The Perfect Firewall

We can create our own firewall customized to our exact
needs by using the "iptables" command to configure the kernel's
packet handling rules. Here's an example "iptables"
invocation:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
If you were to type in these commands (which would be a bad
idea), you would have a nearly "perfect" firewall, and would be
incredibly well protected against any form of incoming
malicious attack. Unfortunately, this firewall would also
prevent your machine from accepting any kind of incoming
network traffic, period! So, while this firewall is
very secure, it also happens to be quite silly. If you're
looking for this level of protection, your best bet is to
unplug the network cable from the back of your Linux
system.
While our "perfect" firewall is essentially useless, it does
serve as a good way to introduce some important iptables
concepts. Whenever the Linux kernel encounters a packet,
it associates the packet with a particular built-in netfilter
"chain." For example, if the kernel receives a packet on its
eth1 interface that is addressed to the local machine, the
packet is associated with the INPUT chain. Likewise, if a
local program sends a packet out of your system's ppp0
interface, then this packet is associated with the OUTPUT
chain. For standard netfilter packet filtering operations,
there are three officially recognized chains:

INPUT, for packets arriving over the network for your local machine;
OUTPUT, for packets being sent over the network by your local machine;
FORWARD, for packets that arrive over the network but are destined for other hosts.
We can control how Linux treats these various classes of
packets by attaching rules to any one of these three
chains. When we do this, the kernel will go through each
of the rules we specified in succession, checking to see if the
rule applies to the particular packet in question. If a
rule matches, the kernel takes the action specified by that
rule. However, if no rules match, then the kernel
applies a default policy to the packet. By default, all
chains have a policy of "ACCEPT," which means that a packet is
allowed to travel to its destination unhindered.
Previously, we used the iptables "-P" option to drastically
change the default policy of the INPUT and the FORWARD
chains. By setting the default policy to "DROP," we tell
netfilter to simply discard all incoming packets by
default. Because there are no rules in our INPUT and
FORWARD chains to accept any potential incoming packets, the
default policy applies and all incoming packets are thrown
away. End of story.
You may be surprised to learn that this hard-line policy
(which, again, is incredibly unproductive by itself) is a great
foundation for a firewall. Why is that? Because by using
a "deny by default" policy, we must explicitly define the set
of network traffic that is acceptable to us. We'll do
this later on by adding rules that will accept just the network
traffic we're interested in, but no more. With a "deny by
default" policy, we have the assurance that any type of traffic
that we haven't explicitly accepted won't be allowed through
the firewall. That's a good thing.
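The chain selection, first-match rule walk and default-policy fallback described above, as an added Python model that is not part of the original article and does not touch the real kernel: "perfect_firewall" mirrors the two -P commands with no rules, and "deny_by_default_firewall" adds two hypothetical ACCEPT rules (loopback and established replies) to show how explicit accepts sit on top of a DROP policy. Packet fields, the "state" label and the rule set are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]   # interface it arrived on; None if a local program sent it
    out_iface: Optional[str]  # interface it leaves on; None if it is for this host
    proto: str
    dport: int
    state: str                # "NEW" or "ESTABLISHED", as connection tracking would label it

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str               # "ACCEPT" or "DROP"

@dataclass
class Chain:
    policy: str = "ACCEPT"    # iptables' built-in default until -P changes it
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # Rules are tried in order; the first match decides, otherwise the policy applies.
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy

def select_chain(pkt: Packet) -> str:
    # Built-in chain selection as the article describes it.
    if pkt.in_iface is None:
        return "OUTPUT"
    if pkt.out_iface is None:
        return "INPUT"
    return "FORWARD"

def filter_packet(chains: Dict[str, Chain], pkt: Packet) -> str:
    return chains[select_chain(pkt)].verdict(pkt)

def perfect_firewall() -> Dict[str, Chain]:
    # Model of "iptables -P INPUT DROP; iptables -P FORWARD DROP" with no rules at all.
    return {"INPUT": Chain("DROP"), "FORWARD": Chain("DROP"), "OUTPUT": Chain()}

def deny_by_default_firewall() -> Dict[str, Chain]:
    # Same policies plus hypothetical accepts: loopback traffic and replies to our own connections.
    chains = perfect_firewall()
    chains["INPUT"].rules.append(Rule(lambda p: p.in_iface == "lo", "ACCEPT"))
    chains["INPUT"].rules.append(Rule(lambda p: p.state == "ESTABLISHED", "ACCEPT"))
    return chains
```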