Linux today is the fastest growing operating system that is replacing it’s competitors in almost every sphere of technology field. The major reason for this is the simplicity and robustness of this operating system. Besides, there is another quality in Linux that makes it favourite of many. This quality is the seamless customization that can be done with every aspect of this OS. One of the very important aspect is the Linux security. There are many protections and inbuilt security mechanisms that Linux incorporates in the name of system and network security. One of the inbuilt security mechanism is the Linux firewall. Linux provides a very flexible and powerful mechanism to customize the firewall. This mechanism is the Linux IPtables.
This is the topic of discussion for this article. Lets discuss the basics of netfilter/Iptables framework in the following sections.
Why configure firewall?
Someone who is new to Linux may ask why configuring your own firewall in Linux is such a big deal? Why would anyone want to do that?
Well, being able to configure you own firewall can have various advantages for you.
- Unauthorized access to a Linux system can be blocked by specifying the trusted sources of communication.
- For kids too, appropriate level of security can be applied to firewall by allowing only selected websites or IPs.
- Firewall can be configured not only to control the traffic to and fro from internet but also to control the traffic between computers connected to local LAN.
So we see that being able to configure firewall is a huge plus.
The term Netfilter/Iptables may sound a bit confusing because of the ‘Netfilter’ tag. To clear the confusion, Both Netfilter and Iptables are related to each other in the sense that Iptables is to user space what Netfilter is to Kernel space. Iptables provides the facility to users to customize and configure the Linux firewall from user space. This firewall is implemented in Linux kernel through the concept of Netfilters. This functionality of Netfilter was added to Linux kernel from version 2.4.x onwards. Prior to this the concept of Ipchains was used but as that had many bugs and shortcomings so the concept of Netfilter/Iptables was developed.
Types of tables
As the name suggests, IPtables can be used to configure three types of tables that are used for fire-walling packets.
- Filter table : This table is used for packet filtering.
- NAT table : This table is not used for packet filtering but it rather provides NAT/PAT capabilities and IP masquerading.
- Mangle table : This table is used to alter packet fields and is also used to mark packets for later filtering. Again this is also not used for packet filtering
Here in this article we will be focusing totally on the filter table of Netfilter/IPTables module.
For any rule, the default table is the filter table. It is the only table where packet filtering takes place. This table consists of following types of chains.
- Prerouting chain
- Input chain
- Output chain
- Forward chain
- Postrouting chain
The prerouting chain consists of rules that are applied to those packets that are to be forwarded. The packets enter this chain before the routing decision has been made.
The input chain consists of rules that are applicable for those packets that are destined for the machine on which Netfilter/IPTables firewall is running. So, this chain contains filtering rules for incoming packets.
The output chain consists of rules that are applicable for those packets that are originating from the machine on which Netfiler/Iptables firewall is running. So, this chain contains filtering rules for the outgoing packets.
The forward chain consists of rules that applicable for those packets which are to be forwarded by the machine on which Netfilter/Iptables firewall is running. For these kind of packets, the Linux machine acts as a router. So, this chain contains filtering rules for the packets being forwarded.
The postrouting chain consists of rules that are applied to those packets that are to be forwarded. The packets enter this chain just before being handed over to the hardware for routing..
As clear from the above explanation of chains, each of the above chains can have a set of rules associated or grouped with them. For any and every rule associated with the above chains, there is target that specifies what to do with the packet if the packet matches the rule. Also, apart from the standard chains described above, the system administrator can make as many chains as he/she would like to.
For example, if a rule is for packets with destination IP 10.234.138.32 and port 80 exists in output chain then any packet coming destined to this IP and port would match this rule.
As already discussed, once a packet matches a rule, there is target or the action that is to be taken. The targets or actions available for rules in filter table chains are :
ACCEPT: This target is applied to those packets that are trustworthy and can be passed through the firewall.
REJECT: This target is applied to those packets that are to be dropped but an ICMP reply is to be sent to the originator for information on what happened to the packet.
DROP: This target is applied to those packets that are to be just dropped without sending any ICMP reply as if it never reached firewall.
If a packet does not match to any rule in the chain then the default target is applied to the packet. The default target can be any of the three targets already explained above.
Selecting a default target depends upon the type of firewall configuration. For example, One can configure the firewall in a way that by default all packets are ACCEPTed but the one’s which match any rule are DROPped or REJECTed. A more fesable configuration could be a default target of DROP or REJECT but the packets that match any of the rule gets ACCEPTed.
How filter table works
Here are some basic steps :
- Through IPtables the rules can be set for particular chains by users in the user space.
- Whenever a packet arrives at the Linux system from outside then Linux kernel checks if it needs to be forward or is it destined for this system only. There-on it places it in the forward chain or input chain of the netfilter module respectively.
- Whenever a packet is generated from inside the machine and destined to some other machine then Linux kernel places it in the output chain of the netfilter module.
- This packet is matched against all the rules present in the chain until it matches a rule.
- If packet successfully matches a rule then the target for that rule is applied to the packet and no further matching of packet to any rule takes place.
- If the packet does not match any rule in the chain then the default target is applied to that packet.
In the next article of this series, we will discuss some more in-depth details of the filter table used by Linux Iptables.
Read this interesting article to learn how Iptables can be used to solve real world problems.