Using Linux as a firewall

This month we discuss how to secure an Internet gateway (or any Linux computer connected to the Internet, for that matter) using a firewall. A firewall is essentially a barrier between a computer and the network to which it is connected: it inspects data travelling in both directions and only permits certain data to pass, according to a set of rules given to the firewall when it is set up.

The most basic firewall strategy, and the one we will implement in this article, is to deny all connections from the outside network, while allowing the local computer to access the outside network without restriction. With this configuration we can access the Internet as we always have, while at the same time being protected against nasties such as hacking attempts. Two tools are used to configure a firewall; which tool you use is dependent on the kernel your Linux system runs. To determine your kernel version, type the following in a shell:

$ uname -r

On my computer, this returns "2.4.17". The second number in this version is important. If your kernel version is of the form 2.2.x, follow the instructions under the heading IP Chains. If your kernel is like mine, and of the form 2.4.x, follow the instructions under the heading IP Tables.

IP Chains

The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then have to save the script as /etc/rc.d/rc.firewall. Change <LAN IP> in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace <LAN IP> with 192.168.0.0/24.

#!/bin/sh

IP=$1
IPCHAINS=/usr/local/sbin/ipchains

# flush existing rules
$IPCHAINS -F input
# allow traffic from the LAN to pass.
$IPCHAINS -A input -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPCHAINS -A input -p TCP ! -y -d $IP 1024:65535 \"-j ACCEPT
# allow FTP transfers to pass
$IPCHAINS -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP \ "1024:65535 -J ACCEPT
# allow DNS requests to pass
$IPCHAINS -A input -p UDP -s 0.0.0.0/0 53 -d $IP \ 1024.65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPCHAINS -A input -p ICMP -j ACCEPT
# deny everything else from the Internet
$IPCHAINS -A input -i ! lo -l -j DENY

IP Tables

The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then need to save the script as /etc/rc.d/rc.firewall. Change <LAN IP> in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace <LAN IP> with 192.168.0.0/24.

#!/bin/sh

IP=$1
IPTABLES=/usr/local/sbin/iptables

# flush existing rules
$IPTABLES -F INPUT
# allow traffic from the LAN to pass
$IPTABLES -A INPUT -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPTABLES -A INPUT -p tcp ! --syn -d $IP --dport \"1024:65535 -j ACCEPT
# allow FTP transfers to pass
$IPTABLES -A INPUT -p tcp --syn --sport 20 -d $IP \ --dport 1024:65535 -j ACCEPT
# allow DNS requests to pass
$IPTABLES -A INPUT -p udp -s 0.0.0.0/0 --sport 53 -d \ $IP --dport 1024:65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPTABLES -A INPUT -p icmp -j ACCEPT
# drop all other data
$IPTABLES -A INPUT -i ! lo -j DROP

Running the firewall

Once saved, the script will need to be made executable by typing:

$ chmod 700 /etc/rc.d/rc.firewall

If you are a modem user, add the following to the end of /etc/ppp/ip-up:

/etc/rc.d/rc.firewall $4

If you use a service such as cable or DSL, you will need to call this script after you have established your Internet connection by typing the following:

$ /etc/rc.d/rc.firewall <YOUR IP>

replacing <YOUR IP> with the IP of your cable or DSL connection. Testing the firewall There are a number of free Web-based services on the Internet with which you can test your firewall. These services will try to connect to your computer in a number of common ways to test for servers and holes in your firewall. They will then return the results for your inspection. Some good free testing services are www.auditmypc.com and www.dslreports.com/secureme_go.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Alastair Cousins

PC World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?