Use iptables to set up a firewall
Q I want to set up a firewall but I'm not sure where to start. The default firewalls in the distros I've tried are a bit basic - I need something with more control. I've heard that Iptables is the way to go, but it seems very complicated, with some arcane-looking rules. Is there something that gives me decent control over what is and isn't allowed, but in a more accessible way?
A All firewalling takes place inside the Linux kernel, using the netfilter modules. These actually do a lot more than firewalling, handling anything to do with routing, forwarding, blocking and tracking network packets. Iptables is the user space application that controls netfilter, and is usually used in conjunction with a file containing a series of rules that are applied to netfilter. It's possible to write the rules file with a text editor, and many people do, but it requires a decent knowledge of the various options and their consequences. Remember that computers do what you tell them to do, not what you want them to.
It's possible to create a set of rules that leaves your computer open to attack, while believing that it's locked down. That's where the various firewall front-ends come in; they enable you to specify your needs and create the Iptables rules for you. The rule files they create are then read by Iptables at startup and you can even create rules on one machine and transfer them to another. One popular firewall front-end is Guarddog (www.simonzone.com/software/guarddog). Guarddog works with zones, defined for the local computer and the internet to start with. You group computers or networks in these zones, so the first step may be to create a LAN zone for other computers on your network. If you have only one computer, the local and internet zones will be enough.
Once the zones are defined, use the Protocols tab to specify what types of communication you allow to and from other zones. For example, you may want to allow NFS or SMB connections from the LAN so other computers can see your shared directories, but you almost certainly don't want this open to the internet. The protocols are grouped by category and the lower left pane shows a description of the selected protocol. By default, everything from other zones to the local machine is turned off, so enable the services you need and click Apply. Now try to use services that you haven't enabled to see whether the results are as expected. The Logging tab controls writing of blocked and rejected packets to the system log. This can be useful when testing a setup but can also fill up the filesystem containing /var/log if overused. In the Advanced section you can disable the firewall, which is a good test if something doesn't work.
If it starts working when you disable the firewall, you need to look at the firewall rules. You can also enable DHCP - useful if you're following the LTSP tutorial in this issue - and export a set of rules for use on another machine. The final tab, Port Reference, is useful to see what each port number generally handles.
- Configuring the kernel for IPTables support
- Blocking SSH access to a particular PC with iptables
- Turn off ports using iptables via a web-based front-end
- Vsftp: connections from behind a firewall hang
- How to exclude a port from a Linux firewall