|[Home] [Credit Search] [Category Browser] [Staff Roll Call]||The LINUX.COM Article Archive|
|Originally Published: Wednesday, 22 November 2000||Author: Brad Marshall|
|Published to: enhance_articles_sysadmin/Sysadmin||Page: 1/1 - [Std View]|
Introduction to ipchains
You asked for it, you got it. For everyone who read Brad's firewalling piece yesterday and begged for more, here it is! This time, Brad takes you through the world of ipchains, a very important tool to create packet filtration rules under Linux.
To use ipchains, you need support in the kernel. Specifically, you need at least support for the following options:
CONFIG_FIREWALL=yipchains allows you to manage rules in the kernel packet filtering area, by adding or deleting rules from various chains. A chain is simply a set of rules that decide what to do with each packet as it traverses the chain, hence the name. By default, there are 3 chains: the input chain, the forward chain, and the output chain. When a chain goes though the firewall, it first goes through the input chain to see if it is allowed it. After this, we have the routing decision, and if the packet isn't local, i.e. destined for a different machine, it goes though the forward chain. Then, just before the packet leaves the machine, it goes through the output chain.
There are a few basic command line options with ipchains:
/sbin/ipchains -PFor example, to set the default input policy to reject - a very sensible precaution, you could do:
/sbin/ipchains -P input REJECTA ipchain rule is built up of a combination of source and destination IP address, source and destinationport, protocol, interfaces and others. By building up rules with these fundamental blocks, you can create quite complex and flexible rules. To specify the source and / or destination IP address, you usethe following syntax:
/sbin/ipchains -AThe IP address can be specified in one of several ways: the normal way of doing so is just use the dns entry, or the IP address. You can also specify an IP range, either using CIDR notation, or the netmask.For example 192.168.1.0/24 or 192.168.1.0/255.255.255.0, which both specify the same IP range.
You can also specify the protocol, and in the case of tcp or udp, the port, be it a single port or a range. You can also either use the port number, or the service name from /etc/services.
There are many options for the target. You can specify a user defined chain, or you can use one of the defaults.
# Set default policy for all chainsAs you can see from the example, it's easy to get basic packet filtering working, and ipchains gives us most of the basic tools we need to firewall our network. However, you must be careful when working with firewall rules, as it is easy to deny access to legitimate users. Essential is testing your rules carefully from an outside network.
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -P output ACCEPT
# Set rules for forwarding chain # Masquerade the client workstation
/sbin/ipchains -A forward -s 192.168.1.4 -j MASQ
# Log any denied packets - useful for testing
/sbin/ipchains -A forward -l -j REJECT