IPTables
From WBITT's Cooker!
m (→Purpose of this document) |
m (→Introduction) |
||
| Line 23: | Line 23: | ||
In addition to looking at the source and destination IP addresses and ports, IPTables also has the ability to monitor the "state" of the packet. This makes iptables also work as a "stateful" firewall. In other words, it also does connection tracking. A stateful firewall can check context of the packet, to evaluate if it is a NEW packet, a packet related to a previous communication, or a packet from an already ESTABLISHED communication, etc. It can also inspect, and take action on, various TCP flags in a packet header, such as SYN, ACK, FIN, etc. | In addition to looking at the source and destination IP addresses and ports, IPTables also has the ability to monitor the "state" of the packet. This makes iptables also work as a "stateful" firewall. In other words, it also does connection tracking. A stateful firewall can check context of the packet, to evaluate if it is a NEW packet, a packet related to a previous communication, or a packet from an already ESTABLISHED communication, etc. It can also inspect, and take action on, various TCP flags in a packet header, such as SYN, ACK, FIN, etc. | ||
| - | <b>Note:</b> We would be using the word "iptables" in lower case. It is same as IPTables. | + | <b>Note:</b> We would be using the word "iptables" in lower case. It is same as "IPTables", or "IP Tables". |
You may be encountering the term/word "NetFilter", whenever you are reading any text related to IPTables. Netfilter and iptables were initially designed together, in 1998, so there is some overlap in early history. It might also be interesting to note, that the Netfilter maintainer Patrick McHardy has proposed to replace iptables with nftables in the future. The project is currently in the alpha stage of development. | You may be encountering the term/word "NetFilter", whenever you are reading any text related to IPTables. Netfilter and iptables were initially designed together, in 1998, so there is some overlap in early history. It might also be interesting to note, that the Netfilter maintainer Patrick McHardy has proposed to replace iptables with nftables in the future. The project is currently in the alpha stage of development. | ||
| - | |||
==References== | ==References== | ||
Revision as of 07:51, 27 February 2011
Alternate Title: "Understanding IPTables"
Author: Muhammad Kamran Azeem [CISSP, RHCE, OCP (DBA), CCNA] (http://wbitt.com , http://techsnail.com)
E-mail: kamran at wbitt dot com
Created: 27 Feb 2011
Updated: (Please see the footer area of this document for this information.)
Category: Firewall, Security
License: Copyright (c) 2011 by Muhammad Kamran Azeem. Permission to copy, distribute (sell or give-away) and translate, provided you retain the name of the original author.
Synopsis: This paper, explains the Linux default firewall, the IPTables.
Purpose of this document
Although, several extremely good articles already exist on the topic of IPTables, there was a popular demand for a CBT on this topic. The CBT definitely needed a text to follow, and thus this article was born. It should be noted that this document is for a beginner, for whom too much of information is confusing. Therefore, this document addresses basic concepts and mechanisms. If you are looking for a detailed discussion/explanation of TCP/IP protocol stack, TCP/IP headers, in relation to various moving parts of the entire iptables/netfilter mechanism, etc; you should read the latest version of "Iptables Tutorial by Oskar Andreasson", which is one of the finest documents on IPTables till date. You should also check "Rusty's Remarkably Unreliable Guides". Rusty Russell, was the person, who actually wrote (most of the) IPChains and IPTables code.
Introduction
IPTables is the mechanism for packet "Filter"-ing, in modern Linux distributions. In addition to packet filtering, it also does other interesting things such as "NAT"-ing and "Mangle"-ing. To be more specific, IPTables (originally from the NetFileter project), is the user-land application, which is used to manage/configure various packet handling "tables" provided in the Linux kernel (Linux Kernel Firewall). Each table has certain "chains" in it, and each chain has certain "rules", against which each packet is evaluated. IPTables is the default packet handling application in 2.4 and 2.6 series kernels. In 2.2 series kernels the application was "IPChains"; and in 2.0 series kernel, it was "IPFWAdm".
In addition to looking at the source and destination IP addresses and ports, IPTables also has the ability to monitor the "state" of the packet. This makes iptables also work as a "stateful" firewall. In other words, it also does connection tracking. A stateful firewall can check context of the packet, to evaluate if it is a NEW packet, a packet related to a previous communication, or a packet from an already ESTABLISHED communication, etc. It can also inspect, and take action on, various TCP flags in a packet header, such as SYN, ACK, FIN, etc.
Note: We would be using the word "iptables" in lower case. It is same as "IPTables", or "IP Tables".
You may be encountering the term/word "NetFilter", whenever you are reading any text related to IPTables. Netfilter and iptables were initially designed together, in 1998, so there is some overlap in early history. It might also be interesting to note, that the Netfilter maintainer Patrick McHardy has proposed to replace iptables with nftables in the future. The project is currently in the alpha stage of development.
