
Digital Phenomena - Your first stop for internet consultancy 
Setting Up a Linux Firewall on Your Network

Page 4 — Tables and Chains

The 2.2 Linux kernel packet-filtering tool is called "ipchains." The updated version that ships with the 2.4 kernel is known as "iptables." (There is an older version still, called "ipfwadm," that works with the 2.0 kernel, but one can't live in the past.) All of these tools operate on a very simple principle — each packet is checked against ordered lists of rules, called chains, and those rules decide which sorts of traffic are allowed in and out, and which are not.
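To make the rule-and-chain idea concrete, here is a small Python model of a single input chain, added as an illustration for this page; it is not ipchains or iptables code, and the network ranges, the banned host and the rule set in it are assumptions chosen for the example. It shows the two properties a firewall administrator has to keep in mind: rules are tried in order and the first match wins, and the chain's default policy decides anything no rule mentions.

```python
"""Toy model of a packet-filter chain: rules are tried in order, the first
match decides, and the chain's default policy applies when nothing matches.
Added illustration only; not ipchains or iptables code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (TCP/UDP only)


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DENY"
    src: Optional[str] = None     # CIDR; None matches any source
    dst: Optional[str] = None     # CIDR; None matches any destination
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Chain:
    def __init__(self, name: str, policy: str):
        self.name = name
        self.policy = policy          # verdict when no rule matches
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:       # order matters: the first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_input_chain() -> Chain:
    """Assumed home-network policy (constructed for this example): the LAN is
    192.168.1.0/24, one LAN host is banned, SSH is reachable from anywhere,
    and everything else arriving at the firewall is denied by policy."""
    chain = Chain("input", policy="DENY")
    chain.append(Rule("DENY", src="192.168.1.99/32"))      # banned host must come first
    chain.append(Rule("ACCEPT", src="192.168.1.0/24"))      # trusted LAN
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))     # SSH from outside
    return chain


if __name__ == "__main__":
    chain = build_input_chain()
    for pkt in (Packet("192.168.1.5", "192.168.1.1", "tcp", 80),
                Packet("192.168.1.99", "192.168.1.1", "tcp", 80),
                Packet("203.0.113.7", "198.51.100.2", "tcp", 22),
                Packet("203.0.113.7", "198.51.100.2", "tcp", 23)):
        print(pkt, "->", chain.verdict(pkt))
```

Swap the first two rules in build_input_chain and the banned host is accepted by the broader LAN rule before its DENY is ever consulted, which is exactly the mistake a hand-written ruleset most often contains; a DENY default policy is what makes the omission of a rule fail closed rather than open.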

Each workstation in the house knows that the firewall machine is its gateway. When workstation number one sends a packet to the firewall machine, the latter assigns that connection a port number of its own (so as to keep track of where it came from), replaces the source address and port in the packet header with its own real-world IP address and that port, and sends the packet out. When a reply comes back from the outside world, it arrives on that same TCP/IP port. The firewall machine knows that traffic on that port belongs to workstation number one, so it restores the original port number and IP address and passes the packet on to the workstation. This process is completely transparent to both parties.
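The following Python model walks through that exchange, added here as an illustration; it is not the kernel's masquerading code, and the addresses, port range and packets are constructed for the example. Two workstations happen to use the same local port to the same web server, which is the case the firewall's tracking port exists to disambiguate; an inbound packet on a port nobody inside asked for is dropped, which is why a masquerading gateway shields the workstations behind it.

```python
"""Toy model of IP masquerading (many-to-one NAT) as described above.
Added illustration only; not the kernel's masquerading code."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# (inner IP, inner port, remote IP, remote port) identifies one outbound flow
FlowKey = Tuple[str, int, str, int]


class Masquerader:
    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip          # the gateway's real-world address
        self.next_port = first_port         # next free tracking port (assumed range)
        self.out: Dict[FlowKey, int] = {}   # flow -> tracking port
        self.back: Dict[int, FlowKey] = {}  # tracking port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Workstation -> Internet: rewrite the source to the public IP and a tracking port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:                    # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> workstation: undo the rewrite, or return None to drop the packet."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.back.get(pkt.dst_port)
        if key is None:                     # nobody inside asked for this: drop it
            return None
        inner_ip, inner_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                     # not from the host the flow was opened to
        return replace(pkt, dst_ip=inner_ip, dst_port=inner_port)


if __name__ == "__main__":
    nat = Masquerader("198.51.100.2")       # constructed public address
    a = nat.outbound(Packet("192.168.1.10", 1025, "203.0.113.10", 80, "GET /"))
    b = nat.outbound(Packet("192.168.1.11", 1025, "203.0.113.10", 80, "GET /"))
    print("out:", a)
    print("out:", b)
    print("reply:", nat.inbound(Packet("203.0.113.10", 80, "198.51.100.2", b.src_port, "200 OK")))
    print("unsolicited:", nat.inbound(Packet("203.0.113.10", 80, "198.51.100.2", 61005)))
```

The inbound check compares the remote address and port as well as the tracking port, so a packet from a different host aimed at an allocated port is also dropped; the real kernel tables additionally time out idle entries, which this model omits.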

There are a number of tools that configure ipchains and iptables for you automatically. These easy-to-use tools include PMFirewall and Mason. PMFirewall involves making choices about the configuration you desire. Mason has a "learning mode" that simply looks at how you use your network and sets up firewalling rules automatically to accommodate you. As of this writing, Mason supports iptables and PMFirewall does not. Download and install one of these tools, and configuring your firewall is approximately as easy as pie.

Just for fun, let's go over how to set up a firewall with PMFirewall. The installation of Mason is similar, but Mason takes care of detecting your network setup automatically. First, you have to make sure that you have ipchains installed. It should come with your Linux distribution. If you can't find it on your system (and you're running the 2.2 kernel), check the CDs you installed from. If it's not there either, it can be downloaded from here. You'll also want to make sure your kernel is configured to work with ipchains. Chances are that it is; if you get a message that it's not, the ipchains HOWTO will tell you how to check, and how to fix your configuration if you have to.

Download the zipped PMFirewall from the creator's site and save it wherever you like to save such things on your system. Unpack the file by typing

tar -xzvf ./pmfirewall-x.x.x.tar.gz

where x.x.x is the version number. Then cd to the pmfirewall directory thus created, and, as the root user, type

sh install.sh

The installation process will prompt you for answers to some preliminary questions — where do you want config files installed, where does your copy of ipchains live, how are you connected to the Internet — for which the default answers should typically suffice. Then it will ask about how you want the firewall set up. Are there machines that you want to give unquestioned access to? Are there machines that you want to prohibit unilaterally? You will be asked to enter their IP addresses.

You also have to tell PMFirewall whether you have a static IP address or whether you're given a new one every time you log on, via DHCP. Then it asks what services you are running on the firewall machine: FTP? SSH? Telnet? SMTP? DNS? POP? a Web server? IMAP? and so forth. And are there any other ports that you want left open?

Finally, you are asked to configure masquerading, supply information about your internal network, and specify startup behavior. Voila! PMFirewall has configured your firewall automatically. You can proceed to tweak the settings manually if you want or need to.

When your firewall is set up, you can test it by going to the Self Port Scan, which will check your machine for open ports. Try accessing the page from your firewall machine with the firewall turned off and then with it turned on. The difference should be striking ... like, say, the difference between slightly elevated temperatures and third-degree burns all over your body.

