Firewalling Using Netfilter

Netfilter is the updated firewall code in the Linux kernel and is only available in the 2.4 kernel series. It is similar to, but more powerful than, ipchains, which served that function in the 2.2 series. The command used to alter the behavior of netfilter is iptables. For a thorough introduction to the capabilities of the Netfilter code, read this article written by Dave Wreski.

If netfilter, ipchains and ipfwadm are compiled as modules, the administrator of a system can choose between the firewalling tools of the different kernel series: ipfwadm from the 2.0 series, ipchains from the 2.2 series, and iptables, now available with the 2.4 kernel. The choice is made by inserting the appropriate modules into the running kernel.

Stateful inspection, or dynamic filtering, is included in the netfilter framework. Here is a quote from the previously linked article written by Dave Wreski: "This connection tracking mechanism provides the ability to associate all the packets of a particular connection with each other. Stateful inspection attempts to interpret the higher level protocols such as NFS, http and ftp. The behavior of the firewall changes based on the information contained in the packet. If the packet contains information in the header that indicates it is part of an existing connection, and it matches a rule that states it's a permissible service, then it is permitted to pass through the firewall." James C. Stephens has written an explanation of how connection tracking occurs within the netfilter code.

An understanding of netfilter and general firewall terminology is very helpful.

Getting Started

I want to build a firewall using Netfilter. Where do I start?

Start with the available documentation! The most important is the man page (man iptables). Then there are the HOWTOs from Rusty's Unreliable Guides: the Linux 2.4 Packet Filtering HOWTO and the Linux 2.4 NAT HOWTO. For my own purposes I created a shortened version of the man page that I find useful as an extremely quick reference.

The bubble diagrams from the HOWTOs are helpful, but they don't give as good a representation as the following flowchart. I am using this flowchart with permission of John Davidson. Thank you, John. Please see the chart, with a very good description of each of the netfilter hooks, here.

I have one computer with one modem. Isn't this kind of thing already done?
Note: If the one modem is your only network interface, you don't even need the last line, because there are no hosts to forward to. With this firewall installed the host is essentially an observer on the internet: it can create outgoing connections but accepts no connections from the internet. This covers the TCP, ICMP and UDP protocols.

I have computers behind this host on a LAN. I need masquerading as well.
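The single-host and masquerading cases above, written up as an added example rather than the page's own scripts: a POSIX shell function that prints a ruleset in iptables-restore format (the save/restore utilities mentioned later on this page), so the same function covers a lone modem host and a LAN gateway. The interface names ppp0 and eth0, the LAN prefix 192.168.1.0/24 and the log prefixes are assumptions; the ESTABLISHED,RELATED rules are where the connection tracking quoted from Dave Wreski above does its work.

```shell
#!/bin/sh
# Added example: print a stateful ruleset in iptables-restore format.
# Interface names and the LAN prefix are arguments; the values in the usage
# comment are assumed, not taken from the page.
# usage: gen_ruleset ppp0                       (single host, one modem)
#        gen_ruleset ppp0 eth0 192.168.1.0/24   (gateway masquerading a LAN)
gen_ruleset() {
    ext="$1"; lan="$2"; lannet="$3"
    echo '*filter'
    # Default policies: nothing comes in or through unless a rule allows it.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Connection tracking: replies to connections this host opened are let back in.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Log new connection attempts arriving from the internet before the policy drops them.
    echo "-A INPUT -i $ext -m state --state NEW -j LOG --log-prefix \"FW-IN-DROP: \""
    if [ -n "$lan" ]; then
        echo "-A INPUT -i $lan -s $lannet -j ACCEPT"
        # LAN hosts may open connections outward; only tracked replies come back.
        echo "-A FORWARD -i $lan -o $ext -s $lannet -j ACCEPT"
        echo "-A FORWARD -i $ext -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "-A FORWARD -j LOG --log-prefix \"FW-FWD-DROP: \""
    fi
    echo 'COMMIT'
    if [ -n "$lan" ]; then
        echo '*nat'
        echo ':PREROUTING ACCEPT [0:0]'
        echo ':POSTROUTING ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        # Rewrite the source of LAN traffic to the modem's (possibly dynamic) address.
        echo "-A POSTROUTING -o $ext -s $lannet -j MASQUERADE"
        echo 'COMMIT'
    fi
}

# Load the generated ruleset in one step. Needs root and a 2.4 kernel with the
# ip_tables, ip_conntrack and iptable_nat modules available. Not run by default.
apply_ruleset() {
    if [ -n "$2" ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    gen_ruleset "$@" | iptables-restore
}
```

Run `gen_ruleset ppp0 eth0 192.168.1.0/24` first to read what would be loaded, then `apply_ruleset` with the same arguments.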

Recommendations

Scripts to Copy and Edit

I want to do more than these examples allow; I need some recommendations.
A little advice from the HOWTOs, written by the maintainer of netfilter.
Recommendations from James C. Stephens who advocates a more restrictive script for a single computer with one interface.
Recommendations from Oskar Andreasson who includes detailed explanations for his script.
I have some recommendations of my own.
Do you want to create more intricate scripts? How about using a true demilitarized zone to protect internet servers and internal hosts? There is also the pseudo-demilitarized-zone setup. Both can be set up to drop and accept on a larger number of rules for each scenario. Visit John Davidson's website.

Testing

Test to see whether your firewall is achieving its objective. Netfilter cannot make the services answering requests on open ports any more secure in themselves. It can, however, serve as a layer between a network interface and the services that respond to requests. If you have a number of services on a machine but only want one or two ports to answer requests from a certain interface, subnet, IP address, or any other parameter netfilter can match, it can help greatly in achieving your security objective.

It is a good idea to test whether you are achieving your objective. Use nmap to scan ports and see which services respond on an interface. Use tcpdump to write every packet an interface can sniff to a file. To analyze network traffic with a convenient GUI program, ethereal may be the program for you. It can capture packets from a graphical user interface or open files created by many other network monitors, including tcpdump. I learned more about how information is sent over the wire in a couple of hours of experimentation with ethereal than I learned from many more hours reading about protocols. I should have read the books in front of a computer running ethereal.

The logs are an important source for testing your script. Tail your messages file. Use it together with the listing of your firewall rules, which outputs the number of packets matched by each rule. If your logging rules are not doing what you think they should, your drop rules may not be either.
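An added example (not from the page) of reading those logs: the LOG target writes one line per packet to the messages file, and a short awk filter over constructed sample lines shows which ports and source addresses the drop rules are actually hitting. The prefix FW-IN-DROP:, the host name gw and the sample addresses are constructed for the example; the rule assumed to produce the lines is `-j LOG --log-prefix "FW-IN-DROP: "`.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG-target lines from a messages file.
# LOG_PREFIX and SAMPLE_LOG are constructed; real data comes from
#   tail -f /var/log/messages | summarize_drops   (or top_sources)
LOG_PREFIX='FW-IN-DROP: '

# Constructed sample: five firewall lines and one unrelated sshd line.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: FW-IN-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=3345 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 gw sshd[412]: Accepted publickey for admin from 192.168.1.10
Mar  3 10:02:11 gw kernel: FW-IN-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=3346 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:03:40 gw kernel: FW-IN-DROP: IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=1026 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:04:02 gw kernel: FW-IN-DROP: IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=0 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:05:13 gw kernel: FW-IN-DROP: IN=ppp0 OUT= SRC=192.0.2.5 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Count dropped packets per protocol and destination port, busiest first.
# Output lines look like: COUNT PROTO DPT  (DPT is "-" when absent, e.g. ICMP)
summarize_drops() {
    grep -F -- "$LOG_PREFIX" | awk '{
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Count dropped packets per source address, busiest first: COUNT SRC
top_sources() {
    grep -F -- "$LOG_PREFIX" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Example run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

Compare the per-port counts with the packet counters in the rule listing: a port that shows up in the log but not in the counter of the rule you expect to drop it means an earlier rule is matching first.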

The Bleeding Edge

For you bleeding edgers out there, the netfilter team is strong and growing. With all of the distributions about to do a 2.4-based release, the number of people involved is only going to increase. If you download the userspace code, you will be able to compile the latest version of the userspace tool, iptables. This download also contains patch-o-matic. Patch-o-matic runs a routine asking which kernel updates you would like applied to your kernel source code. It applies some patches, the bug fixes, automatically. Most of the other patches offer bleeding-edge code that is in development and/or waiting for inclusion in the official kernel tree.

To try any of these patches, unpack the bzip2 archive in /usr/local/src and follow the directions in the INSTALL file. It's really simple: just execute make pending-patches and make patch-o-matic, then say yes to anything you want to try. You can also try the utilities to save and restore iptables: execute make experimental followed by make install-experimental.

The patches which are of most interest include:
irc-conntrack-nat, an IRC support module for NAT
nat-overlap bug fix (ssh)
ppc and sparc mangle fix
IPSec ah and esp match module
dnat balance patch (`--to-dest 1.2.3.4-1.2.3.7')
set tos to any value between 0x0 and 0xff
allow ftp connection tracking and NAT to operate on up to 8 ports
ftp conntrack without entering passive mode
restrict the number of parallel TCP connections to a server per client
send dropped packets to userspace via a netlink socket
a match which lets you use bitmaps with one bit per address from some range of IP addresses
match to detect TCP and UDP port scans
track portmapper requests using UDP and TCP respectively
take a range of addresses (`--to-source 1.2.3.4-1.2.3.7') and give a client the same address for each connection
SNMP NAT support
match a string anywhere in a whole packet
match packets by their TTL value
set the TTL value of an IP packet, or increment / decrement it by a given value
ULOG target: a more advanced packet logging mechanism than the standard LOG target

Here is the description of a netfilter patch that fixed a problem which prevented me from browsing certain websites: "This patch adds the CONFIG_IP_NF_TARGET_TCPMSS and CONFIG_IP_NF_MATCH_TCPMSS options, which allow you to examine and alter the MSS value of TCP SYN packets, to control the maximum size for that connection. THIS IS A HACK, used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets." I was very pleased to be able to browse linuxtoday again.

Sorry, I did not include a short description of all the features being worked on. Hopefully this gives you the idea that there is quite a bit of work going on, and that in another year the man page may be twice as long.

More Misc Stuff

There is also a GUI available if you want to try it: here.
I did not try this, but here is a project for a stateful firewall on a floppy.
What is port xxx used for? Here is the /etc/services to end all /etc/services.