In order to understand how to configure a firewall, you need to understand how the data moves from one computer to another. The best explanation I have seen comes from the IP Chains HOWTO:
All traffic through a network is sent in the form of packets. For example, downloading this package (say it's 50k long) might cause you to receive 36 or so packets of 1460 bytes each, (to pull numbers at random).
The start of each packet says where it's going, where it came from, the type of the packet, and other administrative details. This start of the packet is called the header. The rest of the packet, containing the actual data being transmitted, is usually called the body.So, ipchains looks at the to, from, and port request in the header of the packet and then looks at its rules to decide what to do with it. Examining a rule is the easiest way to understand what it is doing. Here is what I use for the pop3 part of my firewall:Some protocols, such TCP, which is used for web traffic, mail, and remote logins, use the concept of a `connection' -- before any packets with actual data are sent, various setup packets (with special headers) are exchanged saying `I want to connect', `OK' and `Thanks'. Then normal packets are exchanged.
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to deny the packet (i.e.. discard the packet as if it had never received it), accept the packet (i.e.. let the packet go through), or reject the packet (like deny, but tell the source of the packet that it has done so).
Under Linux, packet filtering is built into the kernel, and there are a few trickier things we can do with packets, but the general principle of looking at the headers and deciding the fate of the packet is still there.
One problem is that the same tool (``ipchains'') is used to control both masquerading and transparent proxying, although these are notionally separate from packet filtering (the current Linux implementation blurs these together unnaturally, leaving the impression that they are closely related).
ipchains -A input -p tcp -j ACCEPT -s 192.168.124.0/24 -d 0.0.0.0/0
110
ipchains -A input -p tcp -j DENY -d 0.0.0.0/0 -s 192.168.124.0/24
110
-A input: append this rule to the other input rules (i.e. do
not erase the other rules)
-p tcp: using the tcp protocol
ACCEPT/DENY: exactly what they say
-s: the source of the data packet
-d: the destination of the data packet. 0.0.0.0/0 means: from
anywhere, and 192.168.124.0/24 are my network addresses.
The 1st rule above says: accept any data from the local network going anywhere else for port 110. The second rule says: deny any packet coming from anywhere else going to the local network on port 110.
This sounds simple, but what if you do not know what your ip address
is - like when you dial up to the internet? And setting up each port can
take a while. Fortunately there is help. Ian
Hall-Beyer has put together 3
outstanding scripts that you can put right
into your box with a minimum of configuring. Here is his Readme file:
1) Pick the script that is appropriate to your particular network setup:After you edit the files, run the one you need. For the Masquerade/Standalone, I recommend you run it from /etc/ppp/ip-up (or ip-up.local for Redhat based systems.) Ian is working on a making it even easier with perl and a gtk interface.masquerade:
For systems on an internal RFC1918 network.standalone:
Single machines connected to the net, wanting strong security.routable:
For systems gatewaying a standard network with a routable subnet.2) Copy the appropriate script into /usr/sbin. Edit your script variables
as follows:LOCALIF: http://linux.freediskspace.com/files/42180/(Masquerade/Standalone)
This is the interface with which you are connected to the IP network.
For modems and serial port ISDN TA's, this is usually ppp0. Otherwise,
use the ethernet interface your access device is connected to.INTERNALNET: (Routable/Masquerade)
Set this to the *network* address and hostmask of the network you're
gatewaying. bitmasks or dotquadded masks are acceptable.3) If you're on a dialup, add an entry into ip-up to call the script after
you've connected. If you're on a permanent connection, call it from
rc.local.4) Change the permissions on the file:
chmod 755 /etc/masquerade[Enter]