Basics of iptables

The Linux kernel uses a series of rules to determine what to do with any given packet it receives or that's generated by local processes. These rules are arranged in chains, which provide a series of patterns and actions to be taken should a packet match the pattern. The first rule to match a pattern determines what the system does with the packet—accept it, reject it, or pass it to another chain. The chains are in turn organized into tables, with relationships between them. The most important table is the filter table, which is illustrated in Figure 20.2. In this table, the INPUT chain processes packets destined for local programs, the FORWARD chain processes packets that the system is to forward (as in a router), and the OUTPUT chain processes packets that originate locally and are destined for outside systems. Any given packet passes through just one of these chains. Other standard tables include the nat table, which handles Network Address Translation (NAT), and the mangle table, which modifies packets in specialized ways.

Figure 20.2: Linux uses a series of rules, which are defined in chains that are called at various points during processing, to determine the fate of network packets.

In order to create a packet-filter firewall, you must design a series of rules for specific tables and chains. For instance, you might tell the INPUT chain to discard any packets directed at port 80 (the web server port) that don't originate from the local network. Another set of rules might tell the OUTPUT chain to block all outgoing packets from local processes destined for port 25 (the SMTP mail server) except for those directed at your network's mail server computer. A router is likely to include a number of special rules for the FORWARD chain, as well, in order to control routing features independently of local programs' accesses.
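As an added example (not from the book), the following POSIX shell script generates a filter-table ruleset in iptables-restore format that implements the two policies just described: port 80 is reachable only from the local network, and outgoing SMTP is allowed only to the network's own mail server. The LAN prefix and mail server address are constructed placeholders; the ESTABLISHED,RELATED and loopback rules are a practitioner's addition so that replies to accepted connections are not caught by the blocks. Because the first matching rule decides a packet's fate, each exception (ACCEPT) is deliberately placed above the corresponding block, and check_order verifies that ordering.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for the filter table.
# LAN_NET and MAIL_SERVER are constructed placeholder values, not from the book.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.25}"

# Emit the ruleset on stdout. Lines beginning with '#' are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections already accepted, and loopback traffic, are matched first.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Web server reachable from the LAN only: the ACCEPT for the LAN precedes the DROP.
-A INPUT -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
# Outgoing SMTP only to our own mail server: the exception precedes the block.
-A OUTPUT -d $MAIL_SERVER -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Return 0 when the mail-server ACCEPT sits above the blanket port-25 REJECT.
# With first-match semantics, the reverse order would block mail to the server too.
check_order() {
    accept=$(build_ruleset | grep -n -e "--dport 25 -j ACCEPT" | cut -d: -f1)
    reject=$(build_ruleset | grep -n -e "--dport 25 -j REJECT" | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

# Print the ruleset; as root it can be loaded with: build_ruleset | iptables-restore
build_ruleset
```

Set LAN_NET and MAIL_SERVER in the environment to your own values before running. Packets not matched by any rule fall through to the chain's default policy, which is left at ACCEPT here exactly as the book's two rules imply; a stricter firewall would flip the INPUT policy to DROP and list every permitted service explicitly.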

Linux provides the iptables utility for manipulating firewall rules. This program relies on support that must be enabled in the Linux kernel. Most importantly, you must enable the Network Packet Filtering option in the Networking Options configuration area (which is in the Networking Support area in 2.5.x and later kernels). Once you've done this, you can activate various options in the IP: Netfilter Configuration submenu off of the Networking Options menu. Be sure the IP Tables Support option is active. I recommend that you build just about everything else, as well, at least as modules. You can probably ignore the ipchains and ipfwadm support options, and in fact you must omit them if you compile IP Tables Support into the main kernel file. Most Linux distributions ship with most of these options compiled as modules.

Note: The iptables utility works with 2.4.x through 2.6.x kernels, and it may work with future kernels, as well. The 2.2.x kernel series used the ipchains tool instead, and 2.0.x used ipfwadm. You need to support these tools only if you have an old firewall script created with them.
