Iptables

This article is based on the old wiki article "iptables and stateful firewall" (see the end of the article) and aims to get you started with iptables and a stateful firewall, in the hope that it will encourage you to write stateful firewall rules, maybe your first, and why not a complicated set of rules.

First off, you will need to configure your kernel with netfilter support. If you want to be able to add rules based on IP filtering, such as blacklisting IP addresses based on a live feed, do not forget to add IPSet support to your kernel and merge the corresponding package.

Installation
Then merge the package with the desired USE flags to get you started.

Kernel configuration
So fire up a `make nconfig' in a terminal or a virtual terminal, or else a `make menuconfig' for a more graphical output, in your Linux source directory, usually `/usr/src/linux' if that link points to something.

One can set the IPv6 support category to  to be safe and enable almost all Netfilter subcategories as follows. Or else, enable only what you need and leave the other modules unset. You will certainly want almost all IP virtual server support core components (schedulers are certainly optional), IP: Netfilter Configuration support, IPv6: Netfilter Configuration for IPv6 support, and IP set support for filtering based on IP, MAC and ports. Then pick what you need in Core Netfilter Configuration, with at least: Netfilter: NFQUEUE, LOG; Connection tracking: flow, mark, events, netlink; Netfilter Xtables: NFQUEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}... you get the idea.

Once done, build your kernel and install kernel modules with something like: `make -j2 && make modules_install'.

Firewall
To create firewall rules, we are going to use ipt=$(which iptables), or ipt=$(which ip6tables) for IPv6 support, to write down a few rules that will be loaded using `$ipt-restore <$rules'. Rules files are usually saved to `/var/lib/$ipt/rules-save' so that whenever your machine is powered on, the rule set will be loaded automatically with `/etc/init.d/$ipt'.

Let's begin with a little example:

If you are looking for the perfect firewall, the previous command sets the policy of the INPUT chain and will satisfy the most paranoid. However, it drops every packet sent to the local host, and that is usually not what anybody wants as a default policy.

That example shows how we will be generating firewall rules.

Stateless firewall
A traditional firewall uses stateless firewall rules like:

that just open unconditional holes without any kind of filtering based on the state of the connection, the interfaces or the ports. That rule will just accept any web traffic on port 80, because standard web traffic originates from port 80 (the `--sport' switch means source port). This is what a stateful firewall approach avoids, by filtering inbound and outbound packets based on the state of the connection.

Stateful firewall
In a stateful firewall approach, the previous example will be handled like:

First, we will drop everything like a hot potato, then accept only incoming traffic depending on the state of the packets (state NEW here), and then establish the connection. Even better, we could place the last line before the second one, so that packets of already related and established connections avoid going through a complicated filtering chain.

This is how a stateful firewall operates: it avoids opening unneeded holes and accepts inbound and outbound packets based on the state of the packets.

Generating firewall rules
This section will try to build up a script that will generate a set of rules with internal and external interfaces.
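
One way such a generator could look, as an added example that is not the original article's script: `gen_rules` (a hypothetical name) prints a rule set in iptables-restore format with a default DROP policy, the ESTABLISHED,RELATED rule placed first as suggested in the Stateful firewall section, and NEW connections accepted only on the listed TCP ports of the external interface. The interface names, the port list, and the choice to trust the internal interface and leave OUTPUT open are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): print a stateful rule set
# in iptables-restore format. All names and defaults here are assumptions.
#
# gen_rules EXT_IF INT_IF "TCP_PORTS"
#   EXT_IF     untrusted (external) interface
#   INT_IF     trusted (internal) interface
#   TCP_PORTS  space-separated TCP ports to open on EXT_IF
gen_rules() {
    ext_if=$1 int_if=$2 tcp_ports=$3

    # The arguments end up inside rule lines, so reject anything that is
    # not a plain interface name or a port number in 1..65535.
    for ifc in "$ext_if" "$int_if"; do
        case $ifc in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    for p in $tcp_ports; do
        case $p in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    # Default policy: drop inbound and forwarded packets, allow outbound.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Known connections first, so they skip the rest of the chain; then
    # drop packets conntrack cannot classify and accept loopback traffic.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -i lo -j ACCEPT'
    # Trusted side: any new connection. Untrusted side: listed ports only.
    echo "-A INPUT -i $int_if -m state --state NEW -j ACCEPT"
    for p in $tcp_ports; do
        echo "-A INPUT -i $ext_if -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Dry run: gen_rules eth0 eth1 "22 80" | iptables-restore --test
```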

External resources

 * iptables and stateful firewall source article
 * iptables and stateful firewall