What Is iptables ? | Advanced Linux Networking

What Is `iptables` ?

Although the details are hidden from most networking tools, the 2.4. x Linux kernel uses a procedure like that outlined in Figure 25.1 to process network packets. Early on in the process, a routing decision is made: Is the packet destined for the local computer, or should it be forwarded to another computer? Depending upon the answer to that question, the packet is passed to one of two chains: the INPUT chain or the FORWARD chain. Each of these chains can process or modify the incoming data in various ways, but the default is not to modify the data. The INPUT chain ultimately leads to what Figure 25.1 refers to as local processes. These may be network clients (Netscape, telnet , and so on) or network servers (Apache, telnetd , and so on). In most cases, these processes run in user space, but they may be kernel-based, as in the kernel's Network Filesystem (NFS) support or the kHTTPd Web server. Both the local processes and the FORWARD chain eventually lead to the OUTPUT chain, which can also manipulate data packets in ways described in this chapter.

Figure 25.1. The Linux networking system provides several chains in which data packets may be manipulated.

graphics/25fig01.gif

NOTE

It's possible for a data packet to not make a complete circuit in Figure 25.1. Certain chain rules can block the data packet, or the local processes might decide not to respond to a data packet. It's also possible for a transaction to originate with the local processes, in which case a response should arrive back as incoming data.

Each of the chains shown in Figure 25.1 provides the opportunity to manipulate data packets. A chain can filter packets based on features such as the source or destination IP address, the source or destination port, or the network interface involved in the transaction. Each chain is a collection of rules, each of which is matched in turn against the input packet. If a rule matches, the rule indicates what the kernel should do with the packet by specifying a target for the rule. Predefined targets include ACCEPT (accept the packet for further processing), DROP (ignore the packet), QUEUE (pass the packet to a user-space program), and RETURN (stop processing the chain and return to the chain that called the current chain). Some additional targets that require particular kernel options to be activated include REJECT (to reject the packet, telling the sender that it was rejected), MASQUERADE (used for NAT, as described in the upcoming section "Configuring NAT with iptables"), and LOG (used to log information on packet filtering).

Chains are organized into tables. The three chains shown in Figure 25.1 make up the filter table, which is what handles most standard traffic. Two other standard tables are nat (which is used for NAT, as described in the upcoming section "Configuring NAT with iptables") and mangle (which is used for specialized packet alterations). It's possible to place new chains within a table, and call these new chains from the existing chains. You might do this to create specialized and complex processing patterns to filter or alter data.

These network tables and chains are features of the Linux kernel, and iptables is the user-space tool you use to manipulate them. You can use iptables to add rules to any of the chains shown in Figure 25.1, or to other chains. For instance, you might add rules to the INPUT chain to block all packets directed at specific network ports, or you might add rules to the OUTPUT chain to stop packets directed at systems with which you don't want yours communicating. By manipulating these and other chains, you can implement a packet-filter firewall, NAT, or other security and routing tools.

The changes you make with iptables are transient; they disappear as soon as you reboot the computer. For this reason, you should create a script that sets your iptables rules. Some distributions, such as Red Hat and Mandrake, include tools to help you build firewall or NAT rules. You can implement such a script yourself and call it as a SysV or local startup script.

Alternative Filtering Tools

The iptables program was designed for use with the 2.4. x Linux kernel. Earlier kernels , though, used different tools. Specifically, 2.2. x kernels used a tool known as ipchains , and 2.0. x kernels used ipfwadm . The changes in firewall and NAT tools reflect changes in the kernel's networking structure. The latest iptables tool can implement features in the 2.4. x kernel that didn't exist in the 2.2. x kernel, such as stateful packet inspection, in which packets can be tracked based on an entire multi-packet transaction with another computer, rather than as isolated entities. Stateful packet inspection greatly enhances the ability of a firewall to protect the computers it serves.

If you're using a pre-2.4. x kernel, you can continue using it with the older tools. These tools implement similar principles, but many of the details differ . This chapter doesn't cover the syntax or features of ipchains or ipfwadm , so if you want to use them, you'll have to track down appropriate documentation. If future kernels require even more sophisticated tools than iptables , you may need to locate documentation on these future tools. Chances are good that the broad outlines of these tools' operation will resemble those of iptables , though, so knowledge of iptables won't be completely useless to you.

If you have access to a firewall rule set built with ipfwadm or ipchains , you can continue to use it with a 2.4. x kernel, but you must include appropriate kernel support for the older tool. Using such a firewall rule set with a 2.4. x kernel has no disadvantages over using it with a 2.0. x or 2.2. x kernel, but you might be able to use more powerful features if you rewrite the rules for iptables .

To some extent, iptables overlaps in function with tools like TCP Wrappers, xinetd , and server-specific access control options. All of these tools allow you to restrict access to a server based on a client's IP address, for instance. As a general rule, when multiple tools are available, I recommend using two or more, so that a bug in or misconfiguration of one tool can be corrected by another tool. Compared to other tools, iptables works at a lower level and with more protocols and servers. For instance, xinetd can only protect servers that xinetd launches, whereas iptables can protect all servers.