Netfilter
In computer networking, netfilter, together with its companion iptables, is a software extension to the Linux operating system that implements a stateful firewall framework. It also enables other networking features such as network address translation (NAT).
Specifically, the netfilter software component is a set of custom hooks in the networking subsystem inside the Linux kernel. Netfilter is distributed as a set of patches to the kernel source code along with a patch tool called patch-o-matic. The iptables software component uses the hooks provided by netfilter to implement the firewall framework. It includes a set of kernel modules along with some user space administrative commands.
History
The netfilter/iptables project was started in 1999 with a small group of developers calling themselves the coreteam. The software they produced (called netfilter from here on) was designed for use with the Linux 2.4 kernel and made available to the public in 2000 under the GNU General Public License.
Prior to netfilter, the predominant software packages for creating Linux firewalls were ipchains in Linux 2.2 and ipfwadm in Linux 2.0. Netfilter kept many of the basic ideas first introduced with ipchains, including the use of tables, chains, and packet matching rules. Netfilter unified many smaller networking extensions, most importantly NAT and proxy capabilities, as well as adding connection tracking and IPv6 support.
Netfilter is included in all major Linux distributions using the 2.4 or 2.6 kernel.
Operational summary
The primary purpose of the netfilter framework is to allow the user (system administrator) to define their own sets of rules for how to deal with network packets. All of these rules are organized into a set of tables, each of which has any number of chains. Each chain is an ordered list of rules. Every rule contains a specification of which packets match it, and if so, what to do with the packet.
There are three different tables, each of which has some predefined chains. As each packet is processed by the operating system it is passed into some of these chains.
- filter table: this table is responsible for filtering (blocking or permitting a packet to proceed).
  - INPUT chain: all packets arriving into the system go through this chain.
  - OUTPUT chain: all packets leaving the system go through this chain.
  - FORWARD chain: all packets passing through the system (being routed) go through this chain.
- nat table: this table is responsible for rewriting packet addresses or ports.
- mangle table: this table is responsible for adjusting packet options, such as quality of service.
  - PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING chains: all of these allow packet options to be modified at any point during processing.
In addition to the predefined chains, the user can create any number of custom chains within each table.
Each chain contains a list of rules. When a packet is sent to a chain, it is compared against each rule in the chain in order. The rule specifies what properties the packet must have for the rule to match, such as the port number or IP address. If the rule does not match then processing continues to the next rule. If, however, the rule does match the packet, then the rule's target instructions are followed (and further processing of the chain is usually aborted).
The target of a rule may send the packet through a different chain (much like a subroutine in a programming language), or may choose to act upon the packet. For instance the packet may be accepted, rejected, or dropped. There are also a large number of custom targets such as logging the packet, rewriting address and port numbers, and changing the packet options. It is even possible to pass the packet up to a user space process, which may facilitate an application-level proxy.
One of the important iptables features in netfilter is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets that make up a given connection. It is this ability that allows netfilter to act as a stateful firewall.
iptables
iptables is a user space application program that allows a system administrator to configure the netfilter tables (described above). Because iptables requires elevated privileges to operate, it must be executed as the root user; otherwise it fails to function.
Command syntax
The detailed syntax of the iptables command is documented in its man page, which can be displayed by typing this command:
man iptables
Example
This example shows an already-configured workstation firewall. The command "iptables -L" is executed by user root to display the firewall configuration.
```
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     all  --  anywhere               anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere               anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere               anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere               anywhere            icmp echo-reply
DROP       all  --  anywhere               anywhere

Chain FORWARD (policy DROP)
target     prot opt source                 destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                 destination
```
The RELATED,ESTABLISHED rule uses connection tracking (statefulness) so that most client programs (web browser, ssh, ...) work:
$ lynx www.iki.fi/karvinen
(A web page opens)
The computer does not respond to ping and offers no services. Because unwanted packets are silently dropped (DROP) rather than rejected, connection attempts to scanned ports simply time out.
```
$ ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
```
Trying to connect to the HTTP port (TCP 80):
```
$ telnet 10.0.0.1 80
Trying 10.0.0.1...
```
(Nothing happens for a long time. User quits program with ctrl-C)
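The following script, added here as an example and not taken from the article or the netfilter project, rebuilds the workstation firewall whose `iptables -L` listing is shown above, using the table/chain/rule/target model from the operational summary. The `IPT` variable, the `--dry-run` option, and the function name are assumptions of this example; set `IPT="echo iptables"` to print the commands instead of applying them.

```shell
#!/bin/sh
# Constructed example: rebuild the INPUT chain shown in the iptables -L listing.
# IPT defaults to the real iptables binary; override it to preview the rules.
IPT="${IPT:-iptables}"

apply_workstation_firewall() {
    # Chain policies: drop unsolicited inbound and routed traffic, allow outbound.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Start from an empty INPUT chain so the rules below are the only ones.
    $IPT -F INPUT

    # Loopback traffic (shown as localhost.localdomain -> localhost.localdomain).
    $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

    # Connection tracking: accept replies and related packets for connections
    # this host opened, which is what lets client programs (lynx, ssh) work.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # ICMP control messages needed for path MTU discovery, traceroute and
    # replies to our own pings. Inbound echo-request is not listed, so the
    # host does not answer ping.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Explicit final DROP: silently discard everything else, so scanned
    # ports time out rather than being refused.
    $IPT -A INPUT -j DROP
}

# Usage: "sh firewall.sh --apply" as root applies the rules;
# "sh firewall.sh --dry-run" only prints them.
case "${1:-}" in
    --apply)   apply_workstation_firewall ;;
    --dry-run) IPT="echo iptables"; apply_workstation_firewall ;;
esac
```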