Packet Filtering


Traffic moves through a network in packets. A network packet is a collection of data in a specific size and format. In order to transmit a file over a network, the sending computer must first break the file into packets using the rules of the network protocol. Each of these packets holds a small part of the file data. Upon receiving the transmission, the destination computer reassembles the packets into the file.

Every packet contains information that helps it navigate the network and move towards its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things. Most packets are designed to carry data, although some protocols use packets in special ways. For example, the Transmission Control Protocol (TCP) uses a SYN packet, which contains no data, to initiate communication between two systems.

The Linux kernel contains the built-in ability to filter packets, allowing some of them into the system while stopping others. The 2.4 kernel’s netfilter has three built-in tables or rules lists. They are as follows:

  • filter — This is the default table for handling network packets.

  • nat — This table is used to alter packets that create a new connection.

  • mangle — This table is used for specific types of packet alteration.

Each of these tables in turn has a group of built-in chains that correspond to the actions performed on the packet by netfilter. The built-in chains for the filter table are as follows:

  • INPUT — This chain applies to packets received via a network interface.

  • OUTPUT — This chain applies to packets sent out via the same network interface that received the packets.

  • FORWARD — This chain applies to packets received on one network interface and sent out on another.

The built-in chains for the nat table are as follows:

  • PREROUTING — This chain alters packets received via a network interface when they arrive.

  • OUTPUT — This chain alters locally generated packets before they are routed via a network interface.

  • POSTROUTING — This chain alters packets before they are sent out via a network interface.

The built-in chains for the mangle table are as follows:

  • PREROUTING — This chain alters packets received via a network interface before they are routed.

  • OUTPUT — This chain alters locally generated packets before they are routed via a network interface.

Every network packet received by or sent out of a Linux system is subject to at least one table. A packet may be checked against multiple rules within each rules list before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.

Regardless of their destination, packets that match a particular rule on one of the tables are designated for a particular target or action to be applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system, and nothing is sent back to the host that sent the packet. If a rule specifies a REJECT target, the packet is dropped, but an error packet is sent to the packet’s originator.

Every chain has a default policy of ACCEPT, DROP, REJECT, or QUEUE (pass the packet to user space). If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy. The iptables command allows you to configure these rule lists, as well as set up new tables to be used for your particular situation.
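The following is an added example, not taken from the guide, that puts the filter table, its chains, the ACCEPT/DROP/REJECT targets and the default policy together in the iptables-restore format, so the whole rule set is loaded atomically rather than one iptables call at a time. The services (SSH, HTTP) and the refused network 192.0.2.0/24 are constructed for the example; the `state` match was available with the 2.4 kernel netfilter.

```shell
#!/bin/sh
# Added example (not the guide's own): a minimal host firewall for the filter
# table. Assumptions, constructed for this example: this host offers SSH and
# HTTP, packets from 192.0.2.0/24 are refused with an error reply, and
# anything else unsolicited is dropped silently by the chain policy.

build_filter_rules() {
    cat <<'EOF'
*filter
# Default policies: used only when no rule in the chain matches.
# DROP is silent; the sender gets no error packet back.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started: the first matching rule wins,
# so an early ACCEPT lets such packets skip every later check.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# REJECT differs from DROP: the packet is discarded but an ICMP error
# is returned to the originator.
-A INPUT -s 192.0.2.0/24 -j REJECT --reject-with icmp-port-unreachable
# Services offered by this host; a TCP SYN opens a new connection.
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set, for a quick sanity check.
rule_count() {
    build_filter_rules | grep -c '^-A '
}

# Load the rules when iptables-restore exists and we are root; otherwise
# just print the rule set so it can be reviewed.
apply_or_print() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        build_filter_rules | iptables-restore
    else
        build_filter_rules
    fi
}

# Usage: sh firewall.sh apply   (loads the rules when run as root)
[ "${1:-}" = "apply" ] && apply_or_print
```

Packets that match none of the five rules fall through to the chain's DROP policy, which is the silent refusal the text describes.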


Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc