LINUXMAKER, OpenSource, Tutorials

IT security through firewalls with iptables, shorewall

Firewall As A Service (FaaS)

Attacks on corporate networks and on private individuals are pervasive. Your data and contacts are targets, and so is your network as a staging point for further attacks on other networks. The firewall is usually the first device that comes into contact with these Internet threats, so it plays a significant part in protecting your network. Cyberattacks are becoming more complex, the requirements for firewalls are growing with them, and so is the know-how needed to operate such systems. IT-LINUXMAKER provides that know-how.

  • You put installation, maintenance and monitoring in the hands of IT-LINUXMAKER. Your firewall is then always up to date and your network is protected as well as possible.

  • We advise you on the selection of the right firewall and hardware for you.

  • We continuously adapt your firewall to the current threat situation.

  • If your security requirements change, whether through growth or other organizational changes, IT-LINUXMAKER adapts your firewall accordingly.

In general, a firewall is a network device that monitors the packets entering and leaving a network. If the firewall runs on the computer it protects, it is called a personal or desktop firewall. If it runs on a separate device in the network rather than on the system to be protected, it is called an external firewall; other names are network firewall or hardware firewall.
Firewalls block or allow traffic based on defined rules that decide which traffic is permitted and which is not. In this way they ward off attacks from outside on open ports of a computer or network, for example Internet worms such as SQL Slammer or Sasser. Firewalls also block harmful traffic from the inside out, for example when malware that has gained a foothold internally despite all countermeasures tries to contact its command-and-control server.

Proxy based firewall

A proxy-based firewall acts as a security gate between the users who request data and the source of that data, which is why it is often called a gateway firewall. It stands as a proxy between the resources to be protected and other networks such as the Internet and inspects every exchange between the two.
The advantage of a proxy firewall is that internal devices never communicate directly with the outside network: the firewall terminates each connection and opens a new one on the client's behalf, so only the firewall's own IP address is visible from outside. This makes it one of the safest firewall types. Because it examines whole packets rather than only the network address and port number, a proxy firewall usually also provides extensive logging, which makes it a valuable resource for administrators during a security incident, since the log data is easy to evaluate.
On the other hand, performance can suffer: terminating, re-establishing and filtering every connection adds latency, which can make some applications unusable through the firewall because response times are too slow. A proxy firewall may also support only certain network protocols, and therefore only certain applications.

Stateful Firewall

A stateful firewall compensates for the performance disadvantages of the proxy firewall. Instead of examining the content of every packet, it tracks the state of each connection (stateful inspection), which reduces the delay.
At the start of a connection the firewall checks in depth whether the packets are permitted. If it classifies the traffic as legitimate, it lets the packets through to the destination and records the connection in its state table. Subsequent packets that belong to this connection pass without further in-depth checks. The recorded state includes the IP addresses and ports involved and, for TCP, the sequence numbers, so that packets which do not fit any existing connection, for example stray or forged packets from a denial-of-service (DoS) attack, are blocked as invalid.
The state table lives in memory and has a finite size. A targeted distributed denial-of-service (DDoS) attack that opens a large number of connections, for example a SYN flood that leaves connections half open, can fill the table; the processing of legitimate connections, and with it the service, then suffers.
To mitigate this risk, many companies distribute traffic processing across several firewall appliances. Often the choice falls on cloud-based solutions because they scale with the workload and so reduce the risk of failure from overload.

Next Generation Firewalls (NGFW)

Next-generation firewalls (NGFW) filter packets not only by connection state and source and destination addresses but also by other characteristics. They carry rules about what individual applications and users are allowed to do and draw on more information to decide whether traffic is allowed.
Many NGFW today combine security functions that were traditionally provided by separate products, for example:

Intrusion Prevention Systems (IPS) - As a separate product, an IPS usually sat directly behind the traditional firewall and acted on detected anomalies and attack patterns that had made it past the firewall. Many NGFW extend classic IPS capabilities with more granular security factors: they compare analysed traffic against a database of known attack signatures and can also detect and block unknown attacks from deviations from normal behaviour. Integrating the IPS into the NGFW reduces administrative effort, since there is no extra communication between two products to configure and control.

Deep Packet Inspection (DPI) - In contrast to classic packet filters, which inspect only the header with the packet's origin and destination, DPI also inspects the payload. It can determine, for example, which application is being used and what type of data is being transmitted, and this information can feed more precise and detailed firewall policies. Beyond controlling traffic, DPI can also limit the bandwidth available to certain applications or prevent sensitive information from leaving the protected network.

SSL/TLS termination - Traffic encrypted with Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL) cannot be inspected by DPI because the content is unreadable. Some NGFW therefore terminate such connections, decrypt and inspect the traffic, and then establish a second TLS connection to the destination. This only works if the firewall's own certificate authority is trusted by every client, and applications that pin their server certificate will refuse the intercepted connection. With this in place, employees can be prevented from sending internal information out of the network while legitimate traffic passes unhindered. Since DPI at this depth may automatically process personal data, it is important to examine carefully what is necessary and permissible with regard to data protection.

Sandboxing - Incoming e-mails with attachments can contain malicious code. Sandboxing lets an NGFW execute attachments and any code they contain in an isolated environment and determine whether they are harmful. The disadvantage is that sandboxing adds an extra step to the transmission, similar to the proxy firewall, and that step sometimes needs a lot of computing power. As a result, performance can suffer and traffic flow can be delayed.

Technical implementation with iptables, Shorewall

For firewalls, IT-LINUXMAKER relies on classic iptables on top of the netfilter framework in the Linux kernel, with bash scripts to generate and load the ruleset. Alternatively we like to use Shorewall, a proven tool for configuring very complex netfilter rule sets that is well supported and tested by the community.



The "iptables" packet filter is a user-space program for configuring the tables provided by the netfilter framework in the Linux kernel (a set of kernel modules). These tables contain chains, and the chains contain rules. Different programs are used for different protocols: iptables handles IPv4, ip6tables IPv6, arptables ARP, and ebtables Ethernet frames on bridges. On current distributions the iptables command is often the iptables-nft compatibility layer over nftables, which accepts the same syntax.

The packet filter "iptables" of the Linux kernel allows precise control over which network packets may pass, and advanced rules and clever tools make even more possible.
Linux is predestined for the server role, whether on a machine set up specifically as a server or on one that also serves as a workstation, and the kernel's packet filter module, configured via "iptables", has no small part in this. In many cases the rules defined on a server or router simply allow certain packets through and block the rest.
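The connection states described in the stateful firewall section above (a new connection is checked once, later packets of a tracked connection pass, packets that fit no tracked connection are invalid) map directly onto iptables conntrack matches. The following script is an added example, not IT-LINUXMAKER's production ruleset: the SSH port, the public ports 80 and 443 and the management network 192.0.2.0/24 are assumptions. It emits a complete IPv4 ruleset in iptables-restore format so that the rules are loaded atomically rather than one `iptables` call at a time.

```shell
#!/bin/sh
# Stateful IPv4 filter for a standalone server, printed in iptables-restore format.
# Constructed example with assumed parameters; adjust before use.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed management network allowed to SSH
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"       # assumed public services
SSH_PORT="${SSH_PORT:-22}"

generate_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: drop everything that no rule explicitly permits.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':LOG_DROP - [0:0]'
    # Loopback is always trusted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Stateful core: packets of a tracked connection pass without further checks;
    # packets that fit no tracked connection (bad flags, stray ACKs, DoS noise) are dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # A TCP packet that opens a connection must be a bare SYN.
    printf '%s\n' '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    # Throttle new connections per source so a flood cannot fill the state table.
    printf '%s\n' '-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 30/second --hashlimit-burst 60 -j DROP'
    # SSH only from the management network.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Public services.
    for port in $PUBLIC_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited ping; everything else is logged (rate-limited) and dropped.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    printf '%s\n' '-A INPUT -j LOG_DROP'
    printf '%s\n' '-A LOG_DROP -m limit --limit 10/minute -j LOG --log-prefix "FW-DROP: " --log-level 4'
    printf '%s\n' '-A LOG_DROP -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of rules that admit NEW connections; a quick sanity check of the exposed surface.
count_new_accepts() {
    generate_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage: sh firewall.sh           -> print the ruleset for review
#        sh firewall.sh --apply   -> load it atomically (run as root)
case "${1:-}" in
    --apply) generate_ruleset | iptables-restore ;;
    *)       generate_ruleset ;;
esac
```

Review the printed output before applying it, and keep a way back in (console, or `sleep 300 && iptables -P INPUT ACCEPT` in a second session) when applying remotely. The hashlimit rule only throttles connections the filter would otherwise accept; pair it with `sysctl -w net.ipv4.tcp_syncookies=1` so half-open connections do not exhaust the conntrack table. This ruleset is IPv4 only; an equivalent must be loaded with ip6tables-restore, otherwise IPv6 is unfiltered.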



Shorewall (Shoreline Firewall) is free software for configuring firewalls based on the netfilter framework built into the Linux kernel.
Configuration is done in text files. Shorewall compiles them into netfilter rules, which it loads with iptables, and these rules govern the IP traffic passing through the kernel. Shorewall is not a daemon and does not run continuously; it exits once the rules have been loaded.
The iptables rules created by Shorewall work mainly at OSI layer 3, the network layer, and at layer 4 for port-based filtering, although other layers can be controlled as well.
Shorewall's strength lies in abstracting the networks directly attached to the interfaces as "zones". The number of zones and their purpose can be freely defined. Shorewall ships sample configurations for the three most common setups:
Standalone - a single network interface and a single zone, intended for securing individual PCs or servers
Two-Interface - the classic transit firewall with a hostile "red" network and a friendly "green" network
Three-Interface - the classic solution with a third network attached separately as a DMZ
Policies define the default behaviour between zones. They are the fallback for connections for which no explicit rule is defined in the rules file. Shorewall also handles NAT, traffic shaping, bridges and much more.
Shorewall is therefore a firewall tool for professional use and is not comparable to a personal firewall working at OSI layer 7.
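The zone and policy concept above, as an added example that is not IT-LINUXMAKER's own configuration: a minimal Shorewall two-interface setup where eth0 faces the Internet (zone net) and eth1 the LAN (zone loc). Interface names and the LAN prefix 192.168.10.0/24 are assumptions; the file layout follows Shorewall 5 (the snat file replaced the older masq file in 5.0). The script writes the files into the directory it is given, normally /etc/shorewall, so it can be tested in a scratch directory first.

```shell
#!/bin/sh
# Writes a minimal Shorewall two-interface configuration into the directory given as
# first argument. Constructed example; eth0/eth1 and 192.168.10.0/24 are assumed.
set -eu

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Zones: the firewall itself plus one zone per directly attached network.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # Map each interface to its zone; the options add anti-spoofing and TCP-flag checks.
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
EOF

    # Policies are the fallback when no rule matches: LAN and firewall may reach the
    # Internet, traffic from the Internet is dropped, anything else is rejected and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOGLEVEL
loc      net   ACCEPT
$FW      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF

    # Explicit exceptions to the policies. Macros such as SSH(ACCEPT) expand to the
    # matching protocol and port; the ?SECTION lines mirror the conntrack states.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
Invalid(DROP)   net     all     tcp
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
Ping(DROP)      net     $FW
Web(ACCEPT)     net     $FW
EOF

    # Source NAT so the private LAN shares the single public address on eth0.
    cat > "$dir/snat" <<'EOF'
#ACTION     SOURCE            DEST
MASQUERADE  192.168.10.0/24   eth0
EOF
}

# Lists the zone names defined in a configuration directory, space separated.
zone_names() {
    awk '!/^#/ && NF { printf "%s%s", (n++ ? " " : ""), $1 }' "$1/zones"
}

# Usage (as root): sh two-interface.sh /etc/shorewall && shorewall check && shorewall restart
if [ "$#" -gt 0 ]; then
    write_shorewall_config "$1"
    echo "zones: $(zone_names "$1")"
fi
```

shorewall.conf is left untouched on purpose; take it from the distribution's sample and make sure IP_FORWARDING=On (required for a transit firewall) and STARTUP_ENABLED=Yes are set. `shorewall check` compiles the files without loading them and is the place to catch typos in zone or macro names before `shorewall restart` replaces the running ruleset.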


IT service and IT consulting

The digitization of business life, essential production processes and private life is in full swing. At the same time, threats from server failures, viruses and cybercrime are increasing, and neglect of IT security in both the private and the business sphere makes this worse. Protective mechanisms that are really necessary are usually considered only once the damage has been done and restoring the IT infrastructure has caused enormous costs.
Linux offers you a secure basis for your IT infrastructure from the start. On the one hand, it has always been designed as an operating system for network operation. On the other hand, the free availability of the source code means that defective or hidden functions can be found and fixed by anyone, which makes them far harder to conceal. In addition, "Open Source" has always meant permanent improvement by innovative specialists from all over the world. More and more users trust Linux, which among other things provides the kernel for the numerous Android installations, including companies and institutions such as Siemens, BMW, Lufthansa, Deutsche Post AG, Greenpeace and state institutions including the Federal Commissioner for Data Protection.
Whether you are a medium-sized company, a craft business or a sole trader with the corresponding IT infrastructure who wants to fully satisfy customers with your products, or a private individual with support requests: your IT infrastructure should work reliably around the clock. As an expert in this field, IT-LINUXMAKER can protect your information effectively and quickly. With the services of IT-LINUXMAKER you secure your competitive advantage through the stability of your IT infrastructure and your data.

The support contracts from IT-LINUXMAKER are the ideal addition to your IT or development department. IT-LINUXMAKER supports you in all situations related to Linux with administration, monitoring, configuration, troubleshooting and script programming. Where your IT infrastructure is located, how large it is or how many users work in it does not matter to IT-LINUXMAKER.

Checklists - safe digital work

Since the beginning of the corona pandemic, many companies have also been organizing their work through home-office arrangements. The tips from IT-LINUXMAKER, in a practical checklist format, show what needs to be considered.

You can find all checklists for safe digital work here:

Secure passwords with the password card

Generate secure passwords of any length with the password card. You can check it out here.



Our fees depend on the service/product and the scope. Therefore, we can only state our fees in an offer if we already know your request.


Consultation request