FireWall can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering.
If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try.
There are distributions that exist only to provide firewalling; PerryLorier is working on a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.
To create a rule that will send back an ICMP message, use
    iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default).
    iptables -D chain [rule number]
    iptables -D chain [rule description]
Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try
iptables -L --line-numbers
Then you can just use iptables -D FORWARD 1 to remove it.
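Deleting by number has a catch: once rule 2 is gone, the old rules 3 and 4 become 2 and 3, so if several rules must go, delete the highest number first. The script below is an added example (not from this wiki page); it reads a listing in the format `iptables -L CHAIN --line-numbers -n` produces, picks the rules whose line contains every pattern given, and emits the matching `iptables -D` commands in descending order. The listing it ships with is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -L FORWARD --line-numbers -n` output for offline runs.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4661 reject-with icmp-port-unreachable
3    ACCEPT     tcp  --  10.69.0.0/16         0.0.0.0/0            tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# rule_numbers PATTERN... : read a listing on stdin and print the numbers of the
# rules whose line contains every PATTERN, highest number first. Only numbered
# rule lines are considered; the "Chain" and "num target ..." headers are skipped.
rule_numbers() {
    awk -v pats="$*" '
        $1 ~ /^[0-9]+$/ {
            n = split(pats, p, " "); ok = 1
            for (i = 1; i <= n; i++) if (index($0, p[i]) == 0) ok = 0
            if (ok) print $1
        }' | sort -rn
}

# delete_commands CHAIN PATTERN... : turn the matching rule numbers into
# `iptables -D CHAIN N` lines. Descending order matters: deleting rule 2
# renumbers rules 3 and 4, so removing the highest number first keeps the
# remaining numbers valid.
delete_commands() {
    dc_chain=$1; shift
    rule_numbers "$@" | while read -r n; do
        printf 'iptables -D %s %s\n' "$dc_chain" "$n"
    done
}

# delete_matching CHAIN PATTERN... : live use (needs root). Lists the chain
# numerically, generates the delete commands and runs them.
delete_matching() {
    dm_chain=$1; shift
    iptables -L "$dm_chain" --line-numbers -n | delete_commands "$dm_chain" "$@" | sh
}

# Dry run on the constructed listing: prints "iptables -D FORWARD 4" then
# "iptables -D FORWARD 2" and touches no real firewall.
printf '%s\n' "$SAMPLE_LISTING" | delete_commands FORWARD REJECT
```

Run `delete_matching FORWARD REJECT` as root to apply the same selection to the live FORWARD chain; review the dry-run output first, since a pattern like `ACCEPT` also matches a rule's `--reject-with` text only if it appears literally on that line.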
iptables -F [chain] (flush) removes all rules from the specified table and chain, or from all the chains in that table if no chain is specified.
Hint: it won't delete any user-defined chains (although it will remove the rules within them), nor will it reset the default policy of the table's built-in chains. This, though, should:
    iptables -t filter -F
    iptables -t filter -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P INPUT ACCEPT
    iptables -t mangle -P FORWARD ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT
    iptables -t mangle -P POSTROUTING ACCEPT
(Substitute ppp0/tcp/10.69.etc/4661 with whatever you need)
You might want to read HowToIPCHAINSHOWTO, HowToBridgeFirewall, HowToBridgeFirewallDSL, HowToFirewallHOWTO, HowToFirewallPiercing, HowToSentryFirewallCDHOWTO or HowToTermFirewall. (They're all really, REALLY old.)
Can't access the NZ Herald? (http://www.nzherald.co.nz) (or other sites).
Make sure you have Explicit Congestion Notification disabled (see the ECN page) and don't have any TOS (Type of Service) settings in your firewall script. iptables -t mangle -F PREROUTING might clean up any you have, but don't try this without knowing what you are doing: it flushes every rule in that chain, not just the TOS ones.
Alternatively, you can take the "don't fix good science to work with a bad implementation" line, leave ECN enabled and manually add rules allowing access to the NZ Herald IPs.
Also, it should be noted that some home routers don't seem to like ECN either. If you're having problems accessing the internet through a home ADSL router, and tcpdump output shows packets with SWE flags set, try turning ECN off as described on the ECN page.
Have a NAT firewall that only allows one person behind it to make a VPN connection at once? See PPTPConnectionTracking
Part of CategoryNetworking and CategorySecurity