Of course, one of the building blocks of network security is a good firewall. Although many companies pay top dollar for commercial firewall solutions, Linux has long been a popular option for those who want to save some big money and who don't mind rolling up their sleeves and building the firewall configuration themselves.
Fortunately, the Linux firewall solution has continued to improve, and the netfilter/iptables system now provides a robust and supremely flexible solution. netfilter/iptables (netfilter is the name of the project, and iptables is the name of the Linux software itself) is a packet-filtering system integrated into the Linux 2.4.x kernel. It is the successor to the ipchains and ipfwadm systems and is the first to be incorporated directly into the kernel. Here's a look at how you can build a strong Linux firewall with iptables.
Understanding firewalls
Although there are many ways to design a firewall system, the basics remain the same. Set up a server with two network interface cards, one that connects to the Internet and one that connects to the private, internal network. (And if you want a DMZ for your hosted services, you set up a third NIC.) Then, you set up the firewall to filter packets to allow or deny certain traffic, creating a secured environment and freeing up bandwidth and processor cycles for more important work.
The main point of the firewall is to open up to the traffic that you need and close out everything else. The terms open and close refer to the actual ports, usually TCP, UDP, or ICMP, that allow connections to be established on a server. Communication between systems on the Internet can be looked at generally on a packet level. A packet contains information in its header such as source address, destination address, and protocol type, which iptables can then use to make filtering decisions.
Unlike ipchains and ipfwadm, iptables can be configured as a stateful firewall rather than a stateless one. Also known as connection tracking, being stateful means the firewall remembers previous decisions involving the handling of packets instead of treating each one as a new event. Valid states include INVALID, ESTABLISHED, and NEW.
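The following script is an added example and is not code from the original article. It builds the two-interface, stateful ruleset the preceding paragraphs describe: a default DROP policy, loopback allowed, INVALID packets dropped, ESTABLISHED/RELATED traffic accepted before any per-service rule, and NEW connections accepted only from the internal network or to explicitly opened ports. The interface names eth0 (Internet) and eth1 (internal), the internal network 192.168.1.0/24, and the two services opened to the Internet (TCP 22 and 80) are constructed assumptions; the IPT variable lets the same ruleset be printed with echo instead of executed, which is how you review it before loading it as root.

```shell
#!/bin/sh
# Added example: minimal stateful two-NIC firewall using the 2.4-era
# "-m state" match. Interface names, network and ports are assumptions.
EXT_IF="${EXT_IF:-eth0}"              # NIC facing the Internet (assumed)
INT_IF="${INT_IF:-eth1}"              # NIC facing the private LAN (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"  # internal network (constructed value)
IPT="${IPT:-iptables}"                # set IPT=echo to print rules instead

# Wrapper so every rule goes through the same binary (or through echo).
ipt() { "$IPT" "$@"; }

firewall_rules() {
  # Start from a clean table and close everything by default.
  ipt -F
  ipt -X
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Loopback is always allowed; malformed/untrackable packets are dropped.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state INVALID -j DROP

  # Stateful core: replies to connections we already know about are
  # accepted here, so the per-service rules below only need to open
  # the first (NEW) packet of a connection.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Internal hosts may open anything on the firewall itself.
  ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT

  # From the Internet, only the services we host are opened (assumed ports).
  ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  ipt -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # Internal hosts may initiate outbound connections through the firewall.
  ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT

  # Log (rate-limited) whatever is about to hit the DROP policy.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# "apply" loads the rules with iptables; "show" prints them via echo.
case "${1:-}" in
  apply) firewall_rules ;;
  show)  ( IPT=echo; firewall_rules ) ;;
esac
```

Run it as "sh firewall.sh show" to review the exact iptables invocations, and as root with "sh firewall.sh apply" to load them. Rule order matters: because the ESTABLISHED,RELATED rule precedes the service rules, a connection that was allowed once keeps flowing without re-matching each packet against the port list, which is the practical benefit of the stateful design the article describes.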
Installing iptables
The netfilter/iptables system is part of the 2.4.x kernel, as mentioned above; however, the actual firewalling software, also called iptables, is not part of the kernel. Netfilter is often used to refer to the kernel portion, while the iptables tool is used to actually insert and delete rules in the kernel's packet filtering table. While many distributions such as Red Hat include iptables as part of their standard install, you may need to download it separately from Netfilter.org. If installing from source, the following commands should get you up and running:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xpf iptables-1.2.6a.tar
# cd iptables-1.2.6a
# make
# make install
Kernel support will most likely be preconfigured for the more recent kernels, but it may be necessary to compile it yourself. You'll need to do this if you receive an error such as "iptables is incompatible with your kernel." First, verify that you're running a 2.4.x kernel (with uname -a, for instance), then compile a new kernel, being sure to set the CONFIG_NETFILTER option to Y.
Once iptables is running on your system, it's time to look at configuring the firewall.