Blocking unwanted connections with IP chains

Linux has a package called IP chains that allows you to set up a firewall on a Linux system. This capability is useful for protecting an entire network at its entry point or blocking certain connections on an individual workstation. When a network interface receives a packet, it puts the packet through a chain of rules. These rules are made up of evaluations that decide if a packet is denied, if it is allowed through, or if the default action is taken.

These chains and rules are configured using the ipchains tool. The syntax for ipchains is as follows:

ns -[ADC] chain rule-specification [options]

ns -[RI] chain rulenum rule-specification [options]

ns -D chain rulenum [options]

ns -P chain target [options]

The ipchains tool can take many command-line options and parameters. They are broken up into Tables 17-12 and 17-13 for ease of reading and to separate the different functionalities.

Table 17-12

ipchains Commands



-A, --append

Appends a rule to the end of the specified chain.

-D, --delete <rul

'e number>l Deletes one or more rules from the specified chain.

<matching rule>

-R, --replace <rule number> Replaces the specified rule with another.

-R, --replace <rule number> Replaces the specified rule with another.

-I, --insert <number of rule Inserts a new rule before the specified rule.

to insert before>

Lists the rules in the specified chain, or all chains.

-F, --flush <chain name> Clears all rules in the specified chain.

Zeroes all counters in the specified chain.

-N, --new-chain <chain name> Creates a new user-defined chain with the specified name.


Table 17-12 (continued)



-P, --policy

Sets the default target for a chain.

-M, --masquerading

Used with the -L function, lists the current masqueraded connections. Used with the -S option, sets the kernel masquerading parameters.

-S, --set tcp tcpfin udp

Changes the timeout values used for masquerading. The timeouts are as follows: tcp indicates TCP session timeout; tcpfin indicates TCP session timeout after receiving a FIN packet; and udp indicates UDP packet timeout. This option is only used along with the -M flag.

-C, --check

Checks the given packet against the selected chain. Useful for testing and debugging.



Table 17-13 ipchains Parameters



-p, --protocol [!]

The protocol of the rule or packet to check. Possible values are tcp, udp, icmp, or all. Other values listed in /etc/protocols may be used. A ! preceding the protocol name inverts the test. For example, a rule with !tcp would apply to any protocol that is not tcp.

-s, --src, --source [!] address/[mask] [!] [port[:port]]

Specifies the source address and optional port of a connection.

--sport, --source-port [!] [port[:port]]

Used to separately define a source port or range of ports.

-d, --dst, --destination [!] address[/mask] [!] [port[:port]]

Specifies the destination address and optional port of a connection.

--dport, --destinationport [!] [port[:port]]

Separately specifies the destination port.

Checks for ICMP type. Uses -h icmp to see the full list

Checks for ICMP type. Uses -h icmp to see the full list



-j, --jump <target>

Specifies the target of a rule or what to do if a packet matches this rule. If this option is left out of a rule, the rule has no effect but can be used for logging purposes.

-i, --interface [!] <interface name>

Specifies the interface through which a packet must enter for the Input chain or exit for the Output chain.

[!] -f, --fragment

Specifies that the rule is used only for the second and subsequent fragments of a packet.

-b, --bidirectional

Matches the packet in both directions. It is the same as adding two rules with the source and destinations reversed.

-v, --verbose

Enables verbose output for the -L command.

-n, --numeric

Shows addresses in numeric form, instead of resolving to hostnames.

-l, --log

Enables logging for packets that match this rule.

Chains and rules

When packets pass through the selected interface, they are evaluated against rules. A group of rules makes up a chain.


There are three main chains in IP chains: Input, Output, and Forward. A packet is processed through the Input chain when it is received by a network interface. The Output chain is used when a packet is sent out a network interface. The Forward chain is used when a packet is being forwarded from one interface to another, inside of a system.

In most cases you put your rules on the Input chain, since this provides the most protection. The chains are processed sequentially: When a packet is received, it goes through the Input chain; if it passes through that, it goes to the Forward chain; and if it survives that, it finally goes to the Output chain. If a packet is destined for the local system it will pass through only the Input chain.

The chains have a default policy that you set up. Normally, the default is DENY, and you must explicitly allow things through. The possible default policies are DENY, REJECT, and ACCEPT. A subtle but very important difference exists between DENY and REJECT. When a packet is met with DENY, it is simply dropped. No word is sent back to the source informing it of this action. The REJECT policy sends back an ICMP message to the source telling it that the packet was denied. The choice of which to use depends on the situation. Most people want their firewall to silently drop the packet and not report back any information to someone probing their site. The problem with this practice, however, is that it can sometimes cause confusion when troubleshooting a network problem.


Rules control what happens to a packet as it passes through a chain. Rules are made up of a condition that must be met and an optional target. When a packet is processed through a chain, it is matched against the rules in order until the first match is found. Once the match is found, the target is invoked, and the packet may then be forwarded along or rejected.

In some cases creating a rule that has no target is useful. This causes the packet to match, but no action is taken, and the packet continues through the chain. The idea is to use these phantom rules for logging and statistical purposes so you can see what type of traffic is being sent through the firewall.

The six basic targets that can be used in rules are as follows:

ACCEPT is used to move the packet to the next chain or out of the network interface if it succeeds through the Output chain. DENY and REJECT were already discussed and cause a packet to be stopped, with varying results. MASQ is used only in the Forward chain and is discussed later in this chapter.

REDIRECT is used to redirect packets to a local socket, instead of the remote socket in their header. It is used only in the Input chain and finds use in applications such as transparent Web caches and proxies. This way, a user's Web request is sent through the cache without the user's even knowing.

RETURN is really used only in user-defined chains. This causes the packet to return to the calling chain. A user-defined chain is a chain just like Input, Output, and Forward, but has no default policy and is created by the user. It is called just like any other target, but by its name, which is set by the user. User-defined chains are used to increase modularity of complex chain structures. They allow the user to break out certain rule check sequences into other parts for ease of administration.

Rule order

The order in which rules are applied is extremely important. The target of the first matching rule is used on a packet. If the rules are not in the correct order, you may not get the expected result. Consider the following metarules:

Allow Anyone to WebServer at Port 80 Deny to WebServer at Port 80

Since the processing of the chain stops at the first matching rule, everyone can get to the Webserver, even the guys from you are trying to stop. The rules should be reversed so that specific rules should come before general rules.

Putting it all together

So now you understand rules, chains, conditions, targets, and rule order. Most likely you currently do not have any rules, but to be safe you should clear out the chains by using the -F option. These commands can be entered at the command line manually, but are usually put at the beginning of a configuration script:

ipchains -F input ipchains -F output ipchains -F forward

These commands should usually be at the beginning of any ipchains script, to be safe. The last thing you need are quirky results because of a forgotten rule hanging around. The next step is to set the default policy for all three of the standard chains by using the -P option. For example:

ipchains -P input DENY ipchains -P output ACCEPT ipchains -P forward ACCEPT

Most rules happen when a packet enters the system, so by default you deny everything and open the gate for certain packets with rules. To keep things simple, set the other two chains to ACCEPT. This may not be the best choice for a complicated setup, so use your judgment in the situation at hand. To make sure your changes worked, list the current state:

debian:/home/jason# ipchains -L Chain input (policy DENY): Chain forward (policy ACCEPT): Chain output (policy ACCEPT):

Getting in the habit of also using the -n option when viewing the rules is a good idea. This option causes the system to display only IP addresses, and not to resolve them to hostnames. With an open ruleset resolving names may be fine, but when you start restricting access, you may no longer be able to access DNS names, and resolving names causes a very long timeout period.

Now you are ready to create your rules. Right now the system is like Fort Knox — nothing is getting in since the default Input chain's policy is set to DENY, and no rules are defined to get around that. First, allow the internal interfaces to receive packets. Assume this system has two network interfaces: the internal is eth0 with a network range of and the external is eth1. To allow the internal interfaces to receive packets, you would use the following:

ipchains -A input -i lo -j ACCEPT ipchains -A input -i eth0 -j ACCEPT

Don't forget about the loopback interface named lo. A lot of services use this and may not function if it is denied. Certain ranges of IP addresses you should never see coming in, and it is usually a good idea to block those explicitly. For example:

ipchains -A input -i ethl -s j DENY ipchains -A input -i ethl -s -j DENY

These are private unroutable addresses that should never send packets to your incoming interface. To make sure no one tries to spoof you, you can block them. If you are using public addresses, IP addresses assigned to you by your ISP, you should also block those from coming in on the outside interface to prevent spoofing.

The next step is to open up any ports for services that you host, such as mail and SSH. For example:

ipchains -A input -i eth1 -p tcp -d 25 -j ACCEPT ipchains -A input -i eth1 -dport 22 -j ACCEPT

These rules would allow outside hosts to connect to the internal mail server. It also allows SSH connections to the firewall itself from the outside world, in case of maintenance or a needed change when you're not at the workstation. The next examples are two rules that are used to allow replies to DNS queries. In the following examples, change the IP address of to that of your ISP's DNS server.

ipchains -A input -i eth1 -p udp -s 53 -j ACCEPT ipchains -A input -i eth1 -p tcp -s 53 -j ACCEPT

Finally, logging packets that are denied by your firewall is usually a good idea. This way you can get a look at who is trying to access blocked services. Sometimes this shows a configuration problem; other times it shows the people you are trying to keep out working to get in. To log all denied packets you would use the following:

ipchains -A input -j DENY -l

This reinforces the default policy of the chain, but adds the logging option.

IP masquerading

Many people are now getting broadband Internet connections to their home or office. They want to be able to share this connection with multiple PCs, but most ISPs give out only one IP address per connection. The solution to this is IP masquerading, or IP Masq. IP Masq lets all of your systems share one IP address. It's not really a part of firewalling or filtering, but is handled by IP chains.

Exam Tip The MASQ target is only used with the Forward chain.

Configuring IP Masq is very easy. Use the sample network and ipchains you set up in the previous section. Since the network used is listed as private use only, packets from this network will not be routed on the Internet. To get these systems on the Internet, you need to use IP Masq and have them hide behind a single real IP address. The command to enable IP Masq in this situation is as follows:

ipchains -F forward ipchains -A forward -s -d ! -j MASQ

That's it! This flushes any old rules out of the Forward chain and causes any packets from that are not local (destination isn't on the same network) to be masqueraded as the real IP address assigned to the system's network interface.

Enabling forwarding

IP masquerading only functions if packet forwarding is enabled. Most Linux distributions ship with this feature disabled, for security. You can enable it in two ways. The first is to edit the /etc/sysconfig/network file in Red Hat and to add the following setting:


The other method uses the /proc file system by echoing a 1 into

/proc/sys/net/ipv4/ip_forward by using the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

If you use the second method, be sure to add this command to your firewall startup script or another script run at boot.

Exam Tip IP forwarding can be enabled two ways. Make sure to know both.

Saving the configuration

The rules you create with ipchains are volatile; they go away when the system is rebooted. To keep them around, you should create a script that runs the commands again and have it started at boot. The following is an example script.

# Firewall Script

# Enable IP Forwarding

# Flush old rulesets.

ipchains -F input ipchains -F output ipchains -F forward #

# Set default policies.

ipchains -P input DENY ipchains -P output ACCEPT

ipchains -P forward ACCEPT #

# Allow local interfaces

ipchains -A input -i lo -j ACCEPT

ipchains -A input -i eth0 -j ACCEPT #

# Deny address blocks we should never see.

# Also include our local address block since we should not

# see these on this interface.

ipchains -A input -i ethl -s -j DENY ipchains -A input -i ethl -s -j DENY

ipchains -A input -i eth1 -s -j DENY

# Allow inbound services. Mail and SSH.

ipchains -A input -i eth1 -p tcp -d 25 -j ACCEPT

ipchains -A input -i eth1 -dport 22 -j ACCEPT #

# Allow DNS query responses.

ipchains -A input -i eth1 -p udp -s 53 -j ACCEPT

ipchains -A input -i eth1 -p tcp -s 53 -j ACCEPT #

# Deny all other packets and log them.

# Enable IP Masq for the internal network.

ipchains -A forward -s -d ! -j MASQ

Was this article helpful?

0 0

Post a comment