Showing posts with label ipchains.

Wednesday, 9 January 2013

ipchains Scripts


ipchains support scripts

The ipchains software package is supplied with three support scripts: ipfwadm-wrapper, ipchains-save and ipchains-restore. The first of these we've discussed briefly already, while the remaining two provide an easy and convenient means of saving and restoring your firewall configuration.

The ipfwadm-wrapper script emulates the command-line syntax of the ipfwadm command, but drives the ipchains command to build the firewall rules. This is a convenient way to migrate an existing firewall configuration to a 2.2 kernel, or an alternative to learning the ipchains syntax. The ipfwadm-wrapper script behaves differently from the ipfwadm command in two ways. Firstly, because the ipchains command doesn't support specification of an interface by address, the ipfwadm-wrapper script accepts a -V argument but attempts to convert it into the ipchains equivalent of -W by searching for the interface name configured with the supplied address; the script always prints a warning when you use -V to remind you of this. Secondly, fragment accounting rules are not translated correctly, so check any such rules by hand after migrating.
The ipchains-save and ipchains-restore scripts make building and modifying a firewall configuration much simpler. The ipchains-save command reads the current firewall configuration and writes a simplified form to the standard output. The ipchains-restore command reads data in the output format of the ipchains-save command and configures the IP firewall with these rules. The advantage of using these scripts over directly editing your firewall configuration script and re-testing it is that you can build your configuration interactively once and then save it. You can then restore that configuration, modify it, and resave it as you please.
To use the scripts, you'd enter something like:
        ipchains-save >/var/state/ipchains/firewall.state
to save your current firewall configuration. You'd restore it, perhaps at boot time, with:
        ipchains-restore </var/state/ipchains/firewall.state
The ipchains-restore script checks if any user-defined chain listed in its input already exists. If you've supplied the -f argument, it will automatically flush the rules from the user-defined chain before configuring those in the input. The default behavior asks you whether to skip this chain or to flush it.
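To make the flush-or-skip behaviour concrete, here is an added example (not code from the original post or from the ipchains package): the decision ipchains-restore makes for each user-defined chain, re-implemented over a constructed state file and a mock ipchains command so it runs on a machine with no 2.2 kernel. The state-file layout used (":chain policy" lines, with "-" as the policy of a user-defined chain, followed by "-A chain ..." rule lines) and the way the mock probes for an existing chain with "ipchains -L chain -n" are assumptions, as is the rule that a skipped chain's rule lines are left unloaded.

```shell
#!/bin/sh
# Added example (not from the original post): the flush-or-skip decision that
# ipchains-restore makes for user-defined chains, re-implemented over a
# constructed state file and a mock ipchains command so it runs without a
# 2.2 kernel. The state-file layout (":chain policy" lines, "-" as the policy
# of a user-defined chain, then "-A chain ..." rule lines) is assumed here.

# Constructed sample of ipchains-save output.
SAMPLE_STATE=':input ACCEPT
:forward DENY
:output ACCEPT
:dmz -
-A input -i lo -j ACCEPT
-A input -s 172.16.1.0/24 -i eth1 -j dmz
-A dmz -p tcp -d 172.16.1.2 80 -j ACCEPT
-A dmz -j DENY -l'

# Mock kernel state: user-defined chains that already exist.
EXISTING_CHAINS="dmz"

# Mock ipchains: "-L chain -n" reports whether the chain exists (assumed to be
# how the real script probes for it); every other invocation is just echoed.
ipchains() {
    if [ "$1" = "-L" ]; then
        case " $EXISTING_CHAINS " in
            *" $2 "*) return 0 ;;
            *)        return 1 ;;
        esac
    fi
    printf 'ipchains %s\n' "$*"
}

# restore_state FLUSH ANSWER
#   FLUSH  "-f" to flush an existing user-defined chain without asking
#   ANSWER what the operator would type at the prompt, "flush" or "skip"
#          (a parameter here, where the real script reads the terminal)
# Prints the ipchains commands it would run. Rules belonging to a skipped
# chain are left out, so that chain's existing rules stay as they were.
restore_state() {
    flush=$1 answer=$2
    printf '%s\n' "$SAMPLE_STATE" | {
        skipped=""
        while IFS= read -r line; do
            case "$line" in
                ''|\#*) ;;                              # blank or comment
                :*)
                    chain=${line#:}; chain=${chain%% *}; policy=${line#* }
                    if [ "$policy" != "-" ]; then
                        ipchains -P "$chain" "$policy"  # built-in: set policy
                    elif ipchains -L "$chain" -n; then  # user-defined, exists
                        if [ "$flush" = "-f" ] || [ "$answer" = "flush" ]; then
                            ipchains -F "$chain"
                        else
                            skipped="$skipped $chain"
                        fi
                    else
                        ipchains -N "$chain"            # user-defined, new
                    fi ;;
                *)
                    set -- $line                        # $2 is the chain name
                    case " $skipped " in
                        *" $2 "*) ;;                    # chain was skipped
                        *) ipchains "$@" ;;
                    esac ;;
            esac
        done
    }
}

# Usage: compare what gets loaded with and without -f on a pre-existing chain.
restore_state -f skip
echo ---
restore_state "" skip
```

Run with -f and the existing dmz chain is flushed and then rebuilt from the file; without -f and with "skip" as the answer, the two -A dmz lines are never issued, so a stale chain keeps whatever rules it had. That is the reason to use -f when the restore runs unattended.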

Wednesday, 2 January 2013

Linux Firewall Basic Acknowledgements


Linux for Firewalling

To build a Linux IP firewall, it is necessary to have a kernel built with IP firewall support and the appropriate configuration utility. In all production kernels prior to the 2.2 series, you would use the ipfwadm utility. The 2.2.x kernels marked the release of the third generation of IP firewall for Linux, called IP Chains, which is configured with a program similar to ipfwadm called ipchains. Linux kernels 2.3.15 and later support the fourth generation of Linux IP firewall, called netfilter. The netfilter code is the result of a large redesign of the packet handling flow in Linux. Netfilter is multifaceted, providing direct backward-compatible support for both ipfwadm and ipchains as well as a new alternative command called iptables.

Kernel Configured with IP Firewall:-

The Linux kernel must be configured to support IP firewalling. There isn't much more to it than selecting the appropriate options when performing a make menuconfig of your kernel. In 2.2 kernels you should select the following options:
Networking options  --->
        [*] Network firewalls
        [*] TCP/IP networking
        [*] IP: firewalling
        [*] IP: firewall packet logging
Firewall packet logging is a special feature that writes a line of information about each datagram that matches a particular firewall rule out to a special device so you can see them. In kernels 2.4.0 and later you should select this option instead:
  Networking options  --->
     [*] Network packet filtering (replaces ipchains)
         IP: Netfilter Configuration  --->
              .
             <M> Userspace queueing via NETLINK (EXPERIMENTAL)
             <M> IP tables support (required for filtering/masq/NAT)
             <M>   limit match support
             <M>   MAC address match support
             <M>   netfilter MARK match support
             <M>   Multiple port match support
             <M>   TOS match support
             <M>   Connection state match support
             <M>   Unclean match support (EXPERIMENTAL)
             <M>   Owner match support (EXPERIMENTAL)
             <M>   Packet filtering
             <M>     REJECT target support
             <M>     MIRROR target support (EXPERIMENTAL)
              .
             <M>   Packet mangling
             <M>     TOS target support
             <M>     MARK target support
             <M>   LOG target support
             <M> ipchains (2.2-style) support
             <M> ipfwadm (2.0-style) support

The two compatibility modules are alternatives to iptables, not companions: a 2.4 kernel will not let the ipchains or ipfwadm compatibility module be loaded at the same time as ip_tables, so pick one style of firewall configuration per machine.

The ipfwadm Utility:-

The ipfwadm (IP Firewall Administration) utility is the tool used to build the firewall rules for all kernels prior to 2.2.0. Its command syntax can be very confusing because it can do such a complicated range of things, but I will provide some common examples that will illustrate the most important variations of these.
The ipfwadm utility is included in most modern Linux distributions, but perhaps not by default. There may be a specific software package for it that you have to install. If your distribution does not include it, you can obtain the source package from ftp.xos.nl in the /pub/linux/ipfwadm/ directory, and compile it yourself.

The ipchains Utility:-

Just as for the ipfwadm utility, the ipchains utility can be somewhat baffling to use at first. It provides all of the flexibility of ipfwadm with a simplified command syntax, and additionally provides a "chaining" mechanism that allows you to manage multiple rulesets and link them together.
The ipchains command appears in most Linux distributions based on the 2.2 kernels. If you want to compile it yourself, you can find the source package from its developer's site at http://www.rustcorp.com/linux/ipchains/. Included in the source package is a wrapper script called ipfwadm-wrapper that mimics the ipfwadm command, but actually invokes the ipchains command. Migration of an existing firewall configuration is much more painless with this addition.

The iptables Utility:-

The syntax of the iptables utility is quite similar to that of ipchains. The changes are improvements and a result of the tool being redesigned to be extensible through shared libraries. Just as for ipchains, I will present iptables equivalents of the examples so you can compare and contrast its syntax with the others.
The iptables utility is included in the netfilter source package available at http://www.samba.org/netfilter/. It will also be included in any Linux distribution based on the 2.4 series kernels.
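The similarity between the ipchains and iptables syntaxes is easiest to see by mechanically rewriting one into the other. The following is an added example, not code from the original post or from the netfilter project: a small translator that takes an ipchains rule (as you would type it, or as ipchains-save writes it) and prints the iptables command(s) that do the same thing. It covers only the points where the two syntaxes actually differ (chain names, DENY versus DROP, the port after an address versus --dport/--sport, -i versus -i/-o, -y versus --syn, and -l versus a separate LOG rule) and passes everything else through unchanged; the sample rules are constructed. Nothing is loaded into a kernel, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): translating ipchains rule
# syntax into the iptables equivalent, to make the differences between the
# two generations concrete. It only builds command lines; nothing is loaded
# into a kernel, so it runs on any machine with a POSIX shell.

# Built-in chains are upper-case in iptables; user-defined chains keep their name.
chain_name() {
    case "$1" in
        input|output|forward) printf '%s' "$1" | tr 'a-z' 'A-Z' ;;
        *) printf '%s' "$1" ;;
    esac
}

# ipchains DENY is iptables DROP; ACCEPT, REJECT and user chains are unchanged.
target_name() {
    case "$1" in
        DENY) printf 'DROP' ;;
        *)    printf '%s' "$1" ;;
    esac
}

# ipchains_to_iptables "<ipchains arguments>"
# Prints the equivalent iptables command(s), one per line. Returns 1 for
# -j MASQ, which has no filter-table equivalent (masquerading became a
# nat-table MASQUERADE rule and has to be rewritten by hand).
ipchains_to_iptables() {
    set -- $1                        # split the rule text into words
    chain="" match="" target="" log=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -P) printf 'iptables -P %s %s\n' "$(chain_name "$2")" "$(target_name "$3")"
                return 0 ;;
            -A|-I|-D)
                chain=$(chain_name "$2"); match="$match $1 $chain"; shift 2 ;;
            -s|-d)
                opt=$1; match="$match $1 $2"; shift 2
                # ipchains takes an optional port right after the address;
                # iptables needs an explicit --sport/--dport match instead
                if [ $# -gt 0 ]; then
                    case "$1" in
                        -*) ;;
                        *)  if [ "$opt" = "-s" ]; then match="$match --sport $1"
                            else match="$match --dport $1"; fi
                            shift ;;
                    esac
                fi ;;
            -i)
                # ipchains -i names the incoming interface on the input chain
                # but the outgoing one on output and forward; iptables uses -i/-o
                case "$chain" in
                    INPUT) match="$match -i $2" ;;
                    *)     match="$match -o $2" ;;
                esac
                shift 2 ;;
            -y) match="$match --syn"; shift ;;          # SYN-only TCP match
            -l) log=1; shift ;;                         # inline logging flag
            -j)
                if [ "$2" = "MASQ" ]; then
                    echo "MASQ: rewrite as 'iptables -t nat -A POSTROUTING ... -j MASQUERADE'" >&2
                    return 1
                fi
                target=$(target_name "$2"); shift 2 ;;
            *)  match="$match $1"; shift ;;             # -p, -m, etc. are the same
        esac
    done
    # ipchains logged with -l on the rule itself; iptables needs a separate
    # LOG rule in front of the one that decides the packet's fate
    [ -n "$log" ] && printf 'iptables%s -j LOG\n' "$match"
    [ -n "$target" ] && printf 'iptables%s -j %s\n' "$match" "$target"
    return 0
}

# Usage with constructed rules:
ipchains_to_iptables "-P forward DENY"
ipchains_to_iptables "-A input -p tcp -i eth1 -s 0.0.0.0/0 -d 172.16.1.2 80 -j DENY -l"
ipchains_to_iptables "-A output -i eth0 -p tcp -y -j REJECT"
```

Two of the translations are the ones that bite people in practice: a logged ipchains rule becomes two iptables rules, and -i on an ipchains output or forward rule must become -o, because iptables distinguishes the two interfaces while ipchains only ever had one.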