Chapter 18 Firewalling With Iptables; Packet Filtering - Red Hat LINUX 7.2 Reference Manual

Section 18.1:Packet Filtering
297
18 Firewalling with iptables
The Linux kernel contains advanced tools for packet filtering, the process of controlling network packets as they attempt to enter, move through, and exit your system. Pre-2.4 kernels contained the ability to manipulate packets using ipchains, which used lists of rules that apply to packets at each step of the filtering process. The introduction of the 2.4 kernel brought with it iptables, which is similar to ipchains but greatly expands the scope and control available when filtering packets. This chapter focuses on essential packet filtering basics, defining the differences between ipchains and iptables, explaining various options available with iptables commands, and showing how filtering rules can be preserved between system reboots.

If you require instructions for constructing iptables rules or setting up a firewall based on these rules, please see the Official Red Hat Linux Customization Guide.

18.1 Packet Filtering

Traffic moves through a network in packets, which are collections of data of particular sizes. A file sent over a network between two computers may be made up of many packets, each of which holds a small part of the file data. The sending computer takes the file and breaks it into packets to be sent over the network, using the rules of the particular network protocol being used. The other computer receives the packets and, using the method specified by the protocol, reassembles the packets into the file.
Every packet contains information which helps it navigate the network and move to its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things. Most packets are designed to carry data, although some protocols use packets in special ways. The Transmission Control Protocol (TCP), for example, uses a SYN packet, which contains no data, to initiate a communication between two systems.
The Linux kernel contains the built-in ability to filter packets, allowing some of them into the system while stopping others in their tracks. The 2.4 kernel contains three tables of chains; here we describe the filter table. The filter table contains three sets of rule lists by default, called the INPUT, OUTPUT, and FORWARD chains; every packet being sent in or out of the machine is subject to one of these lists of rules. When a packet enters the system via a network interface, the kernel decides if it is destined for the local system (INPUT chain) or another destination (FORWARD chain) to determine the rule list to use with it. In the same way, if a packet originates on the system and attempts to leave the system, the kernel will check it against the OUTPUT chain.
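To make the chain selection and the rule-by-rule evaluation concrete, here is a small Python model of the filter table. It is an added example, not code from this manual or from the Linux kernel: the local addresses, interface names, ports and rules are constructed for illustration, and only ACCEPT and DROP verdicts are modelled. It shows the two things a practitioner most needs to keep in mind about the chains described above: which chain a packet is sent to depends only on where it came from and where it is going, and within a chain the first matching rule wins, so rule order changes the outcome.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


# The few packet fields this model's rules look at. Values are constructed for the example.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    in_iface: Optional[str] = None  # None means the packet originated on this host
    syn: bool = False               # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]
    comment: str = ""


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"          # default verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        # Rules are consulted in order; the first one that matches decides.
        for index, rule in enumerate(self.rules):
            if rule.match(pkt):
                return rule.target, f"{self.name} rule {index + 1}: {rule.comment}"
        return self.policy, f"{self.name} policy"


class FilterTable:
    """Model of the filter table: picks INPUT, FORWARD or OUTPUT and runs that chain."""

    def __init__(self, local_addrs):
        self.local_addrs = set(local_addrs)
        self.chains = {name: Chain(name) for name in ("INPUT", "FORWARD", "OUTPUT")}

    def select_chain(self, pkt: Packet) -> str:
        if pkt.in_iface is None:            # generated locally, trying to leave
            return "OUTPUT"
        if pkt.dst in self.local_addrs:     # arrived and addressed to this host
            return "INPUT"
        return "FORWARD"                    # arrived, but bound for somewhere else

    def filter(self, pkt: Packet) -> Tuple[str, str, str]:
        chain = self.select_chain(pkt)
        target, reason = self.chains[chain].verdict(pkt)
        return chain, target, reason


def build_example_table(ssh_first: bool = True) -> FilterTable:
    """A small host firewall: allow loopback and inbound SSH, drop other new inbound TCP.

    With ssh_first=False the generic DROP rule is placed ahead of the SSH ACCEPT rule,
    which silently shadows it: the order of rules, not just their content, decides.
    """
    table = FilterTable(local_addrs={"192.168.1.1", "127.0.0.1"})
    loopback = Rule("ACCEPT", lambda p: p.in_iface == "lo", "loopback")
    ssh = Rule("ACCEPT", lambda p: p.proto == "tcp" and p.dport == 22, "ssh")
    new_tcp = Rule("DROP", lambda p: p.proto == "tcp" and p.syn, "new tcp connections")
    inbound = table.chains["INPUT"]
    inbound.policy = "DROP"
    inbound.rules = [loopback] + ([ssh, new_tcp] if ssh_first else [new_tcp, ssh])
    table.chains["FORWARD"].policy = "DROP"  # this host does not route for others
    return table


if __name__ == "__main__":
    table = build_example_table()
    samples = [
        Packet("10.0.0.5", "192.168.1.1", "tcp", 22, "eth0", syn=True),   # inbound ssh
        Packet("10.0.0.5", "192.168.1.1", "tcp", 80, "eth0", syn=True),   # inbound http
        Packet("10.0.0.5", "192.168.1.1", "udp", 53, "eth0"),             # inbound dns
        Packet("10.0.0.5", "10.0.0.9", "tcp", 80, "eth0", syn=True),      # transit
        Packet("192.168.1.1", "10.0.0.9", "tcp", 443, None, syn=True),    # locally generated
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, "=>", table.filter(pkt))
```

A real iptables rule set also carries state matching and other tables, which this model leaves out; what it preserves is the dispatch and first-match logic, which is what most misconfigurations (an ACCEPT placed after a broader DROP, or a rule put in the wrong chain) come down to.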
Each packet may need to be checked against many, many rules before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming
