Introduction to NetFilter

Netfilter is the rewrite of the Linux firewalling code that arrived with the 2.4 kernels, and it allows far more in the way of filtering and routing than was possible before. Some of the more interesting features of the rewritten networking stack are throttling of bandwidth, both inbound and outbound, load balancing across servers, and filtering or routing decisions based on criteria that weren't available before, such as port, source IP address, time of day, or even user ID.

Along with these features come a few new tools that replace the traditional route and ifconfig commands (the ip and tc utilities from the iproute2 suite), and the networking code itself has been rewritten, as the previous code simply couldn't support them. This article covers only the firewalling tool, iptables.

Getting netfilter support into the kernel is a little trickier than with earlier versions, mainly because there are many more options and many more modules. The basics you need are:

CONFIG_NETFILTER                 Netfilter framework
CONFIG_IP_NF_CONNTRACK           Connection tracking, required for IP masquerading / NAT
CONFIG_IP_NF_FTP                 FTP connection-tracking helper, needed to masquerade ftp
CONFIG_IP_NF_IPTABLES            iptables itself (replaces ipchains)
CONFIG_IP_NF_NAT                 NAT under iptables
CONFIG_IP_NF_TARGET_MASQUERADE   The MASQUERADE target, for masquerading under iptables

Iptables is the tool for manipulating packet filters in the 2.4 series of kernels, replacing the old ipfwadm and ipchains. It is similar to ipchains in some ways but not in others. It has three built-in chains by default, INPUT, FORWARD and OUTPUT, as ipchains did, but they are traversed differently. Instead of every packet passing from input to forward to output, the routing decision is made first: a packet routed to another host traverses only the FORWARD chain, a packet destined for the local machine traverses the INPUT chain, and a packet generated by the local machine traverses the OUTPUT chain. A forwarded packet never touches INPUT or OUTPUT, which is the main behavioural difference from ipchains and the thing most likely to trip up a converted ruleset.

A chain is an ordered list of rules, each of which says what to do with a packet that looks a certain way. A packet travelling down a chain is compared against the first rule, then the next, and the next, until it matches one. If the matching rule says ACCEPT, the packet continues on to the next part of the firewall; if it says DROP, the packet is discarded. If none of the rules match, the chain's default policy applies, which is simply a catch-all saying what should be done with packets that nothing matched. If you're being security conscious, that policy is DROP. Because the first match wins, rule order matters: a broad ACCEPT placed before a more specific DROP makes the DROP unreachable.

Actually using iptables is very similar to using ipchains. There are options for creating chains (-N), setting the default policy (-P), listing rules (-L), and manipulating them by adding, deleting or replacing rules (-A, -D, -R).
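As an added example (not from the original article), here is a complete script for the kind of dialup-masquerading firewall this section builds towards, tying together the three chains, the default policies, a user-defined chain and the NAT table. The interface names (eth0 for the LAN, ppp0 for the dialup link), the 192.168.1.0/24 LAN address and the chain name lan-fwd are assumptions, and it assumes the state match (CONFIG_IP_NF_MATCH_STATE) is built alongside connection tracking. Without APPLY=1 it only prints the rules it would load, which is a convenient way to check ordering before touching a live box.

```shell
#!/bin/sh
# Simple masquerading firewall for a LAN behind a dialup link (added example,
# not from the original article). Assumed layout: LAN on eth0 as
# 192.168.1.0/24, dialup link on ppp0. Assumes the state match module is
# built alongside connection tracking.
#
#   sh fw.sh            # dry run: print the rules that would be loaded
#   APPLY=1 sh fw.sh    # load them (needs root)

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-ppp0}"

# Remove all rules and user-defined chains so re-running the script is safe.
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

# Default policies: anything no rule matches is dropped, except traffic the
# firewall generates itself.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Packets addressed to the firewall itself. Order matters: the first matching
# rule wins, so the anti-spoofing DROP must come before any ACCEPT that could
# match the same packet.
input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # A LAN source address arriving on the dialup interface is spoofed.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    # Replies to connections we opened, and related ones (e.g. the ftp data
    # connection, which the ftp conntrack helper marks RELATED).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Packets routed through the firewall, kept in a user-defined chain so they
# can be listed and flushed on their own (iptables -L lan-fwd -n -v).
forward_rules() {
    $IPT -N lan-fwd
    $IPT -A lan-fwd -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A lan-fwd -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j lan-fwd
}

# Rewrite the source address of LAN packets leaving on the dialup link to
# whatever address ppp0 currently has. MASQUERADE re-reads the interface
# address per packet, which is why it suits dialup better than SNAT with a
# fixed address.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

firewall_rules() {
    flush_rules
    set_policies
    input_rules
    forward_rules
    nat_rules
}

if [ "${APPLY:-0}" = 1 ]; then
    modprobe ip_conntrack_ftp 2>/dev/null || true   # 2.4-era ftp helper module name
    firewall_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -L -n -v --line-numbers
else
    IPT="echo $IPT"   # dry run: print each command instead of executing it
    firewall_rules
fi
```

After loading the rules, `iptables -L -n -v --line-numbers` shows each chain in traversal order with per-rule counters, which is the quickest way to confirm that the anti-spoofing DROP really sits above the LAN ACCEPT and that forwarded traffic is hitting lan-fwd rather than the FORWARD policy.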

This is most of what you need for a simple firewall, primarily one providing IP masquerading for a LAN over a dialup connection. Many other modules provide extended functionality, and we'll cover those in a later article.