Packet filtering with iptables
iptables is currently considered the state-of-the-art in programmable firewall software, having recently replaced similar, but deficient, software named ipfw and ipchains. iptables is very similar to that earlier software, but also provides stateful control over network traffic.

iptables actually consists of two software components:
- the iptables application program, controlling the set of rules and policies to be enforced, and
- the netfilter software configured as part of an operating system kernel (compiled into the kernel) to control IP traffic on several network interfaces.

The netfilter modifications have a long history from BSD Unix, and support both the IPv4 and IPv6 protocols, including the IPsec encrypted protocols.
Some informative block diagrams:
In combination, the iptables software provides a variety of mechanisms to filter packets, to perform network address translation, and to mangle packet headers. Three rule tables, named filter, nat, and mangle, are employed to perform these functions.

Each table of rules has a number of built-in rule chains (or lists), which provide sequences of rules to be evaluated, in order, until it is decided what should happen to an individual packet.

The standard filter table provides default chains named INPUT, FORWARD and OUTPUT, and we'll initially focus on these.
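As an added illustration (not part of the lecture, and not netfilter's own code), the following small Python model shows how an INPUT chain evaluates its rules in order, how the default policy applies when no rule matches, and how a conntrack-style state table makes the "stateful control" possible. The packet field names, the sample addresses and ports, and the host policy itself are assumptions made for the example.

```python
# Added example, not from the lecture: a model of iptables filter-chain evaluation
# with a conntrack-style state table; field names and packets are assumptions.
ACCEPT, DROP = "ACCEPT", "DROP"

class Chain:
    """A built-in chain: an ordered rule list plus a default policy."""
    def __init__(self, policy):
        self.policy, self.rules = policy, []
    def append(self, verdict, **match):  # iptables -A CHAIN <match> -j VERDICT
        self.rules.append((match, verdict))

flow_key = lambda p: (p["src"], p["sport"], p["dst"], p["dport"])
def conn_state(pkt, conntrack):
    """NEW unless this flow, or its reverse, was accepted earlier."""
    s, sp, d, dp = flow_key(pkt)
    return "ESTABLISHED" if {(s, sp, d, dp), (d, dp, s, sp)} & conntrack else "NEW"

def matches(match, pkt, conntrack):  # every match option must hold
    return all(conn_state(pkt, conntrack) in want if field == "state"
               else pkt.get(field) == want for field, want in match.items())

def evaluate(chain, pkt, conntrack):
    """First matching rule decides; if none matches, the chain policy applies."""
    verdict = next((v for m, v in chain.rules if matches(m, pkt, conntrack)), chain.policy)
    if verdict == ACCEPT:
        conntrack.add(flow_key(pkt))  # accepted flows become known state
    return verdict

def host_firewall():
    """Drop inbound by default; allow loopback, replies to our own connections, SSH."""
    inp = Chain(DROP)
    inp.append(ACCEPT, iface="lo")
    inp.append(ACCEPT, state={"ESTABLISHED", "RELATED"})  # RELATED not modelled
    inp.append(ACCEPT, proto="tcp", dport=22)
    return {"INPUT": inp, "OUTPUT": Chain(ACCEPT)}

def run(traffic):  # traffic: list of (chain name, packet dict) -> verdicts
    chains, conntrack = host_firewall(), set()
    return [evaluate(chains[c], p, conntrack) for c, p in traffic]

# Constructed sample traffic (made-up addresses): inbound SSH, inbound HTTP, our
# outbound HTTPS request, its reply, and an unsolicited packet from port 443.
ME, PEER = "10.0.0.5", "10.0.0.9"
SAMPLE = [
    ("INPUT",  dict(proto="tcp", src=PEER, sport=40000, dst=ME, dport=22)),
    ("INPUT",  dict(proto="tcp", src=PEER, sport=40001, dst=ME, dport=80)),
    ("OUTPUT", dict(proto="tcp", src=ME, sport=51000, dst=PEER, dport=443)),
    ("INPUT",  dict(proto="tcp", src=PEER, sport=443, dst=ME, dport=51000)),
    ("INPUT",  dict(proto="tcp", src=PEER, sport=443, dst=ME, dport=51001)),
]
```

Running `run(SAMPLE)` yields ACCEPT, DROP, ACCEPT, ACCEPT, DROP: the last packet looks like a reply from port 443 but is dropped because no connection we opened matches it, which is exactly what a stateless port-based filter could not decide.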
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p20, 15th May 2024.