
FireWall can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering.

Before you read anything else, make sure you have read and understood HowFirewallingWorks.

If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try.

There are distributions that exist only to provide firewalling; PerryLorier is working on a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.

Adding a rule

To create a rule that will send back an ICMP message, use

iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default).

Deleting a rule

iptables -D chain [rule number]
iptables -D chain [rule description]

Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try

iptables -L --line-numbers

Then you can delete a rule by chain and number, e.g. iptables -D FORWARD 1 removes rule 1 of the FORWARD chain. (Rule numbers shift after each deletion, so re-list before deleting another.)

Deleting all rules

iptables [-t <table>] -F [chain]

This removes all rules from the specified table and chain, or all the chains in the table if none is specified.

Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it reset the default policies of the table. This, though, should.

iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

Hints, tips and traps

  • Having a default DENY or REJECT policy is a good idea
  • But don't start with that rule if you're working remotely
  • DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A rate-limited (using -m limit) REJECT is much, much safer.
  • You probably want to rate limit log messages too, otherwise a good portscan can flood syslogd(8) for ages.
  • If you are having problems using -m owner with iptables 1.2.6a and kernel 2.4.x try IptablesNotes

Pinholing

If you have a firewall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line:

iptables -t nat -A PREROUTING -i ppp0 -j DNAT -p tcp --to=10.69.1.200 --dport 4661

(Substitute ppp0/tcp/10.69.etc/4661 with whatever you need)
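As an added example (not from this page, PerrysFirewallingScript or any other project), the following POSIX shell helpers put together the pieces discussed above: the full reset sequence, a rate-limited LOG and REJECT tail as suggested under Hints, and a pinhole together with the FORWARD rule a DNAT rule needs once FORWARD is no longer open. Function names, interface, address and port values are assumptions/constructed; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Hypothetical helper functions, not from the wiki page. Set IPT=echo to
# print the commands instead of applying them (applying needs root).
IPT="${IPT:-iptables}"

# Flush rules, delete user-defined chains and reset every built-in chain
# to ACCEPT in the filter, nat and mangle tables (17 commands in all).
reset_tables() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do "$IPT" -t filter -P "$c" ACCEPT; done
    for c in PREROUTING OUTPUT POSTROUTING; do "$IPT" -t nat -P "$c" ACCEPT; done
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        "$IPT" -t mangle -P "$c" ACCEPT
    done
}

# Rate-limited LOG then REJECT at the end of a chain: the limit keeps a
# port scan from flooding syslog and from bouncing unlimited ICMP errors;
# whatever exceeds the limit is dropped silently.
deny_tail() {
    chain="$1"; rate="${2:-5/second}"
    "$IPT" -A "$chain" -m limit --limit "$rate" -j LOG --log-prefix "fw-$chain: "
    "$IPT" -A "$chain" -m limit --limit "$rate" -j REJECT --reject-with icmp-port-unreachable
    "$IPT" -A "$chain" -j DROP
}

# DNAT pinhole (--to-destination is the full name of the page's --to).
# PREROUTING only rewrites the destination; the packet still crosses
# FORWARD, so a matching ACCEPT is needed when FORWARD is not open.
pinhole() {
    iface="$1"; proto="$2"; port="$3"; dest="$4"
    "$IPT" -t nat -A PREROUTING -i "$iface" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest"
    "$IPT" -A FORWARD -i "$iface" -p "$proto" -d "$dest" --dport "$port" -j ACCEPT
}

# Typical order (constructed values): reset_tables; your own ACCEPT rules;
# pinhole ppp0 tcp 4661 10.69.1.200; deny_tail INPUT; deny_tail FORWARD
```

Source the file and call the functions in that order; the default policies stay ACCEPT, so the deny_tail rules are what actually close each chain.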

You might want to read HowToIPCHAINSHOWTO?, HowToBridgeFirewall?, HowToBridgeFirewallDSL?, HowToFirewallHOWTO?, HowToFirewallPiercing?, HowToSentryFirewallCDHOWTO? or HowToTermFirewall?. (They're all really, REALLY old.)


Can't access the NZ Herald? (http://www.nzherald.co.nz) (or other sites).

Make sure you have Explicit Congestion Notification disabled (see the ECN page) and don't have any TOS (Type of Service) settings in your firewall script (iptables -t mangle -F PREROUTING might clean up any you have; don't try this without knowing what you are doing).

Alternatively, you can take the "Don't fix good science to work with a bad implementation" stance, or manually add rules allowing access to the NZ Herald IPs.


Part of CategoryNetworking and CategorySecurity