A Brief History of Netfilter


The Netfilter code changed dramatically from the 2.2 to the 2.4 series kernel (but, at least in terms of the iptables syntax, it did not change very much from the 2.4 to the 2.6 series). This means there is a big difference between ipchains and iptables. For historical purposes, we will briefly examine both in this section.

Note 

You can use ipchains on 2.4 kernels, but not in conjunction with the Linux Virtual Server, so this book will describe ipchains only in connection with 2.2 series kernels.

Figure 2-2 shows the ipchains packet matching for the input, forward, and output chains in Linux 2.2 series kernels.

Figure 2-2: ipchains in the Linux kernel

Notice how a packet arriving on eth0 and going out eth1 will have to traverse the input, forward, and output chains. In Linux 2.4 and later series kernels,[3] however, the same type of packet would only traverse the FORWARD chain. When using iptables, each chain only applies to one type of packet: INPUT rules are only applied to packets destined for locally running daemons, FORWARD rules are only applied to packets that arrived from a remote host and need to be sent back out on the network, and OUTPUT rules are only applied to packets that were created locally.[4] Figure 2-3 shows the iptables INPUT, FORWARD, and OUTPUT rules in Linux 2.4 series kernels.

Figure 2-3: iptables in the Linux kernel

This change (a packet passing through only one chain depending upon its source and destination) from the 2.2 series kernel to the 2.4 series kernel reflects a trend toward simplifying the sets of rules, or chains, to make the kernel more stable and the Netfilter code more sensible. With the ipchains or iptables command-line utilities, we can use the three chains to control which packets get into the system, which packets are forwarded, and which packets are sent out without worrying about the specific Netfilter hooks involved—we only need to remember when these rules are applied. We can summarize the chains as follows:

Summary of ipchains for Linux 2.2 series kernels

Packets destined for locally running daemons:

       input 

Packets from a remote host destined for a remote host:

       input       forward       output 

Packets originating from locally running daemons:

       output 

Summary of iptables for Linux 2.4 and later series kernels

Packets destined for locally running daemons:

       INPUT 

Packets from a remote host destined for a remote host:

       FORWARD 

Packets originating from locally running daemons:

       OUTPUT 
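To make the consequence of this change concrete, here is an added example (not code from the book) that models the two traversal orders summarized above and applies a constructed ruleset to one forwarded packet. It assumes first-match semantics within a chain and covers only the filter table; LOCAL_ADDRS, Packet, Rule, chains_for and verdict are names made up for this example.

```python
from typing import List, Optional
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port

@dataclass(frozen=True)
class Rule:
    chain: str            # "input"/"forward"/"output" or "INPUT"/"FORWARD"/"OUTPUT"
    dport: Optional[int]  # None matches any destination port
    verdict: str          # "ACCEPT" or "DROP"

# Constructed: the firewall host's own addresses (RFC 5737 documentation ranges).
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1"}

def chains_for(pkt: Packet, model: str) -> List[str]:
    """Chains a packet traverses, per the two summaries above (filter table only)."""
    to_local = pkt.dst in LOCAL_ADDRS
    from_local = pkt.src in LOCAL_ADDRS
    if model == "ipchains":                    # Linux 2.2
        if to_local:   return ["input"]
        if from_local: return ["output"]
        return ["input", "forward", "output"]  # forwarded packets hit all three chains
    if to_local:   return ["INPUT"]            # iptables, Linux 2.4 and later
    if from_local: return ["OUTPUT"]
    return ["FORWARD"]                         # forwarded packets hit only FORWARD

def verdict(pkt: Packet, rules: List[Rule], model: str, policy: str = "ACCEPT") -> str:
    """First match in each traversed chain wins; a DROP ends traversal immediately."""
    for chain in chains_for(pkt, model):
        for r in rules:
            if r.chain == chain and (r.dport is None or r.dport == pkt.dport):
                if r.verdict == "DROP":
                    return "DROP"
                break  # ACCEPT here: packet continues to the next chain, if any
    return policy  # no rule matched in any chain: the chain policy applies

# Constructed: a telnet packet arriving from one remote host, forwarded to another.
FORWARDED_TELNET = Packet(src="203.0.113.5", dst="203.0.113.77", dport=23)

IPCHAINS_RULES       = [Rule("input", 23, "DROP")]   # 2.2: also blocks forwarded telnet
NAIVE_IPTABLES_RULES = [Rule("INPUT", 23, "DROP")]   # 2.4+: literal port of the same rule
FIXED_IPTABLES_RULES = [Rule("INPUT", 23, "DROP"), Rule("FORWARD", 23, "DROP")]
```

The point it makes: a DROP in the ipchains input chain also covered forwarded traffic, so a 2.4 ruleset that copies it into INPUT alone silently stops filtering forwarded packets until a matching FORWARD rule is added.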

In this book, we will use the term iptables to refer to the program that is normally located in the /sbin directory. On a Red Hat system, iptables is:

  • A program in the /sbin directory

  • A boot script in the /etc/init.d[5] directory

  • A configuration file in the /etc/sysconfig directory

The same could be said for ipchains, but again, you will only use one method: iptables or ipchains.

Note 

For more information about ipchains and iptables, see http://www.netfilter.org. Also, look for Rusty Russell's Remarkably Unreliable Guides to the Netfilter Code or Linux Firewalls by Robert L. Ziegler, from New Riders Press. Also see the section "Netfilter Marked Packets" in Chapter 14.

[3]Up to the kernel 2.6 series at the time of this writing.

[4]This is true for the default "filter" table. However, iptables can also use the "mangle" table that uses the PREROUTING and OUTPUT chains, or the "nat" table, which uses the PREROUTING, OUTPUT, and POSTROUTING chains. The "mangle" table is discussed in Chapter 14.

[5]Recall from Chapter 1 that /etc/init.d is a symbolic link to the /etc/rc.d/init.d directory on Red Hat systems.



The Linux Enterprise Cluster: Build a Highly Available Cluster with Commodity Hardware and Free Software
ISBN: 1593270364
Year: 2003
Pages: 219
Author: Karl Kopper