Abstract: This paper introduces the principle and configuration of iptables, the firewall tool of the Linux 2.4.x kernel, gives an example of its practical application, and summarizes the differences between iptables and ipchains at the end of the article.
I. Overview
Linux has had a packet-filtering function since the 1.1 kernel. In the 2.0 kernel, ipfwadm was used to manipulate the kernel's packet-filtering rules; in the 2.2 kernel, ipchains took over that role. With the latest kernel version at the time of writing being 2.4.1, the 2.4 kernel no longer uses ipchains but a completely new kernel packet-filtering management tool, iptables. This new tool makes it easier for users to understand how packet filtering works, is easier to use, and is, of course, more powerful.
As stated above, iptables is only a tool for managing kernel packet filtering: it can add, insert, or delete rules in the kernel's packet-filter tables (chains). The rules themselves are actually implemented by netfilter (a general framework in the Linux kernel) and its associated modules (such as the iptables module and the NAT module), so let us look at how netfilter works.
II. Principle
Netfilter is a general framework in the Linux kernel. It provides a series of "tables", each consisting of a number of "chains", and each chain consists of one or more "rules". In other words, netfilter is the container of tables, a table is the container of chains, and a chain is the container of rules (as shown in the figure).
The system's default table is "filter", which contains three chains: INPUT, FORWARD and OUTPUT. Each chain can hold one or more rules, and each rule is defined as "if the packet header meets this condition, process the packet in this way". When a packet arrives at a chain, the system starts checking from the first rule to see whether the packet meets the condition that rule defines: if it does, the system processes the packet in the way the rule specifies; if not, it goes on to check the next rule. Finally, if the packet does not match any rule in the chain, the system processes it according to the chain's predefined policy.
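To make the table/chain/rule structure and the first-match-then-policy traversal concrete, here is an added illustration written for this article; it is a small Python model of the "filter" table, not netfilter's or iptables' own code. The packet fields, rule fields, and the sample addresses and rules are all constructed for the example; the `append` and `insert` methods mirror the effect of `iptables -A` and `iptables -I`, and the final calls show that rule order decides the verdict.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, simplified model of the netfilter "filter" table described in
# the text: a table holds chains, a chain holds rules in order, and each chain
# has a default policy that applies when no rule matches.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # destination port, None for icmp

@dataclass
class Rule:
    target: str                    # verdict: "ACCEPT" or "DROP"
    src: Optional[str] = None      # match fields; None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field the rule specifies must match; unspecified fields match anything.
        return all(
            want is None or want == got
            for want, got in (
                (self.src, pkt.src),
                (self.dst, pkt.dst),
                (self.proto, pkt.proto),
                (self.dport, pkt.dport),
            )
        )

@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"         # predefined policy: used when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """Add a rule at the end of the chain (like `iptables -A`)."""
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 0) -> None:
        """Insert a rule at a position, default the front (like `iptables -I`)."""
        self.rules.insert(pos, rule)

    def verdict(self, pkt: Packet) -> str:
        # Walk the rules from the first; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        # No rule matched: fall back to the chain's policy.
        return self.policy

def build_filter_table() -> Dict[str, Chain]:
    """The default 'filter' table with its three built-in chains."""
    return {name: Chain(name) for name in ("INPUT", "FORWARD", "OUTPUT")}

def example_input_chain() -> Chain:
    """Constructed INPUT chain: accept SSH from one host and ICMP, drop the rest."""
    chain = build_filter_table()["INPUT"]
    chain.policy = "DROP"
    chain.append(Rule("ACCEPT", src="192.0.2.10", proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", proto="icmp"))
    return chain

def show_order_matters() -> tuple:
    """Return the verdict for the same packet before and after a DROP is inserted in front."""
    chain = example_input_chain()
    ssh = Packet("192.0.2.10", "192.0.2.1", "tcp", 22)
    before = chain.verdict(ssh)            # matches the first ACCEPT rule
    chain.insert(Rule("DROP", src="192.0.2.10"), 0)
    after = chain.verdict(ssh)             # the inserted DROP now matches first
    return before, after

if __name__ == "__main__":
    chain = example_input_chain()
    print(chain.verdict(Packet("198.51.100.7", "192.0.2.1", "tcp", 22)))  # policy: DROP
    print(show_order_matters())                                           # ('ACCEPT', 'DROP')
```

The last function is the point a practitioner most often trips over: because checking stops at the first matching rule, an inserted rule (`-I`) shadows every later rule it overlaps with, while an appended rule (`-A`) only sees packets nothing before it claimed.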