How to Write a Linux Firewall in Less than 1000 Lines of Code Part 1–Overview

Side note: This article is based on a project in my master's course on computer system security in 2010. I'm writing this article to recall the knowledge I learned through the project, and also in the hope that someone else can benefit from it.

Features of the Firewall

The firewall can BLOCK or UNBLOCK packets according to a set of rules. The rules are set by a user-space configuration utility program. For example,

./mf --in --srcip 10.0.2.15 --srcnetmask 255.255.0.0 --destport 80 --proto TCP --action BLOCK

The rule will be added to the firewall, and all incoming TCP packets from the source network 10.0.0.0/16 to destination port 80 will be blocked.

The firewall configuration utility can add, delete and print rules, and the kernel module filters network packets according to these rules.
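To make the rule semantics concrete before the kernel-side parts, here is a small user-space model of how a rule like the one above is matched against a packet. This is an added example, not code from the article or from the minifirewall project; the names (mf_rule, mf_pkt, mf_match, mf_decide, mf_check) and the conventions that a zero address or port means "any", that a non-zero address with no netmask means "exact host", that the first matching rule decides, and that unmatched packets pass are all assumptions made for this example.

```c
/* Added example (not the article's code): user-space model of rule matching.
 * All names and the "any"/"exact host"/first-match/default-pass conventions
 * are assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mf_dir    { MF_IN, MF_OUT };
enum mf_proto  { MF_PROTO_ANY = 0, MF_PROTO_TCP = 6, MF_PROTO_UDP = 17 };
enum mf_action { MF_PASS, MF_BLOCK };

/* One rule as the configuration tool would hand it to the module.
 * Zero IP or port = "any"; non-zero IP with zero netmask = exact host. */
struct mf_rule {
    enum mf_dir    dir;
    uint32_t       src_ip, src_mask, dst_ip, dst_mask; /* host byte order */
    uint16_t       src_port, dst_port;
    enum mf_proto  proto;
    enum mf_action action;
};

/* The fields a hook would pull out of the IP and TCP/UDP headers. */
struct mf_pkt {
    enum mf_dir   dir;
    uint32_t      src_ip, dst_ip;
    uint16_t      src_port, dst_port;
    enum mf_proto proto;
};

/* Parse dotted-quad text such as "10.0.2.15" into a host-order uint32.
 * Rejects trailing garbage and octets above 255. */
bool mf_parse_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Compare an address against a rule's address/netmask pair. */
static bool ip_matches(uint32_t rule_ip, uint32_t mask, uint32_t pkt_ip)
{
    if (rule_ip == 0) return true;        /* rule does not constrain this side */
    if (mask == 0) mask = 0xffffffffu;    /* no netmask given: exact host */
    return (rule_ip & mask) == (pkt_ip & mask);
}

/* True when every constrained field of the rule matches the packet. */
bool mf_match(const struct mf_rule *r, const struct mf_pkt *p)
{
    if (r->dir != p->dir) return false;
    if (r->proto != MF_PROTO_ANY && r->proto != p->proto) return false;
    if (!ip_matches(r->src_ip, r->src_mask, p->src_ip)) return false;
    if (!ip_matches(r->dst_ip, r->dst_mask, p->dst_ip)) return false;
    if (r->src_port && r->src_port != p->src_port) return false;
    if (r->dst_port && r->dst_port != p->dst_port) return false;
    return true;
}

/* Walk the policy in order; the first matching rule decides.
 * A packet no rule matches is passed (assumed default-accept). */
enum mf_action mf_decide(const struct mf_rule *rules, size_t n, const struct mf_pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (mf_match(&rules[i], p)) return rules[i].action;
    return MF_PASS;
}

/* The article's example rule: inbound, source 10.0.2.15 with netmask
 * 255.255.0.0 (i.e. 10.0.0.0/16), destination port 80, TCP, BLOCK. */
struct mf_rule mf_example_rule(void)
{
    struct mf_rule r = {0};
    r.dir = MF_IN;
    mf_parse_ip("10.0.2.15", &r.src_ip);
    mf_parse_ip("255.255.0.0", &r.src_mask);
    r.dst_port = 80;
    r.proto = MF_PROTO_TCP;
    r.action = MF_BLOCK;
    return r;
}

/* Build a constructed sample packet and run it against the example rule. */
enum mf_action mf_check(enum mf_dir dir, const char *src, enum mf_proto proto, uint16_t dport)
{
    struct mf_rule rule = mf_example_rule();
    struct mf_pkt p = {0};
    p.dir = dir;
    mf_parse_ip(src, &p.src_ip);
    mf_parse_ip("192.168.1.2", &p.dst_ip); /* constructed local address */
    p.src_port = 40000;
    p.dst_port = dport;
    p.proto = proto;
    return mf_decide(&rule, 1, &p);
}

int main(void)
{
    printf("in  TCP 10.0.7.1 -> :80  : %s\n",
           mf_check(MF_IN, "10.0.7.1", MF_PROTO_TCP, 80) == MF_BLOCK ? "BLOCK" : "PASS");
    printf("in  TCP 10.1.0.1 -> :80  : %s\n",
           mf_check(MF_IN, "10.1.0.1", MF_PROTO_TCP, 80) == MF_BLOCK ? "BLOCK" : "PASS");
    return 0;
}
```

Note that the netmask is applied to both the rule's address and the packet's address, which is why 10.0.2.15 with 255.255.0.0 blocks the whole 10.0.0.0/16 rather than only that one host; a rule that omits the netmask falls back to an exact-host comparison.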

Design and Implementation

The firewall implementation is done as a Linux kernel module. If you don’t have experience in kernel programming, don’t worry, I’ll try to be as detailed as necessary.

The implementation also has a simple configuration program that lets users configure the firewall from user space. The procfs virtual file system is used to pass information between user space and kernel space.

All programming is done in C. The topics covered include the command-line parsing API in GNU libc, how to write a Linux kernel module, the Linux proc file system, and netfilter.

The overall design of this firewall implementation is shown below.


Figure 1. Overall Design of Minifirewall

The configuration tool is called minifirewall. It parses the user's commands and sends instructions to the kernel module mf_km.ko through a proc file, /proc/minifirewall. Based on those commands, mf_km.ko adds, deletes or prints firewall policy rules.

mf_km.ko intercepts network packets arriving at or leaving the system's network interfaces and filters them (either passing or dropping each packet) based on the firewall policy set by the user.

More details of the implementation will be covered later.

Part 2: Command Line Arguments Parsing in glibc

Part 3.1: Linux Kernel Module Basics and Hello World

Part 3.2: Linux Kernel Programming – Linked List

Part 3.3: Linux Kernel Programming – Memory Allocation

Part 4.1: How to Filter Network Packets using Netfilter – Part 1 Netfilter Hooks

Part 4.2: How to Filter Network Packets using Netfilter – Part 2 Implement the Hook Function

Part 5: Linux procfs Virtual File System

Part 6: Put Everything Together (If you want the entire code, check out this part)

10 thoughts on “How to Write a Linux Firewall in Less than 1000 Lines of Code Part 1–Overview”

    1. Thanks for your article!
      I'm having a semester project that is about writing a firewall on Linux. Can you suggest me some books and documents to research?
      Thanks so much!

  1. mf.c: In function ‘print_rule’:
    mf.c:309:1: error: expected declaration or statement at end of input please help me with this code
    thank you

  2. I wish I could find this earlier… Now I have almost finished everything… Yes, the assignment is still the same for that module=.=

  3. I know this is an old post, but your images are missing but I would find them very useful for my own project. Do you happen to still have them, and if so is there any way you could upload them?
    -Thanks, Stefan
