8. IP filtering setup (IPCHAINS)

Linux ipchains is a rewrite of the Linux IPv4 firewalling code and a rewrite of ipfwadm, which was a rewrite of BSD's ipfw, I believe. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.

The older code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error). Or so the author says.

I'm not going to get real deep into how to control an IPChains firewall because there is a GREAT!! HOWTO on it at http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html. I'd just end up duplicating it here. Here are the basics.

You work with chains by name. You start with three built-in chains input, output and forward which you can't delete. You can create chains of your own. Rules can then be added and deleted from these rule sets.

The operations to work on entire chains are;

1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy for a built-in chain. (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate rules inside a chain:

1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain (-D).
5. Delete the first rule that matches in a chain (-D).

There are a few operations for masquerading, which are in ipchains for want of a good place to put them:

1. List the currently masqueraded connections (-M -L).
2. Set masquerading timeout values (-M -S).

There are some timing issues involved in altering firewall rules. If you are not careful, you can let packets through while you are half-way through your changes. A simplistic approach is to do the following:

     # ipchains -I input 1 -j DENY
     # ipchains -I output 1 -j DENY
     # ipchains -I forward 1 -j DENY

... make changes ...

     # ipchains -D input 1
     # ipchains -D output 1
     # ipchains -D forward 1
     # 

This drops all packets for the duration of the changes.

Here a duplicate of the above firewall rules in IPChains.

#!/bin/sh
#
# rc.firewall
#
## Flush everything, start from scratch
  /sbin/ipchains -F input
  /sbin/ipchains -F output
  /sbin/ipchains -F forward

## Redirect for HTTP Transparent Proxy
  #$IPCHAINS  -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080

## Create your own chain
  /sbin/ipchains -N my-chain
  # Allow email to got to the server
  /sbin/ipchains -A my-chain -s 0.0.0.0/0 smtp -d 192.1.2.10 1024:-j ACCEPT
  # Allow email connections to outside email servers
  /sbin/ipchains -A my-chain -s 192.1.2.10 -d 0.0.0.0/0 smtp -j ACCEPT  
  # Allow Web connections to your Web Server
  /sbin/ipchains -A my-chain -s 0.0.0.0/0 www -d 192.1.2.11 1024: -j ACCEPT
  # Allow Web connections to outside Web Server
  /sbin/ipchains -A my-chain -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
  # Allow DNS traffic
  /sbin/ipchains -A my-chain -p UDP -s 0.0.0.0/0 dns -d 192.1.2.0/24 -j ACCEPT

## If you are using masquerading
  # don't masq internal-internal traffic
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
  # don't masq external interface direct
  /sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
  # masquerade all internal IP's going outside
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ

## Deny everything else
  /sbin/ipchains -P my-chain input DENY

Don't stop here. This is not a great firewall and I'm sure you have other services you will be providing. Again, read the IPCHAINS-HOWTO.