Before we begin, it should be said that this article presumes a general knowledge of networking, since it targets wannabe system administrators and/or security-conscious people. The article won’t get into explaining terms like IP packet, NAT masquerading, or packet filtering. Let’s see what Netfilter is all about instead.
Netfilter redefined the way IP packets are administered. As mentioned earlier, three functional schemes are supported: customizable packet filtering, connection tracking, and NAT. Each of these can be used on its own, at different points in the packet path; they aren’t tied to each other anymore (as they were before under ipchains). This is one of the most powerful benefits of using Netfilter: the ability to create stateful firewalls.
A stateful firewall is a firewall that verifies and maintains the state of network connections. Its decision-making process is based on those states (depending on how it’s configured). It accepts only specific states, while it rejects all of the rest.
Stateless firewalls of earlier generations administered each IP packet individually. Over the years, numerous attacks became possible through spoofing and/or injecting rogue packets. Stateful firewalls keep and maintain a table of each active connection, and everything that comes in and goes out is tracked against it. The state of each packet is therefore known as well, such as whether it’s part of an already-established connection.
IP spoofing is a common attack technique that relies on fooling stateless firewalls that make decisions based only on the source address of the packet. With spoofing, the true source of the attack is hidden; it's as simple as that.
In the paragraph above we’ve somewhat hinted at connection tracking. This is another technology that the Netfilter framework sports. Each logical network connection or session is tracked individually, so the framework knows which connection every IP packet belongs to. This tracking is necessary to accomplish NAT. However, as we’ll see on the next page, the Iptables user space can use this information to act as a stateful firewall.
The possible states for which connections can be flagged are the following: new, established, related, invalid, and untracked. Based on this information, the system administrator can create rules with the Iptables extension. Therefore, Netfilter is a fully functional generic packet control framework that sports a flexible API. You can create your own patches, modules, plug-ins, and so forth using Netfilter’s “kernel hooks.”
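The ruleset below is an added example, not part of the original article, showing how the connection states just listed are used in practice: it emits a minimal stateful IPv4 ruleset in iptables-restore format, so the rules can be reviewed as text before being loaded. The external interface name (eth0) and the single exposed service port (22) are assumed values supplied through environment variables; the loopback source check on the external interface ties back to the spoofing discussion above.

```shell
#!/bin/sh
# Added example: generate a stateful firewall ruleset as text (iptables-restore
# format) and only load it on request. Interface and port are assumptions.
WAN_IF="${WAN_IF:-eth0}"     # assumption: the external (untrusted) interface
SSH_PORT="${SSH_PORT:-22}"   # assumption: the one inbound service we expose

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
stateful_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host.
-A INPUT -i lo -j ACCEPT
# A packet claiming a loopback source on the external interface is spoofed.
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
# Packets conntrack cannot classify (bad TCP flags, out-of-window) are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to, and helpers of, connections we already know about.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only NEW connections accepted from outside: the exposed service.
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Log (rate limited) what falls through so rejected NEW attempts are visible.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: number of rules that make a decision based on connection state.
count_state_rules() {
    stateful_ruleset | grep -c -- '--ctstate'
}

# Load the ruleset only when explicitly asked; needs root and iptables-restore.
if [ "${1:-}" = "--apply" ]; then
    stateful_ruleset | iptables-restore
else
    stateful_ruleset
fi
```

Run the script without arguments to review the generated rules (or redirect them to a file for version control); run it with `--apply` as root to load them. Because the INPUT policy is DROP and ESTABLISHED,RELATED is accepted before any NEW rule, a packet that merely claims to belong to an existing session but has no entry in the connection tracking table is dropped rather than passed through.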
There is another thing we should mention. A so-called “patch-o-matic” was added to Netfilter. This can always be found in the latest release of Netfilter, and it contains all of its new patches. These haven’t gone through extensive testing stages, may be dangerous, and may even conflict with each other. Their usage is recommended only for experts (“make patch-o-matic”). The patches apply to your kernel source.
For further information regarding how to write your own Netfilter modules, please check Nicolas Bouliane's and Jan Engelhardt’s 62-page manual. The manual is quite comprehensive, though still under development. Some sections are currently being written, while others are looking for contributors. But all of the material is still gold should you want to look into Netfilter module coding.
You should also keep an eye on Netfilter's official website. Moreover, once you're on the official website, you should check out the official HOWTO documentation. The documents are split into different categories, most of which are available in multiple languages.