We live in a world where being connected is the norm. If we could see the packets traveling around us, we would surely go insane. One of the main tasks of system administrators is building systems that deal with these packets, and probably the most common need is a firewall. In this article we will give an overview of the Netfilter framework in Linux, together with iptables, its user-space tool.
Everything started back in 1998, when Rusty Russell (with his development team) re-designed the already existing ipchains. It was one of the earliest firewalls able to administer IP packet filters. Ipchains, based on the classic ipfwadm, was probably the beginning of Netfilter. The developers realized that there was a lot of room for improvement, and so the Netfilter project was born.
Netfilter is a fully functional, feature-laden packet filtering framework available since the Linux 2.4.x and 2.6.x kernels. The beauty of this framework is that a set of tools and components can use its hooks into the kernel's networking stack to accomplish various tasks: NAT (network address translation), stateful connection tracking, packet mangling and, most importantly, acting as an advanced firewall.
The project was later extended with iptables. As its name suggests, it organizes rules into tables, which lets system administrators create, set up, and enforce rule-sets for packet filtering as well as for the NAT modules. Iptables ships with almost all Linux distributions. It relies heavily on the Xtables sub-framework, and the two together are sometimes called "iptables firewalling."
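To make the table structure and the stateful tracking concrete, here is a small default-deny gateway rule-set as an added example (not code from the article): the filter table decides what is accepted, the nat table rewrites addresses, and the conntrack match does the stateful part. The interface names (eth0/eth1), the LAN network 192.168.1.0/24 and the choice to allow SSH only from the LAN are assumptions for the example.

```shell
#!/bin/sh
# Stateful default-deny firewall with source NAT for a small gateway (added
# example). Assumed, not taken from the article: WAN on eth0, LAN on eth1 with
# 192.168.1.0/24, SSH reachable from the LAN side only.
IPT="${IPT:-iptables}"          # set IPT=echo for a dry run that only prints
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
  # Start from a clean slate in both tables we use.
  $IPT -t filter -F
  $IPT -t nat -F

  # filter table: default-deny for traffic to and through this host.
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT

  # Stateful tracking: accept replies to connections the kernel already knows,
  # drop packets the connection tracker cannot classify at all.
  $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  # New inbound connections: only SSH, and only arriving on the LAN interface.
  $IPT -t filter -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # Forwarding: LAN hosts may open connections towards the WAN; the replies
  # come back through the ESTABLISHED,RELATED rule; nothing else is forwarded.
  $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

  # nat table: rewrite the source address of LAN traffic leaving on the WAN
  # interface. Whether it may leave at all was decided in the filter table.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Usage (as root, with net.ipv4.ip_forward=1 for the FORWARD/nat parts):
#   apply_rules
# Dry run, printing the twelve iptables commands instead of executing them:
#   IPT=echo
#   apply_rules
```

Rule order matters: the ESTABLISHED,RELATED and INVALID rules sit at the top of each chain so that every later ACCEPT only ever sees packets that open a new connection.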
Throughout this article we will first present some details and specifics on the Netfilter infrastructure, and then we are going to get into Iptables. We will examine chains, how rule-sets can be created and linked, and ultimately we will present some working examples to see everything in action.
Now that you have learned the structure of this article and know exactly what to expect, let’s begin. Keep in mind that this is just a brief overview. It is not a manual that explains how to create NAT modules, make chains of rules, and implement a highly secure Netfilter/iptables solution that “fits” your network situation. This article was written to make you aware of this possibility. The rest is up to you.