Firewall fundamentals - Linux
WHAT IS A FIREWALL?

A firewall is usually a computer that sits on two different networks and passes allowed traffic between them, filtering out traffic that is not permitted. Usually placed between a company's network and the outside world, a firewall provides a useful security blanket to stop rogue traffic getting in, and to stop internal users contacting services they shouldn't on the way out. Firewalls can also be used between departmental networks within a company, and even on individual machines to limit the incoming and outgoing traffic that may pass.

We need firewalls because of the "port scanners" out there - automated or manual - that will look for open ports (services) on your computer and will attempt to connect to any that are carelessly left open.

CHAINS

Kernel chains are how packets pass between the outside world and the operating system, and you specify rules using three types of chain:

INPUT - for packets destined for the firewall
OUTPUT - for packets originating from the firewall
FORWARD - for packets neither destined for nor originating from the firewall

If you're firewalling an individual machine (as we'll do in the examples that follow), you won't have any forwarding possibilities, so you won't be concerned with FORWARD packets.

SETTING UP A FIREWALL VIA IPCHAINS

Use the iptables command.

-L  list current settings
-P  set the default policy for a chain
-A  append a further rule at the end of a chain
-I  insert a rule at the top of a chain

READING THE CURRENT SETTINGS

snowdrop:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
snowdrop:~ #

PLANNING YOUR ACTION

If you're setting up a tight firewall, then you'll want to start off by setting the default ACCEPT policy to DROP. Then add back in support for established or related packets - once you've allowed a connection, you really must allow the conversation to continue.

The Domain Name Service (DNS) really ought to be allowed in most circumstances, otherwise users are "flying blind", so that should be added back in. And we'll want to add in pings too if we want people to be able to check if we're around. Finally, we should allow loopback traffic so that services / clients running within our system can work.

And finally, consider other services you want to add - we'll allow incoming ftp, ssh, ldap and web in our example; perhaps we're firewalling a web and ldap server. We will NOT allow MySQL even though the server may be running it, as we've probably chosen to make it accessible from ssh sessions and the web server only.

Outgoing - any service to be allowed.
Forward - all services banned.

APPLYING THE CHAINS

We've edited the rules into a file ...

snowdrop:~ # cat chaingang
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
snowdrop:~ #

And applied the rules:

snowdrop:~ # . ./chaingang
snowdrop:~ #

Checking that they worked:

snowdrop:~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldap
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldap
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldap
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
snowdrop:~ #

NAT RESOLUTION

If you're forwarding packets (which in our example we're not, as we've only got the one interface card), then you can use Network Address Translation (or NAT) to change the source or destination IP address of a packet as it passes through the firewall. Why would you want to do this? Firstly, so that external packets can be routed to a specific server on your internal network; not only does this approach save on IP addresses, but it lets you hide your network behind the firewall and not reveal its structure. Secondly, so that with your single IP address to the world any of your users can use Internet services - with their outgoing packets being rewritten to make it appear as if they came from your company's main system, and incoming (return) packets being addressed back to them. As you get more into this technology, you'll find that you're using SNAT (Source NAT) and DNAT (Destination NAT).

See also: Setting up a firewall on Linux

Please note that articles in this section of our web site were current and correct to the best of our ability when published, but by the nature of our business may go out of date quite quickly. The quoting of a price, contract term or any other information in this area of our website is NOT an offer to supply now on those terms - please check back via our main web site.
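The script below is an added example for this article, not the original chaingang file. It does the same job as the PLANNING YOUR ACTION and APPLYING THE CHAINS steps above, with three practical changes: it flushes each chain before adding rules (iptables -A appends and -I inserts, so sourcing an append-only file more than once stacks another copy of every rule, which is what the repeated lines in the "Checking that they worked" listing show); it allows ICMP echo-request, which the text asks for (ping) but the original file never adds; and it logs whatever falls through to the DROP policy, rate limited, so port scans are visible in syslog. It also carries two small helpers for auditing saved iptables -L output: one reports the default policy of a chain, the other lists any rule that appears more than once. The interface name eth0, the service list and the sample listings are assumptions or constructed data, and the state match and LOG target are assumed to be available in the running kernel. Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the article's chaingang script): an idempotent
# single-host ruleset plus two helpers for auditing `iptables -L` output.
# Assumptions: one interface (eth0), iptables with the state match and
# the LOG target. IPT=echo previews the commands without touching the kernel.

IFACE="${IFACE:-eth0}"
TCP_SERVICES="ssh domain ldap ftp ftp-data http"   # services the article lets in
UDP_SERVICES="domain ldap"                         # DNS and LDAP also use UDP

apply_firewall() {
    ipt="${IPT:-iptables}"

    # Flush first: -A appends and -I inserts, so re-running an append-only
    # script (as the article's second listing shows) duplicates every rule.
    $ipt -F INPUT
    $ipt -F FORWARD
    $ipt -F OUTPUT

    # Default policies: nothing in, nothing through, anything out.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback and already-established conversations first, so the common
    # case is matched before the per-service rules are consulted.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP that TCP needs to work (path MTU, unreachables), plus echo-request
    # so that ping is answered, which the article asks for but never adds.
    for t in destination-unreachable source-quench time-exceeded echo-request; do
        $ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    for s in $TCP_SERVICES; do
        $ipt -A INPUT -p tcp --dport "$s" -i "$IFACE" -j ACCEPT
    done
    for s in $UDP_SERVICES; do
        $ipt -A INPUT -p udp --dport "$s" -i "$IFACE" -j ACCEPT
    done

    # Anything else reaches the DROP policy; log it (rate limited) on the
    # way so scans of closed ports show up in syslog.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# Print the default policy of the named chain from `iptables -L` output on stdin.
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p"
}

# Report rules that appear more than once in `iptables -L` output on stdin.
# Returns 0 when the listing is clean, 1 when duplicates were found.
audit_listing() {
    dups=$(grep -v -e '^Chain ' -e '^target ' -e '^$' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate rules:\n%s\n' "$dups"
        return 1
    fi
    return 0
}

# Constructed sample listing, modelled on the article's: the ICMP rule for
# time-exceeded was added twice, and the INPUT policy is already DROP.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
)

# Constructed sample of a fresh system (all chains empty, policy ACCEPT).
CLEAN_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
)

# Usage:  sh firewall.sh apply            (IPT=echo sh firewall.sh apply to preview)
#         iptables -L | sh firewall.sh audit
case "${1:-}" in
    apply) apply_firewall ;;
    audit) audit_listing ;;
esac
```

Run the audit against the listing in the article and every ICMP and service rule is reported, because the file was sourced more than once; run it after apply_firewall and nothing is reported, because the chains are flushed before the rules are added.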