Chapter 25. Configuring iptables
The job of the TCP/IP stack in the Linux kernel is to receive data from an application, pack it up, and send it out a network port; and to receive data from the network, unpack it, and deliver it to an application. In theory, the kernel shouldn't alter or adjust the data in any but very specific ways that are permitted by the TCP/IP protocols. One particularly useful routing and security tool, though, violates this theoretical ideal. The iptables utility configures the Linux kernel to filter and even alter data packets based on various criteria, such as the packets' source and destination addresses. This makes iptables the standard utility for implementing certain network tools, most importantly packet-filter firewalls and Network Address Translation (NAT). This chapter covers these two topics and a couple of subsidiary topics: port redirection and iptables logging. All of these tools can be used to help secure a network, or sometimes just one computer.
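To make the four uses named above concrete, here is an added example (not from this book or its author) of a small iptables rule set that does each of them: filtering on source and destination addresses, NAT with masquerading for an internal network, port redirection (DNAT) to an internal web server, and logging of rejected packets. Interface names, the 192.168.1.0/24 network and the web server address are assumptions chosen for illustration. By default the script only prints the commands so the rule set can be reviewed offline; it runs them only when invoked with `apply` as root.

```shell
#!/bin/sh
# Added example, not the book's own code. Demonstrates address filtering,
# NAT, port redirection and logging with iptables. All addresses and
# interface names below are assumptions for illustration.

WAN_IF="eth0"             # assumed: interface facing the Internet
LAN_IF="eth1"             # assumed: interface facing the internal network
LAN_NET="192.168.1.0/24"  # assumed: internal network (RFC 1918 range)
WEB_HOST="192.168.1.10"   # assumed: internal web server to expose on port 80

# build_rules prints one iptables command per line and runs nothing, so the
# rule set can be inspected or tested without root and without iptables.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "SPOOFED-SRC: "
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
EOF
}

# rule_count returns how many commands build_rules emits.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Dry run by default; "apply" executes each command (requires root).
if [ "$1" = "apply" ]; then
    build_rules | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
else
    build_rules
fi
```

The rule order matters: the two `LOG` rules carry an `-m limit` match so a flood of rejected packets cannot fill the system log, the anti-spoofing rules drop packets arriving on the Internet-facing interface that claim an internal source address, and the final `LOG` rule sits just before the chain's default `DROP` policy so that only packets about to be discarded are recorded. The `DNAT` rule in the `nat` table rewrites the destination of inbound port 80 traffic, but the matching `FORWARD` rule is still needed because the filter table sees the packet after translation.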
This chapter's coverage of iptables is enough to help you implement some of the more common types of firewalls or other packet filtering tools. If you want to set up a particularly complex firewall, though, you may want to consult additional sources. Ziegler's Linux Firewalls, 2nd Edition (New Riders, 2001) and Sonnenreich and Yates's Building Linux and OpenBSD Firewalls (Wiley, 2000) are both useful resources, although the latter covers iptables' predecessor tool, ipchains, rather than iptables.