Sep 13

Building a simple Linux Home Firewall

Category: How-To Guides

Using Linux as a home firewall must be the most common use of Linux in the home, and it is one of the ways many people first get started with Linux. A Linux home firewall will run on just about any old PC hardware, as long as you can install two network cards in it. Firewalling for the average home user requires very little processor power: a 486 will work just fine, although administration might be a bit sluggish.

All you need for a home firewall is a simple Linux installation (I use Red Hat) to start off with. You’ll need to configure both of your network cards: eth0 with the IP address that your provider assigned to you, and eth1 as 192.168.0.1/24. The firewall consists of two simple pieces: keeping people out, and letting your own connections through.

Step 1: Keeping people out using state tracking

State tracking lets you accept only valid connections, identified by the correct packets arriving from the correct places. Any incoming packet that is not associated with a connection you originated will be dropped.

The first thing to set up is a new “chain” that we will use for both the INPUT and FORWARD categories of packets. This can be done with the following commands. The first command creates a new chain called “block”. The second command lets through any state-tracked packet that belongs to an established connection (or is related to one, such as an ICMP error or an FTP data connection). The third command matches anything else and drops the packet.

# create the user-defined chain "block"
/sbin/iptables -N block
# accept packets that belong to, or are related to, a connection we started
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else that reaches this chain is dropped
/sbin/iptables -A block -j DROP

We then want to add rules that send traffic from our external interface to this block chain. We’ll assume that eth1 is our external interface and eth0 is our internal (trusted) interface. Note that the rules below accept everything that arrives on eth0, so this assumption has to match your cabling: if your provider’s link is actually on eth0 (as in the interface setup described at the start of this article), swap the interface names in every rule below, or you will be accepting the whole internet unconditionally. We’ll also add a rule for the loopback interface, since many applications that you may have on your server will need it.

# packets addressed to the firewall itself
/sbin/iptables -A INPUT -i eth0 -j ACCEPT      # trusted internal interface
/sbin/iptables -A INPUT -i lo -j ACCEPT        # loopback, used by local services
/sbin/iptables -A INPUT -j block               # anything else (i.e. eth1) is state-checked
# packets routed through the firewall between interfaces
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i lo -j ACCEPT
/sbin/iptables -A FORWARD -j block

At this point, you should be able to get out to the internet from the Linux box that you set up, but you’re not yet translating traffic from your home network so that it can use this new internet connection. This brings us to step 2.

Step 2: Network Address Translation

We’re going to use “fake” (private) 192.168.0.* addresses on the internal network, which allows up to 253 workstations behind your firewall. If you’re running more than that, this range can be increased, but, well, if you have more than 253 workstations behind your home firewall, you’re doing something pretty special :). We’re going to use 4.3.2.1 as the real IP address of your Linux box; substitute your own IP address in there.

We’re going to use a technique called “SNAT”, which stands for source network address translation. This means that the firewall rewrites the fake source address of packets from the workstations behind it to its own address, which is a valid internet IP address. This is really just a single command:

# rewrite the source address of anything from the internal network to our public address
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 4.3.2.1
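Both steps as one re-runnable script, an added example that is not part of the original post. It assumes eth1 is the ISP-facing interface and eth0 the LAN (as the rules above do), uses 4.3.2.1 as a placeholder public address, and adds two things the post does not show: switching on IP forwarding in the kernel, without which the FORWARD rules never see a packet, and restricting the SNAT rule to packets leaving the external interface.

```shell
#!/bin/sh
# Added example (not the post's own script): the post's rules as a re-runnable
# script. Assumed defaults: eth1 faces the ISP, eth0 the LAN, 4.3.2.1 is a placeholder.
EXT_IF="${EXT_IF:-eth1}"             # ISP-facing interface
INT_IF="${INT_IF:-eth0}"             # trusted LAN interface
EXT_IP="${EXT_IP:-4.3.2.1}"          # public address used for SNAT (placeholder)
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-/sbin/iptables}"

# Execute a command, or only print it when DRY_RUN=1 (review before applying,
# and testable without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The FORWARD rules do nothing unless the kernel is allowed to forward at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_rules() {
    if [ "$EXT_IF" = "$INT_IF" ]; then
        echo "EXT_IF and INT_IF must be different interfaces" >&2
        return 1
    fi
    # -A appends, so the post's commands run twice leave duplicate rules:
    # create "block" if missing (or empty it) and flush the built-in chains first.
    run "$IPT" -N block 2>/dev/null || run "$IPT" -F block
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F POSTROUTING
    # State tracking: replies to connections we started pass, all else is dropped.
    run "$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A block -j DROP
    # Only the LAN side and loopback are trusted; everything else goes to "block".
    run "$IPT" -A INPUT -i "$INT_IF" -j ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -j block
    run "$IPT" -A FORWARD -i "$INT_IF" -j ACCEPT
    run "$IPT" -A FORWARD -j block
    # SNAT only packets leaving via the external interface, so the firewall's own
    # LAN address (192.168.0.1, inside LAN_NET) is not rewritten when it talks to the LAN.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

case "${1:-}" in
    apply) enable_forwarding && firewall_rules ;;
    show)  DRY_RUN=1; enable_forwarding; firewall_rules ;;
esac
```

Run it as `sh firewall.sh show` to print the commands it would issue, and as root with `apply` to load them.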

At this point, we’re ready to configure a workstation. For small networks, just configure your workstations by hand. If you have more than a few workstations, we can use DHCP to automagically assign IP addresses to them. That’ll be covered in a separate article.

For now, set up a workstation with the IP address 192.168.0.10, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1. Use whatever DNS servers were assigned to you by your ISP. Once that machine is configured, you should be able to browse the internet from it.

We can then check our config with the command:

/sbin/iptables -L -n -v

which gives a verbose listing of the rules we have running, with packet and byte counters for each rule. This lists only the filter table; add -t nat to the same command to see the SNAT rule from step 2, which lives in the separate nat table. If all is working, Red Hat gives us an easy way to save our active config:

/etc/rc.d/init.d/iptables save

This way our rules will still be around if we have to reboot the firewall for some reason.
