This chapter focuses on packet filtering basics, defines the differences
between ipchains and iptables,
explains various options available with iptables
commands, and explains how filtering rules can be preserved between system
reboots.
17.1. Packet Filtering
The Linux kernel has the built-in ability to filter packets, allowing
some of them to be received by or pass through the system while stopping
others. The 2.4 kernel's netfilter has three built-in
tables or rules
lists. They are as follows:
filter — The default table for handling
network packets.
nat — Used to alter packets that create a
new connection and used for Network Address
Translation (NAT).
mangle — Used for specific
types of packet alteration.
 | Tip |
|---|
| | In addition to these built in tables, specialized tables can be created
and stored in the
/lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/
directory (where <kernel-version>
corresponds to the version kernel number).
|
Each table has a group of built-in chains which
correspond to the actions performed on the packet by the netfilter.
The built-in chains for the filter table are as
follows:
INPUT — Applies to network packets that are
targeted for the host.
OUTPUT — Applies to
locally-generated network packets.
FORWARD — Applies to network
packets routed through the host.
The built-in chains for the nat table are as follows:
PREROUTING — Alters network packets
when they arrive.
OUTPUT — Alters locally-generated
network packets before they are sent out.
POSTROUTING — Alters network
packets before they are sent out.
The built-in chains for the mangle table are as
follows:
INPUT — Alters network packets
targeted for the host.
OUTPUT — Alters locally-generated
network packets before they are sent out.
FORWARD — Alters network packets
routed through the host.
PREROUTING — Alters incoming
network packets before they are routed.
POSTROUTING — Alters network
packets before they are sent out.
Every network packet received by or sent out of a Linux system is
subject to at least one table. However, a packet may be subjected to
multiple rules within each table before emerging at the end of the
chain. The structure and purpose of these rules may vary, but they
usually seek to identify a packet coming from or going to a particular
IP address or set of addresses when using a particular protocol and
network service.
Regardless of their destination, when packets match a particular rule in
one of the tables, a target or action is applied
to them. If the rule specifies an ACCEPT target for a
matching packet, the packet skips the rest of the rule checks and is
allowed to continue to its destination. If a rule specifies a
DROP target, that packet is refused access to the
system and nothing is sent back to the host that sent the packet. If a
rule specifies a QUEUE target, the packet is passed
to user-space. If a rule specifies the optional
REJECT target, the packet is dropped, but an error
packet is sent to the packet's originator.
Every chain has a default policy to ACCEPT,
DROP, REJECT, or
QUEUE. If none of the rules in the chain apply to the
packet, then the packet is dealt with in accordance with the default
policy.
The iptables command configures these tables, as well
as sets up new tables if necessary.
