Posted by: Mangesh_Linux_Administrator | September 1, 2010

The Linux Mascot

The Linux Mascot


By  Ragib Hasan
Department of Computer Science
University of Illinois at Urbana-Champaign

Table of Contents

a.  In The Beginning
b.  New Baby in the horizon
c.  Confrontation and development
d.  A Decade of Linux
e.  Tux: The Spirit of Linux
f.   Some Linux Cookies
g.  Timeline
h.  Links
i.  Acknowledgments

a. In The Beginning

It was 1991, and the ruthless agonies of the cold war were gradually coming to an end. There was an air of peace and tranquility that prevailed in the horizon. In the field of computing, a great future seemed to be in the offing, as powerful hardware pushed the limits of the computers beyond what anyone expected.

But still, something was missing.

And it was the none other than the Operating Systems, where a great void seemed to have appeared.

For one thing, DOS was still reigning supreme in its vast empire of personal computers. Bought by Bill Gates from a Seattle hacker for $50,000, the bare bones operating system had sneaked into every corner of the world by virtue of a clever marketing strategy. PC users had no other choice. Apple Macs were better, but with astronomical prices that nobody could afford, they remained a horizon away from the eager millions.

The other dedicated camp of computing was the Unixworld. But Unix itself was far more expensive. In quest of big money, the Unix vendors priced it high enough to ensure small PC users stayed away from it. The source code of Unix, once taught in universities courtesy of Bell Labs, was now cautiously guarded and not published publicly. To add to the frustration of PC users worldwide, the big players in the software market failed to provide an efficient solution to this problem.

A solution seemed to appear in form of MINIX. It was written from scratch by Andrew S. Tanenbaum, a US-born Dutch professor who wanted to teach his students the inner workings of a real operating system. It was designed to run on the Intel 8086 microprocessors that had flooded the world market.

As an operating system, MINIX was not a superb one. But it had the advantage that the source code was available. Anyone who happened to get the book ‘Operating Systems: Design and Implementation’ by Tanenbaum could get hold of the 12,000 lines of code, written in C and assembly language. For the first time, an aspiring programmer or hacker could read the source codes of the operating system, which to that time the software vendors had guarded vigorously. A superb author, Tanenbaum captivated the brightest minds of computer science with the elaborate and immaculately lively discussion of the art of creating a working operating system. Students of Computer Science all over the world pored over the book, reading through the codes to understand the very system that runs their computer.

And one of them was Linus Torvalds.



b. New Baby in the Horizon

In 1991, Linus Benedict Torvalds was a second year student of Computer Science at the University of Helsinki and a self-taught hacker. The 21 year old sandy haired soft-spoken Finn loved to tinker with the power of the computers and the limits to which the system can be pushed. But all that was lacking was an operating system that could meet the demands of the professionals. MINIX was good, but still it was simply an operating system for the students, designed as a teaching tool rather than an industry strength one.

At that time, programmers worldwide were greatly inspired by the GNU project by Richard Stallman, a software movement to provide free and quality software. Revered as a cult hero in the realm of computing, Stallman started his awesome career in the famous Artificial Intelligence Laboratory at MIT, and during the mid and late seventies, created the Emacs editor. In the early eighties, commercial software companies lured away much of the brilliant programmers of the AI lab, and negotiated stringent nondisclosure agreements to protect their secrets. But Stallman had a different vision. His idea was that unlike other products, software should be free from restrictions against copying or modification in order to make better and efficient computer programs. With his famous 1983 manifesto that declared the beginnings of the GNU project, he started a movement to create and distribute softwares that conveyed his philosophy (Incidentally, the name GNU is a recursive acronym which actually stands for ‘GNU is Not Unix’). But to achieve this dream of ultimately creating a free operating system, he needed to create the tools first. So, beginning in 1984, Stallman started writing the GNU C Compiler(GCC), an amazing feat for an individual programmer. With his legendary technical wizardry, he alone outclassed entire groups of programmers from commercial software vendors in creating GCC, considered as one of the most efficient and robust compilers ever created.

Richard Stallman, father of the GNU Project

By 1991, the GNU project created a lot of the tools. The much awaited Gnu C compiler was available by then, but there was still no operating system. Even MINIX had to be licensed.(Later, in April 2000, Tanenbaum released Minix under the BSD License.) Work was going the GNU kernel HURD, but that was not supposed to come out within a few years.

That was too much of a delay for Linus.

In August 25, 1991 the historic post was sent to the MINIX news group by Linus …..

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of HelsinkiHello everybody out there using minix –
I’m doing a (free) operating system (just a hobby, won’t be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready.I’d like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system(due to practical reasons)
among other things). I’ve currently ported bash(1.08) and gcc(1.40),and
things seem to work.This implies that I’ll get something practical within a
few months, andI’d like to know what features most people would want. Any
suggestions are welcome, but I won’t promise I’ll implement them 🙂
Linus (
PS. Yes – it’s free of any minix code, and it has a multi-threaded fs.
It is NOT protable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that’s
all I have :-(.

As it is apparent from the posting, Linus himself didn’t believe that his creation was going to be big enough to change computing forever. Linux version 0.01 was released by mid September 1991, and was put on the net. Enthusiasm gathered around this new kid on the block, and codes were downloaded, tested, tweaked, and returned to Linus. 0.02 came on October 5th, along with this famous declaration from Linus:

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: Free minix-like kernel sources for 386-AT
Message-ID: <1991Oct5.054106.4647@klaava.Helsinki.FI>
Date: 5 Oct 91 05:41:06 GMT
Organization: University of Helsinki
Do you pine for the nice days of minix-1.1, when men were men and wrote their own device drivers?
Are you without a nice project and just dying to cut your teeth on a OS you can try to modify for your
needs? Are you finding it frustrating when everything works on minix? No more all-nighters to get a nifty program working? Then this post might be just for you 🙂
As I mentioned a month(?)ago, I’m working on a free version of a minix-lookalike for AT-386 computers. It has
finally reached the stage where it’s even usable (though may not be depending on
what you want), and I am willing to put out the sources for wider distribution. It is  just version 0.02 (+1 (very
small) patch already), but I’ve successfully run bash/gcc/gnu-make/gnu-sed/compress etc under it.
Sources for this pet project of mine can be found at ( in the directory /pub/OS/Linux.
The directory also contains some README-file and a couple of binaries to work under linux
(bash, update and gcc, what more can you ask for :-). Full kernel source is provided, as no minix code has been
used. Library sources are only partially free, so that cannot be distributed currently. The system is able to compile
“as-is” and has been known to work. Heh. Sources to the binaries (bash and gcc) can be found at the
same place in /pub/gnu.

Linux version 0.03 came in a few weeks. By December came version 0.10. Still Linux was little more than in skeletal form. It had only support for AT hard disks, had no login ( booted directly to bash). version 0.11 was much better with support for multilingual keyboards, floppy disk drivers, support for VGA,EGA, Hercules etc. The version numbers went directly from 0.12 to 0.95 and 0.96 and so on. Soon the code went worldwide via ftp sites at Finland and elsewhere.


c. Confrontation & Development

Linus displays Linux running on a notebook pc

Soon Linus faced some confrontation from none other than Andrew Tanenbaum, the great teacher who wrote MINIX. In a post to Linus, Tanenbaum commented:

“I still maintain the point that designing a monolithic kernel in 1991 is a fundamental error. Be thankful you are not my student. You would not get a high grade for such a design :-)”
(Andrew Tanenbaum to Linus Torvalds)

Linus later admitted that it was the worst point of his development of Linux. Tanenbaum was certainly the famous professor, and anything he said certainly mattered. But he was wrong with Linux, for Linus was one stubborn guy who won’t admit defeat.

Tanenbaum also remarked that : “Linux is obsolete”.

Now was the turn for the new Linux generation. Backed by the strong Linux community, Linus gave a reply to Tanenbaum which seems to be most fitting:

Your job is being a professor and researcher: That’s one hell of a good excuse for some of the brain-damages of minix.
(Linus Torvalds to Andrew Tanenbaum)

And work went on. Soon more than a hundred people joined the Linux camp. Then thousands. Then hundreds of thousands. This was no longer a hackers toy. Powered by a plethora of programs from the GNU project, Linux was ready for the actual showdown. It was licensed under GNU General Public License, thus ensuring that the source codes will be free for all to copy, study and to change. Students and computer programmers grabbed it.

Soon, commercial vendors moved in. Linux itself was, and is free. What the vendors did was to compile up various software and gather them in a distributable format, more like the other operating systems with which people were more familiar. Red Hat , Caldera, and some other companies gained substantial amount of response from the users worldwide. While these were commercial ventures, dedicated computer programmers created their very own volunteer-based distribution, the famed Debian. With the new Graphical User Interfaces (like X-window System, KDE, GNOME)the Linux distributions became very popular.

Meanwhile, there were amazing things happening with Linux. Besides the PC, Linux was ported to many different platforms. Linux was tweaked to run 3Com’s handheld PalmPilot computer. Clustering technology enabled large number of Linux machines to be combined into a single computing entity, a parallel computer. In April 1996, researchers at Los Alamos National Laboratory used Linux to run 68 PCs as a single parallel processing machine to simulate atomic shock waves. But unlike other Supercomputers costing a fortune, it was rather cheap. The do-it-yourself supercomputer cost only $152,000, including labor (connecting the 68 PCs with cables)-about one tenth the price of a comparable commercial machine. It reached a peak speed of 19 billion calculations per second, making it the 315th most powerful supercomputer in the world. And it was a robust one too. Three months later it still didn’t have to be rebooted.
A Beaming Linus Today

The best thing about Linux today is the fanatic following it commands. Whenever a new piece of hardware is out, Linux kernel is tweaked to take advantage of it. For example, within weeks after the introduction of Intel Xeon® Microprocessor, Linux kernel was tweaked and was ready for it. It has also been adapted for use in Alpha, Mac, PowerPC, and even for palmtops, a feat which is hardly matched by any other operating system. And it continues its journey into the new millennium, with the same enthusiasm that started one fine day back in 1991.
Linus in 2002

As for Linus, he remains a simple man. Unlike Bill Gates, he is not a billionaire. Having completed studies, he moved to USA and landed a job at Transmeta Corporation. After conducting a top-secret research and development project, Transmeta launched the Crusoeâ„¢ processor. Linus was an active member of the research team. Recently married to Tove, he is the proud father of a girl, Patricia Miranda Torvalds. But he remains as the world’s most favorite and most famous programmer to this date. Revered by Computer communities worldwide, Linus is by far the most popular programmer on this planet.


d. After a Decade: Linux Today

Proving all the warning and prophecies of the skeptics wrong, Linux has completed a decade of development. Today, Linux is one of the fastest growing operating systems in the history. From a few dedicated fanatics in 1991-92 to millions of general users at present, it is certainly a remarkable journey. The big businesses have ‘discovered’ Linux, and have poured millions of dollars into the development effort, denouncing the anti-business myth of the open-source movement. IBM corp. once considered the archenemy of open-source hacker community, has come forward with a huge fund for development of open source Linux based solutions. But what’s really amazing is the continuously increasing band of developers spread throughout the world who work with a fervent zeal to improve upon the features of Linux. The development effort is not, as many closed-sourced advocates accuse, totally engulfed with chaos. A well designed development model supervised by some maintainers is adopted. Along with this, there are thousands of developers working to port various applications to Linux.

Commercial enterprises are no longer wary of Linux. With a large number of vendors providing support for Linux based products, it is no longer a ‘do-at-your-own-risk’ thing to use Linux at the office. As for reliability, Linux certainly proved it during the nasty attacks of the CIH virus in 1999 and the love bug a year later, during which Linux based machines proved to be immune to the damages caused by these otherwise quite simple computer viruses. Linux startups like Red Hat received a cordial response as they went public. And even after the dot-com bust of the recent years, these companies continue to thrive and grow. With this added confidence, many large and small businesses have adopted Linux based servers and workstations as an integral part of their offices.

Rise of the Desktop Linux

What is the biggest complain against Linux? Perhaps in the past, it was the text based interface which scared off many people from using it. ‘Text mode gives total control’, some dedicated hackers and heavy users may explain. But for the millions of ordinary people, it also means a lot of effort towards learning the system. The existing X-Window system and the window managers were not up to the general computer users’ expectation. Exactly this argument had always been put forward by dedicated followers of the Windows(TM) camp. But things began to change in the last couple of years. The advent of professional looking desktop environments like KDE( K Desktop Environment) and GNOME completed the picture. The recent versions of these desktop environment have changed the general perception about the ‘user friendliness’ of Linux to a great extent. Though hard-core users grumble about the loss of purity of the hacker-culture, this great change in the mindset of the common users has increased the popularity of Linux.

Today, almost distributions of Linux include user-friendly GUIs. Installation has also become easier. Gone are the days when users would need detailed expertise in computer hardware to install Linux … distributions like Ubuntu, Debian, Suse, Knoppix, and Red Hat’s Fedora Core can be installed by even novice users. Most distributions are also available in Live CD format, which the users can just put in their CD drives and boot without installing it to the hard drive, making Linux available to the newbies.

Linux in the Developing World

Perhaps the greatest change is the spread of Linux to the developing world. In the days before Linux, developing countries were way behind in the field of computing. The cost of hardware fell down, but the cost of software was a huge burden to the cash-strapped computer enthusiasts of the Third World countries. In desperation, people resorted to piracy of almost all sorts of software products. This resulted in widespread piracy, amounting to billions of dollars. But then again, the pricetag of most of the commercial products were far beyond the reaches of the people in developing countries. For example, a typical operating system product costs at least US $100 or more. But in countries with per capita incomes of about US$200-300, is a huge amount.

The rise of Linux and other related open source product has changed it all. Since Linux can be scaled to run in almost computer with very few resources, it has become a suitable alternative for low budget computer users. Old, ancient 486/Pentium 1 computers that has become a part of history in the developed world are still used in developing countries. And Linux has enabled to unleash the full potential of these computers. The use of open source software has also proliferated, since the price of software is a big question. In countries of Asia, Africa and Latin America, Linux has appeared as a way out for the masses of computer enthusiasts. And a testament to the true global nature of Linux, local customizations were made in obscure parts of the world. The Linux documentation now includes documents written in almost all the major languages … and also many minor ones, for example, Vietnamese.

From Desktop to SuperComputing

When Linux was first envisaged by Linus Torvalds, it was just another hackers hobby. But from the humble Intel 386 machine of Linus that ran the first kernel, Linux has come a long way. Its most notable use now is in the field of massively parallel supercomputing clusters.

In August 2001, BBC reported that the US Government was planning to build what would be a mega computer, capable of performing over 13 trillion calculations per second (13.6 TeraFLOPS). The project, called Teragrid would consist of a connected network of 4 US supercomputing centers. The four labs that are collaborating to create the Teragrid are: National Center for Supercomputing Applications at the University of Illinois(NCSA), San Diego Supercomputer Center (SDSC) at the University of California Argonne National Laboratory in Chicago; California Institute of Technology in Pasadena. At each of these centers, there would be a supercomputer. In total, there would be more than 3000 processors running in parallel to create the Tetragrid.

By 2005, the use of Linux became more prevalent in Supercomputing. The 2005 Top500 list of Supercomputers shows that 4 of the top 5 fastest supercomputers use Linux as their operating system.

The Journey Continues

The journey of Linux from a hacking project to globalization has been more like an evolutionary experience. The GNU Project, started in the early 1980’s by Richard Stallman, laid the foundation for the development of open source software. Prof. Andrew Tanenbaum’s Personal Computer operating system Minix brought the study of operating systems from a theoretical basis to a practical one. And finally, Linus Torvald’s endless enthusiasm for perfection gave birth to Linux. Throughout the last couple of years, hundreds of thousands of people forming global community nurtured it and brought it to its glorious place in the annals of the computer revolution. Today Linux is not just another student’s hacking project, it is a worldwide phenomenon bringing together huge companies like IBM and the countless millions of people throughout the world in the spirit of the open source software movement. In the history of computing, it will forever remain as one of the most amazing endeavors of human achievement.

e. Tux the penguin: Linux’s Dear Logo

The logo of Linux is a penguin. Unlike other commercial products of computer operating systems, Linux doesn’t have a formidable serious looking symbol. Rather Tux, as the penguin is lovingly called, symbolizes the carefree attitude of the total movement. This cute logo has a very interesting history. As put forward by Linus, initially no logo was selected for Linux. Once Linus went to the southern hemisphere on a vacation. There he encountered a penguin, not unlike the current logo of Linux. As he tried to pat it, the penguin bit his hand. This amusing incident led to the selection of a penguin as the logo of Linux sometime later.


f. Some Linux Cookies

Here are some famous words by Linus himself.

Dijkstra probably hates me
(Linus Torvalds, in kernel/sched.c)

“How should I know if it works?  That’s what beta testers are for.  I only
coded it.”
(Attributed to Linus Torvalds, somewhere in a posting)

“I’m an idiot.. At least this one [bug] took about 5 minutes to find..”
(Linus Torvalds in response to a bug report.)

“If you want to travel around the world and be invited to speak at a lot
of different places, just write a Unix operating system.”
(By Linus Torvalds)

> > Other than the fact Linux has a cool name, could someone explain why I
> > should use Linux over BSD?

> No.  That’s it.  The cool name, that is.  We worked very hard on
> creating a name that would appeal to the majority of people, and it
> certainly paid off: thousands of people are using linux just to be able
> to say “OS/2? Hah.  I’ve got Linux. What a cool name”.  386BSD made the
> mistake of putting a lot of numbers and weird abbreviations into the
> name, and is scaring away a lot of people just because it sounds too
> technical.
(Linus Torvalds’ follow-up to a question about Linux)

> The day people think linux would be better served by somebody else (FSF
> being the natural alternative), I’ll “abdicate”.  I don’t think that
> it’s something people have to worry about right now – I don’t see it
> happening in the near future. I enjoy doing linux, even though it does
> mean some work, and I haven’t gotten any complaints (some almost timid
> reminders about a patch I have forgotten or ignored, but nothing
> negative so far).

> Don’t take the above to mean that I’ll stop the day somebody complains:
> I’m thick-skinned (Lasu, who is reading this over my shoulder commented
> that “thickheaded is closer to the truth”) enough to take some abuse.
> If I weren’t, I’d have stopped developing linux the day ast ridiculed me
> on c.o.minix.  What I mean is just that while linux has been my baby so
> far, I don’t want to stand in the way if people want to make something
> better of it (*).

> (*) Hey, maybe I could apply for a saint-hood from the Pope.  Does
> somebody know what his email-address is? I’m so nice it makes you puke.
(Taken from Linus’s reply to someone worried about the future of Linux)

`When you say “I wrote a program that crashed Windows”, people just stare at
you blankly and say “Hey, I got those with the system, *for free*”.’
(By Linus Torvalds)


G. Timeline of Linux History

Date Event
January 1984 Richard Stallman quits his job at MIT and starts working on the GNU Project.
Month unknown Free Software Foundation, an organization for creating and promoting free software, is founded by Richard Stallman.
March 1985 The GNU manifesto, a statement by Richard Stallman advocating the cause of free software movement, is published in the March 1985 issue of Dr. Dobb’s Journal
August 25 1991 Linus conceives the idea of Linux and announces the project in a Usenet Post
September 1991 Version 0.01 is released on the Net
January 1992 First Linux Newsgroup: alt.os.linux founded in the UseNet
April 1992 Ari Lemmke starts the popular Linux newsgroup comp.os.linux in the UseNet
November 1992 Adam Richter announces the release of the first Linux Distribution from his company: Yggdrasil
June 1993 Slackware, the famous Linux distribution is released by Peter Volkerding
August 1993 Matt Welsh releases Linux Installation and getting started: version 1
March 1994 Linux kernel version 1.0 is released


H. Links

Here are some links on the history of Linux which you may find helpful. A website with help on Linux related issues. Web site of Linus Torvalds … contains some funny comments and photos of Linus Torvalds and his family. (Linus claims himself to be a www-illiterate 🙂 A website devoted to geeks and other tech-minded people. Contains some interesting contemporary and historical information on Linux and other free technologies. Wikipedia article on Linux Wikipedia article on the GNU Project

Sponsored links–> //


I.Acknowledgments and Copyright

History is always boring, but history of Computing and that of Linux are very interesting. Much of the source of this article has been taken from the Internet. It was inspired by the questions asked by many would be Linux users at meetings and postings of Bangladesh Linux Users Group. Thanks to all.

All materials taken from various sources belong to their respective authors. All trademarks belong to the respective corporations and companies. Microsoft and Windows are registered trademarks of Microsoft corp.

This article is copyrighted by Ragib Hasan (1999+) and so all rights are reserved. But don’t worry, Any part of this article can be reproduced in any form with prior permission of the author which can be obtained for FREE by e-mailing him. Please feel encouraged to spread the spirit of the open source software movement.

For all mistakes and suggestions, please contact me:

Ragib Hasan

Department of Computer Science
University of Illinois at Urbana-Champaign,

Urbana, IL 61801
United States
mail me at ragibhasan aaaaht gmail daaawt com (You know what I mean 😉 )

This article is available at and

Slide1: Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP

Today’s Agenda: Today’s Agenda Introduction TCP/IP Recap Firewall Basics ipchains, iptables (Netfilter) Implementation for home use Implementation for business use Firewall Management Demo

Introduction: Introduction Why need a firewall? Increased network security Access Control (Network/Transport Level) Logging Why Linux? It’s FREE Not difficult to use!? Low hardware cost Flexible Lots of features compared with commercial counterpart Lots of Support!? Always evolving and improving (thanks to the open source community)

TCP/IP Recap: General Info: TCP/IP Recap: General Info Essentials for configuring a firewall A suite of network protocols that runs on the internet Layered Concept Lower layers provide means of communications for upper layers Key Terms TCP, UDP, IP, ICMP

TCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept Application TCP UDP IP Device Driver Device Driver Application Application Application http, ftp, dns, telnet, netbios Ports src, dst eth0, eth1 ICMP

TCP/IP Recap: Layered Communication: TCP/IP Recap: Layered Communication Application TCP/UDP TCP/UDP IP Device Driver Device Driver IP Application Client Server

TCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept http TCP UDP IP Device Driver Device Driver ftp Netbios-ns dns 80 20,21 137 53 eth0 eth1

TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close

TCP/IP Recap: TCP, UDP, IP, ICMP: TCP/IP Recap: TCP, UDP, IP, ICMP TCP Stateful communication (Session, Reliable) UDP Stateless communication (no session, Less reliable, fast) IP Addressing, routing (best effort) ICMP Diagnostic (dangerous?)

Firewall Basics: What is a Firewall?: Firewall Basics: What is a Firewall? In simple term, a firewall is: A device filtering network traffic between 2 (or more) networks Network A Network B

Firewall Basics: What is NOT a Firewall?: Firewall Basics: What is NOT a Firewall? A firewall is NOT: The only thing for security Does not solves other aspect of infosec (eg. human, insiders, mis-configuration) You still have to let traffic in and out “install and leave it” Need to manage it for the ever-changing network environment Need to monitor it 100% safe Any software has bugs and vulnerabilities, so does any firewall

Firewall Basics: Different Types of Firewalls: Firewall Basics: Different Types of Firewalls A firewall can be in the form of: Packet-Filtering Gateway (Today’s focus) Application Gateway (http proxy, socks server)

Firewall Basics: How does it work?: Firewall Basics: How does it work? Packet filter Inspect packets as they transverse Checks Src-addr, dst-addr, src-ports, dst-ports, flags, session # Perform action (accept, drop) based on a rule (defined by you) Accept Drop

ipchains: What is it?: ipchains: What is it? A loadable kernel module that performs packet filtering Comes with most Linux distribution Concept of chain: Input, output, and forward Command or Script (up to you) No Port-forward Port-forward: use with “ipmasqadm portfw”

iptables (a.k.a. Netfilter): What is it?: iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module Since kernel 2.4.x Comes with recent distribution Everything of ipchains plus: Stateful inspection Port forward (for servers behind firewall) More customized logging Improved matching (rate, string matching) More features = more difficult to use

ipchains or iptables: Before we begin: ipchains or iptables: Before we begin Make sure the linux O/S is hardened (Not covered here) Applied the latest patch from the distribution you selected Use the most recent version of ipchains or iptables

ipchains: Basic Usage I: ipchains: Basic Usage I Command Syntax: ipchains –A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]] [-d address [port[:port]] –j [action] -l Useful Option: ! Means “NOT” -l means “log to syslog” -y means “SYN set & ACK clear -> connection initiation” ! –y means “ACK set ->response to initiation, established connection”

TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close

ipchains: The basic concept: ipchains: The basic concept Control the input, output, and forward behavior of the interfaces input eth0 output input eth1 output forward

ipchains: Using Script: ipchains: Using Script Put the script in /etc/rc.d/rc.firewall (just as if you type it on command line) In some distribution, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line) Run when firewall boots Good practices: Only enable ip forward inside the script and after all the rules are defined (ie. At the very end) run the script before interfaces goes up make sure the script is owned by root and with mode 700

ipchains Tips: Writing Script: ipchains Tips: Writing Script Use deny for default chain, “-P” “ipchains –P forward deny” “ipchains –P input deny” “ipchains –P output deny” Remember to allow localhost traffic Use variables to assist you: LOCALNET_1=”“ LOCAL_INTERFACE_1=”eth1“ “ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT”

ipchains Tips: REJECT vs. DENY: ipchains Tips: REJECT vs. DENY Two choice when blocking packet “REJECT” or “DENY” If “REJECT”, a “ICMP port unreachable” is sent back to the src-addr IF “DENY”, then the packet is just dropped

Implementation Tips: : Implementation Tips: Use common Linux distributions PC with >1 NIC card, hard disk for the O/S Install and harden O/S Load module (usually already loaded for default installation Run script Some Unique Linux distribution PC without hard disk (use RAM as disk) Floppyfw, LEAF Trinux (hardened) Store your script on floppy or cdrom

Implementation for Home: Typical Setup: Implementation for Home: Typical Setup Internet Firewall 1 or more PC’s Cable, ADSL, or Dial-up Modem Aim: Masquerade all out going traffic Allow all outgoing traffic Filter in-coming traffic

Home use: firewall-config: Home use: firewall-config Use GUI to help you Based on ipchains Most distribution

Home use: firestarter: Home use: firestarter Use GUI to help you Rpm package available Based on iptables

Home use: firestarter: Home use: firestarter Wizard

Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem Cable Connection: Use Standard DHCP for external interface Straight forward Set up LAN interfaces using “linuxconf” or “/etc/sysconfig/network-script/ifcfg-eth0” “pump” or “dhcpcd” “pump” has to be fixed by “initscripts-6.22-1” or the IP address will disappear after the dhcp leasing period Choose “pump” or “dhcpcd” in the script “/etc/sysconfig/network-script/ifup”

Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem ADSL Connection: NOT Standard DHCP for external interface Usually PPP over Ethernet (pppoE) Use package rp-pppoe to assist you Most ADSL connection requires user account Configure the account in “/etc/ppp/pppoe.conf “ When filtering, refer to “pppO” rather than “eth0” Step-by-Step guide for rp-pppoe at

Home Use: Step-by-Step Setup – Step 1: Home Use: Step-by-Step Setup – Step 1 Lay down some essential variables Internet connected interface: If Cable: EXTERNAL_INTERFACE=”eth0“ IF ADSL: EXTERNAL_INTERFACE=“ppp0“ Loopback interface: LOOPBACK_INTERFACE=”lo“ Internal interface: LOCAL_INTERFACE_1=”eth1″ Local Network Address: LOCALNET_1=”″

Home Use: Step-by-Step Setup – Step 2: Home Use: Step-by-Step Setup – Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for internal and loopback interface: ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Home Use: Step-by-Step Setup – Step 3: Home Use: Step-by-Step Setup – Step 3 Filter incoming traffic towards external interface Done by the default chain “ipchains -P input DENY” But that will disallow all input Need to allow TCP high port traffic that is NOT “connection initiation” (SYN bit not set!) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y –destination-port 1024:65535 -j ACCEPT

What is “! –y” ??? : What is “! –y” ??? Anyone Your firewall SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Connection Established Server Close Active Open Connection Established Client Close

Home Use: Step-by-Step Setup – Step 4: Home Use: Step-by-Step Setup – Step 4 Some ports that you have to open DNS Replies ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y –source-port 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp –source-port 53 -j ACCEPT FTP data ipchains -A input -i $EXTERNAL_INTERFACE -p tcp –destination-port 20 -j ACCEPT ICMP Replies ipchains -A input -i $EXTERNAL_INTERFACE -p icmp –icmp-type echo-reply -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp –icmp-type destination-unreachable -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp –icmp-type time-exceeded -j ACCEPT

Home Use: Step-by-Step Setup – Final Step: Home Use: Step-by-Step Setup – Final Step Enable IP forwarding echo “1” > /proc/sys/net/ipv4/ip_forward

Office Use: Office Use Don’t rely on GUI GUI may not be flexible enough for you Commands gives you more control Learn it (you or your net admin staff) Put together a firewall script

Implementation for Office: Typical Setup 1: Implementation for Office: Typical Setup 1 Internet Firewall Internal LAN router Aim: Masquerade all out going traffic Filter both in-coming and out-going traffic Port forward incoming traffic for your servers DMZ (servers)

Implementation for Office: Typical Setup 2: Implementation for Office: Typical Setup 2 Firewall Internal LAN 1 Aim: Filter traffic between two networks Internal LAN 2

Office Use: Step-by-Step Setup – Step 1: Office Use: Step-by-Step Setup – Step 1 Lay down some essential variables Internet connected interface: EXTERNAL_INTERFACE=”eth0“ Loopback interface: LOOPBACK_INTERFACE=”lo“ Internal interface: LOCAL_INTERFACE_1=”eth1“ LOCAL_INTERFACE_2=“eth2” Network Addresses and servers: LOCALNET_1=”“ MAIL_SERVER=“a.a.a.a” WEB_SERVER=“b.b.b.b”

Office Use: Step-by-Step Setup – Step 2: Office Use: Step-by-Step Setup – Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Ipchains –P output DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for loopback interface: ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup – Step 3: Office Use: Step-by-Step Setup – Step 3 Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE base on EACH service you allow: Example http and dns service: ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp –destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -s $ANYWHERE -p tcp –source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -s $ANYWHERE -p tcp –source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp –destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A input -p udp –destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -p udp –destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -p udp –destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p udp –destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup – Step 4: Office Use: Step-by-Step Setup – Step 4 Port forwarding to your servers Need “ipmasqadm” Example, web server: ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80 ipchains -A input -s $ANYWHERE –d $EXTERNAL_WEB_IP -p tcp –destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p tcp –source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp –source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A output -p tcp –source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup – Final Step: Office Use: Step-by-Step Setup – Final Step Enable IP forwarding echo “1” > /proc/sys/net/ipv4/ip_forward

Troubleshooting Tips: Troubleshooting Tips Don’t panic when it doesn’t work Use “-l” (logging) to help you Logs are logged in syslog Location: /var/log/messages Use this command to view traffic as they pass along: #tail –f /var/log/messages Can also use tcpdump or snoop to help you

Firewall Management: Building Rules: Firewall Management: Building Rules gfcc For ipchains Provides good rules management

Firewall Management: View Current MASQ sessions: Firewall Management: View Current MASQ sessions gfcc View current masquerading sessions

Firewall Management: Build your rules online!: Firewall Management: Build your rules online!

Firewall Management: Viewing Logs: Firewall Management: Viewing Logs Firestarter Real-time “hit-list” showing the blocked traffic

Firewall Management: Log Analyzer: Firewall Management: Log Analyzer fwlogwatch Generate html report Real time reporting Some customization work

Firewall Management: What’s missing?: Firewall Management: What’s missing? Enterprise level – multiple firewall Rules building, use: Scp (secure copy) X-window (need proper access control) Log management, use: Various syslog tools

Good References: Books: Good References: Books TCP/IP Illustrated (All time classic) By W. Richard Stevens Firewall and Internet Security (All time classic) By William R. Cheswick, Steven M. Bellovin Linux Firewall By Robert L. Ziegler

Good References: Sites: Good References: Sites SANS: Choosing a firewall Robert L. Ziegler Site: ipchains HOW-TO: Netfilter project and iptables HOW-TO: Robert Graham, analyzing firewall logs:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: