
2.4. Overview of Firewalls and Masquerading

A firewall computer is a secure system that sits between an internal network and an external network (i.e., the Internet). It is configured with a set of rules that it uses to determine what traffic is allowed to pass and what traffic is barred. While a firewall is generally intended to protect the network from malicious or even accidentally harmful traffic from the outside, it can also be configured to monitor traffic leaving the network. As the sole entry point into the system, the firewall makes it easier to construct defenses and monitor activity.

The firewall can also be set up to present a single IP address to the outside world, even though it may use multiple IP addresses internally. This is known as masquerading. Masquerading can act as additional protection by hiding the very existence of a network. It also saves the trouble and expense of obtaining multiple IP addresses.


The discussion of iptables applies to Version 2.4 Linux kernels. As this book was being written, both iptables and the 2.4 kernel were still in development. The final product may differ slightly from what we describe here. See the O'Reilly book Linux Network Administrator's Guide by Olaf Kirch and Terry Dawson or the "Linux IPTABLES-HOWTO" for more information. This HOWTO, and a myriad of others, can be obtained from the Linux Documentation Project web sites (see the Preface).

IP firewalling and masquerading are implemented in Linux Version 2.2 with the ipchains utility and in Linux Version 2.4 with the iptables facility. The 2.0 kernels used a command called ipfwadm, which is included in the command section for older systems but will not be covered here. The two newer commands are very similar, but some of the organization of the rules they use is different. The firewalling facilities built into the 2.4 kernel are also designed to be extensible. If there is some function missing from the implementation, you could add it. See the "Linux netfilter Hacking HOWTO" for details on how to do this.

Most distributions come with all the firewall support already built into the kernel, but if it is not built into yours, you need to compile firewall support into the kernel by running make config with the 2.2 kernel and selecting all of the following networking options:

  • Network firewalls

  • TCP/IP networking

  • IP: firewalling

If you want to support a transparent proxy service on your firewall, select the following option:

  • IP: transparent proxy support

If you want your firewall to support masquerading, select the following options as well:

  • IP: masquerading

  • IP: ICMP masquerading

With the 2.4 kernel, you will need to select these options:

  • Network packet filtering (replaces ipchains)

  • IP tables support (required for filtering/masq/NAT)

  • Packet filtering

There are several extended target and matching rule modules you may wish to compile as well. The behavior of those extension modules is described under the iptables command. If you have an existing firewall designed for the 2.2 kernel, or the 2.0 kernel, you can compile support for these older-style commands and use them with your new kernel instead of the newer iptables style of netfiltering.

The firewalling facility provides built-in rule sets, or chains, against which each network packet is checked. In the 2.4 kernel, these chains are also organized into tables that separate out filtering functions from masquerading and packet mangling functions. In either kernel, if a match is found, the counters on that rule are incremented and any target for that rule is applied. A target might accept, reject, or masquerade a packet or even pass it along to another chain for processing. Details on the chains provided in both iptables and ipchains can be found under the description of the appropriate command.

In addition to these chains, you can create your own user-defined chains. You might want a special chain for your PPP interfaces or for packets from a particular site. To call a user-defined chain, you just make it the target for a match.

It is possible to make it through a chain without matching any rules that have a target. If no rule matches the packet in a user-defined chain, control returns to the chain from which it was called, and the next rule in that chain is checked. If no rule matches the packet in a built-in chain, the default policy for that chain is used. The default policy can be any of the special targets that determine what is done with a packet. The valid targets for each command are detailed in the commands section.
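As an added illustration (not code from the book or from ipchains/iptables themselves), the following small Python model walks a packet through chains the way the preceding paragraphs describe: each matching rule's counter is incremented, a user-defined chain named as a target is entered and returns to the caller if nothing in it matches, and a built-in chain falls back to its default policy. The packet fields, chain names and rule set are constructed for the example and cover only a simplified subset of what the real commands match on.

```python
from __future__ import annotations
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}   # special targets that end the walk

@dataclass
class Rule:
    target: str | None          # special target, a user-defined chain name, or None (count only)
    src: str | None = None      # source address prefix, e.g. "192.168.1."
    proto: str | None = None    # "tcp", "udp" or "icmp"
    dport: int | None = None    # destination port
    iface: str | None = None    # arriving interface, e.g. "ppp0"
    packets: int = 0            # per-rule counter, incremented on every match

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and not pkt["src"].startswith(self.src):
            return False
        return all(getattr(self, k) in (None, pkt.get(k)) for k in ("proto", "dport", "iface"))

class Firewall:
    def __init__(self):
        self.chains: dict[str, list[Rule]] = {}   # chain name -> ordered rules
        self.policy: dict[str, str] = {}          # default policy, built-in chains only

    def _walk(self, chain: str, pkt: dict) -> str | None:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.target in TERMINAL:
                return rule.target
            if rule.target in self.chains:            # jump into a user-defined chain
                verdict = self._walk(rule.target, pkt)
                if verdict is not None:
                    return verdict
            # no target, or the user-defined chain fell through: check the next rule here
        return None

    def verdict(self, chain: str, pkt: dict) -> str:
        return self._walk(chain, pkt) or self.policy[chain]   # built-in chain: fall back to policy

def demo_firewall() -> Firewall:
    # Constructed rule set: built-in "input" chain (policy DROP) and user chain "ppp-in".
    fw = Firewall()
    fw.policy["input"] = "DROP"
    fw.chains["input"] = [Rule(None, proto="icmp"),          # count ICMP, decide nothing
                          Rule("ppp-in", iface="ppp0"),      # hand PPP traffic to the user chain
                          Rule("ACCEPT", src="192.168.1.")]  # trusted LAN
    fw.chains["ppp-in"] = [Rule("ACCEPT", proto="tcp", dport=22),
                           Rule("REJECT", proto="tcp", dport=23)]
    return fw
```

A UDP packet arriving on ppp0 from 192.168.1.x shows the fall-through: "ppp-in" has no matching rule, so control returns to "input" and the LAN rule accepts it, while the same packet from any other source ends at the DROP policy.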

In the 2.2 kernel, you use the ipchains command to define the rules. Once you have the rules defined, you can use ipchains-save to create a file with all the rule definitions and ipchains-restore to restore those definitions when you reboot. The equivalent 2.4 kernel command for defining rules is iptables. iptables-save and iptables-restore were not completed at the time of this writing but should work similarly to their ipchains counterparts.

For more information on the kinds of decisions you need to make and the considerations that go into defining the rules, see a general book on firewalls such as the O'Reilly book Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. For more details on ipchains or iptables, consult the Linux Network Administrator's Guide, 2d ed. by Olaf Kirch and Terry Dawson, or consult one of the relevant HOW-TOs, such as the "Linux IPCHAINS HOW-TO" or the "Linux IPTABLES HOW-TO."


Copyright © 2001 O'Reilly & Associates. All rights reserved.