  1. #1
    Junior Member
    Join Date
    Jul 2002

    Linux firewalling with Firestarter I

    IPTABLES personal firewalling for the beginner
    (or: How to use Firestarter to setup your firewall scripts)

    Disclaimer: This tutorial is aimed at the Linux newcomer who wishes to install and set up a reasonably secure firewall with a minimum of effort. Additionally, this tutorial requires an application that is not standard (yet) with any Linux distribution that I am aware of.

    What is Firestarter? Firestarter is a GUI interface to your firewall logs and also provides a nice graphical setup wizard which makes firewall configuration a breeze. I also happen to like Firestarter because:
    1) It uses a graphical, intuitive wizard to build the chains for you - no more need to know the ins and outs of iptables rule configuration
    2) It has been much more thorough than every other iptables script I have seen to date
    3) it uses many kernel processes (in the /proc filesystem) to lower your overhead
    4) it will use any and all modules for networking and netfiltering that are available to your kernel
    5) you can still go into the generated script and manually change, add, or tweak the script.

    I will assume that you are running an RPM based distribution of Linux (SuSE, RedHat, Mandrake, etc.) that is relatively current (meaning that it comes with iptables 1.2.4 or newer and has a 2.4.x kernel version). Firestarter is designed to run in GNOME, but it also works in KDE as long as the few Gnome libraries it needs have been installed.

    You will need a Linux distribution that is reasonably current and is RPM based (the RPM based is a recommendation, not a requirement). It is highly recommended that you use iptables v1.2.5 or newer (you can get this at http://www.rpmfind.net - get the latest version for your distribution). You will also need to get the Firestarter rpm at http://firestarter.sourceforge.net.

    If you are using a generic kernel that you have compiled yourself, you will need to compile all of the netfilter options as modules. Configuring and compiling a kernel are beyond the scope of this tutorial. For help in compiling your own custom kernel, consult your distribution's documentation, or visit http://www.tldp.org.

    Now that you have downloaded the Firestarter package and iptables, you need to login as root (either from the GDM login manager or at a shell prompt). I would recommend that you make a directory under /root to store these and any other needed updates. For instance:
    $ su - root
    password: ****
    # mkdir /root/firestarter-pkgs
    # cp /path/to/firestarter-0.8.2-1.i386.rpm /root/firestarter-pkgs
    # cp /path/to/iptables-1.2.5*.i386.rpm /root/firestarter-pkgs

    Next thing, we need to completely remove the ipchains package that is still installed by default.
    # rpm -e ipchains
    (if you receive any messages about other packages being dependent on ipchains such as firewall-config or lokkit, remove those first then remove ipchains).
    We also want to stop the default iptables service from running at bootup. To do that,
    # service iptables stop
    # cd /etc/rc.d/init.d
    # ./iptables stop
    When iptables has been stopped, we remove it from startup by
    # chkconfig --del iptables

    Now we are ready to install our updated iptables and firestarter packages. To do this;
    # cd /root/firestarter-pkgs
    # rpm -Uvh iptables*
    # rpm -Uvh firestarter*

    That's it. The updated iptables and firestarter are now installed and firestarter is ready for launch and configuration.

    Once Firestarter has been installed, it will be available in your Gnome -> Programs -> Internet application list. Click on it and you will be asked to start the Firestarter configuration wizard.

    NOTE: If you have installed Ximian Gnome 1.4, you will need to open the control panel and under panel -> menu, you will need to place the GNOME programs menu in a sub-menu.

    When you run the firewall wizard, I recommend you select the advanced setup option. On the next page, select which interface you use for the outside world (ppp0, eth0 etc.), whether you want Firestarter to start on dial-out, and whether or not your IP is assigned by DHCP. For example, if you have a pppoe dsl/cable connection, you would select ppp0 for your external interface and activate on dial-out.

    On the next page select your ICMP filtering options. If you want your box to appear as a black-hole when pinged, enable ICMP filtering and select ALL of the ICMP packet types.

    The next page can be a little confusing to some people. This page is for the services you want available to the OUTSIDE world, so choose carefully. For most home users, you can safely say that you have no public services running on the machine. If, however, you are like me and you do have services you want public, then make the appropriate selection. For instance, I have ftp, telnet, www, and mail services that I want publicly available. In that case, I select the option that I have public services and select ftp, telnet, smtp, pop, and www for the services. I *highly* recommend that you leave SAMBA/netbios unchecked as well as any service you do not have an absolute need to have publicly available (this is why we have a firewall in the first place - to protect our computers from outside attacks).

    The next window allows us to further filter our connections by allowing us to choose ToS (Type of Service) filtering. I personally don't use ToS filtering, so I can't tell you what is optimum.

    The last configuration screen we get to allows us to enable and set up IP masquerading and port forwarding. These 2 items for most intents are what comprise NAT. IP masquerading is what is called source NAT (or SNAT) since it allows all the computers on your network to appear as the same machine to the public network (meaning you can have multiple computers access the web simultaneously without packet or information loss). When you enable masquerading, you need to specify your internal or LAN interface. In most cases this will be eth0 or eth1. You will probably also want to specify your internal network address range. In a typical home LAN, this would be or You can also have Firestarter detect your internal address range for you (this is the recommended option, but knowing what my LAN's range was to start with, I knew what to manually input).

    There is the option to setup port mapping on this same page. To do so just click the 'Port Mapping' button. Another little window will pop up - just click the Add button to add another mapped port. What port mapping allows is for us to take an external port on the firewall (say port 80) and forward that to another computer on the network using the same or even different port on the internal machine.
    Example: I wish to have all www requests forwarded to port 80 on the 3rd internal computer. This computer has the internal IP of (firewall resides on which is also the gateway for all other PC's on my network).
    To accomplish this, I select the Port Forwarding button, select Add, and enter the following information:
    firewall port: 80
    LAN port: 80
    LAN address:
    Connection type/Protocol: tcp
    When I'm done adding my port mappings, I click OK and finish the configuration wizard.

    When you are finished running the configuration wizard for Firestarter, the application will automatically run the generated firewall script for you. You can also restart the script manually from a shell prompt by running (as root):
    # service firestarter restart

    The Firestarter window:
    Now that Firestarter is configured and running, you will notice a window showing you the 'hits' or firewall logs. When you get a hit, you can highlight it and right-click on it to get more options for that specific host. These options allow you to
    a) do a reverse DNS lookup to resolve the host name (doesn't always work - especially for dial-up and dynamic ip dsl/cable addresses)
    b) you can allow connections from that host (if it is a service and host you trust - such as the auth/port 113 for an IRC server)
    c) you can deny all connections (if you get a skiddie running a scan on you, you can block, drop, and not log any further connections from them)
    d) you can also open just a specific service (or port) to a specific host/server from here
    and there are other options you can choose from as well.

    Other tasks you can perform from this window include
    1) viewing the hit list
    2) stopping or restarting the Firestarter firewall
    3) deleting, reloading, or saving the hit list
    4) running the configuration wizard should you change your LAN setup or add a public service.

    In this not-so-short tutorial, we learned how to install a GUI frontend to the iptables firewalling system. We also learned the basics on how to configure a reasonably secure firewall and learned the basic functions of the GUI. If you have questions about more advanced features of Firestarter, look for my advanced topics/custom configuration tutorial. Additional resources are the FAQ located at http://firestarter.sourceforge.net, and the firestarter-user mailing list (which you can subscribe to at the same location). Another good source for iptables documentation is the HOWTO index at samba.org (http://netfilter.samba.org/documentation/index.html).
    Just finished a 2 part Linux firewalling tutorial using Firestarter (basic and advanced customization) .....
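The policy the wizard builds above (default deny, ICMP black-hole, a short list of public services, masquerading for the LAN, and a port forward to an internal web server) is easier to reason about once you see it as plain iptables rules. The script below is an added example written for this page, not Firestarter's generated /etc/firestarter/firewall script and not the poster's own code. The interface names, the LAN range (192.168.1.0/24), the internal web host (192.168.1.3) and the service list are assumptions for illustration only. By default it only prints the rules it would apply, so you can review them (or diff them against what Firestarter wrote) before running it with IPT=iptables as root.

```shell
#!/bin/sh
# Added example: a deny-by-default iptables policy in the spirit of the one the
# Firestarter wizard described above generates. It is NOT Firestarter's own
# script. Every address, interface and port below is an assumption.
#
# Dry run by default (prints the commands). Apply for real with:
#   IPT=iptables EXT_IF=ppp0 LAN_IF=eth0 sh fw.sh
# Masquerading also needs ip_forward enabled:
#   echo 1 > /proc/sys/net/ipv4/ip_forward   (left to the caller)

EXT_IF="${EXT_IF:-ppp0}"                    # external interface (assumption)
LAN_IF="${LAN_IF:-eth0}"                    # internal interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # internal range (assumption)
WWW_HOST="${WWW_HOST:-192.168.1.3}"         # internal web server (assumption)
PUBLIC_TCP="${PUBLIC_TCP:-21 22 25 80 110}" # ftp ssh smtp www pop3
IPT="${IPT:-echo iptables}"                 # dry run unless IPT=iptables

build_rules() {
    # Flush everything and set a deny-by-default policy on the built-in chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections we started are always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: our own LAN range must never arrive on the outside interface.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # ICMP black-hole: the "filter all ICMP types" choice from the wizard.
    $IPT -A INPUT -i "$EXT_IF" -p icmp -j DROP

    # Public services: accept only new (SYN) connections on the listed ports;
    # the rest of each connection is matched by the ESTABLISHED rule above.
    for port in $PUBLIC_TCP; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done

    # The trusted LAN may talk to the firewall and be forwarded to the outside.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Masquerading (source NAT): the whole LAN leaves as the firewall's address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forward (destination NAT): external tcp/80 -> WWW_HOST:80. The DNAT
    # rule alone is not enough; FORWARD must also accept the rewritten packet.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "${WWW_HOST}:80"
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WWW_HOST" --dport 80 -j ACCEPT

    # Log (rate-limited, so a scan cannot fill the disk) and drop everything else.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -j DROP
}

# Number of iptables commands the policy emits, always computed in dry-run mode.
rule_count() {
    ( IPT="echo iptables"; build_rules ) | grep -c '^iptables '
}

build_rules
```

The two rules worth checking after applying it are the DNAT line and its matching FORWARD ACCEPT: a port forward configured in the wizard that "does not work" is usually one without the second. Note that a port forward punches straight through the firewall to the internal host, so only forward to machines you would be happy to expose directly.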

  2. #2
    Junior Member
    Join Date
    Jul 2002
    Thanks LeeryOne, that's just what I needed

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Most welcome Ratfood!!! Glad someone else can make use of what I've learned with firewalling the easy way :-)
