
My 4-Line Firewall


I’m pleased with myself at the moment: I’ve just succeeded in creating my own firewall from scratch with a Linux box! Rather than purchasing dedicated hardware to isolate our office network a little better from our clients, I finally got my hands on an old desktop system, installed a second NIC and Slackware, and set to work. I had a good idea of what I was doing, but just in case, I consulted the Linux IP Masquerade HOWTO.

The HOWTO is very easy to follow, even if you’re a fledgling admin who hasn’t dealt with things like firewalling, network address translation (NAT) or iptables. It tells you how to make sure your kernel is compiled correctly, how to enable the proper kernel modules, how to enable forwarding, and provides great (and heavily-commented) sample scripts.

Enabling the kernel modules differs by distro, but in Slackware it was just a matter of editing /etc/rc.d/rc.modules and uncommenting the lines for the necessary modules. The big one is ip_conntrack, but there are a few more that are specific to FTP, IRC and SNMP.

After that I added four simple lines to rc.local. This is a good place to add firewall rules, as this script is executed last at boot, so you're sure to have your modules in place and your network up and running before setting up your firewall. Note that the HOWTO recommends having rc.local call a separate firewall script; that's a fine approach, but my rules are simple enough that I didn't bother with it. The HOWTO's sample script is good, but it's quite long.

Here are my rules, line-by-line. Note I’m not going to get deep into the iptables syntax here; the man page and a number of online resources are great for more info.

1) /usr/sbin/iptables -P FORWARD DROP

This line sets the default policy of the FORWARD chain to DROP: any packet passing through the box that isn't explicitly accepted by a later rule is discarded. Note the full path to iptables isn't always necessary, but is a good "just in case" practice.

2) /usr/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

The -i and -o arguments specify the incoming and outgoing interfaces. eth0 is my Internet-facing interface and eth1 my network. This says that a packet arriving from the Internet is allowed into the network only if it belongs to a connection initiated from the good-guy side of the firewall, or is related to one (an FTP data connection, for example). This is where the connection tracking (i.e., ip_conntrack) modules come into play: they track the state of each connection and ensure the reply traffic gets back to the proper host.

3) /usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Note the reversal of the input and output interfaces. This is saying anything going out from the network to the Internet is permissible. Obviously this implies a lot of trust in my co-workers. This will eventually be locked down, but for now, this serves our purposes and is no different from the setup we already had.

4) /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Finally, this does the outgoing NAT. If you’re unfamiliar with network address translation, this is basically taking the private internal IP addresses and masquerading them behind a single, Internet-facing (and, more importantly, Internet-routable) address. If you’re on a cable or DSL connection with a Linksys router, you’re already doing the same thing. And while I do have the IP space to use 1-to-1 NAT (giving each private address its own public address), I have no reason to do so.
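How rules 1, 2 and 4 cooperate is easiest to see in a small model. This is an added example, not the author's rc.local: a Python class that imitates the kernel's connection tracking, the ESTABLISHED match and MASQUERADE for packets crossing eth0 and eth1. The public address, office hosts and ports are constructed, and the RELATED case handled by helpers such as the FTP module is not modelled.

```python
"""Model of the post's four iptables rules as a tiny stateful forwarder.

Added example, not the author's code: it imitates conntrack, the
ESTABLISHED match and MASQUERADE for traffic between eth0 (Internet)
and eth1 (office). Addresses and ports below are constructed.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed: the routable address on eth0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self):
        # conntrack entry, keyed by the reply tuple as it will arrive on eth0:
        # (remote ip, remote port, public ip, public port) -> (office ip, office port)
        self.conntrack = {}

    def _public_port(self, pkt):
        # MASQUERADE keeps the office host's source port unless another office
        # host already owns that (remote, port) pair; then it takes the next free one.
        mine = (pkt.src, pkt.sport)
        port = pkt.sport
        while self.conntrack.get((pkt.dst, pkt.dport, PUBLIC_IP, port), mine) != mine:
            port += 1
        return port

    def forward(self, in_if, pkt):
        """Return (verdict, out_if, packet as it leaves) for one forwarded packet."""
        if in_if == "eth1":
            # rule 3: anything from the office toward the Internet is accepted,
            # then rule 4 (nat POSTROUTING on eth0) rewrites the source address.
            port = self._public_port(pkt)
            self.conntrack[(pkt.dst, pkt.dport, PUBLIC_IP, port)] = (pkt.src, pkt.sport)
            return "ACCEPT", "eth0", Packet(PUBLIC_IP, port, pkt.dst, pkt.dport)
        if in_if == "eth0":
            # rule 2: only a reply to a tracked flow counts as ESTABLISHED; conntrack
            # also undoes the NAT so the reply reaches the office host that started it.
            inside = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if inside is not None:
                return "ACCEPT", "eth1", Packet(pkt.src, pkt.sport, *inside)
        # rule 1: everything else hits the FORWARD chain's DROP policy.
        return "DROP", None, None
```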

And that’s about it. I did add the line echo "Initializing firewall ruleset" before line 1 so I can see it’s being executed during boot, but the four lines above are the meat of the firewall. Piece of cake!
