fox2mike 05/07/27 21:03:55

  Added: xml/htdocs/doc/en/articles linux-24-stateful-fw-design.xml
  Log:
  #99028 - Stateful firewall design, Initial Version. rane will surely stop crying now ;)

Revision  Changes  Path
1.1  xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo

Index: linux-24-stateful-fw-design.xml
===================================================================

Linux 2.4 stateful firewall design
Daniel Robbins
Łukasz Damentko

This tutorial shows you how to use netfilter to set up a powerful Linux stateful firewall.

1.0 2005-07-28

About this tutorial
Should I take this tutorial?

The original version of this article was published on IBM developerWorks, and is property of Westtech Information Services. This document is an updated version of the original article, and contains various improvements made by the Gentoo Linux Documentation team.

This tutorial shows you how to use netfilter to set up a powerful Linux stateful firewall. All you need is an existing Linux system that's currently using a Linux 2.4 kernel. A laptop, workstation, router or server with a Linux 2.4 kernel will do.

You should be reasonably familiar with standard network terminology like IP addresses, source and destination port numbers, TCP, UDP and ICMP, etc. By the end of the tutorial, you'll understand how Linux stateful firewalls are put together and you'll have several example configurations to use in your own projects.

About the author

For technical questions about the content of this tutorial, contact the author, Daniel Robbins, at drobbins@gentoo.org.

Residing in Albuquerque, New Mexico, Daniel Robbins was the President/CEO of Gentoo Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for the PC, and the Portage system, a next-generation ports system for Linux. He has also served as a contributing author for the Macmillan books Caldera OpenLinux Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved with computers in some fashion since the second grade, when he was first exposed to the Logo programming language as well as a potentially dangerous dose of Pac Man. This probably explains why he has since served as a Lead Graphic Artist at SONY Electronic Publishing/Psygnosis. Daniel enjoys spending time with his wife, Mary, and his new baby daughter, Hadassah.

First steps
Defining our goal

In this tutorial, we're going to put together a Linux stateful firewall. Our firewall is going to run on a Linux laptop, workstation, server, or router; its primary goal is to allow only certain types of network traffic to pass through. To increase security, we're going to configure the firewall to drop or reject traffic that we're not interested in, as well as traffic that could pose a security threat.

Getting the tools

Before we start designing a firewall, we need to do two things. First, we need to make sure that the iptables command is available. As root, type iptables and see if it exists. If it doesn't, then we'll need to get it installed first. Here's how: head over to the netfilter/iptables project page (http://www.netfilter.org/) and grab the most recent iptables tarball you can find (currently iptables-1.1.2.tar.gz). Then, install it by typing in the following commands (output omitted for brevity):

# tar xzvf iptables-1.1.2.tar.gz
# cd iptables-1.1.2
# make
# make install

Kernel configuration

Once installed, you should have an iptables command available for use, as well as the handy iptables man page (man iptables). Great; now all we need is to make sure that we have the necessary functionality built into the kernel. This tutorial assumes that you compile your own kernels. Head over to /usr/src/linux, and type make menuconfig or make xconfig; we're going to enable some kernel network functionality.

Under the "Networking options" section, make sure that you enable at least the following options:

<*> Packet socket
[*] Network packet filtering (replaces ipchains)
<*> Unix domain sockets
[*] TCP/IP networking
[*]   IP: advanced router
[*]   IP: policy routing
[*]    IP: use netfilter MARK value as routing key
[*]    IP: fast network address translation
[*]   IP: use TOS value as routing key

Then, under the "IP: Netfilter Configuration ->" menu, enable every option so that we'll have full netfilter functionality. We won't use all the netfilter features, but it's good to enable them so that you can do some experimentation later on.

There's one networking option under the "Networking options" category that you shouldn't enable: explicit congestion notification. Leave this option disabled:

[ ]   IP: TCP Explicit Congestion Notification support

If this option is enabled, your Linux machine won't be able to carry on network communications with 8% of the Internet. When ECN is enabled, some packets that your Linux box sends out will have the ECN bits set in the IP and TCP headers; a number of Internet routers and firewalls mishandle or drop such packets, so it's very important that ECN is disabled.
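The kernel also exposes this setting at run time through /proc/sys/net/ipv4/tcp_ecn (1 = enabled, 0 = disabled), so you can check a running 2.4 box before deciding whether a rebuild is needed. The following shell snippet is an added example and not part of the original article; the file path is taken as a parameter so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the original article): report whether TCP ECN
# is currently enabled on a Linux 2.4 kernel by reading the sysctl file.
# The path argument defaults to the real sysctl; any other path is only
# for testing against a constructed file.
ecn_status() {
    f="${1:-/proc/sys/net/ipv4/tcp_ecn}"
    if [ ! -r "$f" ]; then
        # No such file: not a Linux kernel with this sysctl, or not readable.
        echo unavailable
        return 0
    fi
    case "$(cat "$f")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Turn ECN off until the next reboot (requires root). This is a stopgap;
# the article's advice of leaving the option out of the kernel still holds.
ecn_disable() {
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
}

# Standalone usage: print the current state of the real sysctl.
[ -n "${1:-}" ] && ecn_status "$1"
```

Running the script with no argument prints nothing; pass a path (or rely on the default inside the function) to see enabled, disabled or unavailable.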

OK, now that the kernel's configured correctly for our needs, compile a new one, install it, and reboot. Time to start playing with netfilter :)

Firewall design basics

In putting together our firewall, the iptables command is our friend. It's what we use to interact with the network packet filtering rules in the kernel. We'll use the iptables command to create new rules, list existing rules, flush rules, and set default packet handling policies. This means that to create our firewall, we're going to enter a series of iptables commands, and here's the first one we're going to take a look at (please don't type this in just yet!)...
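To make the four operations just named concrete (flushing rules, setting a default policy, appending rules and listing them), here is an added example of a minimal stateful INPUT chain. It is not the article's own rule set and it assumes that SSH on TCP port 22 is the only service you want reachable from outside; the IPT variable lets you dry-run it with echo instead of executing iptables as root.

```shell
#!/bin/sh
# Added example, not the article's own firewall: a minimal stateful INPUT
# chain using the state match of netfilter's connection tracking.
# Set IPT=echo for a dry run that prints the commands instead of running
# them; applying the rules for real requires root.
IPT="${IPT:-iptables}"

stateful_fw() {
    $IPT -F INPUT                        # flush existing INPUT rules
    $IPT -P INPUT DROP                   # default policy: drop what no rule accepts
    $IPT -A INPUT -i lo -j ACCEPT        # loopback traffic is always allowed
    # The stateful core: accept packets belonging to (or related to) a
    # connection that the connection-tracking table already knows about.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (e.g. a stray TCP ACK) are dropped.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The only NEW inbound connections accepted: SSH (assumed service).
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Other TCP connection attempts get a reset instead of a silent timeout.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}

list_fw() {
    $IPT -L INPUT -n -v                  # show the loaded rules with counters
}

# Usage: ./fw.sh apply      (as root)  or  ./fw.sh dry-run
case "${1:-}" in
    apply)   stateful_fw && list_fw ;;
    dry-run) IPT=echo; stateful_fw ;;
esac
```

The order matters: the ESTABLISHED,RELATED rule sits before the service-specific rules so that reply traffic is matched once per packet by the cheap state check, and the DROP policy at the end catches everything that nothing above accepted.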

-- gentoo-doc-cvs@gentoo.org mailing list