Introduction to ipchains

This article will cover the basics of ipchains - how to compile the kernel, and the basics of configuring it. It will assume a basic knowledge of TCP/IP and firewalling. Ipchains is the firewall software available with Linux 2.2 - it is a rewrite of the older ipfwadm. It is used for configuring packet filtering, ip masquerading and other parts of a firewall, under linux.

To use ipchains, you need to have support in the kernel - specifically, you need at least support for the following options:


CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y

Ipchains allows you to manage rules in the kernel packet filtering area, by adding or deleting rules from various chains. A chain is simply a set of rules that decide what to do with each packet as it traverses the chain - hence the name. By default, there are 3 chains - the input chain, the forward chain, and the output chain. When a chain goes though the firewall, it first goes through the input chain to see if it is allowed it. After this, we have the routing decision, and if the packet isn't local - ie, destine for a different machine, it goes though the forward chain. Then, just before the packet leaves the machine, it goes through the output chain.

There are a few basic command line options with ipchains:

Now, to use ipchains, you need to start by setting default policies on the various default chains. You do this by:


/sbin/ipchains -P <chain> <target>

For example, to set the default input policy to reject - a very sensible precaution, you could do:


/sbin/ipchains -P input REJECT

A ipchain rule is built up of a combination of source and destination IP address, source and destination port, protocol, interfaces and others. By building rules up with these fundamental blocks, you can create quite complex and flexible rules.

To specify the source and / or destination IP address, you use the following syntax.


/sbin/ipchains -A <chain> -s <ip> -d <ip>

The IP address can be specified in one of a few different ways - the normal way of doing so is just use the dns entry, or the IP address. You can also specify an IP range - either using CIDR notation, or the netmask. For example 192.168.1.0/24 or 192.168.1.0/255.255.255.0, which both specify the same IP range.

You can also specify the protocol, and in the case of tcp or udp, the port - be it a single port or a range. You can also either use the port number, or the service name from /etc/services.

There are many options you can use for the target - you can specify a user defined chain, or you can use one of the defaults.

Now we'll discuss a basic example network, which should give you an idea of how ipchains works. The network, example.net, will be using the RFC1918 private address range 192.168.1.0/24. The router will be 192.168.1.1, the mail server 192.168.1.2, the webserver 192.168.1.3, and the client workstation 192.168.1.4. Our example rules would be something like the following.


# Set default policy for all chains
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -P output ACCEPT

# Set rules for forwarding chain
# Allow icmp to and from our example network for pings etc
/sbin/ipchains -A forward -p icmp -b -d 192.168.1.0/24 -j ACCEPT
# Allow tcp port 25 to and from 192.168.1.2 (ie, smtp to and from the mail server)
/sbin/ipchains -A forward -p tcp -b -d 192.168.1.2 25 -j ACCEPT
# Allow tcp port 80 to and from 192.168.1.3 (ie, http to and from the web server)
/sbin/ipchains -A forward -p tcp -b -d 192.168.1.3 80 -j ACCEPT
# Masquerade the client workstation
/sbin/ipchains -A forward -s 192.168.1.3 -j MASQ
# Log any denied packets - useful for testing
/sbin/ipchains -A forward -l -j REJECT

So as you can see from the example it is easy to get basic packet filtering working, and ipchains gives us most of the basic tools we need to firewall our network. However it is important to be careful when working with firewall rules, as it is easy to deny access to legitimate users - it is essential to test your rules carefully from an outside network.