Packet firewalling under Linux with IP-Chains

The easiest and most useful type of firewalling under Linux is packet firewalling using IP-Chains. The latest copy of IP-Chains can be obtained from the project's homepage: To best understand this Here's How, it should be read in conjunction with the NET-3-HOWTO (which is usually installed by default in /usr/doc/faq/howto).

Installation is standard: compile and install using "make". You will have to make sure that your current kernel supports IP-Chains. I suggest a 2.1 kernel (or more recent) to ensure this. Also, you will have to compile "Network Firewalling" and "IP: Firewalling" into the kernel. I also suggest compiling in "IP: Always Defragment", as it solves a potential remote exploit to which your machine can be vulnerable if running a firewall.

So, what is a packet exactly? Information is sent across computer networks in the form of packets. These packets are pieces of the whole body of data being sent plus a header containing important information such as the protocol, source, length and number of the packet. The IP-Chains firewall filters packets which come into the firewall based on the information in this header. The firewall tries to match headers to a "rule" within a chain. A rule describes a certain condition, such as the source address, the protocol type and the packet destination. When a packet matches a rule, the firewall follows a certain policy to decide what to do with it (the types of policies I will cover are DENY, REJECT and ACCEPT). DENY and REJECT are very similar, except that DENY ignores the packet whilst REJECT returns an ICMP (Internet control message protocol - this is the protocol used when you ‘ping' someone) packet saying that the destination was unreachable. The ACCEPT policy is implicit.

By default, three different chains exist. They are "input", "output" and "forward". I will look at the first one. In order to perform firewalling, we want to append rules to a certain chain using the "-A" flag. For example: "ipchains -A input -s localhost -p ICMP -j DENY" will deny all ping packets from your localhost (specified by -s) to your localhost (specified by -d). Try pinging yourself. To delete this rule, type ipchains -D input 1 (1 being the first rule for the input chain). The flag "-s" specifies the source address, "-p" the protocol and "-j" the policy.

Now, recalling our past efforts with strict security, let's see how firewalling can increase it. The first policy should be as follows: "ipchains -P input DENY". This denies all packets to the host. You should, however, at least allow connections from the localhost to itself, as follows: "ipchains -A input -i lo -j ACCEPT". Complications are introduced, however, by connection to the Internet. Most people will be using ftp, and under active ftp the remote server will be making a connection to your host to send data (which is disallowed by the above rule). So, we must make an exception which allows for the remote ftp connection to your localhost. We also want to allow connections from any host to ssh (secure shell).

This requires the introduction of a new chain. To do this, use the "-N" flag, as follows: "ipchains -N pppinput". We need to ‘link' it to the input chain, by making it a policy under the input chain. This is how we do it: "ipchains -A input -i ppp0 -j pppinput", where "-i ppp0" is specifying all input from the ppp interface (usually your modem connection to the Internet). Now, we must apply some rules to ‘pppinput' to allow that remote ftp connection. We cannot be sure of the port to which it will be connecting, so we must specify a range, in the format lowerport:upperport, inclusive. Something like this would work: ipchains -A pppinput -p TCP -s ftp-data -d 1024:5999 -j ACCEPTipchains -A pppinput -p TCP -s ftp-data -d 6010: -j ACCEPTipchains -A pppinput -p TCP -s 22 -d -j ACCEPTThe missing upperport after ‘6010:' means that all ports after 6010 should be included in the rule. The reason why 10 ports are excluded is that ftp-data will not be connected to those (they are reserved for X). The last rule allows connections to port 22, ssh.

Instead of typing your configuration each time you can save it and restore it using scripts also provided by the IP-Chains author. They are to be found on the same homepage as IP-Chains, a package called "ipchains-scripts".

To save a correct configuration, you should run "ipchains-save > firewall". The file ‘firewall' now contains your complete configuration. If you need to restore this configuration, run "ipchains-restore

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gavin Sherry

PC World
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?