Linux Firewalls

Attack Detection and Response with iptables, psad, and fwsnort
by Michael Rash
October 2007, 336 pp.

"Between 2000 and mid-2008, I've read and reviewed nearly 250 technical books. I've also written several books, so I believe I can recognize a great book when I see it. Linux Firewalls is a great book."
Richard Bejtlich, from the foreword to Linux Firewalls

System administrators need to stay ahead of the new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more, with coverage of these topics:

  • Passive network authentication and OS fingerprinting
  • iptables log analysis and policies
  • Application layer attack detection with the iptables string match extension
  • Building an iptables ruleset that emulates a Snort ruleset
  • Port knocking vs. Single Packet Authorization (SPA)
  • Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables—along with psad and fwsnort—to detect and even prevent compromises.

Visit the book's companion site for supporting files, downloads, errata, and more.

Author Bio

Michael Rash is a Security Architect on the Dragon Intrusion Detection System with Enterasys Networks, Inc., and is a frequent contributor to open source projects. As the creator of psad, fwknop, and fwsnort, Rash is an expert on firewalls, IDSs, OS fingerprinting, and the Snort rules language. He is co-author of the book Snort 2.1 Intrusion Detection, lead-author and technical editor of the book Intrusion Prevention and Active Response, and has written security articles for Linux Journal, SysAdmin, and ;login:.

Table of contents

Foreword by Richard Bejtlich

Chapter 1: Care and Feeding of iptables
Chapter 2: Network Layer Attacks and Defense
Chapter 3: Transport Layer Attacks and Defense
Chapter 4: Application Layer Attacks and Defense
Chapter 5: Introducing psad: The Port Scan Attack Detector
Chapter 6: psad Operations: Detecting Suspicious Traffic
Chapter 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting
Chapter 8: Active Response with psad
Chapter 9: Translating Snort Rules into iptables Rules
Chapter 10: Deploying Fwsnort
Chapter 11: Combining psad and Fwsnort
Chapter 12: Port-Knocking vs. Single Packet Authorization
Chapter 13: Introducing fwknop
Chapter 14: Visualizing iptables Logs

Appendix A: Attack Spoofing
Appendix B: A Complete fwsnort Script

"If you're building a Linux firewall and want to know what all the bells and whistles are, when you might want to set them off, and how to hook them together, here you go."
;login:

"This admirable, eminently usable text goes much further than advertised."
Linux User and Developer, Issue 77

"If you run one or more Linux based firewalls, this book will not only help you to configure them securely, it will help you understand how they can be monitored to discover evidence of probes, abuse and denial of service attacks. Readers of this book will gain an understanding of firewall log analysis and how the netfilter firewall can be dramatically enhanced with several open source tools."
Ron Gula, CTO & Co-Founder of Tenable Network Security

"The book is easy to read, and chock full of attack vectors and subtle (and not so subtle) iptables configuration tips. This well researched book heightens an average system administrator's awareness to the vulnerabilities in his or her infrastructure, and the potential to find hardening solutions."
Free Software Magazine

"Right from the start, the book presented valuable information and pulled me in. Each of the central topics was thoroughly explained in an informative, yet engaging manner. Essentially, I did not want to stop reading. Rating: 9/10"
Slashdot

"One of the main reasons Linux Firewalls is a great book is that Mike Rash is an excellent writer. I've read (or tried to read) plenty of books that seemed to offer helpful content, but the author had no clue how to deliver that content in a readable manner. Linux Firewalls makes learning network security an enjoyable experience."
Richard Bejtlich, Tao Security

"What really makes this book different from the others I've seen over the years is that the author approaches the subject in a layered method while exposing potential vulnerabilities at each step. (Thank you so VERY much.) So for those that are new to the security game, the book also takes a stab at teaching the basics of network security while teaching you the tools to build a modern firewall."
InfoWorld

"Linux Firewalls is a great resource. It provided insight and helpful information into additional tools to get the most out of iptables and to add in additional functionality."

"If you or anyone you know is responsible for keeping a secure network, Linux Firewalls is an invaluable resource to have by your side. You will gain a better understanding of attacks, how to use iptables, PSAD, and fwsnort - all in an effort to properly defend and respond to attempted compromises."

"Michael does a great job of explaining not just how iptables works, but he shows how users gain operational value from using open source tools and techniques, such as visualization, to analyze firewall logs."
Raffael Marty, SecViz

The Art of Information Security interviewed Linux Firewalls author Michael Rash about network security and open source security tools.

Please visit the book's companion site for updates and errata.