Use Linux as firewall and Internet Sharing

You can configure Linux as a firewall in several ways, depending on your requirements and the size of your network. The easiest way is to use iptables (packet filtering) if you have a simple network or only a few computers. There are other methods such as pf and ipfw, but they are more complex to set up; you would need them if you have a large network or in-house servers (web, email, DNS and so on) handling a large amount of traffic.

For basic use and simplicity we'll use iptables, as it is very easy to set up and troubleshoot. We'll also set up this Linux box to do NAT (network address translation), meaning it will share its Internet connection with the other computers.

I will set up a packet-filtering firewall for the following diagram.
[Network diagram]
Here the Linux box acts as the firewall and does NAT as well. If you want the Linux box to assign IPs to your computers you will need to install a DHCP service; otherwise you can assign IPs manually. In either case your workstations will have these TCP/IP settings, e.g.
Workstation1

IP: 192.168.1.21
Subnetmask: 255.255.255.0
Gateway: 192.168.1.10
DNS: If you are using a router/DSL modem then the DNS IP is the IP of your router, i.e. 192.168.1.1; if you are using a cable modem then it will be the public DNS IP, which is 194.168.4.100; otherwise you can give it the IP of the Linux machine if this Linux box is a DNS server as well.

You will need two Ethernet cards: connect the first (eth0) to your switch and the second (eth1) to your router or cable modem. Set eth1 to get its IP automatically from the router or cable modem, then type ifconfig eth1 to see the address it was given. Let's say the IP assigned by the router to eth1 is 192.168.1.2.

Now log on to linux box and type the following commands.

iptables -F
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A block -j LOG
iptables -A block -j DROP
iptables -A INPUT -j block
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

That's it. The Linux box is configured as a firewall and will also do NAT.

Now if you want to allow some services from the Internet, such as email, a web server and FTP, you need to do the following.

For an email server allow port 25; for a web server allow port 80. These rules must sit ahead of the jump into the block chain, which is why they are inserted at the top of INPUT with -I rather than appended with -A: block ends with DROP, so a rule appended after -j block would never be reached for new connections arriving on eth1.

iptables -I INPUT -d 192.168.1.2 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT

If you are using an FTP server (passive mode) you need to allow the port range defined in the FTP server's configuration file, e.g. ports 50010 to 50050. To do this type

iptables -I INPUT -d 192.168.1.2 -p tcp --dport 50010:50050 -j ACCEPT

For FTP active mode allow 20:21 instead of 50010:50050.

If the Linux interface eth1 is connected to a cable modem, then the eth1 IP will be a public address, something like 83.7.123.43; just replace 192.168.1.2 with 83.7.123.43 in the rules above.

If you want to allow only the IP 65.23.99.200 to reach 192.168.1.2 on port 22 (or any other port), you can do so with:

iptables -I INPUT -s 65.23.99.200 -d 192.168.1.2 -p tcp --dport 22 -j ACCEPT
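The commands above are typed one at a time, which leaves the box half-configured between them and makes rule order easy to get wrong. As an added example (not code from the post), the script below renders the same ruleset in iptables-save format and loads it in one transaction with iptables-restore. The interface and address values are the ones used in the post; the SERVICES variable, the "fw-drop:" log prefix, the log rate limit and the extra jump from FORWARD into block (so NATed clients get the same stateful protection as the box itself) are assumptions added here.

```sh
#!/bin/sh
# Added example (not from the post): emit the firewall + NAT rules in
# iptables-save format and load them atomically with iptables-restore, so the
# box never sits half-configured between individual iptables commands.
# Interface and address values are the ones used in the post; SERVICES, the
# log prefix, the log rate limit and the FORWARD jump are assumptions.

WAN_IF=${WAN_IF:-eth1}           # card facing the router / cable modem
WAN_IP=${WAN_IP:-192.168.1.2}    # address the router gave eth1 in the post
# Services reachable from outside, as proto:port or proto:first:last entries.
SERVICES=${SERVICES:-"tcp:25 tcp:80 tcp:50010:50050"}

render_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':block - [0:0]'
    # Service rules are emitted before the jump into block; block ends in DROP,
    # so an ACCEPT placed after "-A INPUT -j block" would never be reached.
    for svc in $SERVICES; do
        proto=${svc%%:*}          # text before the first ':'
        ports=${svc#*:}           # everything after it: "25" or "50010:50050"
        printf '%s\n' "-A INPUT -d $WAN_IP -p $proto --dport $ports -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j block'
    # Also run forwarded (NATed) traffic through block so that only replies to
    # connections opened from the inside are forwarded in from the WAN side.
    printf '%s\n' '-A FORWARD -j block'
    printf '%s\n' '-A block -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A block ! -i $WAN_IF -m state --state NEW -j ACCEPT"
    # Rate-limited, prefixed log line for everything about to be dropped.
    printf '%s\n' '-A block -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' '-A block -j DROP'
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Apply: enable forwarding, then load the whole ruleset in one transaction.
# Needs root and a real iptables; render_ruleset alone needs neither.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_ruleset | iptables-restore
}

# Usage: sh firewall.sh          -> print the ruleset for review
#        sh firewall.sh apply    -> load it
case "${1:-}" in
    apply) apply_ruleset ;;
    *)     render_ruleset ;;
esac
```

Review the output of sh firewall.sh before applying it; once it looks right, sh firewall.sh apply replaces the whole running ruleset in one step, and the same file can be fed to iptables-restore at boot.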

If you don't have iptables installed (in most cases it is pre-installed with Linux) you can install it with yum; just type

yum install iptables

Now let me explain what the above commands do.
iptables -F flushes (wipes) any previous entries from iptables.
iptables -N block defines a new user-defined chain named block.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT accepts packets belonging to connections established from internal devices. All outgoing packets are allowed, and all incoming traffic that is a response to those established outgoing connections is allowed too. This means that when your computer opens a connection to an external server, only packets sent from your computer to the server, and packets from the server to your computer that are part of that established connection, are permitted (a stateful firewall).

iptables -A block -m state --state NEW ! -i eth1 -j ACCEPT accepts new connections only when they do not arrive on eth1, i.e. new connections originating from internal devices, NOT from the Internet side. (Older iptables versions wrote the negation as -i ! eth1; current versions require the ! before the option.)

iptables -A block -j LOG writes a kernel-log line for every packet that reaches this rule, i.e. everything the two rules above did not accept.
iptables -A block -j DROP drops all traffic that did not match the conditions above.
iptables -A INPUT -j block makes the INPUT chain run through the block chain you defined.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE does the NAT.

Now you need to enable IP forwarding, which masquerading (NAT) depends on: edit /etc/sysctl.conf, make sure it contains the line net.ipv4.ip_forward = 1, and apply it with sysctl -p.
Save the rules with /etc/init.d/iptables save before you restart iptables with /etc/init.d/iptables restart; the restart reloads the rules from /etc/sysconfig/iptables, so rules typed at the shell but not saved would be lost.
Then list the active rules with
iptables -L
The packets logged by the LOG rule show up in the kernel log (e.g. /var/log/messages or the output of dmesg), not in iptables -L.
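The LOG rule produces one kernel-log line per dropped packet, each made of key=value fields (IN=, SRC=, DST=, PROTO=, DPT= and so on). As an added example (not from the post), the script below reads such lines from stdin and counts them per source address, protocol and destination port, so you can see at a glance what the firewall is rejecting. The sample log lines are constructed for the example, using documentation address ranges; the "fw-drop:" prefix is an assumed --log-prefix (the post's rule logs without one, and the parser does not depend on it).

```sh
#!/bin/sh
# Added example (not from the post): summarise what the "-j LOG" rule drops.
# Reads kernel LOG lines from stdin and counts them per SRC / PROTO / DPT.

# Constructed sample of what such lines look like in /var/log/messages.
# Addresses are documentation ranges; "fw-drop:" is an assumed --log-prefix.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=50000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:10 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=UDP SPT=53 DPT=1900 LEN=24
Mar  3 10:01:11 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:01:12 gw kernel: fw-drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:13 gw sshd[1234]: Accepted publickey for admin from 192.168.1.21 port 51000 ssh2'

# summarize_drops: read log lines on stdin, print "SRC PROTO DPT COUNT" per
# distinct combination, busiest first. Lines without the LOG fields (the sshd
# line above) are ignored; packets without a port (ICMP) get DPT "-".
summarize_drops() {
    awk '
        /IN=/ && /SRC=/ && /PROTO=/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "PROTO") proto = val
                else if (key == "DPT") dpt = val
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1 -k3,3n
}

# Usage on a real box: summarize_drops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample input the first line of output is 203.0.113.7 TCP 22 3: one source repeatedly hitting port 22, which is the kind of pattern worth a closer look before it gets lost among the single stray packets.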

Hope this helps you. Please write comments/critics/suggestions and correct me if I'm wrong. Thanks for visiting.
