BASIC Firewalling with IPChains

There are a number of great tutorials and HOWTOs on IPChains available on the net. If you get confused by this
tutorial I would recommend you look to the internet for clarification.
Linux Kernel 2.2 supports stateless packet filtering -- like a router.
Linux Kernel 2.4 supports stateful packet filtering -- like a commercial firewall package.

TCP/IP Introduction/Reminder

TCP/IP is the basic internet protocol, developed by a group of academics. It is an open standard and is
what makes the internet as we know it possible. Microsoft has tried to co-opt this standard and has released
standards that were intended to make TCP/IP obsolete. Luckily these efforts were a failure.

Every communication between two computers on the internet is broken into data packets. Each data packet begins
with a header which tells servers and computers where to send the packet. TCP/IP stands for Transport Control
Protocol / Internet Protocol. The IP part gets information from one host to another; the IP header's
important fields are the Source IP address and Destination IP address, or SRC_IP and DST_IP.
TCP gets information from one program to another; the TCP header's important fields are the
Source Port and Destination Port.
Another TCP-like protocol is UDP, the User Datagram Protocol. I will not elaborate
on the difference here; I would advise you to look to the internet for more information if you are interested.

TCP rides inside the IP packet through encapsulation; this will all be important in understanding your IPChains. The
TCP header is placed at the beginning of the data portion of the IP packet.
TCP is good at correcting errors, ordering packets, confirming packets, and creating and destroying connections.
This last part is of particular interest. By understanding how a connection is made using TCP and what that consists
of, you can regulate who may connect to your computer. All hack attacks begin with a connection. So sit up and
pay attention! You should be aware that the one downside of TCP, where UDP is actually superior, is that TCP has
a high overhead, so data flows at slower speeds.

Packet Filtering Introduction

There are two major types of firewalls: Packet Filtering and Proxy

      Packet Filtering discards packets trying to connect over a network based on a set of rules written by you.

      Proxy-based firewalls allow you to make connections through an intermediary host; that host then connects for you, making
      a clean connection and protecting the entity behind the host.

The major drawback of using a proxy is a slower connection, although a proxy is sometimes useful for a user wanting to surf anonymously. Remember though, you are not totally anonymous, because the host knows who you are and everyone else knows who the host is
(identification occurs through your IP address).
When you make a connection, you send your packet to a host port from a port on your machine. Common services
such as FTP and web servers listen on a predictable port. In fact, web browsers are programmed to automatically
check port 80 for the webpage by default. You can check another port with a web browser by indicating it in the
address; however, if there is nothing there, or if there is a service running that
doesn't understand a browser request, nothing will come of your attempt. Daemon is the name for the listener on a
port, so there would be an FTP daemon listening on port 21. Anyway, in building your firewall, you want to restrict
access to ports, as that is where the connection requests go. A bunch of open ports = vulnerability.

Common ports and their service:

FTP -- 20/21
SSH -- 22
SMTP -- 25
DNS -- 53
HTTP -- 80
POP -- 110
IMAP -- 143
HTTPS -- 443
IRC -- 6667
Telnet -- 23

If you don't know what these services are, look them up; they are very common. You should not have any trouble
finding plenty of documentation on them.

Let's Block Connections

So here is how you would block all incoming connection requests but let all outgoing connection requests go through:
TCP does what is called handshaking when a new connection is made.

*The first packet says Source -> Destination: Synchronize (SYN) = on, Acknowledge (ACK) = off

*The second packet says Destination -> Source: SYN=on, ACK=on

*The third packet says Source -> Destination: SYN=off, ACK=on

*The fourth packet says .... -> SYN=off, ACK=on

To block all incoming requests then, you need to set your firewall to reject or drop all packets that have SYN=on and
ACK=off. Let's get into some practical IPChains writing.

There are three possible chains: INPUT, FORWARD, OUTPUT (packets that are going to be forwarded go through all
three in ipchains). When there is an incoming connection request on a specific port, your machine will test the request against its rule
set to determine whether the connection is responded to and completed, rejected or dropped.

Let's look at an INPUT chain, then go through each line of the chain:

Default Policy: Accept
src_port = 23 judgement=block
dst_port = 21 judgement=block
This chain has a default policy of accept. That means when a new connection comes in, if it is not covered by your
rule set then the connection will be allowed. The opposite is true for a default policy of deny.

This chain then says that any packet with a header indicating a source port of 23 is blocked, i.e. the
connection is not allowed to be made, effectively denying access to telnet. The next rule says that any packet with a destination
port of 21 is also blocked, effectively denying access to FTP (both good policies).

IPChain Syntax:

ipchains -P chain ACTION sets the default policy of the chain, where ACTION = {ACCEPT, DENY, REJECT, MASQ}
(these are the keywords ipchains actually accepts; MASQ only makes sense on the forward chain)

ipchains -F chain flushes or resets all chains.

ipchains -A chain appends a rule to the end of chain

ipchains -L chain lists all rules for chain

ipchains -A chain
-p (protocol, e.g. tcp or udp)
-s (Source_IP)
-d (Destination_IP)
--source-port or --sport (Source_Port)
--destination-port or --dport (Destination_Port)
-i (network_interface)
! (expression) = NOT (boolean logic), e.g. ! -y
-y matches packets with the SYN flag set and ACK off (i.e. connection requests); ! -y matches all other packets
-j (ACTION) the judgement to apply to a matching packet


ACCEPT permits a connection to be made,
DROP means the connection is dropped and no msg is sent to the user (in ipchains this target is spelled DENY, as in the example below),
REJECT means the connection is dropped and a reject message is sent to the user,
LOG means that the connection attempt will be logged with the person's IP, time and other goodies (in ipchains logging is the -l option added to a rule, not a separate target).

Syntax Example for blocking ftp and telnet:
{Default Policy: Accept
src_port = 23 judgement=block
dst_port=21 judgement=block}

would look like:
ipchains -P input ACCEPT   # setting default policy (ACCEPT, not "allow", is the keyword ipchains understands)
ipchains -F input          # flushing ruleset
ipchains -A input -p tcp --sport 23 -j DENY   # denying any TCP packet with source port 23, which is telnet
ipchains -A input -p tcp --dport 21 -j DENY   # denying any TCP packet with destination port 21, which is where your ftp server is
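To see how an input chain actually judges packets, here is an added example that is not part of the original tutorial: a small Python model of ipchains matching (rules tried top to bottom, first match wins, the chain's default policy when nothing matches, -y selecting connection requests). It does not talk to the kernel; it exercises both the telnet/ftp chain above and the "block all incoming requests, allow replies to ours" rule from the handshake section on constructed packets. The Packet, Rule and Chain classes, the addresses and the port numbers are all made up for the illustration.

```python
"""Model of how an ipchains input chain judges a packet (added example,
not code from the tutorial). Nothing here talks to the kernel; it reproduces
the matching semantics described in the text so that rule sets can be tried
against constructed packets. Addresses and ports below are made up."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag
    iface: str = "eth0"   # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT, DENY or REJECT
    proto: Optional[str] = None    # -p
    src_ip: Optional[str] = None   # -s
    dst_ip: Optional[str] = None   # -d
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport
    iface: Optional[str] = None    # -i
    syn: Optional[bool] = None     # True = -y, False = ! -y, None = don't care
    log: bool = False              # -l

    def matches(self, pkt: Packet) -> bool:
        for attr in ("proto", "src_ip", "dst_ip", "sport", "dport", "iface"):
            want = getattr(self, attr)
            if want is not None and getattr(pkt, attr) != want:
                return False
        if self.syn is not None:
            # -y: SYN set and ACK clear, i.e. the first packet of a handshake.
            # (Real ipchains also requires FIN clear; FIN is not modelled here.)
            is_request = pkt.proto == "tcp" and pkt.syn and not pkt.ack
            if is_request != self.syn:
                return False
        return True


class Chain:
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name = name
        self.policy = policy             # ipchains -P <chain> <policy>
        self.rules: List[Rule] = []
        self.logged: List[Packet] = []   # what -l would have sent to the kernel log

    def flush(self) -> None:             # ipchains -F <chain>
        self.rules.clear()

    def append(self, rule: Rule) -> None:  # ipchains -A <chain> ...
        self.rules.append(rule)

    def judge(self, pkt: Packet) -> str:
        for rule in self.rules:          # first matching rule decides
            if rule.matches(pkt):
                if rule.log:
                    self.logged.append(pkt)
                return rule.target
        return self.policy               # nothing matched: default policy


def handshake(client_ip, client_port, server_ip, server_port) -> List[Packet]:
    """The three packets of a TCP handshake, as seen on the wire (constructed)."""
    return [
        Packet("tcp", client_ip, server_ip, client_port, server_port, syn=True),
        Packet("tcp", server_ip, client_ip, server_port, client_port, syn=True, ack=True),
        Packet("tcp", client_ip, server_ip, client_port, server_port, ack=True),
    ]


def telnet_ftp_chain() -> Chain:
    """The tutorial's input chain: default ACCEPT, then the two DENY rules."""
    chain = Chain("input", policy="ACCEPT")
    chain.flush()
    chain.append(Rule("DENY", proto="tcp", sport=23))   # --sport 23 -j DENY
    chain.append(Rule("DENY", proto="tcp", dport=21))   # --dport 21 -j DENY
    return chain


def no_incoming_requests_chain(outside: str = "eth0") -> Chain:
    """Refuse new connections arriving on the outside interface, let replies to ours in."""
    chain = Chain("input", policy="ACCEPT")
    chain.append(Rule("DENY", proto="tcp", iface=outside, syn=True, log=True))  # -i eth0 -p tcp -y -l -j DENY
    return chain


if __name__ == "__main__":
    us, them = "192.0.2.10", "198.51.100.7"      # constructed addresses
    chain = no_incoming_requests_chain()
    inbound = handshake(them, 40000, us, 80)      # they try to reach our port 80
    outbound = handshake(us, 40001, them, 80)     # we connect out to their port 80
    print("their SYN to us:", chain.judge(inbound[0]))              # DENY
    print("their SYN/ACK reply to us:", chain.judge(outbound[1]))   # ACCEPT
```

Two things the model makes visible that the rule listing alone does not: the -y rule denies the first packet of a connection somebody else opens to you, while the SYN=on/ACK=on reply to a connection you opened still passes under the default policy; and the tutorial's --sport 23 rule matches packets coming from a remote telnet server, so a request aimed at your own telnet daemon (destination port 23, random source port) is not caught by it, which is what a --dport 23 rule would do.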