Iptables
Iptables is a stateful firewall framework for the Linux operating system. Iptables is part of the Netfilter software.
The iptables command and framework are used for defining the tables and rules for firewall. Iptables allows stateful packet filtering and network address translation (NAT). Netfilter connects iptables to the kernel.
Iptables works with Linux kernels 2.4 and 2.6. Older Linux kernels use ipchains (Linux 2.2) and ipfwadm (Linux 2.0).
Example
A workstation firewall.
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
RELATED,ESTABLISHED rule uses statefullness so that most client programs (web browser, ssh...) work.
$ lynx www.iki.fi/karvinen
(A web page opens)
Computer does not respond to ping and no services are offered. Connections time out (DROP) when ports are being scanned.
$ ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Trying to connect to http port (tcp 80)
$ telnet 10.0.0.1 80
Trying 10.0.0.1...
(Nothing happens for a long time. User quits program with ctrl-C)
