Linux firewalls

When looking for an effective, inexpensive firewall solution, Linux firewalls do not often enter into the picture unless someone involved in the security planning process is a Linux guru. With the ability to easily run on that old system in the corner – the one that can’t even load the latest version of Windows (mine runs on a Pentium 133) – Linux firewalls can provide many of the basic features and functionality of their commercial counterparts, such as NAT (network address translation) and stateful packet filtering, at a fraction of the cost.

Linux firewalls may not be the best solution in all situations – such as the main corporate gateway firewall for large organizations – but they work great as internal firewalls separating network subnets and gateway firewalls for small and medium businesses and home networks with broadband Internet access.

Current Linux firewalls (2.4 kernel) run netfilter/iptables. Netfilter provides the kernel hooks that allow the firewall to inspect network traffic; iptables provides the table structure to define rule sets that govern traffic flow. Many Linux distributions include netfilter/iptables support by default; find more at http://www.netfilter.org.

The hardest part about using Linux firewalls is properly configuring them. The first step is to ensure that the system acting as the firewall is as secure and hardened as possible. During initial installation, install only the minimum required packages to provide basic system functionality, IP forwarding, and iptables support. Your mantra is: “If the firewall does not need it, do not install it.”

For some distributions, this may mean removing additional packages after installation, even when selecting the most basic installation. For example, with Red Hat Inc. systems there are several programs you can only remove after installation (such as sendmail) if they are not needed. Linux hardening scripts can also help you through this process – the best tool I have found is Bastille Linux, available at http://www.bastille-linux.org.

Once the system is properly configured, it is time to create the iptables firewall script that will add the proper rule set to apply to inbound and outbound packets. A great resource is New Riders’ Linux Firewalls (Second Edition) by Bob Ziegler. Firewall Builder, included in Mandrake and Debian distributions or available at http://fwbuilder.sourceforge.net, is a graphical front end that can ease this process. For newbies, Red Hat provides Lokkit, a basic GUI configuration tool ideal for beginners and networks that only require a very simple firewall configuration.

Deciding how to access the firewall system is an important step that is often overlooked. In the systems I build, I only allow access through SSH using key authentication. Many documents on the Internet can help: http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html and http://www.iptables.organd are excellent introductions, as are the how-to guides at the aforementioned netfilter site.

Linux firewalls can be a robust, cost-effective solution for almost any organization, as long as the system is properly configured.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now