Tuesday, 20 May 2014

Firewalls Overview

What is a firewall?

Many systems connected to the internet are open to attempts by outside users to gain unauthorized access by setting up an illegal connection to the system. A firewall prevents any direct unauthorized attempts at access.

A good foundation for network security is to set up a Linux system to operate as a firewall for the network. The firewall can be used to set up either packet filtering or proxies. Packet filtering is the process of deciding whether a packet received by the firewall should be passed on to the local network. The packet filtering software checks the source and destination addresses of the packet and sends the packet on only if the rules allow it.

Proxies can be used to control access to specific services, such as web or FTP servers. A proxy is required for each service. For example, the web server has its own web proxy, while an FTP server has an FTP proxy. Proxies can also be used to cache commonly used data, such as web pages, so that users do not need to constantly access the originating site.

An additional task performed by firewalls is NAT (Network Address Translation). NAT rewrites packet addresses so that packets reach the appropriate destinations. It performs tasks such as redirecting packets to certain hosts, forwarding packets to other networks and changing the source address of packets to implement IP masquerading.

The current Linux kernel incorporates support for firewalls using the Netfilter (iptables) packet filtering framework, which implements both packet filtering and NAT for the Linux 2.4 kernel and later.

Implementing a firewall is simply a matter of providing a series of rules to govern what kind of access should be allowed on the system. If that system is also a gateway for a private network, the system's firewall can also help protect the network from outside attacks.


Netfilter implements packet filtering and NAT separately, using different tables. The command used to manage both is iptables; to work on the NAT table, add the -t nat option.

With iptables, different tables of rules can be set up to select packets according to differing criteria. Netfilter supports three tables: filter, nat and mangle. Packet filtering is implemented using a filter table that holds rules for dropping or accepting packets. Network address translation operations are implemented using the nat table. Specialized changes made to packets before they are sent out, when they are received or as they are being forwarded are implemented using the mangle table.
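The following script is an added example and is not code from the original post. It shows the two tables from the text being managed with separate iptables invocations: the filter table (the default, so no -t is needed) gets a deny-by-default policy with a few explicit openings, and the nat table (selected with -t nat) gets a MASQUERADE rule for packets leaving on the WAN interface. The interface names are assumptions: vlan2 is taken from the listing shown later in the post, eth0 is assumed for the LAN side. By default the script only echoes the commands (a dry run); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal gateway ruleset for
# the filter and nat tables. Interface names are assumptions:
#   WAN=vlan2 (name seen in the post's listing), LAN=eth0 (assumed).
# IPT defaults to "echo iptables" so the script prints instead of applying.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-vlan2}"
LAN="${LAN:-eth0}"

# Filter table (default table): drop what is not explicitly allowed.
filter_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback traffic and replies to connections this host started
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management only from the LAN side: SSH on TCP/22
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    # LAN hosts may reach the WAN; WAN may only answer established flows
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# nat table (-t nat): MASQUERADE rewrites the source address of packets
# leaving on the WAN interface, which is the IP masquerading from the text.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

apply_all() {
    filter_rules
    nat_rules
}

apply_all
```

With the default dry run, the output is the exact list of commands that would be applied, which is convenient for reviewing a ruleset before it touches a live gateway.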

By default, iptables operates on the filter table, which need not be specified. To list the rules use the -L (list) option. This includes a DNS lookup for hostnames, and shows port labels and hostnames. To show only numeric output and avoid the DNS lookup, add the -n (numeric output) option, which shows IP addresses and port numbers, e.g.
iptables -L -n
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

To operate on the nat table, add the -t nat option (here with -v for per-rule packet and byte counters), e.g.:
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 867 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vlan2  *  
Chain POSTROUTING (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan2  
Chain OUTPUT (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain WANPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination
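As an added example (not part of the original post), the functions below read the text that iptables -L -n and iptables -t nat -L -n -v print and check a gateway's state from it: the default policy of each filter chain, and whether POSTROUTING masquerades traffic leaving on the WAN interface. The sample listings are constructed to match the layout shown above; the interface name vlan2 comes from that listing, and the source/destination columns (which the listing above cuts off) are filled in as 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not from the original post. Checks run over saved
# "iptables -L -n" / "iptables -t nat -L -n -v" output.

# Constructed sample listings in the layout shown in the post.
SAMPLE_FILTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 867 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 99 packets, 6875 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain WANPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination'

# chain_policy CHAIN < listing : prints the default policy of a built-in chain.
# Header looks like "Chain INPUT (policy ACCEPT)" or "... (policy ACCEPT 99 packets, ...)".
chain_policy() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { p = $4; sub(/\)$/, "", p); print p; exit }'
}

# rules_in_chain CHAIN < listing : prints only the rule lines of that chain,
# skipping chain headers, column headers ("pkts ..." or "target ...") and blanks.
rules_in_chain() {
    awk -v chain="$1" '
        $1 == "Chain"                 { cur = $2; next }
        $1 == "pkts" || $1 == "target" { next }
        NF == 0                       { next }
        cur == chain                  { print }'
}

# has_masquerade IFACE < nat listing : exit 0 if POSTROUTING has a MASQUERADE
# rule whose "out" column (field 7 in -v output) is IFACE.
has_masquerade() {
    rules_in_chain POSTROUTING |
        awk -v wan="$1" '$3 == "MASQUERADE" && $7 == wan { found = 1 } END { exit !found }'
}

# audit_gateway WAN FILTER_LISTING NAT_LISTING : one line per check,
# non-zero exit if any check fails.
audit_gateway() {
    wan="$1"; filter="$2"; nat="$3"; rc=0
    for chain in INPUT FORWARD; do
        pol=$(printf '%s\n' "$filter" | chain_policy "$chain")
        if [ "$pol" = "DROP" ]; then
            echo "ok   $chain policy is DROP"
        else
            echo "WARN $chain policy is $pol (expected DROP)"; rc=1
        fi
    done
    if printf '%s\n' "$nat" | has_masquerade "$wan"; then
        echo "ok   MASQUERADE on $wan"
    else
        echo "WARN no MASQUERADE rule for $wan"; rc=1
    fi
    return $rc
}

audit_gateway vlan2 "$SAMPLE_FILTER" "$SAMPLE_NAT" || echo "audit found problems"
```

Run against the constructed samples, the audit reports the MASQUERADE rule as present but warns that INPUT and FORWARD still have the ACCEPT policy shown in the listing above, which is the state a default install is in before any rules are added. Replace the sample variables with `iptables -L -n` and `iptables -t nat -L -n -v` output captured from a real gateway to check it the same way.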