19.1. Introduction to Firewalling with IPtables

A firewall is a system that protects itself and other hosts on a network from attackers on untrusted networks, such as the Internet. It can block packets and connections based on a variety of criteria, such as the source address, destination address, port, and protocol. Typically a firewall is also a router, forwarding packets between a secure local network and the untrusted Internet—however, it is also possible for a system to protect just itself.

A firewall system can also be configured to hide multiple hosts behind a single IP address, using a process known as NAT (Network Address Translation). Typically, the hidden hosts are on an internal LAN using a private IP network (such as 192.168.0.0) and the firewall has a single Internet IP address. NAT allows these internal hosts to communicate with others on the Internet, even though they do not have real public IP addresses.

The Linux kernel has included several different firewall implementations over the years, such as IPfwadm and IPchains. The 2.4 series of kernels include the IPtables firewall, which is more powerful and flexible than its predecessors. All Linux distributions that use the 2.4 kernel have IPtables support enabled, and include the commands needed to configure it. This chapter and the Linux Firewall module cover only the setting up of a firewall using IPtables, not any of the older implementations like IPchains or IPfwadm.

All IP network traffic is broken up into packets, which are chunks of data with a source, destination, and protocol information. Even a continuous flow of data such as the download of a large file is broken into packets when sent, and re-assembled at its destination. Because the IPtables firewall operates at the IP level, all of its rules and chains evaluate and operate on individual packets, not TCP connections or HTTP requests.

An IPtables firewall is made up of three different kinds of objects—tables, chains, and rules. Each of the three tables contains two or three standard chains, and possibly many user-defined custom chains. Each chain contains zero or more rules, which are applied to packets received by or sent out from the firewall to determine their fate. The three tables and their standard chains are:

Packet filtering (filter) The INPUT, OUTPUT, and FORWARD chains in this table apply to packets received by, sent out from, or forwarded by the firewall, respectively. If the firewall system is acting as a router, only the FORWARD chain applies to routed packets. Network traffic destined for the system itself is processed by the INPUT chain, and traffic sent out by local processes by the OUTPUT chain.

For a system that is an ordinary router and not doing any masquerading, or a system that needs a firewall only to protect itself, this is the only table that rules need to be added to.

Network address translation (nat) This table is used only for packets that start a new connection. The rules in its PREROUTING chain are applied to packets as soon as they are received by the system, before routing, and the rules in its POSTROUTING chain to packets about to leave the system after routing. The OUTPUT chain rules are applied to locally generated packets, to modify them before routing.

Rules are typically added to this table to set up masquerading, transparent proxying, or some other kind of address translation.

Packet alteration (mangle) This table is used only for specialized packet alteration. It contains two chains—PREROUTING for modifying packets before routing, and OUTPUT for modifying locally generated packets.

This table is rarely used in a typical firewall configuration.

When a network packet is processed by a chain, each rule in the chain is executed in order. Every rule has a set of conditions that determine whether the rule matches or not, and an action that is taken in the case of a match. This action may be to immediately accept the packet, immediately drop it, perform some modification, or continue execution. If the end of a chain is reached, its default action will be taken instead, which is usually to allow the packet through.

Figure 19.1 shows the tables and chains that a packet passes through, and the order in which they are checked. Packets coming in from the network enter the diagram at the top, and are processed by both PREROUTING chains (in the mangle and nat tables). At this point, a routing decision is made—packets destined for the local system go to the left, while those being forwarded to some other destination take the right-hand branch. Those that go left are processed by the incoming packets chain (INPUT) before being delivered to local processes, such as servers. Forwarded data is processed by the Forwarded packets (FORWARD) and After routing (POSTROUTING) chains before being sent on to its destination.

Figure 19.1. An overview of IPtables.


The firewall can also affect packets sent out by processes on the local system. These are checked against the three Output chains and the After routing chain before being transmitted via the appropriate network interface to their destinations. This means that an IPtables firewall can be used to limit the addresses that local processes can connect to, and the protocols that they can use.
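As an added illustration (not code from the book or from Webmin), the following Python model reproduces the evaluation semantics described above: the routing decision that sends a packet to INPUT or FORWARD, rules checked in order with the first terminal target winning, a jump into a user-defined chain with RETURN handing control back, and the chain's default policy applied when the end is reached. The firewall addresses and the ruleset are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Addresses belonging to the firewall itself (constructed for this example).
LOCAL_ADDRS = {"203.0.113.1", "192.168.0.1", "127.0.0.1"}

def rule(target, proto=None, src=None, dport=None):
    """A rule: match conditions plus a target (ACCEPT, DROP, RETURN or a user chain)."""
    return {"target": target, "proto": proto,
            "src": ip_network(src) if src else None, "dport": dport}

def matches(r, pkt):
    """Every condition the rule sets must hold; unset conditions match anything."""
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dport"] is None or r["dport"] == pkt.get("dport")))

def run_chain(table, name, pkt):
    """Walk the chain top to bottom; the first terminal target wins, else the policy."""
    chain = table[name]
    for r in chain["rules"]:
        if not matches(r, pkt):
            continue
        target = r["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":           # stop here and fall back to the policy/caller
            break
        verdict = run_chain(table, target, pkt)   # jump into a user-defined chain
        if verdict is not None:          # None: the user chain returned without a verdict
            return verdict
    return chain["policy"]               # built-in chains have a policy, user chains None

def filter_packet(table, pkt):
    """Routing decision of Figure 19.1: local destination -> INPUT, anything else -> FORWARD."""
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    return run_chain(table, chain, pkt)

# A self-protecting router ruleset (constructed): drop by default, admit loopback,
# let LAN hosts reach the services in a custom chain, and let anyone reach port 80.
FILTER = {
    "INPUT": {"policy": "DROP", "rules": [
        rule("ACCEPT", src="127.0.0.0/8"),
        rule("lan-services", src="192.168.0.0/24"),
        rule("ACCEPT", proto="tcp", dport=80),
    ]},
    "FORWARD": {"policy": "DROP", "rules": [rule("ACCEPT", src="192.168.0.0/24")]},
    "lan-services": {"policy": None, "rules": [
        rule("ACCEPT", proto="tcp", dport=22),
        rule("RETURN"),                  # not SSH: back to INPUT where the jump was made
    ]},
}
```

Only the filter table is modelled; the nat and mangle chains from Figure 19.1 would sit before and after this decision in the same top-to-bottom fashion.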
