Build a Linux Firewall Based on Ipchains
As is well known, Linux makes an excellent firewall platform. Whether placed in front of a Web or FTP site or used as the gateway of an internal LAN, Linux provides the tools needed to construct a firewall that meets a site's particular requirements.
ipchains, the packet-filtering facility built into the 2.2-series Linux kernel (its successor from the 2.4 kernel onward is iptables), accepts, drops, masquerades and redirects packets passing between systems. Combined with the low cost of the operating system itself, this makes Linux an inexpensive choice for the firewall that connects a LAN (or a larger internal network) to the Internet.
Firewall type
The Linux kernel provides three built-in chains, each applied to a different class of traffic; together they allow a firewall with very broad functionality. The three basic chains are:
Input chain: every packet arriving at the host is checked against the input chain rules before it is accepted.
Output chain: every packet leaving the host is checked against the output chain rules before it is sent.
Forward chain: every packet routed through the host to another host is checked against the forward chain rules before it is sent on. (A forwarded packet therefore traverses input, then forward, then output.)
Each "chain" is simply an ordered list of rules. Users can define additional chains of their own and jump to them from the built-in chains, which in effect extends the three built-in chains.
Firewall Policy
Each of the three built-in chains has a default policy, which decides what happens to a packet that reaches the end of the chain without matching any rule. User-defined chains have no policy of their own: a packet that reaches the end of one returns to the chain that called it. Every rule names a target, which is either one of the standard targets below or the name of a user-defined chain to which processing is handed. The standard targets are:
ACCEPT: let the packet through the firewall.
REJECT: drop the packet and send an ICMP (Internet Control Message Protocol) error back to the sender.
DENY: drop the packet silently, with no error to the sender. On an Internet-facing chain DENY is usually preferred, since it tells a scanner nothing; the cost is that legitimate clients wait for a timeout instead of getting an immediate error.
MASQ: masquerade the packet so that it appears to come from the firewall itself, with replies translated back to the internal host. This is valid only in the forward chain (and chains called from it), and it is what makes Linux usable as a router for a private LAN.
REDIRECT: deliver the packet to the specified port on the local host regardless of its destination address; this is the basis of transparent proxying and is valid only in the input chain (and chains called from it).
RETURN: meaningful in user-defined chains, where it stops processing in that chain and resumes in the calling chain at the rule after the jump. In a built-in chain RETURN has the same effect as falling off the end of the chain: the chain's default policy is applied.
Construct a rule chain
Constructing rule chains with ipchains is simple and flexible. Each rule can specify any combination of:
Protocol (-p): tcp, udp, icmp or all.
Source address (-s), in the format address[/mask] [port[:port]].
Destination address (-d), in the same format as the source address.
Destination port or port range (--destination-port port[:port]).
ICMP type (--icmp-type): ICMP messages come in many types, and a rule can be limited to one of them.
Interface (-i, for example eth0): the interface the packet arrived on for the input chain, the interface it will leave by for the forward and output chains.
Other options set the type-of-service bits of matching packets (-t), so that, for example, FTP traffic can be given priority over IRC (Internet Relay Chat) traffic; log matching packets to the kernel log (-l); and match on finer details such as the TCP SYN flag (-y) or non-first fragments (-f).
Given the wide range of ipchains functions and options, building a firewall can be simple or extremely complex, depending on the requirements. A simple firewall may consist of only four or five commands; a complex one may run to hundreds of ipchains commands that lock everything down and open only the specific services and ports that are needed.
Building a firewall is a demanding task. We strongly recommend the Linux Firewall Design Toolkit at www.linux-firewall-tools.com/linux/firewall. It provides a simple and detailed online firewall design interface, and even readers unfamiliar with ipchains can use it to generate firewall scripts that can be used directly.
Firewall script example
The following is a simple firewall script.
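The article's own script is not reproduced on this page. The following is an added example, not the original article's script, showing the pieces described above in one working ruleset: deny-by-default policies, a user-defined chain called from the input chain, per-protocol matches, logging, and masquerading in the forward chain. It assumes an external interface eth0, a LAN of 192.168.1.0/24 behind the firewall, and SSH and HTTP as the only exposed services; none of these are stated on the page. Because ipchains keeps no connection state, the classic "accept TCP segments that are not a bare SYN" rule (! -y) stands in for an "established connection" match.

```shell
#!/bin/sh
# Added example, not the article's own script: a small ipchains ruleset for a
# Linux box with one Internet-facing interface and a private LAN behind it.
# Assumptions (not stated on the page): the external interface is eth0, the LAN
# is 192.168.1.0/24, and inbound SSH (22) and HTTP (80) are the only exposed
# services. Set IPCHAINS=echo to print the commands instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Every rule goes through one wrapper, so a dry run is a one-variable change.
fw() { "$IPCHAINS" "$@"; }

# 1. Known starting state: flush the built-in chains, delete user chains, and
#    make input and forward deny-by-default. DENY (silent drop) rather than
#    REJECT, so a scanner learns nothing from the firewall's answers.
fw_reset() {
    fw -F
    fw -X
    fw -P input DENY
    fw -P forward DENY
    fw -P output ACCEPT
}

# 2. A user-defined chain for everything arriving on the external interface.
#    ipchains keeps no connection state, so "! -y" (TCP segments that are not
#    a bare SYN) stands in for "part of a connection we opened ourselves".
fw_external_chain() {
    fw -N ext-in
    # Anti-spoofing: our own LAN addresses never legitimately arrive from outside.
    fw -A ext-in -s "$LAN_NET" -j DENY -l
    fw -A ext-in -p tcp ! -y -j ACCEPT
    # The two services exposed to the Internet.
    fw -A ext-in -p tcp --destination-port 22 -j ACCEPT
    fw -A ext-in -p tcp --destination-port 80 -j ACCEPT
    # Answers to our own DNS queries come back from source port 53.
    fw -A ext-in -p udp --source-port 53 -j ACCEPT
    # ICMP needed for error reporting and path-MTU discovery, plus ping.
    fw -A ext-in -p icmp --icmp-type destination-unreachable -j ACCEPT
    fw -A ext-in -p icmp --icmp-type time-exceeded -j ACCEPT
    fw -A ext-in -p icmp --icmp-type echo-request -j ACCEPT
    fw -A ext-in -p icmp --icmp-type echo-reply -j ACCEPT
    # Log, then drop, whatever is left. Without this rule the packet would fall
    # off the end of ext-in, return to the input chain, and be dropped by the
    # input policy anyway, but without a log entry.
    fw -A ext-in -j DENY -l
}

# 3. Wire the chains together. Order matters: a spoofed LAN address arriving
#    on eth0 reaches the ext-in jump before the LAN accept rule below it.
#    -i is the receiving interface in input and the sending interface in forward.
fw_input() {
    fw -A input -i lo -j ACCEPT
    fw -A input -i "$EXT_IF" -j ext-in
    # Packets from the LAN on the internal interface are trusted by this host.
    fw -A input -s "$LAN_NET" -j ACCEPT
}

fw_forward() {
    # Only LAN-sourced traffic leaving via eth0 is forwarded, and it is
    # masqueraded behind the firewall's own address (MASQ is legal only here).
    fw -A forward -s "$LAN_NET" -i "$EXT_IF" -j MASQ
}

build_firewall() {
    fw_reset
    fw_external_chain
    fw_input
    fw_forward
}

# Load the rules only when asked, so sourcing this file (or a dry run) is safe.
if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```

Run `IPCHAINS=echo sh firewall.sh apply` to review the twenty ipchains commands before loading them, and `sh firewall.sh apply` as root to load them. Masquerading additionally requires IP forwarding to be enabled in the kernel (`echo 1 > /proc/sys/net/ipv4/ip_forward`), which the script deliberately does not do. With ipchains everything is stateless, so the `! -y` rule also admits unsolicited non-SYN segments; that is the accepted trade-off of this kernel generation, and one reason the connection-tracking of iptables replaced it.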