Previous Page | Next Page

  1. Introduction
  2. About Linux
  3. Installation and getting started
  4. Logging in and out
  5. Basic Linux Commands
  6. Linux Files and File Permissions
  7. Linux Directory Structure
  8. Finding Files
  9. Linux Help
  10. Setting Time
  11. Devices
  12. Tips
  13. Accessing Other Filesystems
  14. Accessing Removable Media
  15. Making and Managing Filesystems
  16. Emergency Filesystems and Procedures
  17. LILO and Runlevels
  18. Init
  19. Environment, Shell Selection, and Startu
  20. Linux Kernel
  21. Package Installation and Printing
  22. Configuration, Logging and CRON
  23. Keys and Terminal Configuration
  24. Sound Configuration
  25. Managing Users
  26. Passwords
  27. Process Control
  28. Configuration and Diagnostic Tools
  29. Overall Configuration
  30. Using PAM
  31. Basic Network Setup
  32. Tools and Terms
  33. Novell and Printing
  34. Inetd Services
  35. Xinetd Services
  36. Other Network Services
  37. FTP and Telnet
  38. Samba
  39. Identd (auth)
  40. X Configuration
  41. X Use
  42. Using X Remotely
  43. X Documentation
  44. DNS
  45. DHCP and BOOTP
  46. Apache
  47. NFS
  48. PPP
  49. Mail
  50. Routing
  51. IP Masquerading
  52. Proxy Servers and ipchains
  53. UUCP
  54. News
  55. NIS
  56. Network Security
  57. Secure Shell
  58. Text Processing
  59. Shell Programming
  60. Emacs
  61. VI
  62. Recommended Reading
  63. Credits

Linux Proxy Servers

For complete information on the use of IP chains and setting up a firewall, see the following Linux how-tos:

  • IPCHAINS-HOWTO
  • Firewall-HOWTO
  • IP-Masquerade-HOWTO

Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos. Also much of the information in this section is contained in the firewalls section of The CTDP Networking Guide in the networking section. If you do not know the various firewall types, you should read that section.

Packet Filtering Firewalls

In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in The CTDP Networking Guide and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client. The ipchains tool is commonly used to configure packet filtering or circuit level relay firewalls.

Circuit Level Relay Firewall

A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirect the request to a proxy server running on the machine. Basically, the redirect function is set up using ipchains then the proxy will filter the package at the port that received the redirect.

Configuring a Proxy Server

The following packages are available in Linux:

  • Ipchains soon to be replaced by netfilter (Packet filtering supported by the Linux kernel). It comes with Linux and is used to modify the kernel packet routing tables.
  • SOCKS - Circuit Switching firewall. Normally doesn't come with Linux, but is free.
  • Squid - A circuit switching proxy. Normally comes with Linux.
  • Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.
  • The TIS Firewall Toolkit (FWTK). A toolkit that comes with application level proxies. The applications include telnet, rlogin, SMTP mail, ftp, http, and X windows. it can also perform as a transparent proxy for other services.

This section does not explain how to set up and install these packages.

Deny Ping

An easy way to deny ping on your Linux computer:

ipchains -A input -p ICMP -j DENY

Warning: Those not familiar with the ICMP protocol and its uses should be aware that this command will deny all ICMP message types including useful and important messages. The ICMP protocol performs many functions and this command may cause network problems depending on how the machine is used (especially if used for routing) on your network. Ping is only one feature supported by ICMP. You should not use this command unless you know what you are doing or you are using it on a system that is not important for network operation. See the "Internet Control Message Protocol (ICMP)" section in the The CTDP Networking Guide. Safer examples are shown below.

Deny Telnet Connections

This example will deny telnet functions to your machine.

ipchains -A input -p TCP -s 0/0 telnet -j DENY

Using this command to block telnet is worthwhile it you are interested in using a more secure means of providing remote sessions. Secure shell is a good substitute for telnet for those who require a secure environment.

Ipchains and Linux Packet filtering

The administration of data packet management is controlled by the kernel. Therefore to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables that each contain 0 or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.

  1. Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.
  2. Instructions - Instructions are carried out if the rule characteristics match the data packet.

The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.

Rules and Programming Comparison

For those who are familiar with programming the ipchains rule set can be compared to a sequence of if statements.

	if (packet=characteristics1) then perform action1;
	elseif (packet=characteristics2) then perform action2;
	elseif (packet=characteristics3) then perform action3;
	else perform default action4;

The comparisons are made depending on the type of packets, their source or destination or a variety of characteristics entered using the ipchains command. If the packet matches the established characteristics, the action specified by the ipchains command is carried out.

Chain Specification

Chains are specified by name. There are three chains that are available and can't be deleted. They are:

  1. Input - Regulates acceptance of incoming data packets.
  2. Forward - Defines permissions to forward packets that have another host as a destination.
  3. Output - Permissions for sending packets.

Each rule has a branch name or policy. Policies are listed below:

  • ACCEPT - Accept the data packet.
  • REJECT - Drop and the packet but send a ICMP message indicating the packet was refused.
  • DENY - Drop and ignore the packet.
  • REDIRECT - Redirect to a local socket with input rules only even if the packet is for a remote host. This applies to TCP or UDP packets.
  • MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
  • RETURN - The next rule in the previous calling chain is examined.

You can create more chains then add rules to them. The commands used to modify chains are as follows:

  • -N Create a new chain
  • -X Delete an empty chain
  • -L List the rules in the chain
  • -P Change the policy for a chain
  • -F Flush=Delete all the rules in a chain
  • -Z Zero the packet and byte counters in all chains

Commands to manipulate rules inside the chain are:

  • -A Append a new rule to a chain.
  • -I Insert a new rule at some position in a chain.
  • -R Replace a rule at some position in a chain.
  • -D Delete a rule at some position in a chain.
  • Options for masquerading:
    • -M with -L to list the currently masqueraded connection.
    • -M with -S to set the masquerading timeout values.

IPchains Options for setting rule specifications:

  • -s Source
  • -d Destination
  • -p Protocol=tcp, upd, icmp, all or a name from /etc/protocols
  • -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.
  • -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent
  • -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.
  • -f Fragment

When making changes to firewall rules, it is a good idea to deny all packages prior to making changes with the following three commands:

ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY

These commands inserts a rule at location 1 that denies all packages for input, output, or forwarding. This is done so no unauthorized packets are not let through while doing the changes. When your changes have been completed, you need to remove the rules at position 1 with the following commands:

ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1

Examples of the use of ipchains to allow various services

Create a new chain:

ipchains -N chainame

The option "-N" creates the chain.

Add the chain to the input chain:

ipchains -A input -j chainame

Allow connections to outside http servers from inside our network:

ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic.

Allow connections from the internet to connect with your http server:

ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic.

Allow DNS to go through the firewall:

ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies UDP protocol. The "-s 0/0 dns" specifies any dns traffic from any location. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows DNS queries from computers inside our network to be received.

Allow e-mail to go from our internal mail server to mailservers outside the network.

ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.

Allow e-mail to come from any location to our mail server:

ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.

Perform a HTTP port redirect for a transparent proxy server:

ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080

The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.

Give telnet transmissions a higher priority

ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10"

The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.

Using ipchains-save and ipchains-restore to make rules permanent

When you are done setting your ipchains rules, use the following procedure while logged on as root to make them permanent:

  1. Type the command "ipchains-save > /etc/iprules.save".
  2. Create the following script named "packetfw":
    #! /bin/sh
    # Packet filtering firewall script to be used turn the firewall on or off
     
    if [ -f /etc/iprules.save ]
    then
       case "$1" in
          start)
              echo -n "Turning on packet filtering firewall:"
              /sbin/ipchains-restore < /etc/iprules.save
              echo 1 > /proc/sys/net/ipv4/ip_forward
              echo "."
              ;;
           stop)
              echo -n "Turning off packet filtering:"
              echo 0 > /proc/sys/net/ipv4/ip_forward
              /sbin/ipchains -X
              /sbin/ipchains -F
              /sbin/ipchains -P input ACCEPT
              /sbin/ipchains -P output ACCEPT
              /sbin/ipchains -P forward ACCEPT
              echo "."
              ;;
           *)
              echo "Usage: /etc/init.d/packetfw {start|stop}"
              exit 1
              ;;
       esac
       exit 0
    else
       echo the /etc/iprules.save file does not exist.
       exit 1
    fi
    
  3. Save the file in the /etc/rc.d/init.d directory.
  4. In the /etc/rc.d/rc3.d and the /etc/rc.d/rc5.d directories make a symbolic link called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s /etc/rc.d/rc3/S07packetfw /etc/rc.d/init.d/packetfw". This applies to runlevel 3. Do the same for the runlevel 5 initialization directory. Note: You may need to use a different number than the "S07" string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories to determine what number is available to give this file. Try to give it a number just below your network number file. On my system the S10network file is used to start my network.