This is an archived course. Information may be out of date, some links are broken and email addresses have been removed.

10 Firewalls: Ipchains syntax and implementation

Okay, I think we've covered a good bit of theory about what a firewall should and shouldn't allow now. Time to get to building them. We'll start with ipchains, since that's simpler than iptables, and move on up.

There is an excellent how-to that explains the rules of ipchains firewalling at:
I could go over the syntax (and will if anyone wants me to), but feel like I'd be reinventing the wheel since I think Rusty's done such a good, clear job of it already.
is particularly helpful, and explains the basics of syntax. Please ask if anything is unclear or confusing.

So let's try to apply all this knowledge. You are a security consultant hired by the admin of's network. You have the (we'll pretend that it's routable) IP block Most of your network is comprised of Windows workstation boxes. You also have some Linux workstation boxes, an FTP server running under Solaris at, a Web server running under Linux at, and a file server for the Windows machines at Your mail server is hosted on the same machine as your Web server ( DNS is handled by a FreeBSD server at

Your Windows users want to be able to "access the Internet". Your Linux users want to be able to ssh into their workstations from home so that they can work remotely. The company is worried about the security of its network, and wants for you to firewall it off from the Internet, without disrupting business. You decide to use ipchains under Linux.

What sort of a setup would you recommend? What further questions would you have for your employers? And what firewall ruleset(s) would you propose? We will assume for the purposes of this discussion that the Linux boxes you're using are already built, that firewalling and IP masquerading support are already built into the kernel, and that the Linux boxes have been stripped of unnecessary services and locked down. Post your ideas and rules to the list, and we'll discuss them and see what the best setup we can come up with is for

Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at