Linux Firewall


IP chains is used as packet filtering, while IP masquerading is used for address translation (NAT or PAT.) IP chains uses three basic rulesets (INPUT, FORWARD, OUTPUT), called chains, to which you can add user-defined rulesets. A rule indicates whether a packet is allowed in (ACCEPT), or denied access (REJECT or DENY; DENY means that the packet is silently sent to /dev/null while REJECT returns an error message. REJECT is a safer method as hackers cannot tell whether the target daemon is running or is being protected through a packet-filtering firewall.

Question: As added security, is using IP chains for a regular host (ie. not a firewall, so only has one NIC) a good idea, or is performance a problem?


for file in /proc/sys/net/ipV4/conf/*/rp_filter
	echo "1" > $file

IP Forward
echo "1" > /proc/sys/net/ipv4/ip_forward

If using Red Hat, just edit /etc/sysconfig/network:
Note: eth0 is the public interface, and eth1 is the private interface
ipchains -F input
ipchains -F forward
ipchains -F output

ipchains -I input 1 -j REJECT
//KISS: bad packets are blocked in the input chain
ipchains -I forward 1 -j ACCEPT 
//You don't care about outgoing packets, only incoming...
ipchains -I output 1 -j ACCEPT

ipchains -P input REJECT
ipchains -P forward ACCEPT
ipchains -P output ACCEPT

//Fine-tune the input chain to allow outgoing packets
ipchains -A input -i eth1 -j ACCEPT
ipchains -A input -i lo -j ACCEPT

//Fine-tune the input chain to allow incoming packets

ipchains -A input -p icmp --icmp-type echo-reply -i eth0 -j ACCEPT
ipchains -A input -i eth0 -d smtp -j ACCEPT
ipchains -A input -i eth0 -d www -j ACCEPT

//Do we need this for replies from the Net ? -y = SYNC and ! -y = ACK?
ipchains -A input -i eth0 ! -y -j ACCEPT
Things to check # Give ports you wish to open to the entire internet using tcp: # 1023:4999 are unprivileged ports and used by clients such as rlogin ftp # 61000+ is used by masquerading openPortsTcp="ssh smtp www auth ntp 1024:4999 6100:" # Give ports you wish to open to the entire internet using udp: # 33434 is used by traceroute openPortsUdp="ntp 1024:4999 6100:"