Packet firewalling under Linux with IP-Chains

The easiest and most useful type of firewalling under Linux is packet firewalling using IP-Chains. The latest copy of IP-Chains can be obtained from the project's homepage: To best understand this Here's How, it should be read in conjunction with the NET-3-HOWTO (which is usually installed by default in /usr/doc/faq/howto).

Installation is standard: compile and install using "make". You will have to make sure that your current kernel supports IP-Chains. I suggest a 2.1 kernel (or more recent) to ensure this. Also, you will have to compile "Network Firewalling" and "IP: Firewalling" into the kernel. I also suggest compiling in "IP: Always Defragment", as it solves a potential remote exploit to which your machine can be vulnerable if running a firewall.

So, what is a packet exactly? Information is sent across computer networks in the form of packets. These packets are pieces of the whole body of data being sent plus a header containing important information such as the protocol, source, length and number of the packet. The IP-Chains firewall filters packets which come into the firewall based on the information in this header. The firewall tries to match headers to a "rule" within a chain. A rule describes a certain condition, such as the source address, the protocol type and the packet destination. When a packet matches a rule, the firewall follows a certain policy to decide what to do with it (the types of policies I will cover are DENY, REJECT and ACCEPT). DENY and REJECT are very similar, except that DENY ignores the packet whilst REJECT returns an ICMP (Internet control message protocol - this is the protocol used when you ‘ping' someone) packet saying that the destination was unreachable. The ACCEPT policy is implicit.

By default, three different chains exist. They are "input", "output" and "forward". I will look at the first one. In order to perform firewalling, we want to append rules to a certain chain using the "-A" flag. For example: "ipchains -A input -s localhost -p ICMP -j DENY" will deny all ping packets from your localhost (specified by -s) to your localhost (specified by -d). Try pinging yourself. To delete this rule, type ipchains -D input 1 (1 being the first rule for the input chain). The flag "-s" specifies the source address, "-p" the protocol and "-j" the policy.

Now, recalling our past efforts with strict security, let's see how firewalling can increase it. The first policy should be as follows: "ipchains -P input DENY". This denies all packets to the host. You should, however, at least allow connections from the localhost to itself, as follows: "ipchains -A input -i lo -j ACCEPT". Complications are introduced, however, by connection to the Internet. Most people will be using ftp, and under active ftp the remote server will be making a connection to your host to send data (which is disallowed by the above rule). So, we must make an exception which allows for the remote ftp connection to your localhost. We also want to allow connections from any host to ssh (secure shell).

This requires the introduction of a new chain. To do this, use the "-N" flag, as follows: "ipchains -N pppinput". We need to ‘link' it to the input chain, by making it a policy under the input chain. This is how we do it: "ipchains -A input -i ppp0 -j pppinput", where "-i ppp0" is specifying all input from the ppp interface (usually your modem connection to the Internet). Now, we must apply some rules to ‘pppinput' to allow that remote ftp connection. We cannot be sure of the port to which it will be connecting, so we must specify a range, in the format lowerport:upperport, inclusive. Something like this would work: ipchains -A pppinput -p TCP -s ftp-data -d 1024:5999 -j ACCEPTipchains -A pppinput -p TCP -s ftp-data -d 6010: -j ACCEPTipchains -A pppinput -p TCP -s 22 -d -j ACCEPTThe missing upperport after ‘6010:' means that all ports after 6010 should be included in the rule. The reason why 10 ports are excluded is that ftp-data will not be connected to those (they are reserved for X). The last rule allows connections to port 22, ssh.

Instead of typing your configuration each time you can save it and restore it using scripts also provided by the IP-Chains author. They are to be found on the same homepage as IP-Chains, a package called "ipchains-scripts".

To save a correct configuration, you should run "ipchains-save > firewall". The file ‘firewall' now contains your complete configuration. If you need to restore this configuration, run "ipchains-restore

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gavin Sherry

PC World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?