Build your own Linux server
Published: 22 Apr 2004
Firewall
Although you can scour the Internet, or even download packages such as Smoothwall that will convert your machine into a dedicated high-security firewall (dedicated means it will wipe any data already present), the built-in firewall, ipchains, is plenty good enough for our purposes. Unfortunately, it can also be hard to get to grips with.
Help is at hand. There's plenty of good documentation on the Web but, essentially, the ipchains tool tells the kernel what packets to filter by inserting and deleting rules from the Linux kernel's packet filtering section.
The way it works is that packets fall through a list or chain of rules, each of which can affect its fate depending on what type of packet it is. There are three lists -- input, output and forward. When a packet comes in, the kernel uses the input chain to decide its fate. If it survives, the kernel decides where to send the packet next. If it's destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain. If a packet falls through all the filters and has not yet been passed on or rejected, a well-configured firewall will block or reject it.
So the first task is to work out which traffic you plan to allow, and which to block. A simple firewall will allow access to external Web sites (http), to email servers (smtp), and to domain name servers (DNS) and not much else.
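The chain traversal described above, as an added example that is not part of the original article: a simplified Python model of first-match rules and default policies, not ipchains itself. The rule set, the firewall address and all names are constructed for illustration, and rules here match only on protocol and destination port.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT", "DENY" or "REJECT"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        return (self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))

class Chain:
    def __init__(self, policy, rules=()):
        self.policy, self.rules = policy, list(rules)

    def verdict(self, pkt):
        for rule in self.rules:     # the first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy          # fell through every rule: default policy

FIREWALL_IP = "192.0.2.1"           # constructed address of the firewall box

# Constructed policy: web, mail and DNS may pass; ssh only to the firewall.
ALLOWED = [Rule("ACCEPT", "tcp", 80), Rule("ACCEPT", "tcp", 25),
           Rule("ACCEPT", "udp", 53), Rule("ACCEPT", "tcp", 53)]
CHAINS = {
    "input": Chain("DENY", ALLOWED + [Rule("ACCEPT", "tcp", 22)]),
    "forward": Chain("DENY", ALLOWED),
    "output": Chain("ACCEPT"),
}

def traverse(pkt, chains=CHAINS, local_ip=FIREWALL_IP):
    """Return (verdict, name of the chain that decided) for an arriving packet."""
    path = ["input"]
    if pkt.dst_ip != local_ip:      # routed onwards: forward, then output
        path += ["forward", "output"]
    for name in path:
        verdict = chains[name].verdict(pkt)
        if verdict != "ACCEPT":
            return verdict, name
    return "ACCEPT", path[-1]
```

The model covers arriving packets only; packets generated on the firewall itself would consult just the output chain.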
You can set up the system to allow only certain types of traffic through the system. For example, we used the security level applet to allow ftp (for file access), ssh (for remote control) and DHCP (for automatic IP addressing) traffic but no others. The command ipchains --list will show the rules that are currently configured and, with a little study of the output, you'll be able to see what task each rule or chain is doing.
A detailed description of how to create a firewall and set it up in the dual-homed configuration described would, on its own, double the size of this feature. Although the task is not particularly difficult, explanations and caveats take time, so we suggest you read the Linux ipchains how-to and this firewall and proxy server how-to instead.
Summary
Although it's not the latest version of the OS, once all the available updates have been installed, the combination of Red Hat and the KDE 3.2 desktop has proved very stable. We found setting up a server to perform basic tasks to be fairly simple, although you have to be prepared to read a lot of online documentation. As ever, common sense and a willingness to google for answers always yield results.
Linux is ideal for the kinds of tasks we've described, and the experience you gain will reap dividends in the future. What's more, the availability and enthusiasm of the open source community for answering questions, plus the fact that the software is free, neatly blend the economic and personal justification for the task.