Linux Server Firewalls

A firewall is software that performs packet filtering, allowing the server administrator to determine what packets of data are accepted or rejected from a given network interface based on criteria such as source, destination, protocol and other specifics found in the headers contained in the packet of data. The ability to filter which packets of data are accepted provides a measure of protection against unsavoury elements who may attempt to exploit or compromise your Linux server.

The software most commonly used to provide a firewall on a Linux computer is iptables, which is part of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series produced by the netfilter.org project. Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework allowing your Linux server to perform stateful and stateless packet filtering, network address translation and network address port translation. Netfilter/iptables allows the Linux server administrator to build firewalls, use NAT and masquerading for internet connection sharing, use NAT to implement a transparent proxy and more.

A firewall on your Linux server can place an additional layer of protection between your server and the internet and all of its evils. For example if your Linux server was used as a nameserver, mailserver and public webserver (for the corporate website perhaps) and was also used as a file and print server within the office the firewall could be configured so that the file and print services were not accessible from its WAN interface. Although your Samba server would probably be configured to prevent access outside of your LAN IP range the firewall would prevent any opportunity for exploit by making the Samba service completely inaccessible. Unfortunately, because we need to allow people to resolve our company domain, visit our website and send us email the firewall must be configured to allow access to these services and their corresponding ports. I must add that in this example it would be better to use two Linux servers, one for the file and printsharing with a LAN IP address situated behind the firewall and the other for the rough and tough world of the internet, as this reduces the damage if the internet machine is compromised. Years of working for various internet service providers have conditioned me to be cautious at the very mention of the word firewall. A misconfigured or poorly orchestrated firewall can effectively cut your machine off from the world or prevent services from working correctly. Many times I have been confronted by irate customers who would claim that the ISP had been down for preposterous lengths of time only to discover that a misconfigured firewall was to blame. Unfortunately this problem has not been limited to residential customers and is not specific to any particular operating system. If you choose to implement a Linux server firewall you must consider the services that the Linux server provides and configure the firewall accordingly. If you block the ports that the services are available and run on then they simply will not work. If your server provides DNS services and you block port 53 users will not be able to access the DNS server and be unable to resolve domain names as a prime example. Block port 80 and your webserver is unaccessible, another common example. Block port 22 and you will not be able to secure shell into your Linux server to correct the mistake. The intention of the above two paragraphs is not to reduce your confidence in your firewall but to convey its limitations. Your Linux server firewall is only the beginning as far as your Linux server security is concerned, if a service that is publicly accessible through your firewall such as your mailserver or nameserver has a security flaw having a firewall will not stop the service from being exploited. Your machine should be hardened and secure in its own right and maintained accordingly.

Configuring your Linux Server Firewall

Your firewall rules are usually contained in a firewall script that is executed when the Linux server first boots up. The name and location of this script will depend on your Linux distribution, on Slackware Systems it will be called rc.firewall and on Redhat servers it is usually simply called iptables. If you are unsure as to what to call it or where it should go on the vast majority of Linux systems you can call it whatever you like, say /etc/rc.d/rc.firewall, chmod 700 it to make it executable and start it by adding it to rc.local.

To assist you in configuring your Linux server firewall we have included Oskar Andreasson's fantastic Iptables Tutorial which provides an incredibly detailed insight into how a firewall works and includes example firewall scripts that you can study and even adopt to suit your Linux server.

Some Linux distributions include tools that are designed to simplify the configuration of your firewall such as Ubuntu's ufw firewall configuration tool. We shall take a quick look at ufw on the Ubuntu Server Firewall page to see how it works and how to use it.

These resources will help you on your way to understanding iptables/netfilter at a higher level but there are times when we need a firewall and we need one faster than we can learn how to make one (or we dont want to learn how to make one). If this sounds like you then there are a number of tools available that you can use to create your firewall without having to roll up your sleeves.

The Easy Firewall Generator provides an excellent IPTables firewall script in seconds that will work immediately the vast majority of the time without any modification. Credit for the Easy Firewall Generator we host on linuxserverhowto.com goes to its creator, T. S. Morizot. Many thanks Scott!

Firestarter is a free, open source graphical firewall configuration tool that is powerful and easy to use. It is suitable for use on servers, desktops and dedicated gateways.

Shorewall is free to use and once installed on your server will assist you by helping you configure and generate a firewall script.