YoLinux: Using Linux and iptables/ipchains to set up an internet gateway for home or office

Methods of connecting your network to the internet:

This tutorial will cover using a linux computer as a gateway between a private network and the internet. Any internet connection whether it be a dial-up PPP, DSL, cable modem or a T1 line can be used. In the case of most dial-up PPP connections and cable modem connections, only a single IP address is issued allowing only one computer to connect to the internet at a time. Using Linux and iptables/ipchains one can configure a gateway which will allow all computers on a private network to connect to the internet via the gateway and one external IP address, using a technology called "Network Address Translation" (NAT) or masquerading. Ipchains can also be configured so that the Linux computer acts as a firewall, providing protection to the internal network.

Note: References to ipfwadm in other literature referes to older depricated software (kernels 2.0.x) which has been supersceeded by ipchains. (kernel 2.2.x) Ipchains are used in RedHat 6.0, 6.1, 6.2 and 7.0. Kernel 2.4 uses iptables and is available in RedHat 7.1.

Firewall Command Linux Kernel Version Red Hat Version
ipfwadm 2.0.x 5.x
ipchains 2.2.x 6.x, 7.0
iptables 2.4.x 7.1+

Note: Red Hat 7.1 and it's default Linux 2.4 kernel may use ipchains or iptables but not both. Ipchain rules take precedence over iptables rules. During system boot, the kernel attempts to activate ipchains, then attempts to activate iptables. If ipchain rules have been activated, the kernel will not start iptables.

Red Hat 7.1 will not support ipchains unless that option is configured (during install or later). If during install you select "Disable Firewall - no protection" then ipchains will not be available and you must rely upon iptables for a manual firewall configuration. (iptables only. ipchains will be unavailable) The tool that does this is lokkit (or /usr/bin/gnome-lokkit), which uses ipchains to configure firewall options for High and Low security options. To support ipchains after install, run /usr/bin/gnome-lokkit and configure a firewall. It will configure ipchains to activate the firewall. Lokkit will generate the file /etc/sysconfig/ipchains. (Used by init script /etc/rc.d/init.d/ipchains which calls /sbin/ipchains-restore)

To see if ipchains and the Lokkit configuration is invoked during system boot, use the command: chkconfig --list | grep ipchains

The default Red Hat 7.1 Linux 2.4 kernel is compiled to support both iptables and ipchains. Kernel suppport for ipchains is available during a kernel configuration and complilation. During make xconfig or make menuconfig turn on the feature: "IP: Netfilter Configuration" + "ipchains (2.2-style) support".

Check your installation by using the command: rpm -q iptables ipchains
These packages must be installed. The commands iptables and ipchains are the command interfaces to configure kernel firewall rules. The default Red Hat 7.1 kernel supports iptables and ipchains. (But not both at the same time.)


Network Address Translation (NAT):

An individual on a computer on the private network may point their web browser to a site on the internet. This request is recognized to be beyond the local network so it is routed to the Linux gateway using the private network address. The request for the web page is sent to the web site using the external internet IP address of the gateway. The request is returned to the gateway which then translates the IP address to computer on the private network which made the request. This is often called IP masquerading. The software interface which enables one to configure the kernel for masquerading is iptables (Linux kernel 2.4) or ipchains (Linux kernel 2.2)

The gateway computer will need two IP addresses and network connections, one to the private internal network and another to the external public internet.

A note on private network IP addresses: A set of IP addresses has been reserved by IANA for private networks. They range from 192.168.0.1 to 192.168.254.254 for a typical small business or home network and are often refered to as CIDR private network addresses. Most private networks conform to this scheme.

Class Range CIDR Notation Default Subnet Mask Number of Subnets Number of hosts per subnet
Class A 10.0.0.0 10.255.255.255 10.0.0.0/8 255.0.0.0 126 16,777,214
Class B 172.16.0.0 172.31.255.255 172.16.0.0/12 255.255.0.0 16,384 65,534
Class C 192.168.0.0 192.168.255.255 192.168.0.0/16 255.255.255.0 2,097,152 254

This is detailed in RFC 1918 - Address Allocation for Private Internets.
Network Subnets

Example 1: Linux connected via PPP

This example uses a Linux computer connected to the internet using a dial-up line and modem (PPP). The Linux gateway is connected to the internal network using an ethernet card. The internal network consists of Windows PC's.

The Linux box must be configured for the private internal network and PPP for the dial-up connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command to configure the private network. i.e. (as root)

   /sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255

This is often configured during install or can be configured using the tool netcfg or the general Gnome admin tool Linuxconf. See the YoLinux Networking tutorial for more information on assigning network addresses.

Run one of the following scripts on the Linux gateway computer:

A PPP connection as described by the YoLinux PPP tutorial will create the PPP network connection as the default route.

Example 2: Linux connected via DSL, Cable, T1

High speed connections to the internet result in an ethernet connection to the gateway. Thus the gateway is required to possess two ethernet Network Interface Cards (NICs), one for the connection to the private internal network and another to the public internet. The ethernet cards are named eth and are numbered uniquely from 0 upward.

Use the ifconfig command to configure both network interfaces.

   /sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255   - External network (internet)
   /sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255     - Internal private network
Also see notes on adding a second NIC.

Run the appropriate script on the linux computer where eth0 is connected to the internet and eth1 is connected to a private LAN:

Create a route for internal packets:

     route add  -net 192.168.1.0  netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth1
Where XXX.XXX.XXX.XXX is the internet gateway defined by your ISP. For more information on routing see the YoLinux networking tutorial

Note: While this configuration requires that the Linux gateway computer have two network cards, if you only have one PCI slot available you may use a card such as the Intel Pro 100 Dual Port which has two ethernet connections which reside on a single card. (This is what I use) Yolinux Harware tutorial: More on Network interface cards

Intel PCI Dual Pro 100 NIC card supports two physical ethernet connections (eth0, eth1) one one card.
Compliant Standards: IEEE 802.3-LAN, IEEE 802.3U-LAN , Plug and Play
Connectivity Technology: Cable - 10Base-T, 100Base-TX
Data Transfer Rate: 100 Mbps
Data Link Protocol: Ethernet, Fast Ethernet
Processor: 82550 - Intel

Ipchains options: (Linux kernel 2.2 firewall)

General /sbin/ipchains format to add rules:
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]

ipchains options:

Command Description
-A Add rule to chain
-D Delete rule from chain
-I Insert rule
-R Replace rule
-F Flush all rules
-L List all rules
-N Create new chain
-X Delete user defined chain
-P Set default targe
Command Option Description
-s Source address of packet
-d Destination address of packet
-i Interface packet is arriving from
-p Protocol
-j Target to send packet to
-y For -p tcp. Packet is SYN packet.
--icmp-type For -p icmp.
-l Log the packet to syslog.
/var/log/messages
Available in default Red Hat 6.0+ kernel
System targets
(policy)
Description
ACCEPT Let packet throughpacket
DENY Deny packet
REJECT Deny packet and notify sender
MASQ Forward chain masquerade
REDIRECT Send to different port
RETURN Handled by default targets

Four chain rule types are available:

For the full info see the man page for ipchains. To add firewall rules read the links provided below.

Configuring PCs on the office network:

Windows '95 Configuration:

Linux computers:


Adding more security rules to your gateway:

ipchains:

This script configures firewall rules for a Linux computer with two ethernet ports. One port connects the computer to the internet with an external address of XXX.XXX.XXX.XXX. The other ethernet port connects the computer to an internal network of 192.168.10.0 to 192.168.10.255. This script is more complex but preferred to the previous scripts because of the extra security that the extra firewall rules offer. The script does work with a system running portsentry. For more on portsentry see the YoLinux Internet Security: portsentry Tutorial.

Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo

Gateway script for ipchains firewall and NAT:

   #!/bin/sh

   # Flush Rules
   ipchains -F forward 
   ipchains -F output 
   ipchains -F input 

   # Set default to deny all
   ipchains -P input   DENY
   ipchains -P output  DENY 
   ipchains -P forward DENY 

   # Add Rules

   # Accept packets from itself (localhost) (s)ource to itself (d)estination
   # Keeps system logging, X-Windows or any socket based service working.
   ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
   ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

   # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
   ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l

   # Accept requests/responses from/to your own firewall machine
   ipchains -A input   -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
   ipchains -A output  -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0

   # Allow outgoing packets source (s) to destination (d)
   ipchains -A input   -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
   ipchains -A output  -j ACCEPT -p all -s 192.168.10.0/24 -i eth1

   # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface
   ipchains -A input  -j REJECT -p all -s localhost  -i eth0 -l

   ipchains -A forward -s 192.168.10.0/24 -j MASQ
   ipchains -A forward -i eth1 -j MASQ

   # Enable  packet forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward

Notes:


Red Hat 7.1 will configure firewall rules as an option during installation. Note that the firewall rules are generated for ipchains. The configuration tool /usr/bin/gnome-lokkit was used to perform this setup.

Example of the security configuration: /etc/sysconfig/ipchains
This is the configuration file for the script /etc/rc.d/init.d/ipchains (which calls /sbin/ipchains-restore) which may be invoked during system boot.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT                - Allow WWW http access to web server
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT                - Allow SSH (Secure Shell) access
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT  - Allow DHCP/BOOTPC
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT  
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT             - Allow access from internal network on eth1. External eth0 goes through the firewall rules.
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT    - Note: This shuts off telnet, FTP, bind, etc!!! Use for a workstation only.
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT       - Workstation only or explicitly allow each service as above with port 80 and 22.
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT         - Block NFS
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT - Block remote X-Window connections
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT      - Block remote font server connections
Note: Once ipchains have been invoked for kernel 2.4 (RH 7.1), one may NOT use iptables. You may use one or the other but not both.


iptables:

Deny a specific host: iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

Block ports by adding the following firewall rules:

# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT                          - This rule is essential if you want your own computer to be able to access itself throught the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  - Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       - Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP            - Deny outside packets from internet which claim to be from your loopback interface.
These rules may be executed on their own to protect your system while attached to the internet or they may be appended to the end of the iptables gateway NAT scripts above.

Debugging and logging:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
Add this to the end of your rules and you should be able to monitor dropped connections in /var/log/messages. I do NOT log in this method due to the outrageous volume of messages it generates. Use this for debugging or short term monitoring of the network.


Another approach to firewalls is to drop everything and then grant access to each port you may need.

ptables -F
iptables -A INPUT -i lo -p all -j ACCEPT                       - Allow self access by loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT - Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT          - Open ftp port
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT          - Open secure shell port
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT          - Open HTTP port
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   - Accept local network Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP                                        - Drop all other connection attempts. Only connections defined above are allowed.


Save/restore an ipchains/tables configuration:

Also see: how to turn off ICMP and look invisible to ping.


proc file settings:

The TCP Man page - Linux Programmer's Manual and /usr/src/linux/proc.txt [alt link] (Kernel 2.2) cover /proc/sys/net/ipv4/* file descriptions.

Also see:


IP Forwading Notes:

The following command will allow the Linux kernel to forward IP packets:

    echo 1 > /proc/sys/net/ipv4/ip_forward

An alternate method is to alter the network script: /etc/sysconfig/network

     FORWARD_IPV4=true
Change the default "false" to "true".


CIDR Notation:

The notation "/24" refers to the use of the first 24 bits of a 32 IP address. The is the equivalent of using the bitmask 255.255.255.0. To put it another way, it specifies a range of IP addresses: 0 to 255 for the last octet while the first three remain constant.

Example: 192.168.103.0/24 refers to the IP addresse range 192.168.103.0 to 192.168.103.255

The notation "/32" refers to a single IP address as it implies that all 32 bits of the IP address are significant.


Configuration Tools:

GUI tools and scripts exist to help you with the configuration of ipchains. See:

Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)

Tools for iptables configuration:


Links and information:

iptables:

ipchains:

Relevant networking links:

Linux Router Project:

Documents: