iptables

Iptables is the user-space standard for firewalling in 2.4.x linux kernels. The kernel-space standard for 2.4.x linux kernels (though ipchains and ipfwadm are still available as kernel modules) is netfilter. The two work hand-in-hand to create a more extensive firewalling package for the linux operating system. One of the major new features allows the kernel to pass packets to the user-space for parsing and re-injection into the TCP/IP protocol stream. Iptables can be found at http://www.netfilter.org.

Iptables is the userspace binary to control Netfilter, a packet alteration and filtering framework for Linux 2.4. In other words, it controls the firewall and it's rules. Rusty Russell, the person who maintains the code says in his Linux packet filtering howto:

So What's A Packet Filter?

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.

Linux packet filtering howto can be found from http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html

Iptables is quite a powerful package compared to old ipchains. One big advancement is that iptables allows stateful inspection of packets that travel through the chains of rules. Stateful inspection means in short that one can decide what to do with packet depending on its state; it can be NEW, ESTABLISHED or RELATED for example.

With my limited experience in last couple of days with changing my firewall from ipchains to iptables I learned that iptables can do NAT, Masquerading, Forwarding, Filtering based on UID, Transparent proxying as well as limiting the rate of packet flow.

One of the interesting features along the stateful inspection is possibility to tag different logging -instructions with specific text (only 29 characters allowed). This means that this string will be added in the beginning of the log entry, making it easy to identify faster what is happening, rather than having to try to figure out the otherwise quite complex looking mixture of source and destination, protocol, mac-address strings for example.

So, how it works?

There are 3 default chains, INPUT, OUTPUT and FORWARD, for which one can apply rules to. They are called chains because the rules are applied to build a chain. Then the packets travel this chain and the rules are applied to packets in the order the rules are defined. There is also possibility to create your own chains, and use these rules as targets for packets traveling through default chains.

this is by no means complete reference to iptables. node what you know

INPUT, OUTPUT and FORWARD are only the default chains for the filter table. Tables are the highest-level structures in iptables, like chains were in ipchains (D'oh!)

The big picture: Tables have Chains; Chains have Rules.

The three built-in tables are:

filter, which has INPUT, OUTPUT and FORWARD as default chains.
nat, which has PREROUTING, POSTROUTING and OUTPUT as default chains.
mangle, which I admit I know nothing about. (Node what you know, as a wise person once said)

Filtering and NAT work independently of one another. Chains in the nat table never drop or reject a packet; they are good only for altering input or output IP addresses (masquerading or redirection).

iptables is extensible. By installing new kernel modules, along with appropriate command-line modules for the userspace utility, one can implement some original matching rules, like:

- Block or unblock traffic based on time of day (block IRC or RealAudio or ICQ during work hours, for instance)
- Match based on a round robin cycle (can respond to one ping out of each 10. Or use with NAT to get some crude load balancing)
- Match based on probability

and many many more. See the Netfilter Extensions HOWTO at

http://www.netfilter.org/documentation/index.html#HOWTO

The MANGLE table is used to alter certain properties of packets as they traverse the firewall. You can change the TOS (type of service), TTL (time to live), and MARK .

The TOS is used by (some) routers to make routing decisions, as is the MARK. They are useful for internal routing on a large network, and various esoteric rituals. However, these properties are poorly implemented on the internet at large, so these fieldsare little use for traffic bound for the intraweb.

The only example I have seen for MANGLEing the TTL of packets is to disguise multiple computers sharing an internet connection, althoght there are doubtless many subtle and confusing applications.

(This really ought to be part of JCCyC's w/u above, 'cos he explains iptables better than I could. Just filling a gap :-)