The easiest and most useful type of firewalling under Linux is packet firewalling using IP-Chains. The latest copy of IP-Chains can be obtained from the project's homepage: www.rustcorp.com/linux/ipchains. To best understand this Here's How, it should be read in conjunction with the NET-3-HOWTO (which is usually installed by default in /usr/doc/faq/howto).
Installation is standard: compile and install using "make". Your kernel must also support IP-Chains; it entered the kernel at 2.1.102, so use a 2.2 kernel (or a late 2.1 development kernel). You will have to compile "Network Firewalling" and "IP: Firewalling" into the kernel. I also suggest compiling in "IP: Always Defragment": the filter only checks port numbers on the first fragment of a fragmented packet, so without reassembly an attacker can split a packet so that the ports your rules match on are hidden in later fragments and get traffic past the filter.
So, what is a packet exactly? Information is sent across computer networks in the form of packets. Each packet is a piece of the whole body of data being sent, plus a header containing information such as the protocol, the source and destination addresses, the length and, for TCP and UDP, the port numbers. The IP-Chains firewall filters packets which come into the firewall based on the information in this header. The firewall tries to match headers against the "rules" in a chain, taking the rules in order; the first match decides. A rule describes a certain condition, such as the source address, the protocol type and the packet destination. When a packet matches a rule, the firewall applies the rule's target to decide what to do with it (the targets I will cover are DENY, REJECT and ACCEPT). DENY and REJECT are very similar, except that DENY silently discards the packet whilst REJECT also returns an ICMP (Internet Control Message Protocol, the protocol used when you "ping" someone) packet telling the sender that the destination was unreachable. ACCEPT lets the packet through; it is the default policy of the built-in chains, which is why a freshly booted machine passes everything until you change it.
By default, three chains exist: "input", "output" and "forward". I will look at the first one. To perform firewalling we append rules to a chain using the "-A" flag. For example, "ipchains -A input -s localhost -p ICMP -j DENY" denies every ICMP packet arriving on the input chain whose source is your localhost (specified by -s); no destination is given with -d, so any destination matches. Try pinging yourself: the pings get no answer. "ipchains -L input" lists the rules in the chain in order. To delete this rule, type "ipchains -D input 1" (1 being its position in the input chain, counting from 1; the rules after it move up by one when it goes), or repeat the original command with -D in place of -A. The flag "-s" specifies the source address, "-d" the destination address, "-p" the protocol and "-j" the target, i.e. what to do with a matching packet.
Now, recalling our past efforts with strict security, let's see how firewalling can increase it. Start by setting the chain's default policy: "ipchains -P input DENY". This denies every packet that matches none of the rules in the input chain, and since the chain is empty so far that means all packets to the host. You should, however, at least allow the host to talk to itself over the loopback interface: "ipchains -A input -i lo -j ACCEPT". Connection to the Internet introduces complications. Most people will be using ftp, and under active ftp the remote server opens a connection back to your host, from its port 20 (ftp-data) to a port your client has announced, in order to send data; the DENY policy above throws those packets away. So we must make an exception which allows that remote ftp connection to your host. We also want to allow connections from any host to ssh (secure shell). Bear in mind that a DENY policy also discards the replies to connections your own host opens, because they arrive on the input chain like everything else; a usable configuration therefore also needs a rule accepting them, for example with the "-y" flag, which matches only the TCP packets that open a connection, so that "! -y" accepts everything except new connection attempts.
This requires the introduction of a new chain. Create it with the "-N" flag: "ipchains -N pppinput". We then link it to the input chain by making it the target of a rule there: "ipchains -A input -i ppp0 -j pppinput", where "-i ppp0" matches everything arriving on the ppp interface (usually your modem connection to the Internet). Packets from that interface now run through the rules of "pppinput"; a packet that matches none of them returns to the input chain and falls through to its DENY policy. Now we must add rules to "pppinput" to allow that remote ftp connection. We cannot be sure of the port to which the server will be connecting, only that it is an unprivileged port (1024 or above), so we specify a range in the format lowerport:upperport, inclusive. Something like this would work: ipchains -A pppinput -p TCP -s 0.0.0.0/0 ftp-data -d
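Here is the whole procedure as one shell script. This is an added example, not code from the original article or from the IP-Chains author: it assumes your Internet link is ppp0, writes the active-ftp rule out in full (accepting connections from ftp-data to the unprivileged ports 1024:65535, my own completion of the rule), and goes a little beyond the text by also accepting DNS replies and the non-SYN TCP packets that make up replies to connections you open, which a bare DENY policy would otherwise drop. Setting IPCHAINS=echo before calling build_firewall prints the commands instead of running them, which is how to check the rule order on a machine without ipchains support.

```sh
#!/bin/sh
# Added example, not from the original article: the input-chain policy
# described above as one script, plus the active-ftp rule written out in
# full. Rules are tested in order and the first match wins; a packet that
# matches nothing in "pppinput" returns to "input" and hits its DENY policy.
#
# Assumptions (mine, not the article's): the Internet link is ppp0, and
# IPCHAINS may be set to "echo" for a dry run on a kernel without ipchains
# support, which prints the commands instead of running them. DNS_SERVER
# should be narrowed to your resolver's address; 0.0.0.0/0 is the loose default.
IPCHAINS="${IPCHAINS:-ipchains}"
PPP_IF="${PPP_IF:-ppp0}"
DNS_SERVER="${DNS_SERVER:-0.0.0.0/0}"

build_firewall() {
    # Start from a clean slate: empty the input chain, then drop the old
    # user chain (it can only be deleted once nothing references it).
    $IPCHAINS -F input
    $IPCHAINS -F pppinput 2>/dev/null || true
    $IPCHAINS -X pppinput 2>/dev/null || true

    # Default policy: anything the rules below do not accept is silently dropped.
    $IPCHAINS -P input DENY

    # The host may always talk to itself over the loopback interface.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Everything arriving on the ppp link is handed to its own chain.
    $IPCHAINS -N pppinput
    $IPCHAINS -A input -i "$PPP_IF" -j pppinput

    # Active-mode ftp: the remote server connects from port 20 (ftp-data)
    # to an unprivileged port on our side, so accept 1024:65535 inclusive.
    $IPCHAINS -A pppinput -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:65535 -j ACCEPT

    # ssh from any host.
    $IPCHAINS -A pppinput -p TCP -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -j ACCEPT

    # DNS answers come back over UDP from the resolver's port 53 ("domain").
    $IPCHAINS -A pppinput -p UDP -s "$DNS_SERVER" domain -j ACCEPT

    # Replies to connections this host opened: "-y" matches TCP packets that
    # start a connection (SYN set, ACK clear), so "! -y" accepts every TCP
    # packet that is not a new connection attempt.
    $IPCHAINS -A pppinput -p TCP ! -y -j ACCEPT

    # Anything else from the Internet is refused with an ICMP error so the
    # peer fails fast rather than waiting for a timeout.
    $IPCHAINS -A pppinput -j REJECT
}

# Only act when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    start) build_firewall ;;
    *)     : ;;
esac
```

Run it as root with "sh firewall.sh start" after the ppp link is up. The final REJECT rule is deliberate: without it a packet that matches nothing in pppinput would still be dropped by the input policy, but it would be dropped silently, and a REJECT at the end of the chain makes the refusal visible to the peer while the DENY policy remains the safety net for every other interface.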
Instead of typing your configuration each time, you can save it and restore it using scripts also provided by the IP-Chains author. They are to be found on the same homepage as IP-Chains, in a package called "ipchains-scripts".
To save a correct configuration, run "ipchains-save > firewall" (it writes the rules to standard output, so redirect them into a file). The file "firewall" now contains your complete configuration: every chain, its rules and its policy. If you need to restore this configuration, run "ipchains-restore