want to delete a rule and you don't want to mess around with re-specifying its ports etc., list the chain with rule numbers:

iptables -L --line-numbers

Then you can just use iptables -D FORWARD 1 to remove rule number 1 of the FORWARD chain.
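The listing-then-delete-by-number workflow above can be scripted so you never retype a rule's match criteria. The following is an added example, not part of the original wiki page: rule_number_for() searches the output of iptables -L --line-numbers for a chain and a pattern and returns the matching rule number, and delete_rule_cmd() prints the iptables -D command you would then run. The listing embedded in SAMPLE_LISTING is constructed sample output (the chain contents and the 192.0.2.0/24 network are made up), so the script runs without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original page): find an iptables rule number
# from "iptables -L --line-numbers" output so it can be deleted with -D.

# Constructed sample of "iptables -L --line-numbers" output; on a real box
# you would capture it with: iptables -L --line-numbers
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.0.2.0/24         anywhere
2    REJECT     tcp  --  anywhere             anywhere             tcp dpt:telnet reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
'

# rule_number_for CHAIN PATTERN LISTING
# Prints the number of the first rule in CHAIN whose line matches PATTERN.
# Only lines inside the requested "Chain CHAIN" section are considered, so
# a rule with the same description in INPUT does not get confused with
# one in FORWARD.
rule_number_for() {
    printf '%s\n' "$3" | awk -v chain="$1" -v pat="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }
    '
}

# delete_rule_cmd CHAIN PATTERN LISTING
# Prints the iptables -D command for the matching rule (or fails if none).
# Printing rather than executing keeps the example root-free; pipe it to
# sh on a real firewall once you have checked the number.
delete_rule_cmd() {
    n=$(rule_number_for "$1" "$2" "$3")
    [ -n "$n" ] || { echo "no rule in $1 matches: $2" >&2; return 1; }
    printf 'iptables -D %s %s\n' "$1" "$n"
}

# Usage: locate the telnet REJECT rule in FORWARD and show the delete command.
delete_rule_cmd FORWARD 'dpt:telnet' "$SAMPLE_LISTING"
```

Because rule numbers shift downwards after each deletion, always re-run the listing before deleting a second rule rather than reusing numbers from an earlier listing.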

Hints, tips and traps

  • Having a default DENY or REJECT policy is a good idea.
  • But don't start with that rule if you're working remotely, or you will lock yourself out before the rules that allow your own connection are in place.
  • DENY (DROP in iptables) might sound nice, but if someone spoofs packets with your address as the source, the replies reach your machine and are silently dropped, so the bogus connection is never aborted. A rate-limited (using -m limit) REJECT is much, much safer.
  • You probably want to rate limit log messages too, otherwise a good portscan can flood syslogd(8) for ages.

You might want to read HowToIPCHAINSHOWTO?, HowToBridgeFirewall?, HowToBridgeFirewallDSL?, HowToFirewallHOWTO?, HowToFirewallPiercing?, HowToSentryFirewallCDHOWTO? or HowToTermFirewall?. (They're all really, REALLY old.)