IP Firewall Chains

IP Firewall Chains allows you to develop classes of firewall rules to which you may then add and remove hosts or networks. A side effect of chaining rules is that it can improve firewall performance in configurations with a large number of rules. IP Firewall Chains are supported by the 2.2 series kernels and are also available as a patch against the 2.0.* kernels. The HOWTO describes where to obtain the patch and provides many useful hints on using the ipchains configuration utility effectively.

Using ipchains

There are two ways you can use the ipchains utility. The first is to use the ipfwadm-wrapper shell script, which is mostly a drop-in replacement for ipfwadm and drives the ipchains program in the background. If you want to do this, read no further: reread the previous sections describing ipfwadm and substitute ipfwadm-wrapper in its place. This will work, but there is no guarantee that the script will be maintained, and you will not take advantage of any of the advanced features that IP Firewall Chains offer.

The second way is to learn the new ipchains syntax and convert any existing configurations to it. With some careful consideration you may find you can optimize your configuration as you convert. The ipchains syntax is easier to learn than that of ipfwadm, so this is a good option.

ipfwadm manipulated three rulesets for the purpose of configuring firewalling. With IP Firewall Chains you can create an arbitrary number of rulesets, each linked to one another, but three rulesets related to firewalling are always present. These standard rulesets are direct equivalents of those used with ipfwadm, except that they have names: input, forward and output. Let’s first look at the general syntax of the ipchains command, then at how we’d use ipchains in place of ipfwadm without worrying about any of the advanced chaining features. We’ll do this by revisiting our previous examples.

ipchains Command Syntax

The ipchains command syntax is straightforward; we’ll look at the most important parts of it here. The general syntax of most ipchains commands is:

    ipchains command rule-specification options

Commands

There are a number of ways we can manipulate rules and rulesets with the ipchains command. Those relevant to IP firewalling are:

-A chain
    Append one or more rules to the end of the nominated chain. If a hostname is supplied as either source or destination and it resolves to more than one IP address, a rule is added for each address.

-I chain rulenum
    Insert one or more rules at the start of the nominated chain. Again, if a hostname is supplied in the rule specification, a rule is added for each of the addresses it resolves to.

-D chain
    Delete one or more rules from the specified chain that match the rule specification.

-D chain rulenum
    Delete the rule residing at position rulenum in the specified chain. Rule positions start at one for the first rule in the chain.

-R chain rulenum
    Replace the rule residing at position rulenum in the specified chain with the supplied rule specification.
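The following added example (not from the original text and not part of the ipchains program) models the commands just listed in Python so you can see how -A, -I, -D and -R behave on a single chain: positions are 1-based, and a name that resolves to several addresses becomes one rule per address. The HOSTS table, the Rule fields and the rule specifications are constructed for the demonstration; the ordering of expanded rules under -I and the one-rule limit on -R are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS: this name resolves to two addresses, so a
# rule that uses it expands to two rules, as the text above describes.
HOSTS = {"www.example.test": ["192.0.2.10", "192.0.2.11"]}

def resolve(host):
    """Address list for a name, or the literal address/netmask unchanged."""
    return HOSTS.get(host, [host])

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    target: str  # ACCEPT, DENY or REJECT

def expand(proto, src, dst, target):
    """One rule per source/destination address pair."""
    return [Rule(proto, s, d, target) for s in resolve(src) for d in resolve(dst)]

class Chain:
    def __init__(self, name):
        self.name = name
        self.rules = []  # ipchains position 1 is index 0 here

    def _index(self, rulenum, extra=0):
        """Validate a 1-based position; extra=1 also allows len+1 for inserts."""
        if not 1 <= rulenum <= len(self.rules) + extra:
            raise IndexError(f"{self.name}: no rule at position {rulenum}")
        return rulenum - 1

    def append(self, *spec):  # -A chain <spec>
        self.rules.extend(expand(*spec))

    def insert(self, rulenum, *spec):  # -I chain rulenum <spec>
        pos = self._index(rulenum, extra=1)
        for r in reversed(expand(*spec)):  # assumption: keep resolution order
            self.rules.insert(pos, r)

    def delete_spec(self, *spec):  # -D chain <spec>
        for r in expand(*spec):
            self.rules.remove(r)  # ValueError if the rule is not present

    def delete_num(self, rulenum):  # -D chain rulenum
        del self.rules[self._index(rulenum)]

    def replace(self, rulenum, *spec):  # -R chain rulenum <spec>
        (new,) = expand(*spec)  # assumption: -R takes exactly one rule
        self.rules[self._index(rulenum)] = new
```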
