Linux firewalls are often more secure than Windows firewalls because of the way they're implemented, according to James Turnbull, author of Hardening Linux. In this Q&A, he breaks down the two major components of Linux firewalling, Netfilter and iptables, and explains how they secure your network stack. - Editor
What is netfilter?
Netfilter is a framework that hooks into the network stack to allow the manipulation and processing of network packets. It consists of two major components. The first component, netfilter, provides the hooks into the network stack to allow actions to be performed on the packets that traverse the stack. These actions are defined in the form of rules. The second component is iptables, which is a generic table structure for the rules and rulesets used by netfilter. The user space tool used to set these rules is also called iptables.
How does netfilter work?
Let's take a simple example. Netfilter has five points, or hooks, in the network stack at which it examines packets: pre-routing, incoming, forwarded, post-routing and outgoing. The most commonly used hooks are the incoming packets, packets being forwarded through the host and outgoing packets. The pre- and post-routing hooks are usually used to perform NAT (Network Address Translation) functions.
In this example, we have a Web server running on the host being firewalled. The Web server is bound to port 80 of the host. A packet reaches the host that is destined for the Web server on port 80. As it reaches the network stack, netfilter examines the content of the packet at each of the five hook points and tries to determine if any of the rules defined by iptables apply to this packet. On our host we've defined a rule saying that only traffic from our internal network should be received by the Web server. Netfilter inspects the incoming packet and determines if the source IP address of the packet is in the internal network as we have defined in the rule. If it is, then netfilter accepts the packet and passes it through the network stack to the Web server. If the IP address is not from the network defined in the rule, then netfilter will drop the packet from the network stack and prevent it from reaching the Web server.
How is the "iptables" command used to configure netfilter?
The iptables command provides a user space interface to netfilter. It allows you to add, change or delete individual rules or collections of rules. Netfilter calls these collections of rules "chains." These rules and chains influence how packets received by your host are processed. The best way to see how the iptables command works is to add a rule to a firewall. On the next line is an iptables command that adds a rule to your firewall to handle some incoming traffic.
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -d 192.168.0.10 -p tcp --dport 80 -j ACCEPT
Let's take this command apart and understand how it works. The first option, -A, indicates that we are adding a rule. The next variable, INPUT, is the name of the collection of rules, or chain, that we are adding the rule to. In this case INPUT is the name of a default chain that holds the rules that relate to incoming packets. There are other default chains, for example FORWARD and OUTPUT, which handle other types of packets. You can also define your own chains to allow you to group together rules.
The next options control which packets are handled by the rule. The first option, -s, allows you to specify the source of the incoming packet. In our example the rule we have defined only applies to packets with a source address in the 192.168.0.0/24 subnet. All other packets will be ignored by this rule. Next, using the -i option, we tell iptables which interface the packets need to enter the host from; in this case the rule only applies to packets coming into the host from interface eth0. We have also used the -d option to specify the destination of the packets. This rule only applies to packets destined for IP address 192.168.0.10 (which is most likely the IP address of our host). Lastly, using the -p and --dport options, we have specified that we are only interested in TCP packets that are destined for port 80.
The final option, -j, tells the firewall what to do with any packets that match this rule. In our example we have specified that the packets should be accepted and passed to whatever service or application is bound to port 80. We could also have logged, dropped, or otherwise manipulated (using NAT, for example) the packet.
This is a simple example of a rule that should give you a basic understanding of how the iptables command works. There are a lot of other options you can use to configure Netfilter and creating complex firewalls using the command can become quite convoluted. But as you can see, basic rules handling incoming and outgoing traffic using iptables are very straightforward.
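The following script is an added example, not code from the interview or from Hardening Linux. It turns the Web server policy described in the two answers above (only the internal network may reach port 80 on the host) into a complete INPUT chain. The single ACCEPT rule quoted above blocks nothing by itself: the built-in INPUT chain has an ACCEPT policy, so an unmatched packet from 10.0.0.5 would still reach the Web server. The script therefore sets a DROP policy first, allows loopback and replies to connections the host already accepted, adds an anti-spoofing drop so a packet claiming a 192.168.0.0/24 source on the outside interface never reaches the -s match, then adds the interview's rule and a rate-limited log of whatever falls through. The host address, internal network and eth0 come from the interview; the second interface eth1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the interview or from Hardening Linux): the Web
# server policy described above as a complete, idempotent INPUT chain.
# Assumptions not stated on the page: a second interface eth1 faces the
# untrusted side of the host.
set -eu

IPT="${IPT:-iptables}"        # set IPT='echo iptables' to print the commands
INTERNAL_NET=192.168.0.0/24   # from the interview
HOST_IP=192.168.0.10          # from the interview
LAN_IF=eth0                   # from the interview
WAN_IF=eth1                   # assumption: interface facing the outside

ipt() { $IPT "$@"; }

build_input_policy() {
    # 1. Default-deny first. The interview's ACCEPT rule on its own blocks
    #    nothing while the chain policy is the built-in ACCEPT.
    ipt -P INPUT DROP
    ipt -F INPUT                  # clean chain, so rerunning is idempotent

    # 2. Loopback, and replies to connections this host already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Anti-spoofing: an internal source address arriving on the outside
    #    interface is dropped before any -s rule can match it.
    ipt -A INPUT -i "$WAN_IF" -s "$INTERNAL_NET" -j DROP

    # 4. The rule from the interview: internal clients may open port 80.
    ipt -A INPUT -s "$INTERNAL_NET" -i "$LAN_IF" -d "$HOST_IP" \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # 5. Everything else falls through to the DROP policy; log a
    #    rate-limited sample first so blocked attempts are visible.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# "$0 apply" programs the live firewall (needs root); "$0 show" only
# prints the iptables commands it would run.
case "${1:-}" in
    apply) build_input_policy ;;
    show)  IPT='echo iptables'; build_input_policy ;;
esac
```

Run `sh firewall.sh show` to review the commands, then `sudo sh firewall.sh apply` from a console session rather than over SSH: the policy is set to DROP before the ESTABLISHED rule is loaded, so a remote session can be cut off if the script stops part-way.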