Difference between revisions of "Firewall Basics"


Revision as of 16:39, 28 March 2020


Motivation

Protecting your Linux system from threats on the Internet is more important than ever. For this you should turn off any service that you do not need and keep your distribution up to date. A firewall also helps to keep unwanted guests out. Using Linux as a firewall to protect your network is also often a good idea. Last but not least: the NAT (Network Address Translation) built into the Linux firewall code is useful if you want a private network behind a Linux router.

The History of the Linux Firewall, replacing iptables with nftables

In the 1990s, even before Linux, there was TCP Wrappers, which could be used to protect a server program from access by using a list of IP addresses that would be allowed or denied access to the server. It is still in use today, though most firewall rules are now handled by the kernel.

Linux has had firewalling code in the kernel since about 1997. Back then it was ipfwadm. With the 2.2 kernels came ipchains. This was then replaced with the iptables firewall, which has been the Linux firewall for the last 20 years. Modern distributions are now replacing it with nftables, the newer netfilter firewall.

To set up rules or display the existing ones, there are tools that talk to the kernel interface. For iptables the tool is iptables. For the modern nftables the tool is nft.


Current kernels have an iptables compatibility layer, so even if they run nftables internally, a firewall can still (for the most part) be configured with the old iptables commands.

To make the transition towards the new nft rules easier there is a tool named iptables-translate. It has the same syntax as iptables but does not insert any firewall rules into the kernel; instead it prints out the nft command that would do the same. So if you find documentation that tells you about an iptables command, you can use the tool to find out how to do it with nft.

nft allows more freedom in how you structure your firewall, but since it is rather new, most Linux firewalls, even when they use nft, still follow the iptables structure. Thus I first give you a short overview of iptables:

iptables overview

The tables of iptables

iptables has 3 main tables where you can put firewall rules.

INPUT table
Where all packets are filtered that should be processed by local services
OUTPUT table
Where you can filter packets that were generated locally on your computer
FORWARD table
This can be used to filter all packets which are forwarded from one interface to another one. This table is only used when packet forwarding is enabled, that is when you are using your computer as a router.

Then there are the NAT tables. These are only used for network address translation, i.e. when you want to dynamically rewrite packet addresses, e.g. to use your private addresses behind a real IP address. In iptables you also have to use the option -t nat to see or use them.

The following commands would list all rules in the normal tables and the nat tables:

# iptables -L
# iptables -L -t nat

The option -F could be used to flush (clear) all rules in that set of tables.

Here is a simple example of using iptables:

# iptables -I INPUT -j DROP -i eth1 -p tcp --dport 22 -s 0/0
# iptables -I INPUT -j ACCEPT -s 182.16.21.0/24 -p tcp --dport 22

Here is what that does: the -I option inserts the rule at the top of the table (it thus has precedence over all other rules that might already be in the table; -A would append it at the end of the table). -j gives the target of the rule. The target can be another table (e.g. one that you created yourself). Here we directly say that we want to DROP certain packets and ACCEPT others. Once a packet reaches a DROP or ACCEPT rule, processing is finished and the packet is either dropped or passes. Note the order of the two commands: the DROP rule was inserted first, then the ACCEPT rule was inserted above it, so SSH from 182.16.21.0/24 is accepted before the DROP rule is ever reached.
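The first-match processing just described, as an added example that is not part of the original wiki page: a small Python model of the INPUT table with the page's two rules and constructed sample packets, assuming only the -i, -p, --dport and -s matches used above, which shows how issuing the ACCEPT rule with -I versus -A changes the outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                    # -j: "ACCEPT" or "DROP"
    src: str = "0/0"               # -s: source CIDR, 0/0 = any source
    in_if: Optional[str] = None    # -i: input interface, None = any
    proto: Optional[str] = None    # -p: protocol, None = any
    dport: Optional[int] = None    # --dport: destination port, None = any

    def matches(self, pkt: dict) -> bool:
        if self.in_if is not None and pkt.get("in_if") != self.in_if:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        net = "0.0.0.0/0" if self.src == "0/0" else self.src
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(net)

def build(ops):
    """Apply ("I", rule) / ("A", rule) pairs in the order typed on the shell:
    -I inserts at the top (checked first), -A appends at the bottom."""
    chain = []
    for flag, rule in ops:
        if flag == "I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, pkt: dict, policy: str = "ACCEPT") -> str:
    """Top-down walk; the first ACCEPT or DROP match ends processing."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy                  # nothing matched: the table's policy applies

# The page's two rules, in the order they were typed.
DROP_SSH = Rule("DROP", src="0/0", in_if="eth1", proto="tcp", dport=22)
ALLOW_LAN = Rule("ACCEPT", src="182.16.21.0/24", proto="tcp", dport=22)
PAGE_ORDER = [("I", DROP_SSH), ("I", ALLOW_LAN)]    # as on the page
APPEND_ORDER = [("I", DROP_SSH), ("A", ALLOW_LAN)]  # ACCEPT appended instead

# Constructed sample packets: SSH from the LAN range and from elsewhere.
LAN_SSH = {"src": "182.16.21.7", "in_if": "eth1", "proto": "tcp", "dport": 22}
WAN_SSH = {"src": "203.0.113.9", "in_if": "eth1", "proto": "tcp", "dport": 22}
```

With the page's order the LAN packet is accepted and the outside packet dropped; with the ACCEPT appended instead, the DROP rule is reached first and the LAN packet is dropped too. The DROP rule is bound to eth1, so the same outside packet arriving on another interface falls through to the table's default policy.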