Using Linux as a firewall

This month we discuss how to secure an Internet gateway (or any Linux computer connected to the Internet, for that matter) using a firewall. A firewall is essentially a barrier between a computer and the network to which it is connected: it inspects data travelling in both directions and only permits certain data to pass, according to a set of rules given to the firewall when it is set up. The most basic firewall strategy, and the one we will implement in this article, is to deny all connections from the outside network, while allowing the local computer to access the outside network without restriction. With this configuration we can access the Internet as we always have, while at the same time being protected against nasties such as hacking attempts. Two tools are used to configure a firewall; which tool you use is dependent on the kernel your Linux system runs. To determine your kernel version, type the following in a shell:

$ uname -r

On my computer, this returns "2.4.17". The second number in this version is important. If your kernel version is of the form 2.2.x, follow the instructions under the heading IP Chains. If your kernel is like mine, and of the form 2.4.x, follow the instructions under the heading IP Tables.

IP Chains

The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then have to save the script as /etc/rc.d/rc.firewall. Change in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace with 192.168.0.0/24.

#!/bin/sh

IP=$1
IPCHAINS=/usr/local/sbin/ipchains

# flush existing rules
$IPCHAINS -F input
# allow traffic from the LAN to pass.
$IPCHAINS -A input -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPCHAINS -A input -p TCP ! -y -d $IP 1024:65535 \"-j ACCEPT
# allow FTP transfers to pass
$IPCHAINS -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP \ "1024:65535 -J ACCEPT
# allow DNS requests to pass
$IPCHAINS -A input -p UDP -s 0.0.0.0/0 53 -d $IP \ 1024.65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPCHAINS -A input -p ICMP -j ACCEPT
# deny everything else from the Internet
$IPCHAINS -A input -i ! lo -l -j DENY

IP Tables

The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then need to save the script as /etc/rc.d/rc.firewall. Change <LAN IP> in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace <LAN IP> with 192.168.0.0/24.

#!/bin/sh

IP=$1
IPTABLES=/usr/local/sbin/iptables

# flush existing rules
$IPTABLES -F INPUT
# allow traffic from the LAN to pass
$IPTABLES -A INPUT -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPTABLES -A INPUT -p tcp ! --syn -d $IP --dport \"1024:65535 -j ACCEPT
# allow FTP transfers to pass
$IPTABLES -A INPUT -p tcp --syn --sport 20 -d $IP \ --dport 1024:65535 -j ACCEPT
# allow DNS requests to pass
$IPTABLES -A INPUT -p udp -s 0.0.0.0/0 --sport 53 -d \ $IP --dport 1024:65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPTABLES -A INPUT -p icmp -j ACCEPT
# drop all other data
$IPTABLES -A INPUT -i ! lo -j DROP

Running the firewall

Once saved, the script will need to be made executable by typing:

$ chmod 700 /etc/rc.d/rc.firewall

If you are a modem user, add the following to the end of /etc/ppp/ip-up:

/etc/rc.d/rc.firewall $4

If you use a service such as cable or DSL, you will need to call this script after you have established your Internet connection by typing the following:

$ /etc/rc.d/rc.firewall <YOUR IP>

replacing <YOUR IP> with the IP of your cable or DSL connection. Testing the firewall There are a number of free Web-based services on the Internet with which you can test your firewall. These services will try to connect to your computer in a number of common ways to test for servers and holes in your firewall. They will then return the results for your inspection. Some good free testing services are www.auditmypc.com and www.dslreports.com/secureme_go.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Alastair Cousins

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?