Linux makes an excellent firewall platform. Whether it fronts a Web or FTP site or sits as the gateway for an internal LAN, it gives users the tools to build a firewall that meets their particular needs.
ipchains, built into the Linux 2.2 kernel, is the system's basic packet-filtering tool: it decides whether packets are accepted, refused or passed on for routing (it replaced ipfwadm and was itself superseded by iptables in the 2.4 kernel). Combined with the inherent cost advantage of the Linux operating system, ipchains makes Linux an undeniably cheap option for a firewall between a LAN and the Internet or a corporate network.
The Linux kernel defines three built-in chains, each applied at a different point in packet processing; together they cover a very wide range of firewall functions. The three basic chains are:
Input chain (input): every packet arriving on a network interface is checked against the input chain rules before it is accepted.
Output chain (output): every outgoing packet is checked against the output chain rules before it is sent.
Forward chain (forward): every packet destined for another host is checked against the forward chain rules before it is forwarded. Note that in ipchains a forwarded packet traverses all three chains: input on arrival, then forward, then output on the way out.
Users can also define their own chains, which extend the three built-in ones: a rule in a built-in chain can jump to a user-defined chain, whose rules are then evaluated in turn.
Each of the three built-in chains has a default policy, which decides what happens to a packet that matches none of the chain's rules (user-defined chains have no policy; a packet that reaches the end of one returns to the chain that called it). A rule's target can be either one of the standard policies below or the name of a user-defined chain to which the packet is handed for further processing. The standard policies are:
ACCEPT: lets the packet through the firewall.
REJECT: drops the packet and sends an ICMP (Internet Control Message Protocol) error message back to the sender.
DENY: drops the packet silently, without any error message to the sender.
MASQ: masquerades the packet so that it appears to come from the local system, and de-masquerades the reply on its way back. This is particularly useful when Linux acts as a router for a private network; it is only valid in the forward chain (and in user-defined chains called from it).
REDIRECT: delivers the packet to a given port on the local system regardless of its destination address, as used for transparent proxying; it is only valid in the input chain (and in user-defined chains called from it).
RETURN: in a user-defined chain, stops processing that chain and resumes in the calling chain at the rule after the one that jumped. In a built-in chain, RETURN means the packet leaves the chain immediately and is handled by that chain's default policy.
Building rule chains
Constructing a rule with ipchains is quite simple and very flexible. For any rule the user can specify a range of match options, including:
Protocol (TCP, UDP, ICMP or ALL).
Source address of the packet, in the form address[/mask] [port[:port]]; the optional port or port range applies to TCP and UDP only.
Destination address of the packet, in the same form as the source address.
Destination port or port range (port[:port]), given after the destination address.
ICMP message type: there are many types of ICMP message, and a rule can be restricted to one particular type (given in place of the port).
Interface the rule applies to (such as eth0).
There are further options. The Type of Service field of TCP packets can be set so that different kinds of traffic get different priority, for example giving FTP packets a different priority from IRC (Internet Relay Chat) packets. A rule can log the packets it matches (useful for a dedicated logging chain), and more detailed matches are available, such as TCP connection-initiating (SYN) packets or IP fragments.
Given the rich set of features and options ipchains offers, a firewall can be very simple or very complex, depending on the specific requirements. A simple firewall may need only four or five commands; a complex one may consist of hundreds of ipchains commands that lock everything down and open only the specific services and ports the users need.
Firewall script example
Building a good firewall is a complex task. Here is a simple firewall script to start from:
# Refuse packets that arrive on the external interface claiming an internal source address
ipchains -A input -i eth0 -s 192.168.0.0/16 -j REJECT
# Accept SMTP (25) and POP3 (110) to the mail server; -p tcp is required whenever a port is given
ipchains -A input -p tcp -d 192.168.1.5 25 -j ACCEPT
ipchains -A input -p tcp -d 192.168.1.5 110 -j ACCEPT
# Reject every other incoming TCP connection attempt (-y matches packets with only SYN set)
ipchains -A input -p tcp -d 192.168.0.0/16 -y -j REJECT
The script appends four rules to the input chain. The first says that any packet arriving on the external interface (eth0) whose source address claims to be from the internal network (192.168.0.0/16) is refused: such a packet is forged, because someone is trying to spoof an internal address (DENY would refuse it without sending a reply to the forged address). The next two accept all TCP traffic to 192.168.1.5 on ports 25 and 110 (this host is a mail server offering SMTP on port 25 and POP3 on port 110). The last rule rejects every other incoming TCP packet to the internal range with the SYN bit set, that is, every other attempt to open a connection. Rules are matched in order and the first match decides, so the two accept rules must come before the final reject.
Whether it protects a single Linux server or acts as firewall/router for an internal LAN, ipchains provides powerful filtering. The safety and protection a complete firewall configuration brings are priceless. Linux offers all the flexibility and strength anyone could want in a firewall, together with the unique advantage of low cost.
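The following is an added example, not a script from the original article: it extends the four-rule script above into a complete host firewall that uses the chain and target semantics described earlier (default policies on the built-in chains, a user-defined chain with RETURN, DENY versus REJECT, and -l logging). The interface, network, mail server and resolver addresses (EXT_IF, INT_NET, MAIL_HOST, NAMESERVER) are assumed values; replace them with your own. When the script is not run as root on a machine with ipchains installed, it prints each command instead of loading it, so the ruleset can be reviewed as a dry run first.

```sh
#!/bin/sh
# ipchains firewall for a Linux 2.2 host with one Internet-facing interface.
# Added example; EXT_IF, INT_NET, MAIL_HOST and NAMESERVER are assumed values.
EXT_IF="eth0"               # interface facing the Internet
INT_NET="192.168.0.0/16"    # our internal address range
MAIL_HOST="192.168.1.5"     # SMTP/POP3 server behind this firewall
NAMESERVER="192.168.1.2"    # the only resolver this host queries

# Without root and a real ipchains binary, print each command instead of
# loading it (dry run), so the ruleset can be reviewed before it is applied.
if [ "$(id -u)" = 0 ] && command -v ipchains >/dev/null 2>&1; then
    IPC="ipchains"
else
    IPC="echo ipchains"
fi

load_firewall() {
    # 1. Start clean and lock down. Default policies exist only on the
    #    built-in chains; anything not matched below is silently dropped.
    $IPC -F
    $IPC -X
    $IPC -P input DENY
    $IPC -P output ACCEPT
    $IPC -P forward DENY

    # 2. Trust the loopback interface.
    $IPC -A input -i lo -j ACCEPT

    # 3. Anti-spoofing: an internal source address must never arrive on the
    #    external interface. DENY rather than REJECT, so no reply goes to a
    #    forged address; -l logs the attempt.
    $IPC -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l

    # 4. User-defined chain for the mail server. Connection attempts (-y) to
    #    that host jump here; anything other than SMTP or POP3 hits RETURN and
    #    continues in the input chain, where it is logged and denied below.
    $IPC -N mail
    $IPC -A mail -p tcp -d "$MAIL_HOST" 25 -j ACCEPT
    $IPC -A mail -p tcp -d "$MAIL_HOST" 110 -j ACCEPT
    $IPC -A mail -j RETURN
    $IPC -A input -p tcp -d "$MAIL_HOST" -y -j mail

    # 5. Traffic belonging to connections we initiated: TCP packets that are
    #    not SYN-only (! -y), and DNS answers from our resolver.
    $IPC -A input -p tcp ! -y -j ACCEPT
    $IPC -A input -p udp -s "$NAMESERVER" 53 -j ACCEPT

    # 6. ICMP errors needed for working TCP (path MTU discovery, unreachable).
    #    In ipchains the ICMP type takes the place of the source port.
    $IPC -A input -p icmp -s 0/0 destination-unreachable -j ACCEPT
    $IPC -A input -p icmp -s 0/0 time-exceeded -j ACCEPT

    # 7. Everything else: log it, then drop it. The DENY policy would drop it
    #    anyway, but without leaving a log entry.
    $IPC -A input -j DENY -l
}

load_firewall
```

Run it once as a non-root user to read the 17 commands it would issue and check their order (anti-spoofing before any accept, the catch-all log-and-deny last); then run it as root to load them. Because the first match decides in ipchains, reordering these rules changes what the firewall does.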