Chapter 14. Firewalling with iptables

The Linux kernel contains advanced tools for packet filtering, the process of controlling network packets as they attempt to enter, move through, and exit your system. Pre-2.4 kernels filtered packets with ipchains, which applied lists of rules to packets at each step of the filtering process. The 2.4 kernel introduced iptables, which is similar to ipchains but greatly expands the scope and control available for filtering network packets.

This chapter focuses on packet filtering basics, defining the differences between ipchains and iptables, explaining various options available with iptables commands, and showing how filtering rules can be preserved between system reboots.

Warning

The default firewall mechanism under the 2.4 kernel is iptables, but iptables cannot be used while ipchains is loaded; the two cannot be active in the kernel at the same time. If ipchains is present at boot time, the kernel reports an error and iptables fails to start.

These boot error messages do not affect the functionality of ipchains.

If you require instructions for constructing iptables rules or setting up a firewall based on these rules, please see the Section called Additional Resources for more information.

Packet Filtering

Traffic moves through a network in packets, discrete units of data whose size is bounded by the network's maximum transmission unit. A file sent over a network between two computers may be comprised of many packets, each of which holds a small part of the file data. The sending computer takes the file and breaks it into packets to be sent over the network, using the rules of the network protocol being utilized. The other computer receives the packets and, using the method specified by the protocol, reassembles the packets into the file.

Every packet contains information which helps it navigate the network and move to its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things. Most packets are designed to carry data, although some protocols use packets in special ways. The Transmission Control Protocol (TCP), for example, uses a SYN packet, which contains no data, to initiate communication between two systems.

The Linux kernel contains the built-in ability to filter packets, allowing some of them into the system while stopping others. The 2.4 kernel organizes its rules into tables (filter, nat, and mangle). The filter table, which iptables uses unless another is named with the -t option, holds three built-in chains, also called rule lists: INPUT, OUTPUT, and FORWARD. Every packet entering or leaving the machine traverses exactly one of these chains. When a packet arrives on a network interface, the kernel's routing decision determines whether it is destined for the local system (INPUT) or for another host (FORWARD), and therefore which chain is used. In the same way, a packet that originates on the system and attempts to leave it is checked against the OUTPUT chain.

Each packet may need to be checked against multiple rules before it reaches the end of the chain. The structure and purpose of these rules may vary, but they usually identify a packet by its source or destination IP address (or address range), the protocol it uses, and the network service (port) involved.

Regardless of their destination, when a packet matches a particular rule in one of the chains, it is handed to that rule's target, the action to be applied to it. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, the packet is refused access to the system and nothing is sent back to the host that sent it. If a rule specifies a REJECT target, the packet is likewise discarded, but an error packet (by default an ICMP port-unreachable message; the --reject-with option selects another, such as a TCP reset) is sent back to the packet's originator.

Every built-in chain has a default policy, which may be ACCEPT, DROP, or QUEUE (pass the packet to a userspace program). REJECT is an extension target, not a built-in one, and cannot be set as a chain policy; to reject unmatched packets with an error, add a rule with -j REJECT as the last rule of the chain. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy. User-defined chains have no policy; a packet that reaches the end of one returns to the chain that jumped to it.

The iptables command allows you to configure these chains, as well as create user-defined chains that rules can jump to, to suit your particular situation.
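The chains, targets, and default policies described above, worked into a small host firewall script. This is an added example, not code from the original guide: it assumes sshd listens on TCP/22, that the loopback interface is named lo, and that the state match module (ip_conntrack) is available. Run it without arguments to print the commands it would issue; run it with --apply as root to install them.

```shell
#!/bin/sh
# Host firewall for the filter table: the three built-in chains (INPUT,
# FORWARD, OUTPUT), a default policy on each, and rules that use the
# ACCEPT, DROP and REJECT targets.
#
# Added example, not code from the original guide. Assumptions (not stated
# on the page): sshd listens on TCP/22, the loopback interface is "lo", and
# the "state" match (ip_conntrack / ipt_state) is available.
#
# Safety: without --apply the script only prints the commands it would run.

SSH_PORT="${SSH_PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"

# Dry-run stand-in for the iptables binary: print the command instead.
dryrun() {
    printf 'iptables %s\n' "$*"
}

fw_rules() {
    # Start from an empty filter table: flush all chains, delete user-defined
    # chains, zero the counters.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z

    # Default policies apply only to packets no rule in the chain matched.
    # Only built-in targets (ACCEPT, DROP, QUEUE) are valid as a policy;
    # "iptables -P INPUT REJECT" fails with "Bad policy name".
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Traffic on the loopback interface is always allowed.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Packets belonging to a connection this host already accepted or opened.
    # Placed early: most packets match here and skip the rest of the chain.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback source addresses arriving on a real interface are spoofed.
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # New inbound SSH connections.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Answer echo requests (ping).
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # REJECT rather than DROP for ident (TCP/113): remote mail servers probe
    # it and, with DROP, would wait for a timeout before delivering to us.
    $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Anything else reaches the end of INPUT and meets the DROP policy:
    # silently discarded, nothing is sent back to the sender.

    # This host does not route. The FORWARD policy is already DROP; logging
    # first makes unexpected forwarding attempts visible in the kernel log.
    $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

# Number of INPUT rules the script installs, computed from a dry run.
fw_input_rule_count() {
    ( IPTABLES=dryrun; fw_rules ) | grep -c '^iptables -A INPUT '
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        fw_rules
    else
        echo "# dry run: pass --apply (as root) to install these rules" >&2
        IPTABLES=dryrun
        fw_rules
    fi
}

main "$@"
```

The ordering inside INPUT matters: the ESTABLISHED,RELATED rule sits near the top so that the bulk of traffic is accepted by one match and never reaches the slower per-service rules, and the ident rule shows where REJECT is preferable to the chain's DROP policy.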