Overview of Firewalls and Masquerading (Linux in a Nutshell, 4th Edition)

2.4. Overview of Firewalls and Masquerading

A firewall computer is a secure system that sits between an internal network and an external network (i.e., the Internet). It is configured with a set of rules that it uses to determine what traffic is allowed to pass and what traffic is barred. While a firewall is generally intended to protect the network from malicious or even accidentally harmful traffic from the outside, it can also be configured to monitor traffic leaving the network. As the sole entry point into the system, the firewall makes it easier to construct defenses and monitor activity.

The firewall can also be set up to present a single IP address to the outside world, even though multiple IP addresses may be used internally. This is known as masquerading. Masquerading can act as additional protection, hiding the very existence of a network. It also saves the trouble and expense of obtaining multiple IP addresses.

IP firewalling and masquerading are implemented in Linux Version 2.4 with netfilter, also known as iptables. In Linux Version 2.2, they are implemented with the ipchains facility. The 2.0 kernels used a command called ipfwadm, which will not be covered here. The two newer commands are very similar, but differ in some of the organization of their rules. The firewalling facilities built into the 2.4 kernel are also designed to be extensible—if there is some function missing from the implementation, you can add it.

Most distributions come with firewall support already built into the kernel. If this is not the case in your distribution, you need to compile firewall support into the kernel by running make config with the 2.4 kernel and selecting the following network options:

Network packet filtering (replaces ipchains)
TCP/IP networking

Then select the following options from the IP: Netfilter Configuration menu:

IP tables support (required for filtering/masq/NAT)
Packet filtering

There are several extended target and matching rule modules you may wish to compile as well. The behavior of those extension modules is described under the iptables command. If you have an existing firewall designed for the 2.2 kernel or the 2.0 kernel, you can compile support for these older-style commands and use them with your new kernel instead of the newer iptables style of netfiltering.

For ipchains support in the 2.2 kernel, select these options:

Network firewalls
TCP/IP networking
IP: firewalling

If you want to support a transparent proxy service on your firewall, select the following option:

IP: transparent proxy support

If you want your firewall to support masquerading, select the following options as well:

IP: masquerading
IP: ICMP masquerading

The packet filtering facilities provide built-in rule sets. Each network packet is checked against each rule in the rule set until the packet either matches a rule or is not matched by any rule. These sets of rules are called chains. In the 2.4 kernel, these chains are organized into tables that separate filtering functions from masquerading and packet mangling functions. In either the 2.4 or 2.2 kernel, if a match is found, the counters on that rule are incremented and any target for that rule is applied. A target might accept, reject, or masquerade a packet, or even pass it along to another chain for processing. Details on the chains provided in both iptables and ipchains can be found under the description of the appropriate command.

In addition to these chains, you can create your own user-defined chains. You might want a special chain for your PPP interfaces or for packets from a particular site. To call a user-defined chain, you just make it the target for a match.

It is possible to make it through a chain without matching any rules that have a target. If no rule matches the packet in a user-defined chain, control returns to the chain from which it was called, and the next rule in that chain is checked. If no rule matches the packet in a built-in chain, a default policy for that chain is used. The default policy can be any of the special targets that determine what is done with a packet. The valid targets for each command are detailed in Chapter 3.

In the 2.4 kernel, you use the iptables command to define the rules. Once you have the rules defined you can use iptables-save to create a file with all the rule definitions, and iptables-restore to restore those definitions when you reboot. The equivalent 2.2 kernel commands are ipchains, ipchains-save, and ipchains-restore.

For more information on the kinds of decisions you need to make and the considerations that go into defining the rules, see a general book on firewalls such as Building Internet Firewalls (O'Reilly). For more details on ipchains or iptables, consult the Linux Network Administrator's Guide (O'Reilly), or one of the relevant HOWTOs, such as the "Linux 2.4 Packet Filtering HOWTO." These HOWTOs and a number of tutorials are available on the Netfilter web site at http://www.netfilter.org/.