Netfilter/iptables

In computer networking, netfilter, along with its companion iptables, are collectively a software extension to the Linux operating system that implements a stateful firewall framework. It also enables other networking features such as network address translation (NAT). Although netfilter is an extension to Linux, it is included in all major Linux distributions that use the 2.4 or 2.6 kernel. Netfilter does not work with Linux kernels older than version 2.4.

Specifically, the netfilter software component is a set of custom hooks in the networking subsystem inside the Linux kernel. Netfilter is distributed as a set of patches to the kernel source code along with a patch tool called patch-o-matic. The iptables software component uses the hooks provided by netfilter to implement the firewall framework. It includes a set of kernel modules along with some user space administrative commands.

History

The netfilter/iptables project was started in 1999 with a small group of developers calling themselves the coreteam. The software they produced (called netfilter from here on) was designed for use with Linux 2.4 and made available to the public in 2000 under the GNU General Public License (GPL). In April 2004, following the project's crackdown on those distributing its software embedded in routers without complying with the GPL, its developers were granted a historic injunction by a German court against Sitecom Germany, which refused to follow the GPL's terms (see GPL-related disputes).

Prior to netfilter, the predominant software packages for creating Linux firewalls were ipchains in Linux 2.2 and ipfwadm in Linux 2.0. Netfilter kept many of the basic ideas first introduced with ipchains, including the use of tables, chains, and packet matching rules. Netfilter unified many smaller networking extensions, most importantly NAT and proxy capabilities, as well as adding connection tracking and IPv6 support.
Operational summary

The netfilter framework allows the system administrator to define rules for how to deal with network packets. Rules are grouped into chains — each chain is an ordered list of rules. Chains are grouped into tables — each table is associated with a different kind of packet processing. Each rule contains a specification of which packets match it and a target that specifies what to do with the packet if it is matched by that rule. Every network packet arriving at or leaving from the computer traverses at least one chain, and each rule on that chain attempts to match the packet. If the rule matches the packet, the traversal stops, and the rule's target dictates what to do with the packet. If a packet reaches the end of a chain without being matched by any rule on the chain, the chain's policy target dictates what to do with the packet.

Tables

There are exactly three tables, each of which contains some predefined chains. It is not possible to create or delete tables, but the administrator can create and delete user-defined chains within any table. Initially, all chains are empty and have a policy target that allows all packets to pass without being blocked or altered in any fashion.

- filter table — This table is responsible for filtering (blocking or permitting a packet to proceed). It contains the following predefined chains:
  - INPUT chain — All packets arriving into the system go through this chain.
  - OUTPUT chain — All packets leaving the system go through this chain.
  - FORWARD chain — All packets passing through the system (being routed) go through this chain.
- nat table — This table is responsible for rewriting packet addresses or ports. It contains the following predefined chains:
  - PREROUTING chain — Incoming packets pass through this chain before the local routing table is consulted, primarily for DNAT (destination NAT).
  - POSTROUTING chain — Outgoing packets pass through this chain after the routing decision has been made, primarily for SNAT (source NAT).
- mangle table — This table is responsible for adjusting packet options, such as quality of service. It contains the following predefined chains:
  - PREROUTING chain — Under construction.
  - INPUT chain — Under construction.
  - FORWARD chain — Under construction.
  - OUTPUT chain — Under construction.
  - POSTROUTING chain — Under construction.
In addition to the built-in chains, the user can create any number of user-defined chains within each table. Each chain contains a list of rules. When a packet is sent to a chain, it is compared against each rule in the chain in order. The rule specifies what properties the packet must have for the rule to match, such as the port number or IP address. If the rule does not match, then processing continues with the next rule. If, however, the rule does match the packet, then the rule's target instructions are followed (and further processing of the chain is usually aborted).

Rule targets

The target of a rule can be the name of a user-defined chain or one of the built-in targets ACCEPT, DROP, QUEUE, or RETURN. When a target is the name of a user-defined chain, the packet is diverted to that chain for processing (much like a subroutine call in a programming language). If the packet makes it through the user-defined chain without being acted upon by one of the rules in that chain, processing of the packet resumes where it left off in the current chain. These inter-chain calls can be nested to an arbitrary depth. The following built-in targets exist:

- ACCEPT: This target causes netfilter to accept the packet. What this means depends on which chain is doing the accepting. For instance, a packet that is accepted on the INPUT chain is allowed to be received by the host, a packet that is accepted on the OUTPUT chain is allowed to leave the host, and a packet that is accepted on the FORWARD chain is allowed to be routed through the host.
- DROP: This target causes netfilter to drop the packet without any further processing. The packet simply disappears, with no indication that it was dropped being given to the sending host or application. This frequently appears to the sender as a communication timeout, which can cause confusion (though dropping undesirable inbound packets is often considered a good security policy, because it gives no indication to a potential attacker that your host even exists).
- QUEUE: Under construction.
- RETURN: Under construction.
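The traversal semantics described above (first match wins, a user-defined chain acts as a subroutine, RETURN or falling off the end of a user chain resumes in the caller, the chain policy applies only when a built-in chain is exhausted) as a small Python model. This is an added example, not netfilter or iptables code; the rules, the `ssh_check` chain and the packets are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = dict   # constructed packets: {"proto": "tcp", "src": "10.0.0.5", "dport": 22}
TERMINAL_TARGETS = {"ACCEPT", "DROP"}   # verdicts that end traversal at once

@dataclass
class Rule:
    match: Callable[[Packet], bool]     # predicate over the packet's properties
    target: Optional[str]               # None models a rule without -j: counters only
    packets: int = 0                    # per-rule packet counter, bumped on every match

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None        # only built-in chains carry a policy target

def traverse(table: Dict[str, Chain], chain_name: str, pkt: Packet) -> str:
    """Return the verdict for pkt entering chain_name: ACCEPT, DROP, or RETURN
    (RETURN only escapes from user-defined chains, which have no policy)."""
    chain = table[chain_name]
    for rule in chain.rules:
        if not rule.match(pkt):
            continue                                # keep looking for the first match
        rule.packets += 1
        if rule.target is None:
            continue                                # no -j: fate unchanged, counter bumped
        if rule.target == "RETURN":
            break                                   # leave this chain, back to the caller
        if rule.target in TERMINAL_TARGETS:
            return rule.target
        verdict = traverse(table, rule.target, pkt)  # user-defined chain: subroutine call
        if verdict != "RETURN":
            return verdict                          # otherwise processing resumes here
    # end of chain (or explicit RETURN): built-in chains apply their policy
    return chain.policy if chain.policy is not None else "RETURN"

def build_filter_table() -> Dict[str, Chain]:
    """Constructed filter table: INPUT policy DROP; SSH only from 10.0.0.0/8 via a user chain."""
    ssh_check = Chain([
        Rule(lambda p: p["src"].startswith("10."), "ACCEPT"),
        Rule(lambda p: True, "RETURN"),             # everyone else goes back to INPUT
    ])
    inp = Chain([
        Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ssh_check"),
        Rule(lambda p: p["proto"] == "udp", None),  # counts UDP but decides nothing
        Rule(lambda p: p["proto"] == "icmp", "ACCEPT"),
    ], policy="DROP")
    return {"INPUT": inp, "ssh_check": ssh_check}
```

A packet to port 22 from outside 10.0.0.0/8 is sent to `ssh_check`, hits its RETURN rule, resumes in INPUT after the jump rule, matches nothing else and therefore receives the INPUT policy (DROP).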
The following extension targets are also available:

- LOG: This target logs the packet. Under construction.
- DNAT: This target causes the packet's destination address and port to be rewritten for network address translation. Under construction.
- SNAT: This target causes the packet's source address and port to be rewritten for network address translation. Under construction.

This section is under construction.
Connection tracking

One of the important iptables features in netfilter is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which make up a connection. It is this ability which allows netfilter to act as a stateful firewall.

This section needs more detail.
iptables

iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. The detailed syntax of the iptables command is documented in its man page, which can be displayed by typing the command "man iptables".

Common options

In each of the iptables invocation forms shown below, the following common options are available:

- -t table: Makes the command apply to the specified table. When this option is omitted, the command applies to the filter table by default.
- -v: Produces verbose output.
- -n: Produces numeric output (i.e., port numbers instead of service names, and IP addresses instead of domain names).
- --line-numbers: When listing rules, adds a line number to the beginning of each rule, corresponding to that rule's position in its chain.
Rule-specifications

Most iptables command forms require you to provide a rule-specification, which is used to match a particular subset of the network packet traffic being processed by a chain. The rule-specification also includes a target that specifies what to do with packets that are matched by the rule. The following options are used (frequently in combination with each other) to create a rule-specification.

- -j target, --jump target: Specifies the target of a rule. The target is either the name of a user-defined chain (created using the -N option), one of the built-in targets ACCEPT, DROP, QUEUE, or RETURN, or an extension target, such as LOG, DNAT, or SNAT. If this option is omitted in a rule, then matching the rule will have no effect on a packet's fate, but the counters on the rule will be incremented.
- -p [!] protocol, --protocol [!] protocol: Matches packets of the specified protocol name. If '!' precedes the protocol name, this matches all packets that are not of the specified protocol. Valid protocol names are ip, icmp, udp, and tcp.
- -s [!] source/prefix, --source [!] source/prefix: Matches IP packets coming from the specified source address. The source address can be an IP address, an IP address with associated network prefix, or a hostname. If '!' precedes the source, this matches all packets that are not coming from the specified source.
- -d [!] destination/prefix, --destination [!] destination/prefix: Matches IP packets going to the specified destination address. The destination address can be an IP address, an IP address with associated network prefix, or a hostname. If '!' precedes the destination, this matches all packets that are not going to the specified destination.
- --destination-port [!] port[:port], --dport [!] port[:port]: Matches TCP or UDP packets (depending on the argument to the -p option) destined for the specified port or the range of ports (when the port:port form is used). If '!' precedes the port specification, this matches all TCP or UDP packets not destined for the specified port or port range.
- --source-port [!] port[:port], --sport [!] port[:port]: Matches TCP or UDP packets (depending on the argument to the -p option) coming from the specified port or the range of ports (when the port:port form is used). If '!' precedes the port specification, this matches all TCP or UDP packets not coming from the specified port or port range.
- --tcp-flags [!] mask comp: Matches TCP packets having certain TCP protocol flags set or unset. The first argument specifies the flags to be examined in each TCP packet, written as a comma-separated list (no spaces allowed). The second argument is a comma-separated list of flags which must be set within those that are examined. The flags are: SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. Hence, the option "--tcp-flags SYN,ACK,FIN,RST SYN" will only match packets with the SYN flag set and the ACK, FIN and RST flags unset.
- [!] --syn: Matches TCP packets having the SYN flag set and the ACK and FIN flags unset. Such packets are used to initiate TCP connections. Blocking such packets on the INPUT chain will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. This option can be combined with others, such as --source, to block or allow inbound TCP connections only from certain hosts or networks. This option is equivalent to "--tcp-flags SYN,RST,ACK SYN". If the '!' flag precedes --syn, the sense of the option is inverted.
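The mask/comp semantics of --tcp-flags and the --syn shorthand, modelled in Python so the matching rule can be checked against flag sets read from a raw TCP header. This is an added example, not iptables code; the flag bit values are the standard TCP header layout, and the sample headers are constructed here.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (standard values).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flag_list(spec: str) -> frozenset:
    """Parse a comma-separated flag list; ALL and NONE are the aliases listed above."""
    out = set()
    for name in spec.split(","):
        if name == "ALL":
            out.update(FLAG_BITS)
        elif name == "NONE":
            continue
        elif name in FLAG_BITS:
            out.add(name)
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return frozenset(out)

def flags_from_tcp_header(hdr: bytes) -> frozenset:
    """Flags set in a raw TCP header: the low six bits of byte 13."""
    return frozenset(n for n, bit in FLAG_BITS.items() if hdr[13] & bit)

def tcp_flags_match(mask: str, comp: str, packet_flags, invert: bool = False) -> bool:
    """Model of '--tcp-flags [!] mask comp': of the examined flags (mask), exactly
    those in comp must be set.  Flags outside the mask are ignored; a comp flag
    outside the mask can never be satisfied, so such a rule never matches."""
    examined = parse_flag_list(mask)
    required = parse_flag_list(comp)
    matched = (frozenset(packet_flags) & examined) == required
    return matched != invert           # '!' inverts the sense of the match

def syn_match(packet_flags, invert: bool = False) -> bool:
    """'[!] --syn', the shorthand the text equates with '--tcp-flags SYN,RST,ACK SYN'."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, invert)

def make_tcp_header(flags: int, dport: int = 22) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

# Constructed sample headers: a connection-initiating SYN and the SYN/ACK reply.
SAMPLE_SYN = make_tcp_header(FLAG_BITS["SYN"])
SAMPLE_SYN_ACK = make_tcp_header(FLAG_BITS["SYN"] | FLAG_BITS["ACK"])
```

With mask SYN,ACK,FIN,RST and comp SYN, a packet carrying SYN and PSH still matches, because PSH is not examined; a SYN/ACK does not, because ACK is examined and must be clear.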
This section is under construction.
Invocation

The iptables command has the following invocation forms. Items in braces, {...|...|...}, are required, but only one of the items separated by '|' can be entered. Items in brackets, [...], are optional.

iptables { -A | --append | -D | --delete } chain rule-specification [options]

This form of the command adds (-A or --append) or deletes (-D or --delete) a rule from the specified chain. For example, to add a rule to the INPUT chain in the filter table (the default table when option -t is not specified) to drop all UDP packets, use this command:

- iptables -A INPUT -p udp -j DROP

To delete the rule added by the above command, use this command:

- iptables -D INPUT -p udp -j DROP

The above command actually deletes the first rule on the INPUT chain that matches the rule-specification "-p udp -j DROP". If there are multiple identical rules on the chain, only the first matching rule is deleted.

iptables { -R | --replace | -I | --insert } chain rulenum rule-specification [options]

This form of the command replaces (-R or --replace) an existing rule or inserts (-I or --insert) a new rule in the specified chain. For instance, to replace the fourth rule in the INPUT chain with a rule that drops all ICMP packets, use this command:

- iptables -R INPUT 4 -p icmp -j DROP

To insert a new rule in the second slot in the OUTPUT chain that drops all TCP traffic going to port 80 on any host, use this command:

- iptables -I OUTPUT 2 -p tcp --dport 80 -j DROP

iptables { -D | --delete } chain rulenum [options]

This form of the command deletes the rule at the specified numeric index in the specified chain. Rules are numbered starting at 1. For example, to delete the third rule from the FORWARD chain, use this command:

- iptables -D FORWARD 3

iptables { -L | --list | -F | --flush | -Z | --zero } [chain] [options]

This form of the command is used to list the rules in a chain (-L or --list), flush (i.e., delete) all rules from a chain (-F or --flush), or zero the byte and packet counters for a chain (-Z or --zero). If no chain is specified, the operation is performed on all chains. For example, to list the rules in the OUTPUT chain, use this command:

- iptables -L OUTPUT

To flush all chains, use this command:

- iptables -F

To zero the byte and packet counters for the PREROUTING chain in the nat table, use this command:

- iptables -t nat -Z PREROUTING

iptables { -N | --new-chain } chain
iptables { -X | --delete-chain } [chain]

This form of the command is used to create (-N or --new-chain) a new user-defined chain or to delete (-X or --delete-chain) an existing user-defined chain. If no chain is specified with the -X or --delete-chain option, all user-defined chains are deleted. It is not possible to delete built-in chains, such as the INPUT or OUTPUT chains in the filter table.

iptables { -P | --policy } chain target

This form of the command is used to set the policy target for a chain. For instance, to set the policy target for the INPUT chain to DROP, use this command:

- iptables -P INPUT DROP

iptables { -E | --rename-chain } old-chain-name new-chain-name

This form of the command is used to rename a user-defined chain.

See also

- Shorewall, software that makes iptables easier to manage.