How to build a Firewall on UNIX ?

I want to build a firewall on a Unix platform in C/C++. It will allow traffic to some known IPs only.
Similar to iptables. Can anybody please provide any help? Do I need to write a network driver?
ArnabtechAsked:
jlevieCommented:
Is there some reason that you can't use iptables? If you can't, look at the source for iptables to see how to approach the problem.
nociSoftware EngineerCommented:
What Unix are you using?

Linux uses iptables.
BSD uses Packet Filter (or PF).

There are various ready-to-run firewalls for both environments, mostly as an installation CD that, after booting, installs a complete firewall system on your PC.

Most other Unices have little firewall support.
Duncan RoeSoftware DeveloperCommented:
The support for iptables is in the Linux kernel. For every iptables feature you use, you need to load an LKM (Linux kernel module). So you can't just write something "similar to iptables" for some random UNIX platform unless you have access to the kernel source for that platform.
ArnabtechAuthor Commented:
Thanks for all the answers. I am using CentOS and have access to the kernel source.
I am building a custom application to monitor the traffic and block it if required. So I can communicate with the firewall to pass a packet or not based on deep packet inspection. It's kind of like SNORT.
Duncan RoeSoftware DeveloperCommented:
iptables already has the QUEUE and NFQUEUE targets to pass packets for custom inspection - why not use one of them?

(my last post for a few days)
nociSoftware EngineerCommented:
There are two angles to approach this: Linux only (use QUEUE & NFQUEUE and the iptables stuff) or a general approach: use libpcap to capture packets, running on a host of systems (even non-Linux if you like).
http://www.tcpdump.org/ is the home of libpcap.

libpcap is designed to be used by tcpdump, but is also used in Wireshark, carp and other products that need to capture odd frames of traffic.
iptables will only match IP packets that are more or less valid and nothing else.
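The NFQUEUE approach mentioned in the two comments above, as an added example that is not from the original thread: the kernel hands the raw IP packet to a userspace program, which returns a verdict. The decision function below does what the question asked for (accept only packets from known source addresses) and also shows the validation that a userspace filter has to repeat itself, because a packet that reaches a queue callback has not necessarily been sanity-checked the way an iptables match would check it. The allow-list, the sample packets and the verdict enum are constructed for this example; the real NFQUEUE glue (nfq_get_payload to obtain the bytes, nfq_set_verdict with NF_ACCEPT or NF_DROP to answer) is described in comments but not linked in, so the block compiles without libnetfilter_queue.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts for a queued packet.  In a real nfq_callback() the same decision
 * would be passed to nfq_set_verdict(qh, id, NF_ACCEPT or NF_DROP, 0, NULL);
 * the enum is local so this example builds without libnetfilter_queue. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Allow-list of source addresses, host byte order (constructed sample). */
static const uint32_t allowed_sources[] = {
    0xC0A80105u, /* 192.168.1.5 */
    0x0A000001u, /* 10.0.0.1 */
};

/* RFC 1071 one's-complement sum over the IPv4 header.  With the checksum
 * field zeroed it yields the checksum to store; over an intact header
 * (checksum field included) it yields 0. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decide the fate of one raw packet as handed over by NFQUEUE (or libpcap,
 * once the link-layer header is skipped): pkt points at the IP header.
 * Every malformed case is dropped so the filter fails closed. */
enum verdict filter_packet(const uint8_t *pkt, size_t len) {
    if (len < 20) return VERDICT_DROP;                /* truncated header */
    if ((pkt[0] >> 4) != 4) return VERDICT_DROP;      /* only IPv4 handled */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return VERDICT_DROP;   /* bogus IHL */
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (total_len < ihl || total_len > len) return VERDICT_DROP;
    if (ipv4_header_checksum(pkt, ihl) != 0) return VERDICT_DROP;
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    for (size_t i = 0; i < sizeof allowed_sources / sizeof allowed_sources[0]; i++)
        if (allowed_sources[i] == src) return VERDICT_ACCEPT;
    return VERDICT_DROP;                              /* unknown source */
}

/* Build a minimal IPv4 packet (20-byte header, zeroed payload) with a valid
 * checksum.  Constructed test input, not captured traffic.  Returns the
 * total length written into buf, which must hold 20 + payload_len bytes. */
size_t build_ipv4_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                         uint8_t proto, size_t payload_len) {
    uint16_t total = (uint16_t)(20 + payload_len);
    memset(buf, 0, total);
    buf[0] = 0x45;                         /* version 4, IHL 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xFF);
    buf[8] = 64;                           /* TTL */
    buf[9] = proto;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint16_t csum = ipv4_header_checksum(buf, 20);
    buf[10] = (uint8_t)(csum >> 8); buf[11] = (uint8_t)(csum & 0xFF);
    return total;
}

int main(void) {
    uint8_t buf[64];
    uint32_t sources[] = { 0xC0A80105u, 0xC0A80106u };
    for (int i = 0; i < 2; i++) {
        size_t n = build_ipv4_packet(buf, sources[i], 0x0A000002u, 6, 8);
        printf("src %u.%u.%u.%u -> %s\n", buf[12], buf[13], buf[14], buf[15],
               filter_packet(buf, n) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    }
    return 0;
}
```

To feed this from iptables, a rule such as `iptables -A INPUT -j NFQUEUE --queue-num 0` sends every input packet to queue 0, and a program using libnetfilter_queue's nfq_create_queue / nfq_handle_packet loop calls filter_packet() on the payload. Note that each queued packet costs a kernel/user round trip; accepting the known addresses with ordinary `-s` rules before the NFQUEUE rule, so that only the remainder is queued for inspection, is the usual way to keep that path off the hot traffic.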

ArnabtechAuthor Commented:
I am a bit familiar with libpcap. If I go for a packet-capture-based firewall, will it be able to handle Gbps traffic?

nociSoftware EngineerCommented:
First:
What do you want to do?
- Define firewall...
   = Some black box in the network that filters stuff
   = Network filter technology (iptables, PF, other)
   = Application firewall (proxy-like function)
- Define what you need to do
- Try to divide functionality to the right level (driver, IP routing layer, application layer).

If you want DPI you very probably need more resources than a driver or IP router has (logging, disk I/O etc.).
To effectuate a blocking action you need either to receive the data itself and forward it if appropriate (i.e. a proxy) or to act at the IP routing layer (i.e. PF/iptables).

nociSoftware EngineerCommented:
Oh, and an application-level system might not scale well in the Gbps range.
OTOH, how much better would a DPI system do anyway... The decision is far more complex than just an IP address/port combination.