Linux Networking/IP Firewall (for Linux-2.0)

IP Firewall (for Linux-2.0)

IP Firewall and Firewalling issues are covered in more depth in the Firewall-HOWTO. IP Firewalling allows you to secure your machine against unauthorized network access by filtering or allowing datagrams to or from IP addresses that you nominate. There are three classes of rules: incoming, outgoing and forwarding. Incoming rules are applied to every datagram received by a network device. Outgoing rules are applied to datagrams about to be transmitted by a network device. Forwarding rules are applied to datagrams that are received but are not addressed to this machine, i.e. datagrams that would be routed; such a datagram is therefore checked against the incoming rules first and then against the forwarding rules.

Kernel Compile Options:

            Networking options  --->
                [*] Network firewalls
                ....
                [*] IP: forwarding/gatewaying
                ....
                [*] IP: firewalling
                [ ] IP: firewall packet logging

Configuration of the IP firewall rules is performed using the ipfwadm command. As I mentioned earlier, security is not something I am expert at, so while I will present an example you can use, you should do your own research and develop your own rules if security is important to you.

Probably the most common use of IP firewall is when you are using your Linux machine as a router and firewall gateway to protect your local network from unauthorized access from outside your network.

The following configuration is based on a contribution from Arnt Gulbrandsen, <agulbra@troll.no>.

The example describes the configuration of the firewall rules on the Linux firewall/router machine illustrated in this diagram:


     -                                   -
      \                                  | 172.16.37.0
       \                                 |   /255.255.255.0
        \                 ---------      |
         |  172.16.174.30 | Linux |      |
     NET =================|  f/w  |------|    ..37.19
         |    PPP         | router|      |  --------
        /                 ---------      |--| Mail |
       /                                 |  | /DNS |
      /                                  |  --------
     -                                   -

The following commands would normally be placed in an rc file so that they were automatically started each time the system boots. For maximum security they would be performed after the network interfaces are configured, but before the interfaces are actually brought up to prevent anyone gaining access while the firewall machine is rebooting.


       #!/bin/sh
       # Flush the 'Forwarding' rules table
       # Change the default policy to 'accept'
       #
       /sbin/ipfwadm -F -f
       /sbin/ipfwadm -F -p accept
       #
       # .. and for 'Incoming'
       #
       /sbin/ipfwadm -I -f
       /sbin/ipfwadm -I -p accept
       # First off, seal off the PPP interface
       # I'd love to use '-a deny' instead of '-a reject -y' but then it
       # would be impossible to originate connections on that interface too.
       # The -o causes all rejected datagrams to be logged. This trades
       # disk space against knowledge of an attack or configuration error.
       #
       /sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30
       # Throw away certain kinds of obviously forged packets right away:
       # Nothing should come from multicast/anycast/broadcast addresses
       #
       /sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
       #
       # and nothing coming from the loopback network should ever be
       # seen on a wire
       #
       /sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24
       # accept incoming SMTP and DNS connections, but only
       # to the Mail/Name Server
       #
       /sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
       #
       # DNS uses UDP as well as TCP, so allow that too
       # for questions to our name server
       #
       /sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
       #
       # but not "answers" coming to dangerous ports like NFS and
       # Larry McVoy's NFS extension.  If you run squid, add its port here.
       #
       /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
               -D 172.16.37.0/24 2049 2050
       # answers to other user ports are okay
       #
       /sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
               -D 172.16.37.0/24 53 1024:65535
       # Reject incoming connections to identd
       # We use 'reject' here so that the connecting host is told
       # straight away not to bother continuing, otherwise we'd experience
       # delays while ident timed out.
       #
       /sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113
       # Accept some common service connections from the 192.168.64 and
       # 192.168.65 networks, they are friends that we trust.
       #
       /sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
               -D 172.16.37.0/24 20:23
       # accept and pass through anything originating inside
       #
       /sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
       # deny most other incoming TCP connections and log them
       # (append 1:1023 if you have problems with ftp not working)
       #
       /sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
       # ... for UDP too
       #
       /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
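To see what this ruleset actually does to a given datagram, here is an added Python model of how ipfwadm rules are evaluated. It is an illustration written for this page, not part of ipfwadm or of the script above: it parses the commands as they appear in the script, runs each datagram through the Incoming chain and then, for datagrams not addressed to the router itself, the Forwarding chain, stopping at the first rule that matches and falling back to the chain's policy otherwise, exactly as the three rule classes described at the top of this section imply. The model covers only the options the script uses (-a, -y, -P, -S, -D; -o affects logging only). The router's only local address is assumed to be the 172.16.174.30 shown in the diagram, and the 10.1.1.1 and 198.51.100.9 addresses used as outside hosts when exercising it are constructed.

```python
import ipaddress
import shlex

# The ruleset from the script above, comments dropped and continuation lines joined.
RULESET = """
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30
/sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
/sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24
/sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
/sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 -D 172.16.37.0/24 2049 2050
/sbin/ipfwadm -F -a accept -P udp -S 0/0 53 -D 172.16.37.0/24 53 1024:65535
/sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113
/sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 -D 172.16.37.0/24 20:23
/sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
/sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
"""
# Assumption: the router's only local address is the PPP address from the diagram.
LOCAL_ADDRS = {ipaddress.ip_address("172.16.174.30")}

def expand(spec):
    """Expand ipfwadm shorthand (0/0, 224.0/3, 127.0/8) to a full CIDR string."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ".".join(octets) + (f"/{bits}" if bits else "")

def parse_rule(toks):
    """Parse the -a/-y/-P/-S/-D options of one command; -o only turns on logging."""
    rule = {"action": None, "proto": "all", "syn_only": False,
            "src": None, "sports": [], "dst": None, "dports": []}
    i = 2                                   # toks[0] is the binary, toks[1] the chain
    while i < len(toks):
        t = toks[i]
        if t in ("-a", "-P"):
            i += 1
            rule["action" if t == "-a" else "proto"] = toks[i]
        elif t == "-y":
            rule["syn_only"] = True         # match TCP connection requests (SYN) only
        elif t in ("-S", "-D"):
            side = "src" if t == "-S" else "dst"
            i += 1
            rule[side] = ipaddress.ip_network(expand(toks[i]), strict=False)
            while i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 1                      # optional ports or lo:hi ranges follow
                lo, _, hi = toks[i].partition(":")
                rule[side[0] + "ports"].append((int(lo), int(hi or lo)))
        i += 1
    return rule

def load(script):
    """Replay the -f (flush), -p (policy) and -a (append) commands in order."""
    chains, policies = {"-I": [], "-F": []}, {"-I": "accept", "-F": "accept"}
    for line in script.strip().splitlines():
        toks = shlex.split(line)
        if "-f" in toks:
            chains[toks[1]].clear()
        elif "-p" in toks:
            policies[toks[1]] = toks[toks.index("-p") + 1]
        else:
            chains[toks[1]].append(parse_rule(toks))
    return chains, policies

def matches(rule, pkt):
    if (rule["proto"] not in ("all", pkt["proto"])
            or pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]):
        return False
    if rule["syn_only"] and not (pkt["proto"] == "tcp" and pkt["syn"]):
        return False
    for ranges, port in ((rule["sports"], pkt["sport"]), (rule["dports"], pkt["dport"])):
        if ranges and not any(lo <= port <= hi for lo, hi in ranges):
            return False
    return True

def evaluate(chains, policies, pkt):
    """Incoming chain first, then Forwarding unless the datagram is for the router;
    the first matching rule in a chain decides, otherwise the chain's policy."""
    for chain in ("-I", "-F"):
        if chain == "-F" and pkt["dst"] in LOCAL_ADDRS:
            return "accept", "-I"           # delivered locally, never forwarded
        verdict = next((r["action"] for r in chains[chain] if matches(r, pkt)),
                       policies[chain])
        if verdict != "accept":
            return verdict, chain
    return "accept", "-F"

CHAINS, POLICIES = load(RULESET)

def check(src, dst, proto, sport=0, dport=0, syn=False):
    """Verdict for one datagram against the script's ruleset, as (action, chain)."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "proto": proto, "sport": sport, "dport": dport, "syn": syn}
    return evaluate(CHAINS, POLICIES, pkt)
```

Feeding it a few datagrams, for example check("10.1.1.1", "172.16.37.5", "tcp", 80, 40000) with and without syn=True, brings out the two properties of this ruleset worth knowing: a TCP segment from outside without SYN set is accepted to any inside port, because the -y rules only stop connection requests (that is how replies to connections opened from inside get back without any connection tracking), and an ICMP datagram, or anything else the final TCP and UDP deny rules do not name, runs off the end of the chain and is forwarded by the default accept policy.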


Good firewall configurations are a little tricky. This example should be a reasonable starting point for you. Note that it leaves the default policy of both the Incoming and Forwarding rule lists at accept and relies on the explicit deny rules at the end of the script, so any protocol those rules do not name (ICMP, for example) is forwarded unfiltered, and because ipfwadm stops at the first rule that matches, the accept rules must stay ahead of the catch-all deny rules. The ipfwadm manual page offers some assistance in how to use the tool. If you intend to configure a firewall, be sure to ask around and get as much advice from sources you consider reliable, and get someone to test/sanity check your configuration from the outside.