Building a powerful & affordable firewall with Linux

It's no doubt that one of the leaders for network equipment is Cisco Systems. Newer Cisco devices are starting to use what Cisco calls its "IOS-XE" operating system, which is a customized flavor of GNU/Linux.

It's no doubt that one of the leaders for network equipment is Cisco Systems. Newer Cisco devices are starting to use what Cisco calls its "IOS-XE" operating system, which is a customized flavor of GNU/Linux. Yes, GNU/Linux, which should not come as any surprise as GNU/Linux is used on countless high level appliances and security devices. In fact, there are hardly any appliances or security devices that run Windows for the operating system. Why? Because GNU/Linux is highly scalable, powerful, reliable, and a better overall solution than Windows.

I have always been a huge fan of using GNU/Linux for building my own firewall boxes. First, old machines like Pentium II or Pentium III boxes are perfect for this. These boxes will easily run even the latest version of GNU/Linux. The Linux kernel itself has many functions built in for network routing, traffic shaping, bridging, virtual IP addresses, and just about anything else that a firewall needs to support. And the fact that Cisco now leverages the Linux kernel for its appliances tells me that even Cisco agrees.

Having GNU/Linux also opens the door for countless additional functionality to be added as well. For instance in small business environments, I usually install NTP services on the GNU/Linux firewall box for all network clients on the private network. NTP is a simple service but highly effective for keeping all clocks in perfect sync on the network, which is important. I also use ftpproxy, which is an FTP gateway service. It allows outside clients to connect to any internal host by providing the username@host at the gateway, and must authenticate before the client can touch the FTP server located on the private network. Another highly useful application for GNU/Linux firewalls is MRTG, which is a router traffic graphing program. Perfect for monitoring bandwidth that passes through the firewall. I also usually install "dhcpd" which is the DHCP server for local network clients. You can even use the firewall as a web caching server as well with "squid". These are just scratching the surface, but having the flexiblity of running these services on a single box at a fraction of the cost of a full hardware firewall provided by Cisco, can save a lot of cash for businesses, or even for home use. Many Pentium II and Pentium III boxes are available today at minimal or even no cost. And GNU/Linux has zero costs as well, which is a very appealing price.

Setting up a firewall is not a super easy task. I always advise setting up a lab environment on a local network, and having at least one computer on the outside and inside of the firewall box for testing. So, basically 3 machines total is good for testing everything. Then, have fun at it, and see what you can build and make work. In most GNU/Linux distributions, basic firewall settings can be configured directly with GUI tools. For instance in Fedora and CentOS, the "Firewall" application under the System / Administration menu, can be used to enable the built-in firewall services (iptables and ip6tables; iptables is for IPv4, and ip6tables is for IPv6). In there, you can set which network services to allow on which interface(s), and also enable masquerading (which is also called Internet connection sharing). But, in order to configure additional IP filtering and to forward incoming connections from the Internet to hosts located on your private network, you will need to dig into the command line and edit the configuration file for iptables. Most commonly, this configuration file is /etc/sysconfig/iptables, which is automatically created the first time by the "Firewall" GUI application. This file contains the rules that the iptables service sets using the iptables command line utility. What is iptables exactly? The "iptables" program is used to create, modify, and delete rules which define what IP traffic is allowed in to, out from, and through the firewall box. This is where things can get complex, and is past the scope of this article. My advice is to read the Iptables Howto, which contains very good information about how iptables works. It is definitely not easy reading, so my further advice is to look for examples for what you want to do, then adjust and add the example rules to your /etc/sysconfig/iptables file and test it out. Digging in and seeing how things work is a great way to learn. The point is that iptables is extremely powerful, and is what every GNU/Linux firewall box uses (even retail routers such as the Linksys WRT54GL). Once set up, it just plain works.