IPTables is a command-line utility that serves as the standard interface for managing the netfilter firewall in Linux kernels starting with version 2.4. Using the IPTables utility requires superuser (root) privileges.
Iptables | |
---|---|
Type | Firewall |
Developer | Netfilter core team |
Written in | C |
Operating system | Linux (kernel) |
License | GNU GPL |
Site | netfilter.org |
Sometimes IPTables also means the Netfilter firewall itself.
History
Initially, the development of netfilter and iptables went together, so there is much in common in the early history of these projects. See the netfilter article for details.
The predecessors of iptables were the ipchains project (used to administer the firewall of Linux kernel version 2.2) and ipfwadm (similarly, for Linux 2.0). The latter was based on the BSD ipfw utility.
iptables preserves the ideology inherited from ipfwadm: the behaviour of the firewall is determined by a set of rules, each consisting of a criterion and an action applied to the packets that match that criterion. The concept of chains, independent lists of rules, appeared in ipchains. Separate chains were introduced for filtering incoming (INPUT), outgoing (OUTPUT) and transit (FORWARD) packets. Continuing this idea, iptables introduced tables, independent groups of chains. Each table solves its own problem: the chains of the filter table are responsible for filtering, the chains of the nat table for network address translation (NAT), and other modifications of packet headers (for example, changing the TTL or TOS) belong to the mangle table. In addition, the logic of chain traversal changed slightly: in ipchains, all incoming packets, including transit packets, passed through the INPUT chain, whereas in iptables only packets addressed to the host itself pass through INPUT.
This separation of functionality allowed iptables to use information about a connection as a whole when processing its individual packets (previously this was possible only for NAT). Here iptables goes well beyond ipchains: it can track connection state and redirect, modify or filter packets based not only on data from their headers (source, destination) or packet contents, but also on connection data. This firewall feature is called stateful filtering, in contrast to the primitive stateless filtering implemented in ipchains (for more information on the types of filtering, see the article on firewalls). One can say that, unlike ipchains, iptables analyzes not only the transmitted data but also the context of its transmission, and can therefore make better-informed decisions about the fate of each particular packet. For more information about stateful filtering in netfilter/iptables, see the Netfilter article, section "State detection mechanism".
In the future, the netfilter developers plan to replace iptables with nftables, a new-generation tool that is still in early development [2].
Architecture
Basic Concepts
The key iptables concepts are:
- A rule consists of a criterion, an action and a counter. If a packet matches the criterion, the action is applied to it and the packet is counted by the counter. The criterion may be omitted, in which case the criterion "all packets" is implicitly assumed. Specifying an action is also optional: without an action, the rule works only as a counter.
- A criterion is a logical expression that examines the properties of a packet and/or a connection and determines whether the given packet is subject to the current rule.
- An action is a description of what must be done with the packet and/or connection if they match the criterion of this rule. Actions are described in more detail below.
- A counter is the component of a rule that accounts for the number of packets that matched the criterion of this rule. The counter also records the total volume of such packets in bytes.
- A chain is an ordered sequence of rules. Chains are divided into user chains and base chains.
- A base chain is a default chain created when the table is initialized. Depending on whether a packet is destined for the host itself, generated by it or in transit, it must pass through a particular set of base chains of different tables. In addition, a base chain differs from a user chain by having a "default policy": an action applied to those packets that have not been handled by the other rules of this chain or of the chains called from it. The names of base chains are always uppercase (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
- A user chain is a chain created by the user. It can be used only within its own table. It is recommended not to use uppercase names for such chains, to avoid confusion with base chains and built-in actions.
- A table is a set of base and user chains united by a common functional purpose. Table names (like the names of criterion modules) are written in lower case, since, in principle, they cannot conflict with the names of user chains. When invoking the iptables command, the table is specified as -t table_name. If no table is given explicitly, the filter table is used.
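As an added example (not code from the article or from the netfilter project), the following script assembles a small ruleset from the building blocks just described: default policies on the base chains of the implicit filter table, a counting-only rule with no action, stateful matching on connection-tracking state, a lowercase user chain, and a header modification placed in the mangle table. The interface name eth0 and the 192.0.2.0/24 address range are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: a minimal stateful ruleset built from
# the iptables concepts above. Pass "iptables" to apply it (root required) or
# "echo" to only print the commands. eth0 and 192.0.2.0/24 are placeholders.
build_ruleset() {
    ipt="$1"

    # The filter table is implicit when -t is omitted: flush rules, delete
    # user chains, then set the default policy of each base chain (uppercase).
    "$ipt" -F
    "$ipt" -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Criterion without an action: this rule only counts SSH packets.
    "$ipt" -A INPUT -p tcp --dport 22

    "$ipt" -A INPUT -i lo -j ACCEPT
    # Stateful filtering: decide on connection state, not only on headers.
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # User chain (lowercase, so it cannot clash with base chains or actions),
    # reached from INPUT only for new SSH connections.
    "$ipt" -N ssh_in
    "$ipt" -A ssh_in -s 192.0.2.0/24 -j ACCEPT
    "$ipt" -A ssh_in -j DROP
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_in

    # A different table: header modifications such as TTL belong to mangle.
    "$ipt" -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
}

# Helpers that inspect the ruleset without privileges (dry run via echo).
filter_rule_count() {
    # number of rules appended to the default (filter) table
    build_ruleset echo | grep -c '^-A '
}
default_policy() {
    # default policy of the given base chain, e.g. default_policy INPUT
    build_ruleset echo | awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Dry run by default; run as "sh script.sh iptables" to apply the rules.
build_ruleset "${1:-echo}"
```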
Literature
- Gregor N. Purdy. Linux iptables Pocket Reference. O'Reilly, 2004. 97 pp. ISBN 0-596-00569-5.
Links
- Netfilter project site
- iptables man page (English)
- Guide to iptables (iptables Tutorial 1.1.19) (Russian)