Setting Up Linux for Firewalling
To build a Linux IP firewall, it is necessary to have a kernel built with IP firewall support and the appropriate configuration utility. In all production kernels prior to the 2.2 series, you would use the ipfwadm utility. The 2.2.x kernels marked the release of the third generation of IP firewall for Linux called IP Chains. IP chains use a program similar to ipfwadm called ipchains. Linux kernels 2.3.15 and later support the fourth generation of Linux IP firewall called netfilter. The netfilter code is the result of a large redesign of the packet handling flow in Linux. The netfilter is a multifaceted creature, providing direct backward-compatible support for both ipfwadm and ipchains as well as a new alternative command called iptables. We’ll talk about the differences between the three in the next few sections.
Kernel Configured with IP Firewall
The Linux kernel must be configured to support IP firewalling. There
isn’t much more to it than selecting the appropriate options when
performing a make menuconfig of your
kernel.[60]
We described how to do this is in
Chapter 3.
In 2.2 kernels you should select the following options:
Networking options ---> [*] Network firewalls [*] TCP/IP networking [*] IP: firewalling [*] IP: firewall packet logging
In kernels 2.4.0 and later you should select this option instead:
Networking options ---> [*] Network packet filtering (replaces ipchains) IP: Netfilter Configuration ---> . <M> Userspace queueing via NETLINK ...
Get Linux Network Administrator's Guide, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
