How do I build a Simple Linux Firewall for DSL/Dial-up connection?

If you're new to Linux, here's a simple firewall that can be set up in minutes. People coming from a Windows background often get lost when building their first Linux firewall.
This is one of the most common questions asked by Linux newcomers: how do I install a personal firewall on a standalone desktop Linux computer? In other words: "I want a simple firewall that lets me reach anything from my computer but blocks everything coming in from the outside world."
That is easy once you remember that the INPUT chain handles incoming connections and the OUTPUT chain handles outgoing ones. With the following short script and discussion you should be able to set up your own firewall.

Step # 1: Default Firewall policy

Set the default policy to drop all incoming traffic but allow all outgoing traffic. This lets you make unlimited outgoing connections from any port while no unsolicited incoming traffic is accepted. Note the capital -P: it sets a chain's default policy, whereas lowercase -p selects a protocol and would be rejected here.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

Step # 2: Allow unlimited traffic on the loopback (lo) device

Local programs talk to each other over lo (for example a local DNS cache or X server), so that interface must be open in both directions. A packet leaving via OUTPUT has an outgoing interface, so the OUTPUT rule uses -o, not -i:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Step # 3: Allow replies to connections you initiated

With the INPUT policy set to DROP, the replies to your own outgoing connections (DNS answers, web pages, UDP responses) would be dropped as well. The connection-tracking state module recognises packets that belong to an ESTABLISHED connection, or are RELATED to one (such as the data connection of an FTP session, once the FTP conntrack helper module is loaded), and lets them in:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
On current iptables versions -m conntrack --ctstate ESTABLISHED,RELATED is the preferred spelling; -m state still works as an alias for it.

Step # 4: Drop everything else and log it

Anything that reaches this point is unsolicited incoming traffic: log it, then drop it. The script below uses DROP; REJECT would also work, but it sends an error back and so tells a port scanner that the host is up. On a busy link you will also want to rate-limit the LOG rule with the limit match so a scan cannot fill your logs.
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Typing the commands above at a shell prompt works, but the rules are lost at the next reboot and you would have to type them every time. It is a better idea to put them in a script called fw.start (copy and paste the following into the fw.start file):

#!/bin/sh
# A simple desktop firewall: flush all existing rules, then accept only
# loopback traffic and replies to connections this host started.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load connection tracking with its FTP helper (nf_conntrack_ftp on current
# kernels; ip_conntrack_ftp was the old module name)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
# Setting default filter policy: nothing in, nothing forwarded, everything out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to our own connections (DNS answers, passive FTP data, UDP replies)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DROP everything and Log it (rate-limited so a port scan cannot flood the log)
iptables -A INPUT -m limit --limit 5/min -j LOG
iptables -A INPUT -j DROP

You can enhance your tiny firewall with:

  • a script to stop the firewall (flush the rules and set the chain policies back to ACCEPT)
  • optionally, starting the firewall automatically when Debian Linux boots, by having the init system run fw.start at boot time
  • finally, if you want to allow incoming ssh (port 22) or http (port 80), insert the following two rules before the "# DROP everything and Log it" line in the script above. Rules are matched in order, so they must come before the final LOG and DROP rules or they will never be reached:

iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
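Putting Steps 1 to 4, the fw.start script and the enhancements above together, here is an added example (not code from the original article) that builds the same desktop policy as an iptables-restore ruleset, so the whole rule set is applied in one transaction rather than rule by rule, and the "stop the firewall" script is simply a second, open ruleset loaded the same way. The WAN_IF variable, the OPEN_TCP_PORTS list, the fw-drop: log prefix, the rate limit on the LOG rule and the extra rule dropping INVALID packets are this example's own choices, not from the article; the conntrack match and the nf_conntrack_ftp module name are the current equivalents of the article's state match and ip_conntrack_ftp.

```shell
#!/bin/sh
# Added example (not from the original article): the tutorial's desktop
# firewall as an iptables-restore ruleset with start/stop/show actions.
# WAN_IF, OPEN_TCP_PORTS and the fw-drop: log prefix are assumptions of this
# example, not settings from the article.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface (assumed eth0)
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-}"     # e.g. "22 80"; empty means accept no new connections

# Print the locked-down filter table in iptables-restore format.
# Rules are matched top to bottom, so the per-port ACCEPT rules are emitted
# before the final LOG and DROP, which is the ordering the article requires.
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in $OPEN_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limit logging so a port scan cannot fill the disk, then drop the rest.
    cat <<EOF
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Print a fully open filter table; loading it is the "stop a firewall" script.
fw_open_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# iptables-restore replaces the table in one transaction, so the host is never
# left half-configured (for example with policy DROP but no loopback rule yet).
fw_start() {
    modprobe nf_conntrack_ftp 2>/dev/null || true   # RELATED match for passive FTP data
    fw_ruleset | iptables-restore
}

fw_stop() {
    fw_open_ruleset | iptables-restore
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    show)  fw_ruleset ;;
    "")    ;;   # no action: just define the functions (e.g. when sourced)
    *)     echo "usage: $0 {start|stop|show}" >&2; exit 2 ;;
esac
```

Run it as root with ./fw.sh start, ./fw.sh stop, or ./fw.sh show to print the ruleset without applying it; set OPEN_TCP_PORTS="22 80" in the environment to allow incoming ssh and http. Because iptables-restore loads the table atomically, there is no moment during start-up where the policy is already DROP but the loopback and ESTABLISHED rules are not yet in place, which the rule-by-rule fw.start script cannot guarantee.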

Easy to use Linux firewall programs/tools

  • GUI tools - Firestarter :: a graphical, open source firewall front-end for Linux desktops. Note that Firestarter has not been maintained for many years, so check what your distribution ships today.
  • IPCop Firewall and SmoothWall :: distributions for setting up a dedicated firewall box (suited to servers and LAN/WAN use). IPCop development has since ended; SmoothWall Express is still available.

Linux commands to help you navigate

As a Linux system administrator you will need to find files in directories all over the file system. People coming from a Windows background often get lost while navigating it.

Linux and other UNIX (BSD) operating systems offer an excellent collection of utilities for finding files and executables; remember that nobody can memorise every command and file ;)
Commands to help you navigate:

  • file: Determines file types
  • which: Locates an executable in your PATH
  • whereis: Locates binaries, sources and man pages
  • find: Finds files by name, owner, size and other attributes
  • grep: Searches for a text string in the named files
  • strings: Finds printable text strings in a binary file

The which command

It is useful for locating a command. Some operating systems such as Solaris/HP-UX (and Linux too) have several copies of the same command in different directories, so you want to know which one will actually run; that is decided by the order of the directories in your PATH variable, and which reports the first match. Try out the following commands:
$ which ls
$ which vi
$ which vim

The file command

If you would like to find out whether a command is a shell script or a compiled binary, or you simply cannot recognise a file by its extension, use the file command to determine the file type.
$ file /usr/sbin/useradd

/usr/sbin/useradd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

Let us try another example:
# file /etc/shadow

/etc/shadow: ASCII text

You don't have to type the full path by hand; combine file with which:
$ file $(which adduser)

/usr/sbin/adduser: perl script text executable

The whereis command

It locates binaries, sources and man pages. When you get the message "command not found", use whereis to locate the binary. A common cause is that /sbin and /usr/sbin are not in a normal user's PATH, so administrative commands exist but are not found. For example, the ifconfig command:
$ ifconfig

bash: ifconfig: command not found

Now locate ifconfig binary, enter:
$ whereis -b ifconfig

ifconfig: /sbin/ifconfig

So let us try the full path, enter:
$ /sbin/ifconfig
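As an added example tying the which, file and whereis sections together (this is not code from the original article), the following shell functions do by hand what which does, walking PATH in order, and then fall back to the sbin directories that a normal user's PATH often lacks, which is the usual reason ifconfig reports "command not found" while /sbin/ifconfig exists. The names resolve_cmd, find_cmd, describe_cmd and FALLBACK_DIRS are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a command the way
# which(1) does, then fall back to the sbin directories that a normal user's
# PATH often lacks. FALLBACK_DIRS and the function names are this example's.
set -eu

FALLBACK_DIRS="/sbin:/usr/sbin:/usr/local/sbin"

# resolve_cmd NAME [SEARCHPATH]: print the first executable NAME found in the
# colon-separated SEARCHPATH (default: $PATH), in order; return 1 if none.
resolve_cmd() {
    name=$1
    searchpath=${2:-$PATH}
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        [ -n "$dir" ] || dir=.         # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# find_cmd NAME: resolve via PATH; if that fails, try FALLBACK_DIRS and say so,
# which is what "whereis -b" told you in the ifconfig example above.
find_cmd() {
    if path=$(resolve_cmd "$1"); then
        printf '%s\n' "$path"
        return 0
    fi
    if path=$(resolve_cmd "$1" "$FALLBACK_DIRS"); then
        printf '%s (not in your PATH: run it by full path or add %s to PATH)\n' \
            "$path" "${path%/*}"
        return 0
    fi
    printf '%s: not found\n' "$1" >&2
    return 1
}

# describe_cmd NAME: resolve it and let file(1) say whether it is a script or
# an ELF binary, the same as the article's "file $(which adduser)".
describe_cmd() {
    path=$(resolve_cmd "$1") || return 1
    file "$path"
}
```

Source the file and call find_cmd ifconfig: as a normal user with the default PATH it prints /sbin/ifconfig with the note that /sbin is not in your PATH, which is exactly the situation the whereis example shows. describe_cmd useradd gives the same ELF or script line as the file examples earlier.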

The grep command

The grep command can search for text or strings such as IP addresses, domain names and lots of other things inside text files. New Linux sysadmins often forget configuration file names; grep can find the right file for you. For example, to find the file that contains a given IP address, put the address between the quotes and search recursively under /etc:
# grep -R "" /etc/* | less

Find the configuration file that refers to the bttv kernel driver module, so that you can remove the driver:
# grep -R "bttv" /etc/* | less

The strings command

The grep command is useful for searching text files; to find printable text strings inside a binary file, use the strings command.
# strings /usr/bin/users

You might think searching a binary for text strings is a stupid idea. It is not. For example, you may want to find out quickly whether an Internet service supports the tcpd access control facility via /etc/hosts.allow and /etc/hosts.deny (TCP wrappers). Let us find out whether the sshd server supports it:
# strings $(which sshd)| grep libwrap

libwrap refuse returns

That line appears because this sshd was built against libwrap. Note that OpenSSH removed its built-in TCP wrappers support in version 6.7, so on a current system the command usually prints nothing and access control has to be done in sshd_config or in the firewall instead.

The find Command

Use the find command to locate files. Find all files belonging to the user charvi:
# find / -user charvi

Remove all core dump files. The -exec arguments need the spaces shown: {} is replaced by each matching file name and the escaped \; ends the command, and rm -i asks before each deletion:
# find / -name core -exec rm -i {} \;

For more information please read the man pages of find, grep, file, which, whereis and strings.