iptables

Iptables is a user-space program used to configure the tables provided by the firewall in the Linux kernel (implemented as a set of netfilter modules). These tables contain chains, and the chains contain rules. Several programs exist for different protocols: iptables is limited to IPv4, ip6tables handles IPv6, arptables handles ARP, and ebtables is a dedicated component for Ethernet frames.

Because iptables requires elevated system privileges, it must be run as root. On most Linux systems it is installed as /usr/sbin/iptables. Documentation is available in the man pages via man iptables, if installed.

The term iptables is also often used to refer only to the kernel components. x_tables is the name of the kernel module that carries the code common to all four tools and provides the API for iptables extensions. Consequently, Xtables often denotes the entire firewall infrastructure.

History

Netfilter and iptables were originally developed together, so their early development overlapped. See the Netfilter article.

Linux has had a packet filter since version 1.0. It originally came from BSD and was extended in Linux 2.0 under the name ipfwadm. Rusty Russell revised the packet filter again and named it ipchains; it was integrated into Linux 2.2. Around 1999 the kernel, and with it ipchains, was completely revised. From ipchains emerged iptables, which has been part of the Linux 2.4 kernel.

Iptables retains the original basic idea of ipfwadm: lists of rules, each of which specifies what is checked in a packet and what is then done with that packet. ipchains introduced the concept of chains, and iptables extended this to tables. One table is responsible for NAT, another for filtering. In addition, the three points at which packets are filtered on their way through the system were changed so that each packet passes through only one filter point.

This division allowed iptables to use the information produced by the connection tracking subsystem, which had previously been bound to NAT. Thus iptables has more options than ipchains: it can also monitor the state of a connection and redirect, stop or manipulate packets based on that state, instead of deciding only by source or destination address. A firewall such as iptables that meets these conditions is called stateful, whereas ipchains was stateless except in very limited circumstances.

Successor: as of Linux version 3.13, iptables is replaced by nftables.

Summary of function

Xtables allows the system administrator to load tables containing chains of rules for processing packets. Each table has its own purpose. Packets are processed by executing the rules within a chain in sequence. A rule can jump (jump) or call (goto) into another chain, and such transfers can be nested multiple times. (For a jump, the origin is recorded so that execution can later return to it.) Every network packet that reaches or leaves the computer passes through at least one chain.

The origin of the packet determines in which chain execution begins. There are five predefined chains (corresponding to the five netfilter hooks), although a table does not necessarily have all of them. Predefined chains have a policy, such as DROP, which is applied if a packet reaches the end of the chain without matching any rule. Additional user-defined chains can be created; they have no policy, and if a packet reaches their end, execution continues in the chain that originally triggered the jump. Empty chains are allowed.

Each rule in a chain contains specifications (matches) that determine which packets it applies to. A rule can also contain a target (target, for extensions) or a verdict. As a packet passes through a chain, the rules are checked in sequence. If a rule does not match the packet, processing moves on to the next rule. If it does match, the action given by the target or verdict is performed, which may or may not end the packet's passage through the chain. Matches make up the largest part of a rule, since they hold the conditions against which a packet is tested. These tests can be carried out for each layer of the OSI model; examples are the --mac-source and -p tcp --dport parameters. There are also protocol-independent options, such as -m time.

A packet moves through a chain until either a rule matches it and contains a final verdict for the packet (e.g. ACCEPT or DROP), or a rule with the verdict RETURN matches (causing processing to continue in the parent chain), or the end of the chain is reached.

Frontends

To make setting up rules easier, many vendors offer supporting software. Text-based or graphical front ends let users create simple rules with a few mouse clicks. Scripts are often shell scripts (though other languages are available) that call iptables or, faster, iptables-restore with a predefined set of rules. Templates may also be used, which are applied by means of configuration files. Linux distributions often use templates but also give the user the ability to define their own rules.

Examples:

Such front ends, generators and scripts are often limited by their templates and design. In addition, the rules they generate are usually not optimized for the specific purpose of the firewall, because automatic optimization in the front end would require a large development effort. Users who understand iptables well and want an optimized rule set are therefore advised to construct the rules themselves.
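The following shell script is an added example, not part of the original article or of the iptables project. It ties together the two points above: how built-in chains with a policy, a user-defined chain without one, a jump, a RETURN and connection-tracking matches combine into one rule set, and how such a rule set is loaded atomically with iptables-restore rather than by many separate iptables calls. The chain name SSH_GUARD and the management network 192.0.2.0/24 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build a small, stateful filter-table
# rule set in iptables-restore format. The chain name SSH_GUARD and the
# network 192.0.2.0/24 are constructed values for illustration only.

# Print the rule set on stdout; nothing is applied here.
build_ruleset() {
    cat <<'EOF'
*filter
# Built-in chains carry a policy that applies when no rule matches.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# A user-defined chain has no policy; falling off its end returns to the caller.
:SSH_GUARD - [0:0]
# Loopback traffic and replies to connections we opened (connection tracking).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Jump into the user chain for new SSH connections; if it RETURNs, the
# remaining INPUT rules run and the policy DROP finally applies.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
# Inside the user chain: accept the management network, otherwise log (rate
# limited) and return to INPUT, where the DROP policy takes effect.
-A SSH_GUARD -s 192.0.2.0/24 -j ACCEPT
-A SSH_GUARD -m limit --limit 3/min -j LOG --log-prefix "ssh-reject: "
-A SSH_GUARD -j RETURN
COMMIT
EOF
}

# Number of rules that would be appended (lines starting with "-A").
count_rules() {
    build_ruleset | grep -c '^-A'
}

# Syntax check without touching the kernel (needs root and a Linux host).
check_ruleset() {
    build_ruleset | iptables-restore --test
}

# Apply the whole table in one atomic operation (needs root):
#   build_ruleset | iptables-restore
```

Loading the set through iptables-restore replaces the filter table in a single step, so no packet is evaluated against a half-built chain, which is what can happen when a script issues one iptables command per rule. The --test flag of iptables-restore parses the input without applying it, which is a convenient pre-deployment check for generated rule sets.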
