Troubleshooting Linux Firewalls

  • Sorry, this book is no longer in print.
  • Copyright 2005
  • Dimensions: 7" x 9-1/4"
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-22723-9
  • ISBN-13: 978-0-321-22723-2

While Linux firewalls are inexpensive and quite reliable, they lack the support component of their commercial counterparts. As a result, most users of Linux firewalls have to resort to mailing lists to solve their problems. Our authors have scoured firewall mailing lists and have compiled a list of the most often encountered problems in Linux firewalling. This book takes a Chilton's manual diagnostic approach to solving these problems.

The book begins by presenting the two most common Linux firewall configurations and demonstrates how to implement these configurations in an imperfect network environment, not in an ideal one. Then, the authors proceed to present a methodology for analyzing each problem at various network levels: cabling, hardware components, protocols, services, and applications. The authors include diagnostic scripts which the readers can use to analyze and solve their particular Linux firewall problems. The reference distributions are Red Hat and SuSE (for the international market).


Related Article

Evaluating Your Firewall

Sample Content

Online Sample Chapter

Introduction to Troubleshooting Linux Firewalls

Table of Contents


1. Introduction.

    Why We Wrote This Book

    How This Book Is Organized

    Goals of This Book

    The Methodical Approach and the Need for a Methodology

    Firewalls, Security, and Risk Management

    How to Think About Risk Management

    Computer Security Principles

    Firewall Recommendations and Definitions

    Why Do I Need a Firewall?

    Do I Need More Than a Firewall?

    What Kinds of Firewalls Are There?

      Firewall Types

    The Myth of "Trustworthy" or "Secure" Software

    Know Your Vulnerabilities

    Creating Security Policies


    Defense in Depth


2. Getting Started.

    Risk Management

    Basic Elements of Risk Management

    Seven Steps to Managing Risk

    Phase I: Analyze


      Quantify the Value of the Asset

      Threat Analysis

    Phase II: Document

      Create Your Plan

      Create a Security Policy

      Create Security Procedures

    Phase III: Secure the Enterprise

      Implement Policies

      Implement Procedures

      Deploy Security Technology and Counter Measures

      Securing the Firewall Itself

      Isolating Assets


      Ingress/Egress Filtering

    Phase IV: Implement Monitoring

    Phase V: Test

    Phase VI: Integrate

    Phase VII: Improve


3. Local Firewall Security.

    The Importance of Keeping Your Software Up to Date

      red carpet

    Over Reliance on Patching

    Turning Off Services

      Using TCP Wrappers and Firewall Rules

      Running Services with Least Privilege

      Restricting the File System

    Security Tools to Install

      Log Monitoring Tools

      Network Intrusion Detection

      Host Intrusion Detection

      Remote Logging

      Correctly Configure the Software You Are Using

      Use a Hardened Kernel

      Other Hardening Steps 


4. Troubleshooting Methodology.

    Problem Solving Methodology 

    Recognize, Define, and Isolate the Problem

    Gather Facts

    Define What the "End State" Should Be

    Develop Possible Solutions and Create an Action Plan

    Analyze and Compare Possible Solutions

    Select and Implement the Solution

    Critically Analyze the Solution for Effectiveness

    Repeat the Process Until You Resolve the Problem

      Finding the Answers or...Why Search Engines Are Your Friend

5. The OSI Model: Start from the Beginning.

    Internet Protocols at a Glance

      Understanding the Internet Protocol (IP)

      Understanding ICMP

      Understanding TCP

      Understanding UDP

      Troubleshooting with This Perspective in Mind


6. netfilter and iptables Overview.

    How netfilter Works

      How netfilter Parses Rules 

      Netfilter States

      What about Fragmentation?

      Taking a Closer Look at the State Engine


7. Using iptables.

    Proper iptables Syntax

      Examples of How the Connection Tracking Engine Works  

      Applying What Has Been Covered So Far by Implementing Good Rules

    Setting Up an Example Firewall

      Kernel Options

      iptables Modules

      Firewall Rules

      Quality of Service Rules

      Port Scan Rules

      Bad Flag Rules

      Bad IP Options Rules

      Small Packets and Rules to Deal with Them

      Rules To Detect Data in Packets Using the String Module

      Invalid Packets and Rules to Drop Them

      A Quick Word on Fragments

      SYN Floods

      Polite Rules

      Odd Port Detection and Rules to Deny Connections to Them

      Silently Drop Packets You Don't Care About

      Enforcement Rules

      IP Spoofing Rules

      Egress Filtering

      Send TCP Reset for AUTH Connections

      Playing Around with TTL Values

      State Tracking Rules

      STEALTH Rules

      Shunning Bad Guys

      ACCEPT Rules


8. A Tour of Our Collective Toolbox.

    Old Faithful


      Analyzing Traffic Utilization

      Network Traffic Analyzers

    Useful Control Tools

      Network Probes

      Probing Tools

    Firewall Management and Rule Building


9. Diagnostics.

    Diagnostic Logging

      Scripts To Do This for You

      The catch all Logging Rule

      The iptables TRACE Patch

    Checking the Network

    Using a Sniffer to Diagnose Firewall Problems

    Memory Load Diagnostics

10. Testing Your Firewall Rules (for Security!).

      INSIDE->OUT Testing with nmap and iplog

      Interpreting the Output from an INSIDE->OUT Scan

      Testing from the OUTSIDE->IN

      Reading Output from nmap

      Testing your Firewall with fragrouter

11. Layer 2/Inline Filtering.

    Common Questions

    Tools Discussed in this Part

    Building an Inline Transparent Bridging Firewall with ebtables (Stealth Firewalls)

      Filtering on MAC Address Bound to a Specific IP Address with ebtables

      Filtering Out Specific Ports with ebtables

    Building an Inline Transparent Bridging Firewall with iptables (Stealth Firewalls)

    MAC Address Filtering with iptables

    DHCP Filtering with ebtables


12. NAT (Network Address Translation) and IP Forwarding.

    Common Questions about Linux NAT

    Tools/Methods Discussed in this Part

      Diagnostic Logging

      Viewing NAT Connections with netstat-nat

      Listing Current NAT Entries with iptables

      Listing Current NAT and Rule Packet Counters

      Corrective Actions


13. General IP (Layer 3/Layer 4).

    Common Question

    Inbound: Creating a Rule for a New TCP Service

    Inbound: Allowing SSH to a Local System

    Forward: SSH to Another System

    SSH: Connections Timeout

    telnet: Forwarding telnet Connections to Other Systems

    MySQL: Allowing MySQL Connections


14. SMTP (e-mail).

    Common Questions

    Tools Discussed in this Part

    Allowing SMTP to/from Your Firewalls

    Forwarding SMTP to an Internal Mail Server

    Forcing Your Mail Server Traffic to Use a Specific IP Address with an SNAT Rule 

    Blocking Internal Users from Sending Mail Through Your Firewall

    Accept Only SMTP Connections from Specific Hosts (ISP)

    SMTP Server Timeouts/Failures/Numerous Processes

    Small e-Mail Send/Receive Correctly-Large e-Mail Messages Do Not 


15. Web Services (Web Servers and Web Proxies).

    Common Questions

    Tools Discussed in this Part

      Inbound: Running a Local Web Server (Basic Rules)

      Inbound: Filter: Incoming Web to Specific Hosts

      Forward: Redirect Local Port 80 to Local Port 8080

      Forwarding Connections from the Firewall to an Internal Web Server

      Forward: To Multiple Internal Servers

      Forward: To a Remote Server on the Internet

      Forward: Filtering Access to a Forwarded Server 

      Outbound: Some Websites Are Inaccessible (ECN)

      Outbound: Block Clients from Accessing Websites

      Transparent Proxy Servers (squid) on Outbound Web Traffic


16. File Services (NFS and FTP).

    Tools Discussed in this Part

      NFS: Cannot Get NFS Traffic to Traverse a NAT or IP Forwarding Firewall

      FTP Inbound: Running a Local FTP Server (Basic Rules)

      FTP Inbound: Restricting Access with Firewall Rules

      FTP Inbound: Redirecting FTP Connections to Another Port on the Server

      FTP Forward: Forwarding to an FTP Server Behind the Firewall on a DMZ Segment

      FTP Forward: Forwarding to Multiple FTP Servers Behind the Firewall on a DMZ Segment

      FTP Forward: From One Internet Server to Another Internet Server

      FTP Forward: Restricting FTP Access to a Forwarded Server

      FTP Outbound: Connections are Established, but Directories Cannot Be Listed, and Files Cannot Be Downloaded


17. Instant Messaging.

    Common Questions/Problems

    Tools Discussed in This Part

    NetMeeting and GnomeMeeting

      Connecting to a Remote NetMeeting/GnomeMeeting Client from Behind an iptables Firewall (Outbound Calls Only)

      Connecting to a NetMeeting/GnomeMeeting Client Behind a netfilter/iptables Firewall (Inbound/Outbound Calls)

      Directly from the GnomeMeeting Website's Documentation

      Blocking Outbound NetMeeting/GnomeMeeting Traffic 

    MSN Messenger

      Connecting to Other MSN Users

      Blocking MSN Messenger Traffic at the Firewall

    Yahoo Messenger

      Connecting to Yahoo Messenger

      Blocking Yahoo Messenger Traffic

    AOL Instant Messenger (AIM)

      Connecting to AIM

      Blocking AOL Instant Messenger Traffic


      Connecting to ICQ

      Blocking ICQ


      Recalling Our Methodology


    Common Questions

    Tools Discussed in this Part

      Forwarding DNS Queries to an Upstream/Remote DNS Server

      DNS Lookups Fail: Internal Hosts Communicating to an External Nameserver

      DNS Lookups Fail: Short DNS Name Lookups Work-Long Name Lookups Do Not

      DNS Lookups Fail: Nameserver Running on the Firewall 

      DNS Lookups Fail: Nameserver Running on the Internal and/or DMZ Network 

      Misleading rDNS Issue: New Mail, or FTP Connections to Remote Systems Take 30 Seconds or More to Start 

      DHCP: Dynamically Updating Firewall Rules with the IP Changes

      Blocking Outbound DHCP

      DHCP: Two Addresses on One External Interface

      DHCP: Redirect DHCP Requests to DMZ


19. Virtual Private Networks.

    Things to Consider with IPSEC

    Common Questions/Problems

    Tools Discussed in this Part

      IPSEC: Internal Systems-Behind a NAT/MASQ Firewall Cannot Connect to an External IPSEC Server 

      IPSEC: Firewall Cannot Establish IPSEC VPNs 

      IPSEC: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN

      PPTP: Cannot Establish PPTP Connections Through the Firewall

    Running a PPTP Server Behind a NAT Firewall

      PPTP: Firewall Cannot Establish PPTP VPNs 

      PPTP: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN

      Using a free/openswan VPN to Secure a Wireless Network 
