Firewalls: Ipchains syntax and implementation
Okay, I think we've covered a good bit of theory about what a
firewall should and shouldn't allow now. Time to get to building them.
We'll start with ipchains, since that's simpler than iptables, and move
There is an excellent how-to that explains the rules of ipchains
I could go over the syntax (and will if anyone wants me to), but feel
like I'd be reinventing the wheel since I think Rusty's done such a
good, clear job of it already.
is particularly helpful, and explains the basics of syntax. Please ask
if anything is unclear or confusing.
So let's try to apply all this knowledge. You are a security
consultant hired by the admin of example.com's network. You have the
(we'll pretend that it's routable) IP block 10.1.1.0/24. Most of your
network is comprised of Windows workstation boxes. You also have some
Linux workstation boxes, an FTP server running under Solaris at
10.1.1.7, a Web server running under Linux at 10.1.1.14, and a file
server for the Windows machines at 10.1.1.21. Your mail server is
hosted on the same machine as your Web server (10.1.1.14). DNS is
handled by a FreeBSD server at 10.1.1.5.
Your Windows users want to be able to "access the Internet".
Your Linux users want to be able to ssh into their workstations from
home so that they can work remotely. The company is worried about the
security of its network, and wants you to firewall it off from the
Internet, without disrupting business. You decide to use ipchains under
What sort of a setup would you recommend? What further
questions would you have for your employers? And what firewall
ruleset(s) would you propose? We will assume for the purposes of this
discussion that the Linux boxes you're using are already built, that
firewalling and IP masquerading support are already built into the
kernel, and that the Linux boxes have been stripped of unnecessary
services and locked down. Post your ideas and rules to the list, and
we'll discuss them and see what the best setup we can come up with is.
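One possible ruleset for this scenario, as an added example that is not part of the original post or the author's own answer: it assumes the firewall is a Linux gateway with eth0 facing the Internet and eth1 facing the LAN, and uses constructed placeholder addresses for the Linux workstations since the post does not give them.

```shell
#!/bin/sh
# Added example (not from the original post): one possible ipchains ruleset
# for the example.com scenario. Assumed: the firewall is a Linux gateway with
# eth0 on the Internet side and eth1 on 10.1.1.0/24, and the Linux workstations
# needing inbound ssh are at the constructed addresses in LINUX_WS.
# Run with IPCHAINS=echo to print the commands instead of applying them.
IPCHAINS="${IPCHAINS:-ipchains}"
EXT=eth0; INT=eth1; LAN=10.1.1.0/24
DNS=10.1.1.5; FTP=10.1.1.7; WEBMAIL=10.1.1.14
LINUX_WS="10.1.1.30 10.1.1.31"   # constructed placeholders, not from the post

apply_firewall() {
    # Flush, then default every built-in chain to DENY except our own output.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    # Anti-spoofing: packets claiming our block must never arrive from outside.
    $IPCHAINS -A input -i "$EXT" -s "$LAN" -l -j DENY
    # Loopback and the LAN side are trusted into the input chain.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT" -s "$LAN" -j ACCEPT
    # Published services only, each on its own host and port.
    $IPCHAINS -A input -i "$EXT" -p tcp -d "$WEBMAIL" 80 -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p tcp -d "$WEBMAIL" 25 -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p tcp -d "$FTP" 21 -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p udp -d "$DNS" 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p tcp -d "$DNS" 53 -j ACCEPT
    for ws in $LINUX_WS; do
        $IPCHAINS -A input -i "$EXT" -p tcp -d "$ws" 22 -j ACCEPT
    done
    # Replies to connections opened from inside: TCP without SYN (! -y),
    # DNS answers to the resolver, and ICMP unreachable errors.
    $IPCHAINS -A input -i "$EXT" -p tcp ! -y -d "$LAN" -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p udp -s 0/0 53 -d "$DNS" -j ACCEPT
    $IPCHAINS -A input -i "$EXT" -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Nothing above matches the Windows file server (10.1.1.21), so it stays
    # unreachable from outside; everything else is logged and dropped.
    $IPCHAINS -A input -i "$EXT" -l -j DENY
    # The block is treated as routable, so forward rather than masquerade
    # (change the outbound target to MASQ if it were private address space).
    $IPCHAINS -A forward -i "$EXT" -s "$LAN" -j ACCEPT
    $IPCHAINS -A forward -i "$INT" -d "$LAN" -j ACCEPT
}
```

Passive-mode FTP data ports on 10.1.1.7 are deliberately not opened here; which FTP mode the server must support is one of the questions to put to the employer before finalising the rules.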
Copyright (c) 2002 by Raven Alder. This material
may be distributed only subject to the terms and
conditions set forth in the Open Publication License,
v1.0 or later (the latest version is presently
available at http://www.opencontent.org/openpub/).