How to Create Linux Computer Firewalls

First, create a basic Linux shell script that flushes any previously loaded rules and locks the firewall down completely, disallowing all remote connections to and through the firewall.

Another important element of a firewall is the logging of activity that allows for easy troubleshooting. Once this has been accomplished it is time to open up the firewall for the protocols and ports that are needed.

In this regard there are a number of policies that require particular attention. These would be the OUTPUT, INPUT and FORWARD policies.

OUTPUT Policy

The OUTPUT policy covers connections originating from the firewall server itself.

To allow outbound connections from the firewall server add a rule similar to the following:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

The above rule will allow the protocol TCP, port 22 outbound on all network cards. The following rule will allow ping traffic out only on the “external” card:

iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT

Open up all other needed ports in a similar way.

INPUT Policy

To allow inbound traffic to the firewall server add an INPUT rule. To allow TCP on port 22 inbound type the following:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow the inbound half of ping/pong (ICMP echo replies) on the external card, add the following to the script:

iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT

It makes sense that for a computer to ping and be pinged the firewall will need to allow both ping and pong inbound and outbound.

Open up all other needed ports in a similar way.

FORWARD Policy

The FORWARD policy allows connections through the firewall.

In order for users to be able to connect to the Internet (another computer on the other side of the firewall) add a FORWARD rule to the firewall. Specify the port, protocol and interfaces to allow:

iptables -A FORWARD -i $INT -o $EXT -p tcp --dport 110 -j ACCEPT

In this example the firewall is allowing traffic coming in on $INT, connecting through to and out on $EXT, using port 110 with protocol TCP. "-i" names the incoming interface and "-o" the outgoing interface.

To allow pings, specify the icmp protocol as follows:

iptables -A FORWARD -i $INT -o $EXT -p icmp -j ACCEPT

It is possible to specify multiple ports with one rule as follows:

iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p tcp -m multiport --dports 80,53,22 -j ACCEPT

Open up all other needed ports in a similar way.

The remaining concerns are how the users and other servers connect to the Internet, and how they are connected to from the Internet. This involves setting up POSTROUTING and PREROUTING NAT.

POSTROUTING NAT (Masquerade)

All LAN Internet browsers should appear as if they are browsing from one “Public” IP address. POSTROUTING, or SNAT, changes the source address of the connection to a different IP address.

To accomplish this, add a rule similar to the following to the firewall:

iptables -t nat -A POSTROUTING -o $EXT -s 192.168.0.0/24 -j MASQUERADE

PREROUTING NAT

Keep the servers that should be available to the Internet in the DMZ. Normally the mail server and web server are located in the DMZ. LAN users will also need access to the DMZ to collect their mail.

If the company’s mail server is in the DMZ it will have a private IP address. On the other hand, if one were to do a “dig” on the company domain name one would find that all zone records point to the company's public IP address, the IP address of the external network card of the firewall. This means any connection to the DMZ servers will stop at the firewall unless requests for those services can be redirected to the appropriate server in the DMZ. Use PREROUTING NAT to accomplish this. Add a line similar to the following into the firewall:

iptables -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 110,80 -j DNAT --to 192.168.10.3

This is called PREROUTING because the destination IP address in the packet header is changed to the address of the server in the DMZ before the routing decision is made, so the kernel then routes the packet to that server.

IP Forwarding

If the firewall server has more than one network card, enable IP forwarding. This will allow packets to move between two network cards. If IP forwarding hasn't been enabled on the network cards, put in the following at the top of the firewall script.

echo "1" > /proc/sys/net/ipv4/ip_forward

Running the script

To run the script, execute "firewall.sh" as root at the command prompt. The script can be run when the server boots up by using a cron job scheduled to run at boot. Use the "nmap" port scanning tool to check that the desired ports are open and everything else is closed.
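The following script assembles the rules above in the order the page describes (flush, default DROP, open OUTPUT/INPUT/FORWARD, NAT, then log what is left). It is an added example written for this page, not the author's own firewall.sh; the interface names eth0/eth1 are assumptions, and the LAN range and DMZ address come from the page. Two things the page does not spell out are included: an ESTABLISHED,RELATED rule so reply packets pass without a rule per port, and a FORWARD rule for the DNAT'ed DMZ ports, since DNAT only rewrites the destination and the packet still has to cross the FORWARD chain.

```shell
#!/bin/sh
# Constructed example firewall script following the policies on this page.
# Interface names, the LAN range and the DMZ mail/web host are assumptions.
EXT=${EXT:-eth0}                  # external (Internet-facing) network card
INT=${INT:-eth1}                  # internal LAN network card
LAN=${LAN:-192.168.0.0/24}        # LAN address range behind the firewall
DMZ_SRV=${DMZ_SRV:-192.168.10.3}  # DMZ host receiving the DNAT'ed mail/web ports
# Prints one iptables command per line; apply_firewall runs them in order.
firewall_rules() {
    # Flush any previously loaded rules, then close everything by default.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Loopback, plus packets of connections already allowed, so the rules
    # below only need to cover the first packet of each new connection.
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # OUTPUT: connections originating from the firewall itself.
    echo "iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT"
    # INPUT: connections to the firewall; ping and pong so it can ping and be pinged.
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT"
    echo "iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT"
    # FORWARD: LAN -> Internet, and Internet -> the DNAT'ed DMZ ports
    # (DNAT only rewrites the destination; the packet still crosses FORWARD).
    echo "iptables -A FORWARD -i $INT -o $EXT -s $LAN -p tcp -m multiport --dports 80,53,22 -j ACCEPT"
    echo "iptables -A FORWARD -i $INT -o $EXT -p icmp -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT -d $DMZ_SRV -p tcp -m multiport --dports 110,80 -j ACCEPT"
    # NAT: LAN hosts share the public address; inbound mail/web go to the DMZ host.
    echo "iptables -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE"
    echo "iptables -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 110,80 -j DNAT --to $DMZ_SRV"
    # Log whatever was not opened above before the DROP policy discards it.
    echo "iptables -A INPUT -j LOG --log-prefix \"FW-INPUT: \""
    echo "iptables -A FORWARD -j LOG --log-prefix \"FW-FORWARD: \""
}
# Loads the rules (needs root). Run without --apply to review them first.
apply_firewall() {
    echo 1 > /proc/sys/net/ipv4/ip_forward   # let packets move between the cards
    firewall_rules | while IFS= read -r cmd; do eval "$cmd"; done
}
if [ "${1:-}" = "--apply" ]; then apply_firewall; else firewall_rules; fi
```

Running the script with no arguments prints the rule set for review; `./firewall.sh --apply` loads it, after which nmap from a host on the other side of the firewall confirms only the intended ports answer.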

Before embarking on designing and implementing a firewall one should research all aspects of network security. This will ensure optimal security from any risk, whether from within or from outside the company.

Source:

Peter Hupston, IT Manager Legalwise S.A., "How to Create Linux Computer Firewalls", 21 October 2009