This chapter focuses on packet filtering basics, defines the differences between ipchains and iptables, explains various options available with iptables commands, and shows how filtering rules can be preserved between system reboots.

16.1. Packet Filtering
Traffic moves through a network in packets. A network packet is a collection of data in a specific size and format. In order to transmit a file over a network, the sending computer must first break the file into packets using the rules of the network protocol. Each of these packets holds a small part of the file data. Upon receiving the transmission, the target computer reassembles the packets into the file.

Every packet contains information which helps it navigate the network and move toward its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things. Most packets are designed to carry data, although some protocols use packets in special ways. For example, the Transmission Control Protocol (TCP) uses a SYN packet, which contains no data, to initiate communication between two systems.

The Linux kernel has the built-in ability to filter packets, allowing some of them into the system while stopping others. The 2.4 kernel's netfilter has three built-in tables, or rule lists. They are as follows:

      
- filter — The default table for handling network packets.
- nat — Used to alter packets that create a new connection.
- mangle — Used for specific types of packet alteration.

Each of these tables in turn has a group of built-in chains which correspond to the actions performed on the packet by netfilter.
      
The built-in chains for the filter table are as follows:

- INPUT — Applies to network packets that are targeted for the host.
- OUTPUT — Applies to locally-generated network packets.
- FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

- PREROUTING — Alters network packets when they arrive.
- OUTPUT — Alters locally-generated network packets before they are sent out.
- POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

- INPUT — Alters network packets targeted for the host.
- OUTPUT — Alters locally-generated network packets before they are sent out.
- FORWARD — Alters network packets routed through the host.
- PREROUTING — Alters incoming network packets before they are routed.
- POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at least one table.

A packet may be checked against multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.
      
Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
      
Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.

The iptables command configures these tables, as well as sets up new tables if necessary.
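The filter-table targets and default policy described above, written out as a small shell script. This is an added example and not part of the manual; the management network 192.0.2.0/24, the IPT and APPLY variables, and the function names are assumptions made for illustration. By default the script only prints the iptables commands it would run; setting APPLY=1 executes them, which requires root and the iptables binary.

```shell
#!/bin/sh
# Added example (not from the manual): a minimal INPUT-chain ruleset that
# exercises the ACCEPT, REJECT and DROP verdicts and the chain's default policy.
# IPT names the command to run; with IPT=echo the rules are printed instead
# of loaded, which is how the dry-run below works.
IPT="${IPT:-iptables}"

# Assumed management network (constructed value for the example).
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

apply_filter_rules() {
    # Start from an empty INPUT chain in the filter table.
    "$IPT" -F INPUT

    # Default policy: a packet that matches no rule is silently dropped.
    "$IPT" -P INPUT DROP

    # Loopback traffic never leaves the host; accept it before anything else.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host started are accepted early, so reply
    # traffic is not matched rule by rule (state match from connection tracking).
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH only from the management network. ACCEPT ends traversal of the
    # INPUT chain for the matching packet.
    "$IPT" -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT

    # Other new TCP connection attempts get an explicit reset: REJECT sends an
    # error back to the originator, whereas the DROP policy stays silent.
    "$IPT" -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset

    # Everything not matched above falls through to the DROP policy.
}

# Dry-run helper: how many rules in the ruleset jump to the given target.
count_target() {
    ( IPT=echo; apply_filter_rules ) | grep -c -- "-j $1"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_filter_rules                  # live: loads the rules into the kernel
else
    ( IPT=echo; apply_filter_rules )    # dry run: print the commands only
fi
```

Running `sh script.sh` prints the rule commands; `APPLY=1 sh script.sh` as root loads them. The ESTABLISHED,RELATED rule sits ahead of the port-specific rules so that return traffic is accepted by the second rule, and REJECT with a TCP reset is used for new TCP connections so that refused attempts fail immediately instead of timing out under the silent DROP policy.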