Originally Published: Wednesday, 22 November 2000 Author: Brad Marshall
Published to: enhance_articles_sysadmin/Sysadmin Page: 1/1 - [Std View]

Introduction to ipchains

You asked for it, you got it. For everyone who read Brad's firewalling piece yesterday and begged for more, here it is! This time, Brad takes you through the world of ipchains, a very important tool to create packet filtration rules under Linux.

This article will cover the basics of ipchains, including how to compile the kernel, and the basics of configuring it. The assumption is you have a basic knowledge of TCP/IP and firewalling. ipchains is the firewall software available with Linux 2.2 It is a rewrite of the older ipfwadm, used for configuring packet filtering, ip masquerading and other parts of a firewall, under linux.

To use ipchains, you need support in the kernel. Specifically, you need at least support for the following options:

CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
ipchains allows you to manage rules in the kernel packet filtering area, by adding or deleting rules from various chains. A chain is simply a set of rules that decide what to do with each packet as it traverses the chain, hence the name. By default, there are 3 chains: the input chain, the forward chain, and the output chain. When a chain goes though the firewall, it first goes through the input chain to see if it is allowed it. After this, we have the routing decision, and if the packet isn't local, i.e. destined for a different machine, it goes though the forward chain. Then, just before the packet leaves the machine, it goes through the output chain.

There are a few basic command line options with ipchains:

-N
Create a chain
-X
Delete a chain
-P
Set the default policy
-L
List rules in a chain
-F
Flush a chain
-A
Append a rule to a chain
-I
Insert a rule in a chain
-D
Delete a rule from a chain
Now, to use ipchains, you start by setting default policies on the various default chains. You do this by:
/sbin/ipchains -P
For example, to set the default input policy to reject - a very sensible precaution, you could do:
/sbin/ipchains -P input REJECT
A ipchain rule is built up of a combination of source and destination IP address, source and destinationport, protocol, interfaces and others. By building up rules with these fundamental blocks, you can create quite complex and flexible rules. To specify the source and / or destination IP address, you usethe following syntax:
/sbin/ipchains -A -s -d
The IP address can be specified in one of several ways: the normal way of doing so is just use the dns entry, or the IP address. You can also specify an IP range, either using CIDR notation, or the netmask.For example 192.168.1.0/24 or 192.168.1.0/255.255.255.0, which both specify the same IP range.

You can also specify the protocol, and in the case of tcp or udp, the port, be it a single port or a range. You can also either use the port number, or the service name from /etc/services.

There are many options for the target. You can specify a user defined chain, or you can use one of the defaults.

ACCEPT
accept the packet
DENY
drop the packet
REJECT
drop the packet, and return that it was denied
MASQ
masquerade the packet
REDIRECT
used with transparent proxying to redirect the packet to a local socket
RETURN
return to the previous chain, in the case of user defined, or use the default policy
Now we'll discuss a basic example network, which should give you an idea of how ipchains works. The network, example.net, will be using the RFC1918 private address range 192.168.1.0/24. The router will be 192.168.1.1, the mail server 192.168.1.2, the webserver 192.168.1.3, and the client workstation 192.168.1.4. Our example rules would be something like the following.
# Set default policy for all chains
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -P output ACCEPT

# Set rules for forwarding chain # Masquerade the client workstation
/sbin/ipchains -A forward -s 192.168.1.4 -j MASQ

# Log any denied packets - useful for testing
/sbin/ipchains -A forward -l -j REJECT

As you can see from the example, it's easy to get basic packet filtering working, and ipchains gives us most of the basic tools we need to firewall our network. However, you must be careful when working with firewall rules, as it is easy to deny access to legitimate users. Essential is testing your rules carefully from an outside network.