Using Linux iptables or ipchains to set up an internet gateway / firewall / routerfor home or office.

Network Address Translation (NAT) and Network Topologies:

Network Address Translation (NAT) allows an individual on a computer on a private network to point their web browser to access a site on the internet via a gateway computer connecting the local LAN to the internet. This request is recognized to be beyond the local network so it is routed to the Linux gateway using the private network address. The request for the web page is sent to the web site using the external internet IP address of the gateway. The request is returned to the gateway which then translates the IP address to computer on the private network which made the request. This is often called IP masquerading. The Linux OS interface which enables one to configure the kernel for masquerading is either iptables (Linux kernel 2.4) or ipchains (Linux kernel 2.2).

The gateway Linux computer will need two IP addresses and network connections, one to the private internal network and another to the external public internet. The computers (any OS) on the interior Local Area Network (LAN) will have a locally configured IP address. Use the IP Address range reserved for local LAN use. Typically the external IP address is assigned to you by your Internet Service Provider (ISP).

A note on private network IP addresses: A set of IP addresses has been reserved by IANA for private networks. They range from 192.168.0.1 to 192.168.254.254 for a typical small business or home network and are often referred to as private network addresses. This is defined by RFC 1918 (IPv4) and by RFC 4193 (IPv6). Most private networks conform to this scheme.

Block	Range		CIDR Notation	Default Subnet Mask	Number of hosts
24 bit block in class A	10.0.0.0	10.255.255.255	10.0.0.0/8	255.0.0.0	16,777,216
20 bit block in class B	172.16.0.0	172.31.255.255	172.16.0.0/12	255.240.0.0	1,048,576
16 bit block in class C	192.168.0.0	192.168.255.255	192.168.0.0/16	255.255.0.0	65,536

The actual number of hosts will be fewer that listed because addresses on each subnet will be reserved as a broadcast address, etc.

While Classless Inter-Domain Routing (CIDR) is used to define network blocks, the notion of a class helps categorize network blocks. For a description of class A, B, and C networks see the YoLinux Networking Tutorial class description.

The private networks may be subdivided into various subnets as desired. Examples:

Range		CIDR Notation	Default Subnet Mask	Number of hosts
10.2.3.0	10.2.4.255	10.2.3.0/23	255.255.254.0	512
172.16.0.0	172.17.255.255	172.16.0.0/15	255.254.0.0	132608
192.168.5.128	192.168.5.255	192.168.5.128/25	255.255.255.128	128

Your choice of network addresses for your local LAN will typically conform to a class "C" address block while your external IP address for the gateway computer will be that assigned by your ISP or corporate network administrator.

Firewall versions vs Linux kernel versions:

First we must determine what firewall mechanisms are available to us to perform the Network Address Translation and then turn it on if necessary:

Note: References to ipfwadm and ipchains refer to older deprecated software.

Firewall Command	Linux Kernel Version	Red Hat Version
firewall-cmd	3.6.10+	RHEL 7, CentOS7,Fedora 18+
iptables	2.4.x, 2.6.x, +	7.1 - 9.0, RHEL 5/6, CentOS 5/6, Fedora 1-17
ipchains	2.2.x	6.x, 7.0
ipfwadm	2.0.x	5.x

Note: the default Linux 2.4 kernel may use ipchains or iptables but not both. Iptables is the preferred firewall as it supports "state" and can recognize if a network connection has already been "ESTABLISHED" or if the connection is related to the previous connection (required for ftp which makes multiple connections on different ports). Ipchains can not. Ipchain rules take precedence over iptables rules. During system boot, the kernel attempts to activate ipchains, then attempts to activate iptables. If ipchain rules have been activated, the kernel will not start iptables.

The Linux kernel 2.4 will not support ipchains unless that option is configured (during install or later). If during install you select "Disable Firewall - no protection" then ipchains will not be available and you must rely upon iptables for a manual firewall configuration. (iptables only. ipchains will be unavailable)

GUI configuration:

firewall-cmd: Use the GUI tool firewall-config
iptables: The GUI configuration tool /usr/bin/redhat-config-securitylevel can be used to choose a pre-configured firewall (High, Medium or no firewall) or it can be used to manually configure rules based on the network services your server will offer. The init script /etc/rc.d/init.d/iptables will use rules stored in /etc/sysconfig/iptables.
ipchains: The tool that does this is lokkit (or /usr/bin/gnome-lokkit), which uses ipchains to configure firewall options for High and Low security options. To support ipchains after install, run /usr/bin/gnome-lokkit and configure a firewall. It will configure ipchains to activate the firewall. Lokkit will generate the file /etc/sysconfig/ipchains. (Used by init script /etc/rc.d/init.d/ipchains which calls /sbin/ipchains-restore)
To see if ipchains and the Lokkit configuration is invoked during system boot, use the command:
```
    chkconfig --list | grep ipchains
```

The default Red Hat Linux 2.4 kernel is compiled to support both iptables and ipchains. Kernel support for ipchains is available during a kernel configuration and compilation. During make xconfig or make menuconfig turn on the feature: "IP: Netfilter Configuration" + "ipchains (2.2-style) support".

Check your installation by using the command: rpm -q iptables ipchains
These packages must be installed. The commands iptables and ipchains are the command interfaces to configure kernel firewall rules. The default Red Hat kernel 2.4 supports iptables and ipchains. (But not both at the same time.)

[Potential Pitfall]: When performing an upgrade instead of a new install, the upgrade software will not install iptables as did not exist on the system previously. It will perform an upgrade to a newer version of ipchains. If you wish to use iptables, you must manually install the iptables RPM.
i.e.: rpm -ivh iptables-XXX.i386.rpm

[Potential Pitfall]: The Linux operating system kernel may load or not load what you had expected. Use the command lsmod to see if ip_tables or ip_chains were loaded.

Switching a running system from ipchains to iptables: (Red Hat - Linux kernel 2.4 specific)

Sequence	Command	Description
1	chkconfig --del ipchains	Remove ipchains from system boot/initialization process
2	chkconfig --add iptables	Add iptables to system boot/initialization process
3	ipchains -F	Flush ipchains rules
4	service ipchains stop	Stop ipchains. Also: `/etc/init.d/ipchains stop`
5	rmmod ipchains	Unload ipchains kernel module. Iptables kernel module can not be loaded if the ipchains module is loaded
6	service iptables start	Load iptables kernel module. Also: `/etc/init.d/iptables stop`

Example 1: Linux connected via PPP (serial)

This example uses a Linux computer connected to the internet using a dial-up line and modem (PPP). The Linux gateway is connected to the internal network using an Ethernet card. The internal network consists of Windows PC's.

The Linux box must be configured for the private internal network and PPP for the dial-up connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command to configure the private network. i.e. (as root)

Configure the network interface to the LAN using either the ip of ifconfig commands:

Using the ip command to configure both network interfaces.

/sbin/ip add 192.168.10.101/255.255.255.0  broadcast 192.168.10.255  dev eth1  # Private LAN

Using the ifconfig command to configure both network interfaces.

/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255    # Private LAN

Note: The modem connection is typically assigned an IP address dynamically by DHCP from the ISP.

This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot. (i.e. /etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning network addresses.

Example /etc/sysconfig/network-scripts/ifcfg-eth1:

BOOTPROTO="static" 
IPADDR="192.168.10.101" 
NETMASK="255.255.255.0" 
DEVICE="eth1" 
ONBOOT="yes"

Pick up config file changes: systemctl restart NetworkManager

Run one of the following scripts on the Linux gateway computer:

iptables:

iptables --flush                         # Flush all the rules in filter and nat tables
iptables --table nat --flush

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT         # Assuming one NIC to local LAN

echo 1 > /proc/sys/net/ipv4/ip_forward    # Enables packet forwarding by kernel

ipchains:

#!/bin/sh
ipchains -F forward                                # Flush all previous rules and settings
ipchains -P forward DENY                           # Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     # Use IP address of gateway for private network
ipchains -A forward -i ppp0 -j MASQ                # Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward             # Enables packet forwarding by kernel

A PPP connection as described by the YoLinux PPP tutorial will create the PPP network connection as the default route.

Example 2: Linux connected via an Ethernet connection (via DSL, Cable, T1)

High speed connections to the internet result in an Ethernet connection to the gateway. Thus the gateway is required to possess two Ethernet Network Interface Cards (NICs), one for the connection to the private internal network and another to the public internet. The Ethernet cards are named eth and are numbered uniquely from 0 upward.

Configure the network interface using either the ip of ifconfig commands:

Using the ip command to configure both network interfaces.

/sbin/ip add XXX.XXX.XXX.XXX/255.255.255.0 broadcast XXX.XXX.XXX.255 dev eth0  # Internet
/sbin/ip add 192.168.10.101/255.255.255.0  broadcast 192.168.10.255  dev eth1  # Private LAN

Using the ifconfig command to configure both network interfaces.

/sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255  # Internet
/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255    # Private LAN

Also see notes on adding a second NIC.

Example /etc/sysconfig/network-scripts/ifcfg-eth1:

BOOTPROTO="static" 
IPADDR="192.168.10.101" 
NETMASK="255.255.255.0" 
DEVICE="eth1" 
ONBOOT="yes"

Pick up config file changes: systemctl restart NetworkManager

Run the appropriate script on the Linux computer where eth0 is connected to the internet and eth1 is connected to a private LAN. Select one of the options depending on the generation of Linux you are using: firewall-cmd, iptables or ipchains

firewall-cmd:

Firewalld is preferred for CentOS7/RHEL7/Fedora 18+ and requires the use of NetworkManager. If not using NetworkManager, use iptables.

Enable and start the firewall daemon:

sudo systemctl enable firewalld
sudo systemctl start firewalld

Use the preconfigured "default" zone for the public external internet connection: public
The default zone can be determined with the command: firewall-cmd --get-default-zone
Use the preconfigured zone for the private internal internet connection: internal
The firewalld configuration is in /etc/firewalld/firewalld.conf with zones defined in the directory /etc/firewalld/zones/
All network interfaces by default are assigned to the "default" zone. Assign a network interface to the private LAN by adding a "ZONE" assignment to the existing configuration.

Edit file: /etc/sysconfig/network-scripts/ifcfg-eth1
```
...
...
ZONE=internal
    
```
Edit file: /etc/sysconfig/network-scripts/ifcfg-eth0
```
...
...
ZONE=public
    
```

Pick up changes: (choose one)

systemctl restart network
systemctl restart firewalld
nmcli con reload
(NetworkManager Command Line Interface)
service network restart
or reboot

Show zones: firewall-cmd --list-all-zones

# Set up IP FORWARDing and Masquerading
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --zone=internal --add-source=192.168.10.0/24
# or use a "direct" iptables configuration:
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24
# Add services offered by the gateway. eg if the gateway is acting as a DHCP server and web server:
firewall-cmd --permanent --zone=internal --add-service=dhcp
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload

echo 1 > /proc/sys/net/ipv4/ip_forward    # Enables packet forwarding by kernel

The command line argument "--permanent" is optional.

iptables:

# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush            # Flush all the rules in filter and nat tables
iptables --table nat --flush

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward             # Enables packet forwarding by kernel

Linux kernel 2.4.x+

ipchains:

#!/bin/sh
ipchains -F forward                                # Flush rules
ipchains -P forward DENY                           # Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     # Use IP address of gateway for private network
ipchains -A forward -i eth1 -j MASQ                # Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward

Linux kernel 2.2.x

Configure route for the gateway system:

Create a route for your local LAN to the outside world:

route add  -net 192.168.10.0  netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth0

Where XXX.XXX.XXX.XXX is the internet gateway defined by your ISP. This route may be assigned via DHCP if the system is configured. For more information on routing see the YoLinux networking tutorial

Hardware:

Note: While this configuration requires that the Linux gateway computer have two network cards, if you only have one PCI slot available you may use a card such as the Intel Pro 100 or Pro 1000 Dual Port which has two Ethernet connections which reside on a single card. (This is what I use) Yolinux Hardware tutorial: More on Network interface cards

Intel PCI Dual Pro 100 or Pro 1000 NIC card supports two physical Ethernet connections (eth0, eth1) on one card.
Compliant Standards: IEEE 802.3-LAN, IEEE 802.3U-LAN , Plug and Play
Connectivity Technology: Cable - 10Base-T, 100Base-TX
Data Link Protocol: Ethernet, Fast Ethernet
Processor: 82550 - Intel

Configuring PCs on the office network:

All PC's on the private office network should set their "gateway" to be the local private network IP address of the Linux gateway computer.
The DNS resolution should be set to that of the ISP on the internet.

Windows '95 Configuration:

Select "Start" + Settings" + "Control Panel"
Select the "Network" icon
Select the tab "Configuration" and double click the component "TCP/IP" for the Ethernet card. (NOT the TCP/IP -> Dial-Up Adapter)
Select the tabs:
- "Gateway": Use the internal network IP address of the Linux box. (192.168.XXX.XXX)
- "DNS Configuration": Use the IP addresses of the ISP Domain Name Servers. (Actual internet IP address)
- "IP Address": The IP address (192.168.XXX.XXX - static) and netmask (typically 255.255.255.0 for a small local office network) of the PC can also be set here.

Linux computers:

IP Address: Use ip or ifconfig commands to set the IP address and netmask.
- Using the ip command to configure both network interfaces.
```
/sbin/ip add 192.168.10.10/255.255.255.0  broadcast 192.168.10.255  dev eth0
                
```
- Using the ifconfig command to configure both network interfaces.
```
/sbin/ifconfig eth0 192.168.10.10 netmask 255.255.255.0 broadcast 192.168.10.255
                
```
See Assigning an IP address portion of the Networking tutorial.
Gateway Route: The gateway is set with the "ip" or "route" command:
- Using the ip command:
```
ip route add 192.168.10.0/24 via 192.168.10.101 dev eth0
            
```
- Using the route command:
```
route add 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.101 dev eth0
            
```
Where the NAT gateway Linux router has the IP address 192.168.10.101
This can also be set by the GUI tool /usr/bin/netcfg or console tool /usr/sbin/netconfig which can permanently set the values in /etc/sysconfig/network-scripts/ifcfg-eth0
DNS: Configure file /etc/resolv.conf to set the DNS resolvers and default domain. Example:
```
search internal.megacorp.com
nameserver 172.31.0.2
nameserver 172.31.0.3
            
```
See the Network configuration files portion of the Networking tutorial.
Simple firewall for the desktop Linux system: (not required, just added security protection)
```
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
                    
```
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).

Iptables options: (Linux kernel 2.4/2.6 firewall)

General /sbin/iptables format to add rules:
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

Six pre-defined "chain" rules are available:

INPUT
OUTPUT
INPUT
FORWARD
PREROUTING
POSTROUTING
User defined chains (just give it a new name instead of one of the pre-defined names)

iptables options:

--table -t	Description
filter	Default table. This is used if not specified
nat	Network address translation
mangle	Used for Quality Of Service (QOS) and preferential treatment
raw	Enables optimization. i.e. Ignore firewall state matching for port 80 for enhanced speed due to less processing. Requires kernel patch

Command (Use one)	Description
-A --append	Append rule to chain
-D --delete	Delete rule from chain
-I --insert	Insert rule at beginning or at specified sequence number in chain.
-R --replace	Replace rule
-F --flush	Flush all rules
-Z --zero	Zero byte counters in all chains
-L --list	List all rules. Add option `--line-numbers` for rule number.
-N --new-chain	Create new chain
-X --delete-chain	Delete user defined chain
-P --policy	Set default policy for a chain
-E --rename-chain	Rename a chain

Command Option	Description
-s --source	Source address of packet
-d --destination	Destination address of packet
-i --in-interface	Interface packet is arriving from
-o --out-interface	Interface packet is going to
-p --protocol	Protocol: °tcp --sport port[:port] --dport port[:port] --syn °udp °icmp °mac ...
-j --jump	Target to send packet to
-f --fragment	Fragment matching
-c --set-counters	Set packet/byte counter
-m tcp --match tcp	°--source-port port[:port] (port # or range #:#) °--destination-port port[:port] °--tcp-flags
-m state --match state	--state °ESTABLISHED °RELATED °NEW °INVALID (Push content, not expected to receive this packet)

Defined Policies	Description
ACCEPT	Let packet through
DROP	Deny packet with no reply
REJECT	Deny packet and notify sender
RETURN	Handled by default targets
MARK	Used for error response. Use with option --reject-with type
MASQUERADE	Used with nat table and DHCP.
LOG	Log to file and specify message: °--log-level # °--log-prefix "prefix" °--log-tcp-sequence °--log-tcp-options °--log-ip-options
ULOG	Log to file and specify userpace logging messages
SNAT	Valid in PREROUTING chain. Used by nat.
REDIRECT	Used with nat table. Output.
DNAT	Valid in POSTROUTING chain. Output.
QUEUE	Pass packet to userspace.

For the full info see the man page for iptables.

Ipchains options: (Linux kernel 2.2 firewall)

General /sbin/ipchains format to add rules:
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]

ipchains options:

Command	Description
-A	Add rule to chain
-D	Delete rule from chain
-I	Insert rule
-R	Replace rule
-F	Flush all rules
-L	List all rules
-N	Create new chain
-X	Delete user defined chain
-P	Set default target

Command Option	Description
-s	Source address of packet
-d	Destination address of packet
-i	Interface packet is arriving from
-p	Protocol
-j	Target to send packet to
-y	For -p tcp. Packet is SYN packet.
--icmp-type	For -p icmp.
-l	Log the packet to syslog. `/var/log/messages` Available in default Red Hat 6.0+ kernel

System targets (policy)	Description
ACCEPT	Let packet through
DENY	Deny packet
REJECT	Deny packet and notify sender
MASQ	Forward chain masquerade
REDIRECT	Send to different port
RETURN	Handled by default targets

Four chain rule types are available:

IP input chain
IP output chain
IP forwarding chain
User defined chains (just give it a new name instead of the built-in names: input, output or forward)

For the full info see the man page for ipchains. To add firewall rules read the links provided below.

Adding more security rules to your gateway:

iptables:

Deny a specific host: iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

Block ports by adding the following firewall rules:

# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT  -i lo -p all -j ACCEPT  # Rule for your computer to be able to access itself via the loopback
iptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       # Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       # Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  # Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       # Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        # Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        # Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        # Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        # Block Sun rpc/NFS
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP            # Deny packets which claim to be from your loopback interface.

These rules may be executed on their own to protect your system while attached to the internet or they may be appended to the end of the iptables gateway NAT scripts above.

Debugging and logging:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

Add this to the end of your rules and you should be able to monitor dropped connections in /var/log/messages. I do NOT log in this method due to the outrageous volume of messages it generates. Use this for debugging or short term monitoring of the network.

Another approach to firewalls is to drop everything and then grant access to each port you may need.

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT                       # Allow self access by loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT          # Open ftp port
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT          # Open secure shell port
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT          # Open HTTP port
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   # Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP               # Drop all other connection attempts. Only connections defined above are allowed.

ipchains:

This script configures firewall rules for a Linux computer with two Ethernet ports. One port connects the computer to the internet with an external address of XXX.XXX.XXX.XXX. The other Ethernet port connects the computer to an internal network of 192.168.10.0 to 192.168.10.255. This script is more complex but preferred to the previous scripts because of the extra security that the extra firewall rules offer. The script does work with a system running portsentry. For more on portsentry see the YoLinux Internet Security: portsentry Tutorial.

Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo

Gateway script for ipchains firewall and NAT:

#!/bin/sh

# Flush Rules
ipchains -F forward 
ipchains -F output 
ipchains -F input 

# Set default to deny all
ipchains -P input   DENY
ipchains -P output  DENY 
ipchains -P forward DENY 

# Add Rules

# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

# Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l

# Accept requests/responses from/to your own firewall machine
ipchains -A input   -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
ipchains -A output  -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0

# Allow outgoing packets source (s) to destination (d)
ipchains -A input   -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
ipchains -A output  -j ACCEPT -p all -s 192.168.10.0/24 -i eth1

# Deny and log (option -l) outside packets from internet which claim to be from your loopback interface
ipchains -A input  -j REJECT -p all -s localhost  -i eth0 -l

ipchains -A forward -s 192.168.10.0/24 -j MASQ
ipchains -A forward -i eth1 -j MASQ

# Enable  packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Notes:

For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
The -d 0.0.0.0/0 refers to all or any destination address of packet. (destination in this case is irrelevant and the -d statement may be omitted))
localhost refers to your loopback interface on 127.0.0.1

Red Hat will configure firewall rules as an option during installation.

Example of the security configuration: /etc/sysconfig/ipchains
This is the configuration file for the script /etc/rc.d/init.d/ipchains (which calls /sbin/ipchains-restore) which may be invoked during system boot.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT                # Allow WWW http access to web server
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT                # Allow SSH (Secure Shell) access
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT  # Allow DHCP/BOOTPC
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT  
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT  # eth1 internal network access OK. External eth0 goes through firewall rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT    # This shuts off telnet,FTP,bind...! Use for a workstation only
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT       # Workstation only or explicitly ports as above with 80, 22
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT         # Block NFS
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT # Block remote X-Window connections
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT      # Block remote font server connections

Note: Once ipchains have been invoked for kernel 2.4, one may NOT use iptables. You may use one or the other but not both.

Save/restore an tables/ipchains configuration:

IpTables: iptables-save man page
/sbin/iptables-save > /etc/sysconfig/iptables.rules
/sbin/iptables-restore < /etc/sysconfig/iptables.rules
IpChains:
/sbin/ipchains-save > /etc/sysconfig/ipchains.rules
/sbin/ipchains-restore < /etc/sysconfig/ipchains.rules

The system init script looks for the file name /etc/sysconfig/ipchains instead of /etc/sysconfig/ipchains.rules. This will make the rules accessible to the init script which will invoke the rules upon system boot. See the YoLinux Init process tutorial for more information on init scripts and system boot procedures.

Also see: how to turn off ICMP and look invisible to ping.

Linux IP Forwarding:

Choose one of the following to allow the Linux kernel to forward IP packets:

Immediately allow the forwarding of packets. The configuration is not preserved on reboot but sets a flag in the kernel itself.
```
    echo 1 > /proc/sys/net/ipv4/ip_forward
```
Another method is to alter the Linux kernel config file: /etc/sysctl.conf
Set the following value:
```
    net.ipv4.ip_forward = 1
```
This will configure the system to allow forwarding of packets upon system boot. It is stored in this configuration file and thus read and set upon system boot. If set to "0" then there will be no forwarding of packets.
An alternate method is to alter the network script: /etc/sysconfig/network
```
     FORWARD_IPV4=true
```
Change the default "false" to "true".

All the above methods will result in a proc file value of "1" to allow TCP packet forwarding. Options 2 and 3 set boot configurations in a configuration file and will not take effect until system boot or until this command is issued: sysctl -p
Test the current setting of the kernel: cat /proc/sys/net/ipv4/ip_forward

Note: The /proc directory is NOT on your hard drive but is present in the running kernel.

CIDR Notation:

The notation "/24" refers to the use of the first 24 bits of a 32 IP address. The is the equivalent of using the bitmask 255.255.255.0. To put it another way, it specifies a range of IP addresses: 0 to 255 for the last octet while the first three remain constant.

Example: 192.168.103.0/24 refers to the IP address range 192.168.103.0 to 192.168.103.255

The notation "/32" refers to a single IP address as it implies that all 32 bits of the IP address are significant.

proc file settings:

Additional security rules for gateway protection: The gateway is the system exposed to the internet and thus is the first line of defense against hackers. Here are some extra security tips.

Turning on Linux kernel support for spoof and DOS (Denial Of Service) protection:
```
   echo 1 >/proc/sys/net/ipv4/tcp_syncookies
```
Must first be compiled into kernel. (Included in Redhat default kernel) By default the Redhat install has this disabled (set to 0). This helps to prevent against the common 'syn flood attack'. A connecting computer (peer) may not receive reliable error messages from an over loaded server with syncookies enabled.
For more on SYS cookies see: CERT Advisory CA-96.21
Turn on Source Address Verification: (Off by default on Red Hat install - set to 0)
```
   echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter
   OR
   echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
```
State the interface appropriate for your installation.
The first example prevents spoofing attacks against your external networks only.

IP spoofing is a technique where a host sends out packets which claim to be from another host. It is also used to hide the identity of the attacker.

The TCP Man page - Linux Programmer's Manual and /usr/src/linux/proc.txt [link] (Kernel 2.4) cover /proc/sys/net/ipv4/* file descriptions.

Also see:

local file:/usr/src/linux/Documentation/proc.txt
proc man page

Configuration Tools:

GUI tools and scripts exist to help you with the configuration of ipchains. See:

Firestarter - Configuration of firewall and real-time hit monitor for the Gnome desktop. Configures ipchains (kernel 2.2) and iptables (kernel 2.4)
Firewall Builder - iptables, ipfilter and OpenBSD PF. (GTK--)

Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)

Tools for iptables configuration:

Webmin - Linux web admin tool
Shorewall
NARC: Netfilter Automatic Rule Configurator

SSH Tunneling Through The Gateway:

One can give access and expose a system on the local LAN to the outside network via the gateway router. For example one can use SSH to allow web traffic to the gateway to be passed on the an internal web server.

Run the following command on the NAT'ed web server on the local LAN to generate a connection between the web server and the gateway which will forward all web traffic received on the gateway on port 8080 and re-route it to port 80 on the internal web server.

ssh -nNT -R 8080:localhost:80  user1@gateway.megacorp.com

or using port 80 for all web traffic:

ssh -nNT -R 80:localhost:80  user1@gateway.megacorp.com

Links and information:

firewalld:

iptables:

IpTables.org - Netfilter/Iptables home page
Linux iptables syntax - by Shane Chen
ipmenu - Console based application for viewing and editing iptables and chains.
Bastille Linux - Security hardening system (script)
IPTables Firewall Script - Bob Sully

ipchains:

Man page for ipchains
Man page for ifconfig
Ipchains HOWTO - LDP - Paul Russell
Linux Firewall Script - ipchains and ipfwadm scripts and configuration. (It's the fanciest I've seen.) - by Craig Zeller
linas.org: Linux NAT, Load Balancing, and High Availability
Config /etc/rc.d/init.d/firewall script file -Web Server
Config /etc/rc.d/init.d/firewall script file - Mail Server

Relevant networking links:

Traffic shaping - bandwidth allocation using tc - by Shane Chen
- tc examples
PPP Dialing your ISP - TUTORIAL
Man page for resolv.conf
Man page for pppd
Man page for chat
Connecting to an ISP
Networking overview HOWTO - LDP
Modem HOWTO - LDP
Smoothwall.org - Web managed OS for Firewall, VPN, Dialup, Intrusion detection, DMZ, dynamic DNS, DHCP, port forwarding, ...
DSLreports.com: Reviews of DSL providers, bandwidth speed measurement, Tools, Info

Linux Based Routers:

Leaf - Linux Embedded Application firewall
Eigerstein

SOCKS Proxy Servers:

I can no longer find the NEC reference implementation but here are some other SOCKS proxy server options for Linux:

sSOCKS5
Polipo - SOKS 5, web caching, IPV6 support
DeleGate - proprietary software
DeleGate
DeleGate

One may also configure ssh to provide SOCKS5 proxy capability:

ssh -f -N -D 0.0.0.0:1080 localhost

Where:

-D: port forwarding on port 1080. The IP address 0.0.0.0 specifies the socket option INADDR_ANY which means that it is listening for connections from any IP address.
-N: stays idle and does not allow for the execution of commands on localhost
-f: Run in the background as a daemon

Iptables can be used to further restrict IP sources accessing port 1080 and add further security constraints.

Books:

	"Linux Firewalls" by Robert L. Ziegler, Carl Constaintine ISBN #0735710996, New Riders 10/2001 Second edition. (Focus: iptables) This is the most up to date version of this book. It highlights the recent changes to the Linux 2.4 kernel (including iptables). It also includes coverage of VPS's and SSH. Scripts and examples are provided for almost any condition or purpose one may require. I highly recommend this book for anyone concerned about internet security.
	"Linux Firewalls" Robert L. Ziegler ISBN #0-7357-0900-9, New Riders 11/1999 First edition. (Focus: ipchains) Most complete Linux firewall/security book in publication. Covers ipchains, bind and a complete review of possible firewall configurations. A newer version of this book has been released. See the above book.
	"Red Hat Linux Firewalls" Bill McCarty ISBN #0764524631, John Wiley and Sons Red Hat Press
	"Linux iptables Pocket Reference" by Gregor N. Purdy ISBN #0596005695, O'Reilly; 1 edition (November, 2004)
	"LINUX Routers: A Primer for Network Administrators" by Tony Mancill ISBN #0130090263, Prentice Hall PTR; 2 edition (June 15, 2002)

Using Linux iptables or ipchains to set up an internet gateway / firewall / router for home or office

iptables:

ipchains:

firewall-cmd:

iptables:

ipchains:

Configure route for the gateway system:

Hardware:

Windows '95 Configuration:

Linux computers:

iptables:

ipchains: